Microsoft's regular monthly patch delivery slipped into port yesterday carrying five new patches, each described by Redmond as "important".
First up there's a flaw (MS04-041) in WordPad that potentially allows malicious code to be executed. All flavours of Windows (XP, 2000, 2003 and NT) need patching. A vulnerability (MS04-043) in the HyperTerminal component of Windows similarly affects all versions of Windows.
But a security bug in DHCP (Dynamic Host Configuration Protocol) that might allow remote code execution and denial of service affects only Windows NT (MS04-042).
Next up we have vulnerabilities in the Windows Kernel and Local Security Authority Subsystem (LSASS) which create a means for hackers to elevate their privileges (MS04-044). Again all flavours of Windows are affected.
Lastly, there's a vulnerability in Windows Internet Naming Service (WINS) that could allow remote code execution (MS04-045).
Buffer overflow bugs are the culprit for almost all of these vulnerabilities.
Microsoft's most important December patch came earlier this month when it broke with its normal cycle to release a fix for the IFRAME vulnerability in IE, infamously exploited by the Bofra worm. Unsurprisingly this fix (MS04-040) is a "critical" update for all versions of Windows bar Win XP SP2 and Windows 2003. ®