Microsoft has given its customers an early holiday present with the first release candidate (RC1) for Windows XP Service Pack 3. Windows XP SP3 RC1 is a pre-release intended for post-beta testing. It also puts to rest the speculation that Microsoft will or will not release a third service pack for Windows XP.

Windows XP Service Pack 3 is currently scheduled for full release during the first quarter of 2008, at which time its contents will be fully described in Microsoft Knowledge Base article 936929: Release Notes for Windows XP Service Pack 3. Until then, the official description resides in the PDF file Overview of Windows XP Service Pack 3. An excellent alternate source of ongoing SP3 information is Paul Thurrott’s Windows XP Service Pack 3 FAQ.

(more…)

Back in August 2007, Microsoft released a critical update for a Visual Basic 6 Runtime file. The file, OLEAUT32.DLL, contains a vulnerability that can be exploited and allowing an attacker to gain complete control of a computer if the logged-on user has Administrator privileges. The exploit may be performed by a COM component or an ActiveX control residing in a Windows application or a Web page.

The vulnerability itself is caused by the improper checking of input data, allowing specially crafted memory requests to be passed to the Windows OLE Automation service. The OLEAUT32.DLL library provides the API to COM and ActiveX components to access this service. The update released by Microsoft patches the vulnerability by adding validity checking to memory requests.

So what’s to worry? You faithfully run Microsoft Update on the second Tuesday of every month, right? Well, hang on to your mouse–not all critical updates released by Microsoft are distributed through Microsoft Updates. This Visual Basic critical vulnerability is one that you’ll need to patch yourself.

(more…)