Microsoft has patched a vulnerability in the Web viewing component of Crystal Reports. This component is used in Visual Studio .NET 2003, Outlook 2003 (when used with Business Contact Manager), and Microsoft's CRM solution.
Details
The source of the threat is a Directory Transversal Vulnerability, CAN-2004-0204. This can result in a denial of service event or a confidential information disclosure.
MBSA (Microsoft Baseline Security Analyzer) can't detect this problem, but the Systems Management Server (SMS) will report if the update is needed.

Crystal Reports 8.0 was the last release of Crystal Reports before the integration with Crystal Enterprise and the last version to include a stand-alone reports web server. Since that time, Crystal Reports has been through three versions and the current version is 10.0. In addition, Crystal Enterprise has also grown to become the standard distribution framework for distributing reports over the web.

In a posting on their support web site, Business Objects has identified a number of Microsoft security updates that may cause HTTP 500 errors with ASP or CSP pages that access Crystal Enterprise. These updates are listed as:
Update 837001
Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution

Update 837009
Cumulative Security Update for Outlook Express

Update 828741
Cumulative Update for Microsoft RPC/DCOM

Update 835732
Security Update for Microsoft Windows

Readers of Visual Studio Magazine have recognized Business Objects with a Visual Studio Magazine 2004 Readers Choice Award. For the ninth year in a row, readers have selected Crystal Reports® as the best product in the “Data Reporting and Analysis Tools” category. The highly coveted Readers Choice Awards recognize products that professional developers choose as the most valuable developer tools and components

Shipping inside the box of both Borland Enterprise Studio 7 for Java™ and JBuilder X Enterprise, Crystal Reports for JBuilder simplifies and accelerates the process of embedding Crystal Reports inside JavaServer™ Pages (JSPs). Crystal Decisions' 100% Java Reporting Component is also included to process and render dynamic reports within J2EE™ applications. An interactive zero-client viewer is included for customized end-user report interaction - including drill-down, exporting and printing functions. A custom tag library is also included for developers to rapidly integrate report viewing from within their J2EE applications.