Which products and which bulletins does LANguard N.S.S. support?

The information in this article applies to:

  • GFI LANguard Network Security Scanner 3
  • GFI LANguard Network Security Scanner 5
  • GFI LANguard Network Security Scanner 6

Article ID: KBID001820

Query keywords: Bulletins

List of the products and product updates that LANguard N.S.S. checks for:

Products

Product | Latest Supported Service Pack
Windows NT Workstation 4.0 | Service Pack 6a
Windows NT Server 4.0 | Service Pack 6a
Windows NT Server 4.0, Enterprise Edition | Service Pack 6a
Windows NT Server 4.0, Terminal Server Edition | Service Pack 6
Windows 2000 Professional | Service Pack 4
Windows 2000 Server | Service Pack 4
Windows 2000 Advanced Server | Service Pack 4
Windows XP Home Edition | Service Pack 2
Windows XP Professional | Service Pack 2
Internet Information Server 3.0 | None
Internet Information Server 4.0 | None
Internet Information Services 5.0 | None
Internet Information Services 5.1 | None
SQL Server 7.0 | Service Pack 4
SQL Server 2000 | Service Pack 4
Internet Explorer 4.0 | None
Internet Explorer 4.01 | Service Pack 2
Internet Explorer 5 | None
Internet Explorer 5.01 | Service Pack 4
Internet Explorer 5.5 | Service Pack 2
Internet Explorer 6 | Service Pack 2
Office 2000 | Service Pack 3
Office XP | Service Pack 3
ISA Server 2000 | Service Pack 2
Exchange 2000 Server | Service Pack 3
Exchange 2000 Enterprise Server | Service Pack 3
Exchange Server 5.5 | Service Pack 4
Windows Server 2003, Enterprise Edition | Service Pack 1
Windows Server 2003, Standard Edition | Service Pack 1
Windows Server 2003, Web Edition | Service Pack 1
Windows Server 2003, Datacenter Edition | Service Pack 1
Internet Explorer 6.0 for Windows Server 2003 | None
MDAC 2.6 | Service Pack 2
MDAC 2.7 | Service Pack 2
MDAC 2.8 | None
MDAC 2.5 | Service Pack 3
Office System 2003 | Service Pack 2
Exchange Server 2003 | Service Pack 2
Outlook Express 5.5 | Service Pack 2
Outlook Express 6.0 | Service Pack 2
Outlook Express 6 on Windows 2003 | None
ISA Server 2004 | Service Pack 1


Bulletins

For each bulletin the entry gives the bulletin ID, its title, whether LANguard N.S.S. can detect the missing update (Detectable), and the bulletin summary.

Bulletin: MS05-052
Title: Cumulative Security Update for Internet Explorer (896688)
Detectable: Yes
Summary: This update resolves a newly-discovered, public vulnerability and other privately-reported variations of the same vulnerability. The Microsoft DDS Library Shape Control (Msdds.dll) and other COM objects could, when instantiated in Internet Explorer, allow an attacker to take complete control of an affected system. Because these COM objects were not designed to be instantiated in Internet Explorer, this update sets the kill bit for the affected Class Identifiers (CLSID) in these COM objects. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Bulletin: MS05-051
Title: Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution (902400)
Detectable: Yes
Summary: This update resolves several newly-discovered, privately reported vulnerabilities. Each vulnerability is documented in its own "Vulnerability Details" section of this bulletin. An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Bulletin: MS05-050
Title: Vulnerability in DirectShow Could Allow Remote Code Execution (904706)
Detectable: Partially Detectable
Summary: This update resolves a newly-discovered, privately-reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Bulletin: MS05-049
Title: Vulnerabilities in Windows Shell Could Allow Remote Code Execution (900725)
Detectable: Yes
Summary: This update resolves several newly-discovered, privately reported vulnerabilities. Each vulnerability is documented in its own "Vulnerability Details" section of this bulletin. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. However, user interaction is required to exploit this vulnerability.

Bulletin: MS05-048
Title: Vulnerability in the Microsoft Collaboration Data Objects Could Allow Remote Code Execution (907245)
Detectable: Yes
Summary: This update resolves a newly-discovered, privately-reported vulnerability that could allow an attacker to run arbitrary code on the system. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Bulletin: MS05-047
Title: Vulnerability in Plug and Play Could Allow Remote Code Execution and Local Elevation of Privilege (905749)
Detectable: Yes
Summary: This update resolves a newly-discovered, privately-reported vulnerability. A remote code execution vulnerability exists in Plug and Play (PnP) that could allow an authenticated attacker who successfully exploited this vulnerability to take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The vulnerability is documented in the "Vulnerability Details" section of this bulletin.

Bulletin: MS05-046
Title: Vulnerability in the Client Service for NetWare Could Allow Remote Code Execution (899589)
Detectable: Yes
Summary: This update resolves a newly-discovered, privately-reported vulnerability. A remote code execution vulnerability exists in the Client Service for NetWare (CSNW). By default, CSNW is not installed on any affected operating system version. Only customers who manually installed CSNW could be vulnerable to this issue. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. This service is also called Gateway Service for NetWare on Windows 2000 Server. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Bulletin: MS05-045
Title: Vulnerability in Network Connection Manager Could Allow Denial of Service (905414)
Detectable: Yes
Summary: This update resolves a newly-discovered, public vulnerability. A vulnerability in Network Connection Manager could allow a denial of service on the affected platforms against the Network Connection Manager. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. An attacker who successfully exploited this vulnerability could cause the component responsible for managing network and remote access connections to stop responding. If the affected component is stopped due to an attack, it will automatically restart when new requests are received.

Bulletin: MS05-044
Title: Vulnerability in the Windows FTP Client Could Allow File Transfer Location Tampering (905495)
Detectable: Partially Detectable
Summary: This update resolves a newly-discovered, public vulnerability. A vulnerability exists in the Windows FTP client because of the way it handles filename validation. This vulnerability could allow tampering with the file transfer location on the client during an FTP file transfer session. The vulnerability is documented in the "Vulnerability Details" section of this bulletin.

Bulletin: MS05-043
Title: Vulnerability in the Print Spooler Service Could Allow Remote Code Execution (896423)
Detectable: Yes
Summary: This update resolves a newly-discovered, privately-reported vulnerability. A vulnerability exists in the Print Spooler service that could allow remote code execution. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Bulletin: MS05-042
Title: Vulnerabilities in Kerberos Could Allow Denial of Service, Information Disclosure, and Spoofing (899587)
Detectable: Yes
Summary: This update resolves two newly-discovered vulnerabilities, a privately reported vulnerability and a publicly reported vulnerability. Each vulnerability is documented in its own "Vulnerability Details" section of this bulletin. An attacker who successfully exploited the most severe of these vulnerabilities could cause the service responsible for authenticating users in an Active Directory domain to stop responding.

Bulletin: MS05-041
Title: Vulnerability in Remote Desktop Protocol Could Allow Denial of Service (899591)
Detectable: Yes
Summary: This update resolves a newly-discovered, privately-reported vulnerability. A vulnerability in the Remote Desktop Protocol (RDP) exists that could allow an attacker to cause a system to stop responding. The vulnerability is documented in the "Vulnerability Details" section of this bulletin.

Bulletin: MS05-040
Title: Vulnerability in Windows Telephony Service Could Allow Remote Code Execution (893756)
Detectable: Yes
Summary: This update resolves a newly-discovered, privately-reported vulnerability. A vulnerability exists in the Telephony Application Programming Interface (TAPI) service that could allow remote code execution. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Bulletin: MS05-039
Title: Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege (899588)
Detectable: Yes
Summary: This update resolves a newly-discovered, privately-reported vulnerability. A remote code execution vulnerability exists in Plug and Play that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The vulnerability is documented in the "Vulnerability Details" section of this bulletin.

Bulletin: MS05-038
Title: Cumulative Security Update for Internet Explorer (896727)
Detectable: Yes
Summary: This update resolves two newly-discovered, publicly and privately reported vulnerabilities. Each vulnerability is documented in its own "Vulnerability Details" section of this bulletin. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Bulletin: MS05-037
Title: Vulnerability in JView Profiler Could Allow Remote Code Execution (903235)
Detectable: Yes
Summary: This update resolves a newly-discovered, public vulnerability. A COM object, the JView Profiler (Javaprxy.dll), when instantiated in Internet Explorer, contains a remote code execution vulnerability that could allow an attacker to take complete control of an affected system. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Bulletin: MS05-036
Title: Vulnerability in Microsoft Color Management Module Could Allow Remote Code Execution (901214)
Detectable: Yes
Summary: This update resolves a newly-discovered, privately-reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. A remote code execution vulnerability exists in the Microsoft Color Management Module because of the way that it handles ICC profile format tag validation. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Bulletin: MS05-035
Title: Vulnerability in Microsoft Word Could Allow Remote Code Execution (903672)
Detectable: No
Summary: This update resolves a newly-discovered, privately-reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Bulletin: MS05-034
Title: Cumulative Security Update for ISA Server 2000 (899753)
Detectable: No
Summary: This update resolves several newly-discovered, privately reported vulnerabilities. Each vulnerability is documented in its own "Vulnerability Details" section of this bulletin.

Bulletin: MS05-033
Title: Vulnerability in Telnet Client Could Allow Information Disclosure (896428)
Detectable: Yes
Summary: This update resolves a newly-discovered, privately-reported vulnerability. An attacker who successfully exploited this information disclosure vulnerability could remotely read the session variables for users who have an open connection to a malicious telnet server. The vulnerability is documented in the "Vulnerability Details" section of this bulletin.

Bulletin: MS05-032
Title: Vulnerability in Microsoft Agent Could Allow Spoofing (890046)
Detectable: Yes
Summary: This update resolves a newly-discovered, privately-reported vulnerability. This vulnerability could enable an attacker to spoof trusted Internet content. The vulnerability is documented in the "Vulnerability Details" section of this bulletin.

Bulletin: MS05-031
Title: Vulnerability in Step-by-Step Interactive Training Could Allow Remote Code Execution (898458)
Detectable: No
Summary: This update resolves a newly-discovered, privately-reported vulnerability. The Step-by-Step Interactive Training has a remote code execution vulnerability that could allow an attacker to take complete control of an affected system. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. However, user interaction is required to exploit this vulnerability.

Bulletin: MS05-030
Title: Vulnerability in Outlook Express Could Allow Remote Code Execution (897715)
Detectable: No
Summary: This update resolves a newly-discovered, privately-reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Bulletin: MS05-029
Title: Vulnerability in Outlook Web Access for Exchange Server 5.5 Could Allow Cross-Site Scripting Attacks (895179)
Detectable: Yes
Summary: This update resolves a newly-discovered, privately-reported vulnerability. A cross-site scripting and spoofing vulnerability exists in Outlook Web Access for Exchange Server 5.5 that could allow an attacker to convince a user to run a malicious script. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. An attacker who successfully exploited the vulnerability could perform cross-site scripting attacks.

Bulletin: MS05-028
Title: Vulnerability in Web Client Service Could Allow Elevation of Privilege (896426)
Detectable: Yes
Summary: This update resolves a newly-discovered, privately-reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Bulletin: MS05-027
Title: Vulnerability in Server Message Block Could Allow Remote Code Execution (896422)
Detectable: Yes
Summary: This update resolves a newly-discovered, privately-reported vulnerability. A remote code execution vulnerability exists in Server Message Block (SMB) that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Bulletin: MS05-026
Title: Vulnerability in HTML Help Could Allow Remote Code Execution (896358)
Detectable: Yes
Summary: This update resolves a newly-discovered, privately-reported vulnerability. A vulnerability exists in HTML Help that could allow remote code execution on an affected system. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. However, user interaction is required to exploit this vulnerability.

Bulletin: MS05-025
Title: Cumulative Security Update for Internet Explorer (883939)
Detectable: Yes
Summary: This update resolves several newly-discovered, publicly and privately reported vulnerabilities. Each vulnerability is documented in its own "Vulnerability Details" section of this bulletin. If a user is logged on with administrative user rights, an attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Bulletin: MS05-024
Title: Vulnerability in Web View Could Allow Remote Code Execution (894320)
Detectable: Yes
Summary: This update resolves a newly-discovered, public vulnerability. A remote code execution vulnerability exists in the way that Web View within Windows Explorer handles certain HTML characters in preview fields. By persuading a user to preview a malicious file, an attacker could execute arbitrary code in the context of the logged on user. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Bulletin: MS05-023
Title: Vulnerabilities in Microsoft Word May Lead to Remote Code Execution (890169)
Detectable: No
Summary: This update resolves two newly-discovered vulnerabilities in Microsoft Word that could allow an attacker to run arbitrary code on a user's system. The vulnerabilities are documented in the "Vulnerability Details" section of this bulletin. If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.

Bulletin: MS05-021
Title: Vulnerability in Exchange Server Could Allow Remote Code Execution (894549)
Detectable: Yes
Summary: This update resolves a newly-discovered, privately-reported vulnerability in Microsoft Exchange Server that could allow an attacker to run arbitrary code on the system. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Bulletin: MS05-020
Title: Cumulative Security Update for Internet Explorer (890923)
Detectable: Yes
Summary: This update resolves several newly-discovered, privately reported vulnerabilities. Each vulnerability is documented in its own "Vulnerability Details" section of this bulletin. If a user is logged on with administrative user rights, an attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Bulletin: MS05-019
Title: Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service (893066)
Detectable: Yes
Summary: This update resolves several newly-discovered, privately-reported and public vulnerabilities. Each vulnerability is documented in its own "Vulnerability Details" section of this bulletin. An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. However, an attacker who successfully exploited the most severe of these vulnerabilities would most likely cause the affected system to stop responding.

Bulletin: MS05-018
Title: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege and Denial of Service (890859)
Detectable: Yes
Summary: This update resolves several newly-discovered, privately-reported vulnerabilities. Each vulnerability is documented in its own "Vulnerability Details" section of this bulletin. An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Bulletin: MS05-017
Title: Vulnerability in Message Queuing Could Allow Code Execution (892944)
Detectable: Yes
Summary: This update resolves a newly-discovered, privately-reported vulnerability. A remote code execution vulnerability exists in the Message Queuing component. By default, the Message Queuing component is not installed on any affected operating system version. Only customers who manually installed the Message Queuing component could be vulnerable to this issue. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Bulletin: MS05-016
Title: Vulnerability in Windows Shell that Could Allow Remote Code Execution (893086)
Detectable: Yes
Summary: This update resolves a newly-discovered, privately-reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Bulletin: MS05-015
Title: Vulnerability in Hyperlink Object Library Could Allow Remote Code Execution (888113)
Detectable: Yes
Summary: This update resolves a newly-discovered, privately reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Bulletin: MS05-014
Title: Cumulative Security Update for Internet Explorer (867282)
Detectable: Yes
Summary: This update resolves several newly-discovered, publicly and privately reported vulnerabilities. Each vulnerability is documented in its own "Vulnerability Details" section of this bulletin. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Bulletin: MS05-013
Title: Vulnerability in the DHTML Editing ActiveX Control Could Allow Code Execution (891781)
Detectable: Yes
Summary: This update resolves a newly-discovered, public vulnerability. A vulnerability exists in the DHTML Editing ActiveX control that could allow information disclosure or, at worst, remote code execution on an affected system. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Bulletin: MS05-012
Title: Vulnerability in OLE and COM Could Allow Remote Code Execution (873333)
Detectable: Yes
Summary: This update resolves several newly-discovered, privately-reported vulnerabilities. Each vulnerability is documented in its own "Vulnerability Details" section of this bulletin. An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Bulletin: MS05-011
Title: Vulnerability in Server Message Block Could Allow Remote Code Execution (885250)
Detectable: Yes
Summary: This update resolves a newly-discovered, privately-reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Bulletin: MS05-010
Title: Vulnerability in the License Logging Service Could Allow Code Execution (885834)
Detectable: Yes
Summary: This update resolves a newly-discovered, privately-reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Bulletin: MS05-008
Title: Vulnerability in Windows Shell Could Allow Remote Code Execution (890047)
Detectable: Yes
Summary: This update resolves a newly-discovered vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Bulletin: MS05-007
Title: Vulnerability in Windows Could Allow Information Disclosure (888302)
Detectable: Yes
Summary: This update resolves a newly-discovered, privately-reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. An attacker who successfully exploited this vulnerability could remotely read the user names for users who have an open connection to an available shared resource.

Bulletin: MS05-005
Title: Vulnerability in Microsoft Office XP Could Lead to Buffer Overrun (873352)
Detectable: No
Summary: This update resolves a newly-discovered, privately reported vulnerability that could allow an attacker to run code on the affected system. The vulnerability is documented in the "Vulnerability Details" section of this bulletin.

Bulletin: MS05-003
Title: Vulnerability in the Indexing Service Could Allow Remote Code Execution (871250)
Detectable: Yes
Summary: This update resolves a newly-discovered, privately reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could install programs; view, change, or delete data; or create new accounts with full privileges. While remote code execution is possible, an attack would most likely result in a denial of service condition.

Bulletin: MS05-002
Title: Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code Execution (891711)
Detectable: Yes
Summary: This update resolves a newly-discovered, public vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.

Bulletin: MS05-001
Title: Vulnerability in HTML Help Could Allow Code Execution (890175)
Detectable: Yes
Summary: This update resolves a newly-discovered, publicly reported vulnerability. A vulnerability exists in the HTML Help ActiveX control in Windows that could allow information disclosure or remote code execution on an affected system. This vulnerability is documented in the "Vulnerability Details" section of this bulletin. If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full privileges. Users whose accounts are configured to have fewer privileges on the system could be less impacted than users who operate with administrative privileges.

Bulletin: MS04-045
Title: Vulnerability in WINS Could Allow Remote Code Execution (870763)
Summary: This update resolves several newly-discovered, public and privately reported vulnerabilities. Each vulnerability is documented in its own "Vulnerability Details" section of this bulletin. An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.
Yes 
MS04-044 
Vulnerabilities in Windows Kernel and LSASS Could Allow Elevation of Privilege (885835)  This update resolves several newly-discovered, privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own Vulnerability Details section. An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.  
Yes 
MS04-043 
Vulnerability in HyperTerminal Could Allow Code Execution (873339)  This update resolves a newly-discovered, privately reported vulnerability. The vulnerability is documented in the Vulnerability Details section of this bulletin. If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges. However, user interaction is required to exploit this vulnerability.  
Yes 
MS04-042 
Vulnerability in DHCP Could Allow Remote Code Execution and Denial Of Service (885249)  This update resolves several newly-discovered, privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own Vulnerability Details section. An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges. However, attempts to exploit these vulnerabilities would most likely result in a denial of service of the Dynamic Host Configuration Protocol (DHCP) Server service.  
Yes 
MS04-041 
Vulnerability in WordPad Could Allow Code Execution (885836)  This update resolves several newly-discovered, privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own Vulnerability Details section. If a user is logged on with administrative privileges, an attacker who successfully exploited these vulnerabilities could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges. However, user interaction is required to exploit this vulnerability.  
Yes 
MS04-040 
Cumulative Security Update for Internet Explorer (889293)  This update resolves a newly-discovered publicly reported vulnerability. A vulnerability exists in Internet Explorer that could allow remote code execution on an affected system. The vulnerability is documented in the Vulnerability Details section of this bulletin. If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.  
Yes 
MS04-039 
Vulnerability in ISA Server 2000 and Proxy Server 2.0 Could Allow Internet Content Spoofing (888258)  This update resolves a newly-discovered, privately reported vulnerability. The vulnerability is documented in the Vulnerability Details section of this bulletin. This vulnerability could enable an attacker to spoof trusted Internet content. We recommend that customers install the update at the earliest opportunity.  
No 
MS04-038 
Cumulative Security Update for Internet Explorer (834707)  This update resolves several newly discovered publicly and privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own Vulnerability Details section. If a user is logged on with administrative privileges, an attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.  
Yes 
MS04-037 
Vulnerability in Windows Shell Could Allow Remote Code Execution (841356)  This update resolves several newly-discovered, public vulnerabilities. Each vulnerability is documented in this bulletin in its own Vulnerability Details section. If a user is logged on with administrative privileges, an attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges. However, user interaction is required to exploit these vulnerabilities.  
Yes 
MS04-036 
Vulnerability in NNTP Could Allow Code Execution (883935)  This update resolves a newly-discovered, privately reported vulnerability. A remote code execution vulnerability exists within the Network News Transfer Protocol (NNTP) Component of the affected operating systems. This vulnerability could potentially affect systems that do not use NNTP because certain affected software requires this component to be enabled for installation. The vulnerability is documented in the Vulnerability Details section of this bulletin. An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.  
Yes 
MS04-035 
Vulnerability in SMTP Could Allow Remote Code Execution (885881)  This update resolves a newly-discovered, privately reported vulnerability. A remote code execution vulnerability exists in the Simple Mail Transfer Protocol (SMTP) component that is provided as part of the affected software. The vulnerability is documented in the Vulnerability Details section of this bulletin. An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.  
Yes 
MS04-034 
Vulnerability in Compressed (zipped) Folders Could Allow Code Execution (873376)  This update resolves a newly-discovered, privately reported vulnerability. A remote code execution vulnerability exists in the way that Windows processes Compressed (zipped) Folders. The vulnerability is documented in the Vulnerability Details section of this bulletin. If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges. However, user interaction is required to exploit this vulnerability.  
Yes 
MS04-033 
Vulnerability in Microsoft Excel Could Allow Code Execution (886836)  This update resolves a newly-discovered, privately reported vulnerability. An attacker who exploited this vulnerability on a system could execute code of their choice, including installing programs; viewing, changing, or deleting data. The vulnerability is further documented in the Vulnerability Details section of this bulletin. If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.  
No 
MS04-032 
Security Update for Microsoft Windows (840987)  This update resolves several newly-discovered, privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own Vulnerability Details section. An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.  
Yes 
MS04-031 
Vulnerability in NetDDE Could Allow Remote Code Execution (841533)  This update resolves a newly-discovered, privately reported vulnerability. A remote code execution vulnerability exists in the Network Dynamic Data Exchange (NetDDE) services because of an unchecked buffer. The vulnerability is documented in the Vulnerability Details section of this bulletin. An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges. However, the NetDDE services are not started by default and would have to be manually started, or started by an application that requires NetDDE, for an attacker to attempt to remotely exploit this vulnerability.  
Yes 
MS04-030 
Vulnerability in WebDav XML Message Handler Could Lead to a Denial of Service (824151)  This update resolves a newly-discovered, privately reported vulnerability. The vulnerability is documented in the Vulnerability Details section of this bulletin. An attacker who exploited this vulnerability could cause WebDAV to consume all available memory on an affected server and CPU time which could lead to a denial of service and would require the IIS service to be restarted in order to restore functionality.  
Yes 
MS04-029 
Vulnerability in RPC Runtime Library Could Allow Information Disclosure and Denial of Service (873350)  This update resolves a newly-discovered, privately reported vulnerability. The vulnerability is documented in the Vulnerability Details section of this bulletin. An attacker who successfully exploited the vulnerability could cause the affected system to stop responding or could potentially read portions of active memory content.  
Yes 
MS04-028 
Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)  This update resolves a newly-discovered, privately reported vulnerability. A buffer overrun vulnerability exists in the processing of JPEG image formats that could allow remote code execution on an affected system. The vulnerability is documented in this bulletin in its own section. If a user is logged on with administrator privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.  
No 
MS04-027 
Vulnerability in WordPerfect Converter Could Allow Code Execution (884933)  This update resolves a newly-discovered, privately reported vulnerability. A remote code execution vulnerability exists in the WordPerfect 5.x converter that is provided as part of the affected software. The vulnerability is documented in the Vulnerability Details section of this bulletin. If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges. 
No 
MS04-026 
Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting and Spoofing Attacks (842463)  This update resolves a newly-discovered, privately reported vulnerability. A cross-site scripting and spoofing vulnerability exists in OWA for Exchange Server 5.5 that could cause a user to run script on the attacker's behalf. The vulnerability is documented in the Vulnerability Details section of this bulletin. An attacker who successfully exploited the vulnerability could make changes to Web browser caches and intermediate proxy server caches, and put spoofed content in those caches. They may also be able to exploit the vulnerability to perform cross-site scripting attacks.  
Yes 
MS04-025 
Cumulative Security Update for Internet Explorer (867801)  This update resolves several newly-discovered, public vulnerabilities. Each vulnerability is documented in this bulletin in its own Vulnerability Details section. If a user is logged on with administrative privileges, an attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.  
Yes 
MS04-024 
Vulnerability in Windows Shell Could Allow Remote Code Execution (839645)  This update resolves a newly-discovered, publicly reported vulnerability. A remote code execution vulnerability exists in the way that the Windows Shell launches applications. If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. However, significant user interaction is required to exploit this vulnerability. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.  
Yes 
MS04-023 
Vulnerability in HTML Help Could Allow Code Execution (840315)  This update resolves two newly-discovered vulnerabilities. The HTML Help vulnerability was privately reported and the showHelp vulnerability is public. Each vulnerability is documented in this bulletin in its own Vulnerability Details section. If a user is logged on with administrative privileges, an attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.  
Yes 
MS04-022 
Vulnerability in Task Scheduler Could Allow Code Execution (841873)  This update resolves a newly-discovered, privately reported vulnerability. A remote code execution vulnerability exists in the Task Scheduler because of an unchecked buffer. The vulnerability is documented in the Vulnerability Details section of this bulletin. If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. However, user interaction is required to exploit this vulnerability. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.  
Partially Detectable 
MS04-021 
Security Update for IIS 4.0 (841373)  This update resolves a newly-discovered, privately reported vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.  
Yes 
MS04-020 
Vulnerability in POSIX Could Allow Code Execution (841872)  This update resolves a newly-discovered, privately reported vulnerability. A privilege elevation vulnerability exists in the POSIX operating system component (subsystem). The vulnerability is documented in the Vulnerability Details section of this bulletin. An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.  
Yes 
MS04-019 
Vulnerability in Utility Manager Could Allow Code Execution (842526)  This update resolves a newly-discovered, privately reported vulnerability. A privilege elevation vulnerability exists in the way that Utility Manager launches applications. A logged-on user could force Utility Manager to start an application with system privileges and could take complete control of the system. The vulnerability is documented in the Vulnerability Details section of this bulletin. An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.  
Yes 
MS04-018 
Cumulative Security Update for Outlook Express (823353)  This update resolves a public vulnerability. A denial of service vulnerability exists in Outlook Express because of a lack of robust verification for malformed e-mail headers. The vulnerability is documented in the Vulnerability Details section of this bulletin. This update also changes the default security settings for Outlook Express 5.5 Service Pack 2 (SP2). This change is documented in the Frequently Asked Questions related to this security update section of this bulletin. If a user is running Outlook Express and receives a specially crafted e-mail message, Outlook Express would fail. If the preview pane is enabled, the user would have to manually remove the message, and then restart Outlook Express to resume functionality. 
No 
MS04-017 
Vulnerability in Crystal Reports Web Viewer Could Allow Information Disclosure and Denial of Service (842689)  This update resolves a newly-discovered vulnerability in Crystal Reports and Crystal Enterprise from Business Objects. Microsoft Visual Studio .NET 2003 (all versions) and Outlook 2003 with Business Contact Manager redistribute Crystal Reports and are therefore affected by the vulnerability. Microsoft Customer Relationship Management (CRM) 1.2 redistributes Crystal Enterprise, which is affected in the same way. The vulnerability is documented in the Vulnerability Details section of this bulletin.
No 
MS04-016 
Vulnerability in DirectPlay Could Allow Denial of Service (839643)  This update resolves a newly-discovered, privately reported vulnerability. A denial of service vulnerability exists in the implementation of the IDirectPlay4 application programming interface (API) of Microsoft DirectPlay because of a lack of robust packet validation. The vulnerability is documented in the Vulnerability Details section of this bulletin. 
No 
MS04-015 
Vulnerability in Help and Support Center Could Allow Remote Code Execution (840374)  This update resolves a newly-discovered vulnerability. A remote code execution vulnerability exists in the Help and Support Center because of the way that it handles HCP URL validation. The vulnerability is documented in the Vulnerability Details section of this bulletin. An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges. However, significant user interaction is required to exploit this vulnerability. 
Yes 
MS04-014 
Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution (837001)  A buffer overrun vulnerability exists in the Microsoft Jet Database Engine (Jet) that could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. 
Yes 
MS04-013 
Cumulative Security Update for Outlook Express (837009)  This is a cumulative update that includes the functionality of all the previously-released updates for Outlook Express 5.5 and Outlook Express 6. Additionally, it eliminates a new vulnerability that could allow an attacker who exploited this vulnerability to access files and take complete control of the affected system. This could occur even if Outlook Express is not used as the default E-mail reader on the system. 
No 
MS04-012 
Cumulative Update for Microsoft RPC/DCOM (828741)  This update resolves several newly-discovered vulnerabilities in RPC/DCOM. Each is documented in this bulletin in its own section. An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of the affected system. An attacker could then take any action on the affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.  
Yes 
MS04-011 
Security Update for Microsoft Windows (835732)  This update resolves several newly-discovered vulnerabilities. Each vulnerability is documented in this bulletin in its own section. An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.  
Yes 
MS04-010 
Vulnerability in MSN Messenger Could Allow Information Disclosure (838512)  A security vulnerability exists in Microsoft MSN Messenger. The vulnerability exists because of the method by which MSN Messenger handles a file request. An attacker could exploit this vulnerability by sending a specially crafted request to a user running MSN Messenger. If exploited successfully, the attacker would be able to view the contents of a file on the hard drive without the user’s knowledge as long as the attacker knew the location of the file and the user had read access to the file. To exploit this vulnerability, an attacker would have to know the sign-on name of the MSN Messenger user in order to send the request. 
No 
MS04-009 
Vulnerability in Microsoft Outlook Could Allow Code Execution (828040)  A security vulnerability exists within Outlook 2002 that could allow Internet Explorer to execute script code in the Local Machine zone on an affected system. The vulnerability results from the incorrect parsing of specially crafted mailto URLs by Outlook 2002. To exploit this vulnerability, an attacker would have to host a malicious Web site that contained a Web page designed to exploit the vulnerability and then persuade a user to view the Web page. The attacker could also create an HTML e-mail message designed to exploit the vulnerability and persuade the user to view the HTML e-mail message. After the user has visited the malicious Web site or viewed the malicious HTML e-mail message an attacker who successfully exploited this vulnerability could access files on a user's system, and run arbitrary code on a user's system. This code would run in the security context of the currently logged on user. Outlook 2002 is available as a separate product and is also included as part of Office XP. 
No 
MS04-008 
Vulnerability in Windows Media Services Could Allow a Denial of Service (832359)  A vulnerability exists because of the way that Windows Media Station Service and Windows Media Monitor Service, components of Windows Media Services, handle TCP/IP connections. If a remote user were to send a specially-crafted sequence of TCP/IP packets to the listening port of either of these services, the service could stop responding to requests and no additional connections could be made. The service must be restarted to regain its functionality. 
Yes 
MS04-007 
ASN.1 Vulnerability Could Allow Code Execution (828028)  A security vulnerability exists in the Microsoft ASN.1 Library that could allow code execution on an affected system. The vulnerability is caused by an unchecked buffer in the Microsoft ASN.1 Library, which could result in a buffer overflow. An attacker who successfully exploited this buffer overflow vulnerability could execute code with System privileges on an affected system. The attacker could then take any action on the system, including installing programs, viewing, changing or deleting data, or creating new accounts with full privileges. Abstract Syntax Notation 1 (ASN.1) is a data standard used by many applications and devices in the technology industry for allowing the normalization and understanding of data across various platforms. More information about ASN.1 can be found in Microsoft Knowledge Base Article 252648.
Yes 
MS04-006 
Vulnerability in the Windows Internet Naming Service (WINS) Could Allow Code Execution (830352)  A security vulnerability exists in the Windows Internet Naming Service (WINS). This vulnerability exists because of the method used by WINS to validate the length of specially-crafted packets. On Windows Server 2003 this vulnerability could allow an attacker who sent a series of specially-crafted packets to a WINS server to cause the service to fail. This could most likely cause a denial of service, and the service would have to be manually restarted to restore functionality. The possibility of a denial of service on Windows Server 2003 results from the presence of a security feature used in the development of Windows Server 2003 called the /GS flag. The purpose of this security feature is to detect when an attempt is made to exploit a stack-based buffer overrun and reduce the chance it can be easily exploited. In some cases this security feature will be forced to terminate the service in order to prevent malicious code execution. On Windows Server 2003, when an attempt is made to exploit the buffer overrun, the security feature reacts and terminates the service. This results in a denial of service condition of WINS. It is possible that methods may be found in the future to bypass this security feature which could then enable code execution, so customers should apply the update. For more information on these security features please view the following Web site. On Windows NT and Windows 2000 the nature of the vulnerability is slightly different. WINS will reject the specially-crafted packet and does not result in a denial of service. The vulnerability on these platforms also does not allow code execution. Microsoft is releasing a security update on these platforms that corrects the vulnerable code as a preventive measure to ensure that methods are not found in the future to exploit this vulnerability. 
Yes 
MS04-005 
Vulnerability in Virtual PC for Mac could lead to privilege elevation (835150)  A security vulnerability exists in Microsoft Virtual PC for Mac. The vulnerability exists because of the method by which Virtual PC for Mac creates a temporary file when you run Virtual PC for Mac. An attacker could exploit this vulnerability by inserting malicious code into the file which could cause the code to be run with system privileges. This could give the attacker complete control over the system. To exploit this vulnerability, an attacker would have to already have a valid logon account on the local system, or the attacker would already have to have access to a valid logon account. 
No 
MS04-004 
Cumulative Security Update for Internet Explorer (832894)  This is a cumulative update that includes the functionality of all the previously-released updates for Internet Explorer 5.01, Internet Explorer 5.5, and Internet Explorer 6.0. 
Yes 
MS04-003 
Buffer Overrun in MDAC Function Could Allow Code Execution (832483)  Microsoft Data Access Components (MDAC) is a collection of components that provides the underlying functionality for a number of database operations, such as connecting to remote databases and returning data to a client. When a client system on a network tries to see a list of computers that are running SQL Server and that reside on the network, it sends a broadcast request to all the devices that are on the network. Due to a vulnerability in a specific MDAC component, an attacker could respond to this request with a specially crafted packet that could cause a buffer overflow. An attacker who successfully exploited this vulnerability could gain the same level of privileges over the system as the application that initiated the broadcast request. The actions an attacker could carry out would be dependent on the permissions under which the application using MDAC ran. If the application ran with limited privileges, an attacker would be limited accordingly; however, if the application ran under the local system context, the attacker would have the same level of permissions. MDAC is available for download from the Microsoft Web site, so it may not always be possible to determine which version of MDAC is installed from the version of Windows alone. A tool is available that can help you determine what version of MDAC is running on your system: Microsoft Knowledge Base article 301202 “HOW TO: Check for MDAC Version” describes this tool and explains how to use it. Also, refer to Knowledge Base article 231943, which outlines the release history of MDAC, for more on the different versions of MDAC.
Yes 
MS04-002 
Vulnerability in Exchange Server 2003 Could Lead to Privilege Escalation (832759)  A vulnerability exists in the way in which HTTP connections are reused when using NTLM authentication between Front-End Exchange 2003 servers, running Outlook Web Access, on Windows 2000 and Windows Server 2003, and back-end Exchange 2003 servers running on Windows Server 2003. Users who use Outlook Web Access (OWA) for Exchange Server 2003 to access their mailboxes might get connected to another user’s mailbox. An attacker seeking to exploit this vulnerability would be unable to predict which mailbox they would get connected to. The vulnerability results in random and unreliable access to mailboxes and is specifically limited to mailboxes accessed through OWA in the recent past. This behavior manifests itself in deployments where OWA is used in an Exchange Front-End server configuration and where Kerberos is disabled as an authentication method for the IIS web site that is running the Exchange Server 2003 programs on the back-end Exchange servers. By default, Kerberos is used when OWA for Exchange Server 2003 authenticates to the back-end Exchange server. This vulnerability is exposed if the web site that is running the Exchange Server 2003 programs on the Exchange back-end server has been configured not to negotiate Kerberos authentication, causing OWA to fall back to using NTLM authentication. The only known way in which this vulnerability can be exposed is by a change in the default configuration of Internet Information Services 6.0 on the Exchange back-end server and not by a routine fallback to NTLM due to a problem with Kerberos authentication. This configuration change can occur when Microsoft Windows SharePoint Services 2.0 is installed on a Windows Server 2003 server that also functions as an Exchange Server 2003 back-end. 
Yes 
MS04-001 
Vulnerability in H.323 Filter can Allow Remote Code Execution (816458)  A security vulnerability exists in the H.323 filter for Microsoft ISA Server 2000 that could allow an attacker to overflow a buffer in the Microsoft Firewall Service in Microsoft ISA Server 2000. An attacker who successfully exploited this vulnerability could attempt to run code of their choice in the security context of the Microsoft Firewall Service, giving the attacker complete control over the system. The H.323 filter is enabled by default on ISA Server 2000 computers installed in integrated or firewall mode. 
Yes 
MS03-051 
Buffer Overrun in Microsoft FrontPage Server Extensions Could Allow Code Execution (813360)  This bulletin addresses two new security vulnerabilities in Microsoft FrontPage Server Extensions, the most serious of which could enable an attacker to run arbitrary code on a user's system. The first vulnerability exists because of a buffer overrun in the remote debug functionality of FrontPage Server Extensions. This functionality enables users to remotely connect to a server running FrontPage Server Extensions and remotely debug content using, for example, Visual InterDev. An attacker who successfully exploited this vulnerability could run code with IWAM_machinename account privileges on an affected system, or could cause FrontPage Server Extensions to fail. The second vulnerability is a Denial of Service vulnerability that exists in the SmartHTML interpreter. This functionality is made up of a variety of dynamic link library files, and exists to support certain types of dynamic web content. An attacker who successfully exploited this vulnerability could cause a server running FrontPage Server Extensions to temporarily stop responding to requests. 
No 
MS03-050 
Vulnerability in Microsoft Word and Microsoft Excel Could Allow Arbitrary Code to Run (831527)  A security vulnerability exists in Microsoft Excel that could allow malicious code execution. This vulnerability exists because of the method Excel uses to check the spreadsheet before reading the macro instructions. If successfully exploited, an attacker could craft a malicious file that could bypass the macro security model. If an affected spreadsheet was opened, this vulnerability could allow a malicious macro embedded in the file to be executed automatically, regardless of the level at which the macro security is set. The malicious macro could then take the same actions that the user had permissions to carry out, such as adding, changing or deleting data or files, communicating with a web site or formatting the hard drive. A security vulnerability exists in Microsoft Word that could allow malicious code execution. This vulnerability exists due to the way Word checks the length of a data value (macro names) embedded in a document. If a specially crafted document were to be opened, it could overflow a data value in Word and allow arbitrary code to be executed. If successfully exploited, an attacker could then take the same actions as the user had permissions to carry out, such as adding, changing or deleting data or files, communicating with a web site or formatting the hard drive. 
No 
MS03-049 
Buffer Overrun in the Workstation Service Could Allow Code Execution (828749)  A security vulnerability exists in the Workstation service that could allow remote code execution on an affected system. This vulnerability results because of an unchecked buffer in the Workstation service. If exploited, an attacker could gain System privileges on an affected system, or could cause the Workstation service to fail. An attacker could take any action on the system, including installing programs, viewing data, changing data, or deleting data, or creating new accounts with full privileges. 
Yes 
MS03-048 
Cumulative Security Update for Internet Explorer (824145)  This is a cumulative update that includes the functionality of all the previously-released updates for Internet Explorer 5.01, Internet Explorer 5.5, and Internet Explorer 6.0. 
Yes 
MS03-047 
Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting Attack (828489)  A cross-site scripting vulnerability results due to the way that Outlook Web Access (OWA) performs HTML encoding in the Compose New Message form. An attacker could seek to exploit this vulnerability by having a user run script on the attacker’s behalf. The script would execute in the security context of the user. If the script executes in the security context of the user, the attacker’s code could then execute by using the security settings of the OWA Web site (or of a Web site that is hosted on the same server as the OWA Web site) and could enable the attacker to access any data that belongs to the site where the user has access. To exploit this flaw through OWA, an attacker would have to send an e-mail message that has a specially-formed link to the user. The user would then have to click the link. To exploit this flaw in another way, an attacker would have to know the name of the user’s Exchange server and then entice the user to open a specially-formed link from another source while the user is logged on to OWA. 
Yes 
MS03-046 
Vulnerability in Exchange Server Could Allow Arbitrary Code Execution (822363)  In Exchange Server 5.5, a security vulnerability exists in the Internet Mail Service that could allow an attacker to connect to the SMTP port on an Exchange server. The attacker could then issue a specially-crafted extended verb request that could allocate a large amount of memory. This could shut down the Internet Mail Service or could cause the server to stop responding because of a low memory condition. In Exchange 2000 Server, a security vulnerability exists that could allow an attacker to connect to the SMTP port on an Exchange server and to issue a specially-crafted extended verb request. That request could cause a denial of service that is similar to the one that could occur for Exchange 5.5. Additionally, if an attacker issues the request with carefully chosen data, the attacker could cause a buffer overrun. A buffer overrun could allow an attacker to run malicious programs of their choice in the security context of the SMTP service. 
Partially Detectable 
MS03-045 
Buffer Overrun in the ListBox and in the ComboBox Control Could Allow Code Execution (824141)  A vulnerability results because the ListBox control and the ComboBox control both call a function, which is located in the User32.dll file, that contains a buffer overrun. The function does not correctly validate the parameters that are sent from a specially-crafted Windows message. Windows messages provide a way for interactive processes to react to user events (for example, keystrokes or mouse movements) and to communicate with other interactive processes. A security vulnerability exists because the function that provides the list of accessibility options to the user does not correctly validate Windows messages that are sent to it. One process in the interactive desktop could use a specific Windows message to cause the ListBox control or the ComboBox control to execute arbitrary code. Any program that implements the ListBox control or the ComboBox control could allow code to be executed at an elevated level of administrative credentials, as long as the program is running at an elevated level of privileges (for example, Utility Manager in Windows 2000). This could include third-party applications. An attacker who had the ability to log on to a system interactively could run a program that could send a specially-crafted Windows message to any applications that have implemented the ListBox control or the ComboBox control, causing the application to take any action an attacker specified. This could give an attacker complete control over the system by using Utility Manager in Windows 2000. 
Yes 
MS03-044 
Buffer Overrun in Windows Help and Support Center Could Lead to System Compromise (825119)  A security vulnerability exists in the Help and Support Center function which ships with Windows XP and Windows Server 2003. The affected code is also included in all other supported Windows operating systems, although no known attack vector has been identified at this time because the HCP protocol is not supported on those platforms. The vulnerability results because a file associated with the HCP protocol contains an unchecked buffer. An attacker could exploit the vulnerability by constructing a URL that, when clicked on by the user, could execute code of the attacker’s choice in the Local Computer security context. The URL could be hosted on a web page, or sent directly to the user in e-mail. In the web-based scenario, where a user then clicked on the URL hosted on a website, an attacker could have the ability to read or launch files already present on the local machine. 
Yes 
MS03-043 
Buffer Overrun in Messenger Service Could Allow Code Execution (828035)  A security vulnerability exists in the Messenger Service that could allow arbitrary code execution on an affected system. The flaw results because the Messenger Service does not properly validate the length of a message before passing it to the allocated buffer. An attacker who successfully exploited this vulnerability could run code with Local System privileges on an affected system, or could cause the Messenger Service to fail. The attacker could then take any action on the system, including installing programs, viewing, changing or deleting data, or creating new accounts with full privileges. Additionally, this patch also includes a fix to correct the issue described in Microsoft Knowledge Base article 330904, "Messenger Service Window That Contains an Internet Advertisement Appears". 
Yes 
MS03-042 
Buffer Overflow in Windows Troubleshooter ActiveX Control Could Allow Code Execution (826232)  A security vulnerability exists because the Microsoft Local Troubleshooter ActiveX control contains a buffer overflow that could allow an attacker to run code of their choice on a user’s system. Because this control is marked “safe for scripting”, an attacker could exploit this vulnerability by convincing a user to view a specially crafted HTML page that references this ActiveX control. The Microsoft Local Troubleshooter ActiveX control is installed as a default part of the operating system on Windows 2000. To exploit this flaw, the attacker would have to create a specially formed HTML-based e-mail and send it to the user. Alternatively, an attacker would have to host a malicious Web site that contained a Web page designed to exploit this vulnerability. In the worst case, this vulnerability could allow an attacker to load malicious code onto a user's system and then to execute the code. The code would run in the context of the user. Therefore, the code is limited to any action that the legitimate user could take on the system. Any limitations on the user's account would also limit the actions of any arbitrary code that the attacker could execute. 
Yes 
MS03-041 
Vulnerability in Authenticode Verification Could Allow Remote Code Execution (823182)  All versions of Microsoft Windows contain support for Authenticode technology. Authenticode provides code signing capabilities that identify the publisher of a Microsoft ActiveX control. Based on this information a user can make a determination whether or not to download and install the code. By default, Authenticode prompts a user prior to the installation of an ActiveX control. Authenticode prevents ActiveX controls from installing automatically on a user’s system by presenting the user with a dialogue requiring the user to confirm that they trust the publisher of a control and that they want to install the control on their system. Only when the user clicks Yes is the ActiveX control downloaded and installed on the user’s system. There is a flaw in Authenticode that, under certain low memory conditions, could allow an ActiveX control to download and install without presenting the user with the dialogue discussed above. To exploit this vulnerability, an attacker could create a specially formed HTML e-mail and send it to the user. If the user viewed the HTML e-mail, an unauthorized ActiveX control could be installed and executed on the user’s system. Alternatively, an attacker could host a malicious Web site that contained a Web page designed to exploit this vulnerability. If an attacker then persuaded a user to visit that site, an ActiveX control could be installed and executed on the user’s system. In both scenarios the flaw in Authenticode could allow an unauthorized ActiveX control to be installed and executed on the user’s system, with the same permissions as the user, without prompting the user for approval. 
Yes 
MS03-040 
Cumulative Patch for Internet Explorer (828750)  This is a cumulative patch that includes the functionality of all previously released patches for Internet Explorer 5.01, 5.5 and 6.0. In addition, it eliminates the following newly discovered vulnerabilities: A vulnerability that occurs because Internet Explorer does not properly determine an object type returned from a Web server in a popup window. It could be possible for an attacker who exploited this vulnerability to run arbitrary code on a user's system. If a user visited an attacker's Web site, it would be possible for the attacker to exploit this vulnerability without any other user action. An attacker could also craft an HTML-based e-mail that would attempt to exploit this vulnerability; A vulnerability that occurs because Internet Explorer does not properly determine an object type returned from a Web server during XML data binding. It could be possible for an attacker who exploited this vulnerability to run arbitrary code on a user's system. If a user visited an attacker's Web site, it would be possible for the attacker to exploit this vulnerability without any other user action. An attacker could also craft an HTML-based e-mail that would attempt to exploit this vulnerability. A change has been made to the method by which Internet Explorer handles Dynamic HTML (DHTML) Behaviors in the Internet Explorer Restricted Zone. It could be possible for an attacker exploiting a separate vulnerability to cause Internet Explorer to run script code in the security context of the Internet Zone. In addition, an attacker could use Windows Media Player’s (WMP) ability to open URLs in the context of the local computer zone from a separate zone to construct an attack. An attacker could also craft an HTML-based e-mail that could attempt to exploit this behavior. To exploit these flaws, the attacker would have to create a specially formed HTML-based e-mail and send it to the user. 
Alternatively an attacker would have to host a malicious Web site that contained a Web page designed to exploit these vulnerabilities. The attacker would then have to persuade a user to visit that site. 
Yes 
MS03-039 
Buffer Overrun In RPCSS Service Could Allow Code Execution (824146)  The fix provided by this patch supersedes the one included in Microsoft Security Bulletin MS03-026. Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly access services on another computer. The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol, but with the addition of some Microsoft-specific extensions. There are three identified vulnerabilities in the part of the RPCSS Service that deals with RPC messages for DCOM activation: two that could allow arbitrary code execution and one that could result in a denial of service. The flaws result from incorrect handling of malformed messages. These particular vulnerabilities affect the Distributed Component Object Model (DCOM) interface within the RPCSS Service. This interface handles DCOM object activation requests that are sent from one machine to another. An attacker who successfully exploited these vulnerabilities could run code with Local System privileges on an affected system, or could cause the RPCSS Service to fail. The attacker could then take any action on the system, including installing programs, viewing, changing or deleting data, or creating new accounts with full privileges. To exploit these vulnerabilities, an attacker could create a program to send a malformed RPC message to a vulnerable system targeting the RPCSS Service. Microsoft has released a tool that can be used to scan a network for the presence of systems which have not had the MS03-039 patch installed. More details on this tool are available in Microsoft Knowledge Base article 827363. This tool supersedes the one provided in Microsoft Knowledge Base article 826369. 
If the tool provided in Microsoft Knowledge Base article 826369 is used against a system which has installed the security patch provided with this bulletin, the superseded tool will incorrectly report that the system is missing the patch provided in MS03-026. Microsoft encourages customers to run the latest version of the tool available in Microsoft Knowledge Base article 827363 to determine if their systems are patched. 
Yes 
MS03-038 
Unchecked Buffer in Microsoft Access Snapshot Viewer Could Allow Code Execution (827104)  With Microsoft Access Snapshot Viewer, you can distribute a snapshot of a Microsoft Access database that allows the snapshot to be viewed without having Access installed. For example, a customer may want to send a supplier an invoice that is generated by using an Access database. With Microsoft Access Snapshot Viewer, the customer can package the database so that the supplier can view it and print it without having Access installed. By default, the Microsoft Access Snapshot Viewer is installed with all versions of Access and is also available as a separate stand-alone download. The Snapshot Viewer is implemented by using an ActiveX control. A vulnerability exists because of a flaw in the way that Snapshot Viewer validates parameters. Because the parameters are not correctly checked, a buffer overrun can occur, which could allow an attacker to execute the code of their choice in the security context of the logged-on user. For an attack to be successful, an attacker would have to persuade a user to visit a malicious Web site that is under the attacker’s control. 
No 
MS03-037 
Flaw in Visual Basic for Applications Could Allow Arbitrary Code Execution (822715)  Microsoft VBA is a development technology for developing client desktop packaged applications and integrating them with existing data and systems. Microsoft VBA is based on the Microsoft Visual Basic development system. Microsoft Office products include VBA and make use of VBA to perform certain functions. VBA can also be used to build customized applications based around an existing host application. A flaw exists in the way VBA checks document properties passed to it when a document is opened by the host application. A buffer overrun exists which, if exploited successfully, could allow an attacker to execute code of their choice in the context of the logged-on user. In order for an attack to be successful, a user would have to open a specially crafted document sent to them by an attacker. This document could be any type of document that supports VBA, such as a Word document, Excel spreadsheet or PowerPoint presentation. In the case where Microsoft Word is being used as the HTML e-mail editor for Microsoft Outlook, this document could be an e-mail; however, the user would need to reply to, or forward, the mail message in order for the vulnerability to be exploited. 
No 
MS03-036 
Buffer Overrun in WordPerfect Converter Could Allow Code Execution (827103)  Microsoft Office provides a number of converters that allow users to import and to edit files that use formats that are not native to Office. These converters are available as part of the default installation of Office and are also available separately in the Microsoft Office Converter Pack. These converters can be useful to organizations that use Office in a mixed environment with earlier versions of Office and other applications, including Office for the Macintosh and third-party productivity applications. There is a flaw in the way that the Microsoft WordPerfect converter handles Corel (R) WordPerfect documents. A security vulnerability results because the converter does not correctly validate certain parameters when it opens a WordPerfect document, which results in an unchecked buffer. As a result, an attacker could craft a malicious WordPerfect document that could allow code of their choice to be executed if an application that uses the WordPerfect converter opened the document. Microsoft Word and Microsoft PowerPoint (which are part of the Office suite), FrontPage (which is available as part of the Office suite or separately), Publisher, and Microsoft Works Suite can all use the Microsoft Office WordPerfect converter. The vulnerability could only be exploited by an attacker who persuaded a user to open a malicious WordPerfect document—there is no way for an attacker to force a malicious document to be opened or to trigger an attack automatically by sending an e-mail message. 
No 
MS03-035 
Flaw in Microsoft Word Could Enable Macros to Run Automatically (827653)  A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Microsoft Word supports the use of macros to allow the automation of commonly performed tasks. Since macros are executable code it is possible to misuse them, so Microsoft Word has a security model designed to validate whether a macro should be allowed to execute depending on the level of macro security the user has chosen. A vulnerability exists because it is possible for an attacker to craft a malicious document that will bypass the macro security model. If the document was opened, this flaw could allow a malicious macro embedded in the document to be executed automatically, regardless of the level at which macro security is set. The malicious macro could take the same actions that the user had permissions to carry out, such as adding, changing or deleting data or files, communicating with a web site or formatting the hard drive. The vulnerability could only be exploited by an attacker who persuaded a user to open a malicious document - there is no way for an attacker to force a malicious document to be opened. 
No 
MS03-034 
Flaw in NetBIOS Could Lead to Information Disclosure (824105)  Network basic input/output system (NetBIOS) is an application programming interface (API) that can be used by programs on a local area network (LAN). NetBIOS provides programs with a uniform set of commands for requesting the lower-level services required to manage names, conduct sessions, and send datagrams between nodes on a network. This vulnerability involves one of the NetBT (NetBIOS over TCP) services, namely, the NetBIOS Name Service (NBNS). NBNS is analogous to DNS in the TCP/IP world and it provides a way to find a system’s IP address given its NetBIOS name, or vice versa. Under certain conditions, the response to a NetBT Name Service query may, in addition to the typical reply, contain random data from the target system’s memory. This data could, for example, be a piece of HTML if the user on the target system was using an Internet browser, or it could contain other types of data that exist in memory at the time that the target system responds to the NetBT Name Service query. An attacker could seek to exploit this vulnerability by sending a NetBT Name Service query to the target system and then by examining the response to see if it includes any random data from that system’s memory. If best security practices have been followed, and UDP port 137 has been blocked at the firewall, Internet-based attacks would not be possible. 
Yes 
MS03-033 
Unchecked Buffer in MDAC Function Could Enable System Compromise (823718)  Microsoft Data Access Components (MDAC) is a collection of components that are used to provide database connectivity on Windows platforms. MDAC is a ubiquitous technology, and it is likely to be present on most Windows systems: by default, MDAC is included as part of Microsoft Windows XP, Windows 2000, Windows Millennium Edition, and Windows Server 2003. MDAC is available for download as a stand-alone technology. MDAC is either included in or installed by a number of other products and technologies. For example, MDAC is included in the Microsoft Windows NT® 4.0 Option Pack and in Microsoft SQL Server 2000. Additionally, some MDAC components are present as part of Microsoft Internet Explorer even when MDAC itself is not installed. MDAC provides the underlying functionality for a number of database operations, such as connecting to remote databases and returning data to a client. When a client system on a network tries to see a list of computers that are running SQL Server and that reside on the network, it sends a broadcast request to all the devices that are on the network. Due to a flaw in a specific MDAC component, an attacker could respond with a specially crafted packet that could cause a buffer overflow. An attacker who successfully exploited this flaw could gain the same level of privileges over the system as the application that initiated the broadcast request. The actions an attacker could carry out would be dependent on the permissions which the application using MDAC ran under. If the application ran with limited privileges, an attacker would be limited accordingly; however, if the application runs under the local system context, the attacker would have the same level of permissions. This could include creating, modifying, or deleting data on the system, or reconfiguring the system. 
This could also include reformatting the hard disk or running programs of the attacker’s choice. This bulletin supersedes the patch discussed in MS02-040. Customers should install this patch, as it contains the fix for the vulnerability discussed in bulletin MS02-040 as well as the fix for the vulnerability discussed in this bulletin. 
Yes 
MS03-032 
Cumulative Patch for Internet Explorer (822925)  This is a cumulative patch that includes the functionality of all previously released patches for Internet Explorer 5.01, 5.5 and 6.0. In addition, it eliminates the following newly discovered vulnerabilities: A vulnerability involving the cross-domain security model of Internet Explorer, which keeps windows of different domains from sharing information. This flaw could result in the execution of script in the My Computer zone. To exploit this flaw, an attacker would have to host a malicious Web site that contained a Web page designed to exploit this particular vulnerability and then persuade a user to visit that site. After the user has visited the malicious Web site, it would be possible for the attacker to run malicious script by misusing the method Internet Explorer uses to retrieve files from the browser cache, and cause that script to access information in a different domain. In the worst case, this could enable the Web site operator to load malicious script code onto a user's system in the security context of the My Computer zone. In addition, this flaw could also enable an attacker to run an executable file that was already present on the local system or view files on the computer. The flaw exists because a file from the Internet or intranet with a maliciously constructed URL can appear in the browser cache running in the My Computer zone. A vulnerability that occurs because Internet Explorer does not properly determine an object type returned from a Web server. It could be possible for an attacker who exploited this vulnerability to run arbitrary code on a user's system. If a user visited an attacker's Web site, it would be possible for the attacker to exploit this vulnerability without any other user action. An attacker could also craft an HTML-based e-mail that would attempt to exploit this vulnerability. This patch also sets the Kill Bit on the BR549.DLL ActiveX control. 
This control implemented support for the Windows Reporting Tool, which is no longer supported by Internet Explorer. The control has been found to contain a security vulnerability. To protect customers who have this control installed, the patch prevents the control from running or from being reintroduced onto users' systems by setting the Kill Bit for this control. This issue is discussed further in Microsoft Knowledge Base article 822925. In addition to these vulnerabilities, a change has been made to the way Internet Explorer renders HTML files. This change addresses a flaw in the way Internet Explorer renders Web pages that could cause the browser or Outlook Express to fail. Internet Explorer does not properly render an input type tag. A user visiting an attacker's Web site could allow the attacker to exploit the vulnerability by viewing the site. In addition, an attacker could craft a specially formed HTML-based e-mail that could cause Outlook Express to fail when the e-mail was opened or previewed. This patch also contains a modification to the fix for the Object Type vulnerability (CAN-2003-0344) corrected in Microsoft Security Bulletin MS03-020. The modification corrects the behavior of the fix to prevent the attack on specific languages. To exploit these flaws, the attacker would have to create a specially formed HTML-based e-mail and send it to the user. Alternatively, an attacker would have to host a malicious Web site that contained a Web page designed to exploit these vulnerabilities. The attacker would then have to persuade a user to visit that site. 
Yes 
MS03-031 
Cumulative Patch for Microsoft SQL Server (815495)  This is a cumulative patch that includes the functionality of all previously released patches for SQL Server 7.0, SQL Server 2000, Microsoft Data Engine (MSDE) 1.0, and Microsoft SQL Server Desktop Engine (MSDE 2000). In addition, it eliminates three newly discovered vulnerabilities. Named Pipe Hijacking: Upon system startup, SQL Server creates and listens on a specific named pipe for incoming connections to the server. A named pipe is a specifically named one-way or two-way channel for communication between a pipe server and one or more pipe clients. The SQL Server named pipe is checked for verification of which connection attempts to the pipe can log into the SQL Server to execute queries against data stored on the server. A flaw exists in the checking method for the named pipe that could allow an attacker local to the SQL Server system to "hijack" control of the named pipe during another client's authenticated login. This would allow the attacker to gain control of the named pipe at the same privilege level as the user attempting to connect. If the user connecting remotely has higher access rights than the attacker, the attacker will assume those rights when the named pipe is compromised. Named Pipe Denial of Service: In the same named pipes scenario that is mentioned above, it is possible for an unauthenticated user, local to the intranet, to send a very large packet to a specific named pipe that the SQL Server is listening on and cause it to become unresponsive. This vulnerability would not allow an attacker to run arbitrary code or elevate their permissions; however, it may still be possible for a denial of service condition to exist which would require that the server be rebooted in order to restore functionality. 
SQL Server Buffer Overrun: A flaw exists in a specific Windows function that may allow an authenticated user, with direct access to log onto the SQL Server, the ability to create a specially crafted packet that, when sent to the listening LPC port of the system, could cause a buffer overrun. If successfully exploited, this could allow a user with limited privileges on the system to elevate themselves to the level of the SQL Server service account, or cause arbitrary code to run. 
Yes 
MS03-030 
Unchecked Buffer in DirectX Could Enable System Compromise (819696)  DirectX consists of a set of low-level Application Programming Interfaces (APIs) that are used by Windows programs for multimedia support. Within DirectX, the DirectShow technology performs client-side audio and video sourcing, manipulation, and rendering. There are two buffer overruns with identical effects in the function used by DirectShow to check parameters in a Musical Instrument Digital Interface (MIDI) file. A security vulnerability results because it would be possible for a malicious user to attempt to exploit these flaws and execute code in the security context of the logged-on user. An attacker could seek to exploit this vulnerability by creating a specially crafted MIDI file designed to exploit this vulnerability and then host it on a Web site or on a network share, or send it by using an HTML-based e-mail. In the case where the file was hosted on a Web site or network share, the user would need to open the specially crafted file. If the file was embedded in a page the vulnerability could be exploited when a user visited the Web page. In the HTML-based e-mail case, the vulnerability could be exploited when a user opened or previewed the HTML-based e-mail. A successful attack could cause DirectShow, or an application making use of DirectShow, to fail. A successful attack could also cause an attacker's code to run on the user's computer in the security context of the user. 
No 
MS03-029 
Flaw in Windows Function Could Allow Denial of Service (823803)  Subsequent to issuing this security bulletin, Microsoft identified a problem with the security patch which specifically affects systems which have the Remote Access Service (RAS) enabled on them. This causes RAS to fail when the system is rebooted after applying the patch. It does not affect other non-RAS functions, nor is there a problem with the actual fix for the security vulnerability itself. Microsoft has developed a fix for this issue and is re-releasing this bulletin to reflect the new updated patch. A flaw exists in a Windows NT 4.0 Server file management function that can cause a denial of service vulnerability. The flaw results because the affected function can cause memory that it does not own to be freed when a specially crafted request is passed to it. If the application making the request to the function does not carry out any user input validation and allows the specially crafted request to be passed to the function, the function may free memory that it does not own. As a result, the application passing the request could fail. By default, the affected function is not accessible remotely, however applications installed on the operating system that are available remotely may make use of the affected function. Application servers or Web servers are two such applications that may access the function. Note that Internet Information Server 4.0 (IIS 4.0) does not, by default, make use of the affected function. 
Yes 
MS03-028 
Flaw in ISA Server Error Pages Could Allow Cross-Site Scripting Attack (816456)  ISA Server contains a number of HTML-based error pages that allow the server to respond to a client requesting a Web resource with a customized error. A cross-site scripting vulnerability exists in many of these error pages that are returned by ISA Server under specific error conditions. To exploit this flaw, an attacker would have to first be aware of a specific ISA server and its access policies or host an ISA server of their own and create specific access policies designed to exploit this vulnerability. The attacker could then craft a request to trigger a page refusal. Once the attack was crafted, the attacker would have to host a Web site containing the link, or send the link to the user in the form of an HTML e-mail. After the user previewed or opened the e-mail, the malicious site could be visited automatically without further user interaction. In the Web-based attack scenario, an attacker would have no way to force a user to visit the Web site. 
No 
MS03-027 
Unchecked Buffer in Windows Shell Could Enable System Compromise (821557)  The Windows shell is responsible for providing the basic framework of the Windows user interface experience. It is most familiar to users as the Windows desktop. It also provides a variety of other functions to help define the user's computing session, including organizing files and folders, and providing the means to start programs. An unchecked buffer exists in one of the functions used by the Windows shell to extract custom attribute information from certain folders. A security vulnerability results because it is possible for a malicious user to construct an attack that could exploit this flaw and execute code on the user’s system. An attacker could seek to exploit this vulnerability by creating a Desktop.ini file that contains a corrupt custom attribute, and then host it on a network share. If a user were to browse the shared folder where the file was stored, the vulnerability could then be exploited. A successful attack could have the effect of either causing the Windows shell to fail, or causing an attacker’s code to run on the user’s computer in the security context of the user. 
Yes 
MS03-026 
Buffer Overrun In RPC Interface Could Allow Code Execution (823980)  Microsoft originally released this bulletin and patch on July 16, 2003 to correct a security vulnerability in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface. The patch was and still is effective in eliminating the security vulnerability. However, the “mitigating factors” and “workarounds” discussions in the original security bulletin did not clearly identify all of the ports by which the vulnerability could potentially be exploited. We have updated this bulletin to more clearly enumerate the ports over which RPC services can be invoked, and to ensure that customers who have chosen to implement a workaround before installing the patch have the information that they need to protect their systems. Customers who have already installed the patch are protected from attempts to exploit this vulnerability, and need take no further action. In addition, the bulletin has also been updated to include information about Windows 2000 Service Pack 2 support for this patch. Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly execute code on a remote system. The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol, but with the addition of some Microsoft specific extensions. There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results because of incorrect handling of malformed messages. This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on RPC enabled ports. This interface handles DCOM object activation requests that are sent by client machines to the server. An attacker who successfully exploited this vulnerability would be able to run code with Local System privileges on an affected system. 
The attacker would be able to take any action on the system, including installing programs, viewing changing or deleting data, or creating new accounts with full privileges. To exploit this vulnerability, an attacker would need to send a specially formed request to the remote computer on specific RPC ports.  
Yes 
MS03-025 
Flaw in Windows Message Handling through Utility Manager Could Enable Privilege Elevation (822679)  Microsoft Windows 2000 contains support for Accessibility options within the operating system. Accessibility support is a series of assistive technologies within Windows that allow users with disabilities to still be able to access the functions of the operating system. Accessibility support is enabled or disabled through shortcuts built into the operating system, or through the Accessibility Utility Manager. Utility Manager is an accessibility utility that allows users to check the status of accessibility programs (Microsoft Magnifier, Narrator, On-Screen Keyboard) and to start or stop them. There is a flaw in the way that Utility Manager handles Windows messages. Windows messages provide a way for interactive processes to react to user events (for example, keystrokes or mouse movements) and communicate with other interactive processes. A security vulnerability results because the control that provides the list of accessibility options to the user does not properly validate Windows messages sent to it. It is possible for one process in the interactive desktop to use a specific Windows message to cause the Utility Manager process to execute a callback function at the address of its choice. Because the Utility Manager process runs at higher privileges than the first process, this would provide the first process with a way of exercising those higher privileges. By default, the Utility Manager contains controls that run in the interactive desktop with Local System privileges. As a result, an attacker who had the ability to log on to a system interactively could potentially run a program that could send a specially crafted Windows message to the Utility Manager process, causing it to take any action the attacker specified. This would give the attacker complete control over the system. 
The attack cannot be exploited remotely, and the attacker would have to have the ability to interactively log on to the system. 
Yes 
MS03-024 
Buffer Overrun in Windows Could Lead to Data Corruption (817606)  Server Message Block (SMB) is the Internet Standard protocol that Windows uses to share files, printers, and serial ports, and to communicate between computers using named pipes and mail slots. In a networked environment, servers make file systems and resources available to clients. Clients make SMB requests for resources, and servers make SMB responses in what is described as a client-server request-response protocol. A flaw exists in the way that the server validates the parameters of an SMB packet. When a client system sends an SMB packet to the server system, it includes specific parameters that provide the server with a set of "instructions." In this case, the server is not properly validating the buffer length established by the packet. If the client specifies a buffer length that is less than what is needed, it can cause the buffer to be overrun. 
Yes 
MS03-023 
Buffer Overrun In HTML Converter Could Allow Code Execution (823559)  All versions of Microsoft Windows contain support for file conversion within the operating system. This functionality allows users of Microsoft Windows to convert file formats from one to another. In particular, Microsoft Windows contains support for HTML conversion within the operating system. This functionality allows users to view, import, or save files as HTML. There is a flaw in the way the HTML converter for Microsoft Windows handles a conversion request during a cut and paste operation. This flaw causes a security vulnerability to exist. A specially crafted request to the HTML converter could cause the converter to fail in such a way that it could execute code in the context of the currently logged in user. Since this functionality is used by Internet Explorer, an attacker could craft a specially formed web page or HTML email that would cause the HTML converter to run arbitrary code on a user's system. A user simply visiting an attacker’s website could allow the attacker to exploit the vulnerability without any other user action. In order to exploit this vulnerability, the attacker would have to create a specially-formed HTML email and send it to the user. Alternatively, an attacker would have to host a malicious web site that contained a web page designed to exploit these vulnerabilities. The attacker would then have to persuade a user to visit that site. 
Partially Detectable 
MS03-022 
Flaw in ISAPI Extension for Windows Media Services Could Cause Code Execution (822343)  Microsoft Windows Media Services is a feature of Microsoft Windows 2000 Server, Advanced Server, and Datacenter Server and is also available in a downloadable version for Windows NT 4.0 Server. Windows Media Services contains support for a method of delivering media content to clients across a network known as multicast streaming. In multicast streaming, the server has no connection to or knowledge of the clients that may be receiving the stream of media content coming from the server. To facilitate logging of client information for the server, Windows 2000 includes a capability specifically designed to enable logging for multicast transmissions. This logging capability is implemented as an Internet Services Application Programming Interface (ISAPI) extension, nsiislog.dll. When Windows Media Services are added through Add/Remove Programs to Windows 2000, nsiislog.dll is installed in the Internet Information Services (IIS) Scripts directory on the server. Once Windows Media Services is installed, nsiislog.dll is automatically loaded and used by IIS. There is a flaw in the way nsiislog.dll processes incoming client requests. A vulnerability exists because an attacker could send a specially formed HTTP request (communications) to the server that could cause IIS to fail or execute code on the user's system. Windows Media Services is not installed by default on Windows 2000. An attacker attempting to exploit this vulnerability would have to be aware which computers on the network had Windows Media Services installed on them and send a specific request to that server. 
Yes 
MS03-021 
Flaw In Windows Media Player May Allow Media Library Access (819639)  An ActiveX control included with Windows Media Player 9 Series allows Web page authors to create Web pages that can play media and provide a user interface by which the user can control playback. When a user visits a Web page with embedded media, the ActiveX control provides a user interface that allows the user to take such actions as pausing or rewinding the media. A flaw exists in the way in which the ActiveX control provides access to information on the user’s computer. A vulnerability exists because an attacker could invoke the ActiveX control from script code, which would allow the attacker to view and manipulate metadata contained in the media library on the user’s computer. To exploit this flaw, an attacker would have to host a malicious Web site that contained a Web page designed to exploit this vulnerability, and then persuade a user to visit that site—an attacker would have no way to force a user to the site. An attacker could also embed a link to the malicious site in an HTML e-mail and send it to the user. After the user previewed or opened the e-mail, the malicious site could be visited automatically without further user interaction. The attacker would only have access to manipulate the media library on the user’s computer. The attacker would not be able to browse the user’s hard disk and would not have access to passwords or encrypted data. The attacker would not be able to modify files on the user’s hard disk, but could modify the contents of any Media Library entries associated with those files. The attacker might also be able to determine the user name of the logged-on user by examining the directory paths to media files. 
Yes 
MS03-020 
Cumulative Patch for Internet Explorer (818529)  This is a cumulative patch that includes the functionality of all previously released patches for Internet Explorer 5.01, 5.5 and 6.0. In addition, it eliminates two newly discovered vulnerabilities: A buffer overrun vulnerability that occurs because Internet Explorer does not properly determine an object type returned from a web server. It could be possible for an attacker to exploit this vulnerability to run arbitrary code on a user's system. If a user visited an attacker’s website, it would be possible for the attacker to exploit this vulnerability without any other user action. An attacker could also craft an HTML email that attempted to exploit this vulnerability. A flaw that results because IE does not implement an appropriate block on a file download dialog box. It could be possible for an attacker to exploit this vulnerability to run arbitrary code on a user's system. If a user simply visited an attacker’s website, it would be possible for the attacker to exploit this vulnerability without any other user action. An attacker could also craft an HTML email that attempted to exploit this vulnerability. In order to exploit these flaws, the attacker would have to create a specially formed HTML email and send it to the user. Alternatively an attacker would have to host a malicious web site that contained a web page designed to exploit this particular vulnerability. The attacker would then have to persuade a user to visit that site. As with the previous Internet Explorer cumulative patches released with bulletins MS03-004 and MS03-015, this cumulative patch will cause window.showHelp( ) to cease to function if you have not applied the HTML Help update. If you have installed the updated HTML Help control from Knowledge Base article 811630, you will still be able to use HTML Help functionality after applying this patch. 
Yes 
MS03-019 
Flaw in ISAPI extension for Windows Media Services could cause denial of service (817772)  Microsoft Windows Media Services is a feature of Microsoft Windows 2000 Server, Advanced Server, and Datacenter Server and is also available as a downloadable version for Windows NT 4.0 Server. Windows Media Services contains support for a method of delivering media content to clients across a network known as multicast streaming. In multicast streaming, however, there is no direct communication between the server and the users that can be logged by the server. To help with this problem, Windows 2000 includes logging capabilities for multicast and unicast transmissions. This capability is implemented as an Internet Services Application Programming Interface (ISAPI) extension, nsiislog.dll. When Windows Media Services are installed in Windows NT 4.0 Server or added through Add/Remove Programs to Windows 2000, nsiislog.dll is installed to the Internet Information Services (IIS) Scripts directory on the server. There is a flaw in the way in which nsiislog.dll processes incoming requests. A vulnerability exists because an attacker could send specially formed communications to the server that could cause IIS to stop responding to Internet requests. Windows Media Services is not installed by default on Windows 2000, and must be downloaded to install on Windows NT 4.0. An attacker attempting to exploit this vulnerability would have to be aware which computers on the network had Windows Media Services installed on them and send a specific request to that server. The denial of service would only affect IIS; other services on the server would remain unaffected. 
Partially Detectable 
MS03-018 
Cumulative Patch for Internet Information Service (811114)  This patch is a cumulative patch that includes the functionality of all security patches released for IIS 4.0 since Windows NT 4.0 Service Pack 6a, and all security patches released to date for IIS 5.0 since Windows 2000 Service Pack 2 and IIS 5.1. A complete listing of the patches superseded by this patch is provided in the bulletin's section titled "Additional information about this patch". In addition to all previously released security patches, this patch also includes fixes for the following newly discovered security vulnerabilities affecting IIS 4.0, 5.0 and 5.1: A Cross-Site Scripting (CSS) vulnerability affecting IIS 4.0, 5.0 and 5.1 involving the error message that is returned to advise that a requested URL has been redirected. An attacker who was able to lure a user into clicking a link on his or her web site could relay a request containing script to a third-party web site running IIS, thereby causing the third-party site's response (still including the script) to be sent to the user. The script would then render using the security settings of the third-party site rather than the attacker's. A buffer overrun that results because IIS 5.0 does not correctly validate requests for certain types of web pages known as server side includes. An attacker would need the ability to upload a server-side include page to a vulnerable IIS server. If the attacker then requested this page, a buffer overrun could result, which would allow the attacker to execute code of their choice on the server with user-level permissions. A denial of service vulnerability that results because of a flaw in the way IIS 4.0 and 5.0 allocate memory requests when constructing headers to be returned to a web client. An attacker would need the ability to upload an ASP page to a vulnerable IIS server. This ASP page, when called by the attacker, would attempt to return an extremely large header to the calling web client. 
Because IIS does not limit the amount of memory that can be used in this case, this could cause IIS to fail as a result of running out of local memory. A denial of service vulnerability that results because IIS 5.0 and 5.1 do not correctly handle an error condition when an overly long WebDAV request is passed to them. As a result, an attacker could cause IIS to fail; however, both IIS 5.0 and 5.1 will by default restart immediately after this failure. 
Yes 
MS03-017 
Flaw in Windows Media Player Skins Downloading Could Allow Code Execution (817787)  Microsoft Windows Media Player provides functionality to change the overall appearance of the player itself through the use of skins. Skins are custom overlays that consist of collections of one or more files of computer art, organized by an XML file. The XML file tells Windows Media Player how to use these files to display a skin as the user interface. In this manner, the user can choose from a variety of standard skins, each one providing an additional visual experience. Windows Media Player comes with several skins to choose from, but it is relatively easy to create and distribute custom skins. A flaw exists in the way Windows Media Player 7.1 and Windows Media Player for Windows XP handle the download of skin files. The flaw means that an attacker could force a file masquerading as a skin file into a known location on a user’s machine. This could allow an attacker to place and then launch a malicious executable on the system.  
Yes 
MS03-016 
Cumulative Patch for BizTalk Server (815206)  Microsoft BizTalk Server is an Enterprise Integration product that allows organizations to integrate applications, trading partners and business processes. BizTalk is used in intranet environments to transfer business documents between different back-end systems, as well as in extranet environments to exchange structured messages with trading partners. This patch addresses two newly reported vulnerabilities in BizTalk Server. The first vulnerability affects Microsoft BizTalk Server 2002 only. BizTalk Server 2002 provides the ability to exchange documents using the HTTP format. A buffer overrun exists in the component used to receive HTTP documents (the HTTP receiver) and could result in an attacker being able to execute code of their choice on the BizTalk Server. The second vulnerability affects both Microsoft BizTalk Server 2000 and BizTalk Server 2002. BizTalk Server provides the ability for administrators to manage documents via a Document Tracking and Administration (DTA) web interface. A SQL Injection vulnerability exists in some of the pages used by DTA that could allow an attacker to send a crafted URL query string to a legitimate DTA user. If that user were to then navigate to the URL sent by the attacker, he or she could execute a malicious embedded SQL statement in the query string. 
Partially Detectable 
MS03-015 
Cumulative Patch for Internet Explorer (813489)  This is a cumulative patch that includes the functionality of all previously released patches for Internet Explorer 5.01, 5.5 and 6.0. In addition, it eliminates the following four newly discovered vulnerabilities: A buffer overrun vulnerability in URLMON.DLL that occurs because Internet Explorer does not correctly check the parameters of information being received from a web server. It could be possible for an attacker to exploit this vulnerability to run arbitrary code on a user's system. A user simply visiting an attacker’s website could allow the attacker to exploit the vulnerability without any other user action. A vulnerability in the Internet Explorer file upload control that allows input from a script to be passed to the upload control. This vulnerability could allow an attacker to supply a file name to the file upload control and automatically upload a file from the user’s system to a web server. A flaw in the way Internet Explorer handles the rendering of third party files. The vulnerability results because the Internet Explorer method for rendering third party file types does not properly check parameters passed to it. An attacker could create a specially formed URL that would inject script during the rendering of a third party file format and cause the script to execute in the security context of the user. A flaw in the way modal dialogs are treated by Internet Explorer that occurs because an input parameter is not properly checked. This flaw could allow an attacker to use an injected script to provide access to files stored on a user’s computer. Although a user who visited the attacker’s website could allow the attacker to exploit the vulnerability without any other user action, an attacker would have no way to force the user to visit the website. 
In addition to eliminating the above vulnerabilities, this patch also includes a fix for Internet Explorer 6.0 SP1 that corrects the method by which Internet Explorer displays help information in the local computer zone. While we are not aware of a method to exploit this vulnerability by itself, if it were possible to exploit it, it could allow an attacker to read local files on a visiting user’s system. This patch also sets the Kill Bit on the Plugin.ocx ActiveX control which has a security vulnerability. This killbit has been set in order to ensure that the vulnerable control cannot be reintroduced onto users’ systems and to ensure that users who already have the vulnerable control on their system are protected. This issue is discussed further in Microsoft Knowledge Base Article 813489. 
Yes 
MS03-014 
Cumulative Patch for Outlook Express (330994)  MHTML stands for MIME Encapsulation of Aggregate HTML. MHTML is an Internet standard that defines the MIME (Multipurpose Internet Mail Extensions) structure used to send HTML content in e-mail message bodies. The MHTML URL Handler in Windows is part of Outlook Express and provides a URL type that can be used on the local machine. This URL type (MHTML://) allows MHTML documents to be launched from a command line, from Start/Run, using Windows Explorer or from within Internet Explorer. A vulnerability exists in the MHTML URL Handler that allows any file that can be rendered as text to be opened and rendered as part of a page in Internet Explorer. As a result, it would be possible to construct a URL that referred to a text file that was stored on the local computer and have that file render as HTML. If the text file contained script, that script would execute when the file was accessed. Since the file would reside on the local computer, it would be rendered in the Local Computer Security Zone. Files that are opened within the Local Computer Zone are subject to fewer restrictions than files opened in other security zones.  
No 
MS03-013 
Buffer Overrun in Windows Kernel Message Handling could Lead to Elevated Privileges (811493)  The Windows kernel is the core of the operating system. It provides system level services such as device and memory management, allocates processor time to processes and manages error handling. There is a flaw in the way the kernel passes error messages to a debugger. A vulnerability results because an attacker could write a program to exploit this flaw and run code of their choice. An attacker could exploit this vulnerability to take any action on the system including deleting data, adding accounts with administrative access, or reconfiguring the system. For an attack to be successful, an attacker would need to be able to log on interactively to the system, either at the console or through a terminal session. Also, a successful attack would require the introduction of code in order to exploit this vulnerability. Because best practice recommends restricting the ability to log on interactively on servers, this issue most directly affects client systems and terminal servers. 
Yes 
MS03-012 
Flaw In Winsock Proxy Service And ISA Firewall Service Can Cause Denial Of Service (331066)  There is a flaw in the Winsock Proxy service in Microsoft Proxy Server 2.0, and the Microsoft Firewall service in ISA Server 2000, that would allow an attacker on the internal network to send a specially crafted packet that would cause the server to stop responding to internal and external requests. Receipt of such a packet would cause CPU utilization on the server to reach 100%, and thus make the server unresponsive. The Winsock Proxy service and Microsoft Firewall service work with FTP, telnet, mail, news, Internet Relay Chat (IRC), or other client applications that are compatible with Windows Sockets (Winsock). These services allow these applications to perform as if they were directly connected to the Internet. These services redirect the necessary communications functions to a Proxy Server 2.0 or ISA Server computer, thus establishing a communication path from the internal application to the Internet through it. 
No 
MS03-011 
Flaw in Microsoft VM Could Enable System Compromise (816093)  The Microsoft VM is a virtual machine for the Win32® operating environment. The Microsoft VM is shipped in most versions of Windows (a complete list is available in the FAQ), as well as in most versions of Internet Explorer. The present Microsoft VM, which includes all previously released fixes to the VM, has been updated to include a fix for the newly reported security vulnerability. This new security vulnerability affects the ByteCode Verifier component of the Microsoft VM, and results because the ByteCode Verifier does not correctly check for the presence of certain malicious code when a Java applet is being loaded. The attack vector for this new security issue would likely involve an attacker creating a malicious Java applet and inserting it into a web page that, when opened, would exploit the vulnerability. An attacker could then host this malicious web page on a web site, or could send it to a user in e-mail. 
Yes 
MS03-010 
Flaw in RPC Endpoint Mapper Could Allow Denial of Service Attacks (331953)  Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly execute code on a remote system. The protocol itself is derived from the OSF (Open Software Foundation) RPC protocol, but with the addition of some Microsoft specific extensions. There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results because of incorrect handling of malformed messages. This particular vulnerability affects the RPC Endpoint Mapper process, which listens on TCP/IP port 135. The RPC endpoint mapper allows RPC clients to determine the port number currently assigned to a particular RPC service. To exploit this vulnerability, an attacker would need to establish a TCP/IP connection to the Endpoint Mapper process on a remote machine. Once the connection was established, the attacker would begin the RPC connection negotiation before transmitting a malformed message. At this point, the process on the remote machine would fail. The RPC Endpoint Mapper process is responsible for maintaining the connection information for all of the processes on that machine using RPC. Because the Endpoint Mapper runs within the RPC service itself, exploiting this vulnerability would cause the RPC service to fail, with the attendant loss of any RPC-based services the server offers, as well as potential loss of some COM functions. Microsoft has provided patches with this bulletin to correct this vulnerability for Windows 2000 and Windows XP. Although Windows NT 4.0 is affected by this vulnerability, Microsoft is unable to provide a patch for this vulnerability for Windows NT 4.0. The architectural limitations of Windows NT 4.0 do not support the changes that would be required to remove this vulnerability. 
Windows NT 4.0 users are strongly encouraged to employ the workaround discussed in the FAQ below, which is to protect the NT 4.0 system with a firewall that blocks Port 135. 
Partially Detectable 
MS03-009 
Flaw in ISA Server DNS intrusion detection filter can cause Denial of Service (331065)  Microsoft Internet Security and Acceleration (ISA) Server 2000 contains the ability to apply application filters to incoming traffic. Application filters allow ISA Server to analyze a data stream for a particular application and provide application-specific processing including inspecting, screening or blocking, redirecting, or modifying the data as it passes through the firewall. This mechanism is used to protect against things like invalid URLs, or attacks against internal Domain Name Service (DNS) Servers. A flaw exists in the ISA Server DNS intrusion detection application filter, and results because the filter does not properly handle a specific type of request when scanning incoming DNS requests. An attacker could exploit the vulnerability by sending a specially formed request to an ISA Server computer that is publishing a DNS server, which could then result in a denial of service to the published DNS server. DNS requests arriving at the ISA Server would be stopped at the firewall, and not passed through to the internal DNS server. All other ISA Server functionality would be unaffected. 
No 
MS03-008 
Flaw in Windows Script Engine could allow code execution (814078)  The Windows Script Engine provides Windows operating systems with the ability to execute script code. Script code can be used to add functionality to web pages, or to automate tasks within the operating system or within a program. Script code can be written in several different scripting languages, such as Visual Basic Script, or JScript. A flaw exists in the way by which the Windows Script Engine for JScript processes information. An attacker could exploit the vulnerability by constructing a web page that, when visited by the user, would execute code of the attacker’s choice with the user’s privileges. The web page could be hosted on a web site, or sent directly to the user in email. Although Microsoft has supplied a patch for this vulnerability and recommends all affected customers install the patch immediately, additional preventive measures have been provided that customers can use to help block the exploitation of this vulnerability while they are assessing the impact and compatibility of the patch. These temporary workarounds are discussed in the Workarounds section in the FAQ below. 
No 
MS03-007 
Unchecked Buffer In Windows Component Could Cause Server Compromise (815021)  Microsoft Windows 2000 supports the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol. WebDAV, defined in RFC 2518, is a set of extensions to the Hypertext Transfer Protocol (HTTP) that provide a standard for editing and file management between computers on the Internet. A security vulnerability is present in a Windows component used by WebDAV, and results because the component contains an unchecked buffer. An attacker could exploit the vulnerability by sending a specially formed HTTP request to a machine running Internet Information Server (IIS). The request could cause the server to fail or to execute code of the attacker’s choice. The code would run in the security context of the IIS service (which, by default, runs in the LocalSystem context). Although Microsoft has supplied a patch for this vulnerability and recommends customers install the patch immediately, additional tools and preventive measures have been provided that customers can use to block the exploitation of this vulnerability while they are assessing the impact and compatibility of the patch. These temporary workarounds and tools are discussed in the Workarounds section in the FAQ below.  
Yes 
MS03-006 
Flaw in Windows Me Help and Support Center Could Enable Code Execution (812709)  Help and Support Center provides a centralized facility through which users can obtain assistance on a variety of topics. For instance, it provides product documentation, assistance in determining hardware compatibility, access to Windows Update, online help from Microsoft, and other assistance. Users and programs can execute URL links to Help and Support Center by using the "hcp://" prefix in a URL link instead of "http://". A security vulnerability is present in the Windows Me version of Help and Support Center, and results because the URL handler for the "hcp://" prefix contains an unchecked buffer. An attacker could exploit the vulnerability by constructing a URL that, when clicked on by the user, would execute code of the attacker’s choice in the Local Computer security context. The URL could be hosted on a web page, or sent directly to the user in email. In the web-based scenario, where a user then clicked on the URL hosted on a website, an attacker could have the ability to read or launch files already present on the local machine. In the case of an e-mail borne attack, if the user was using Outlook Express 6.0 or Outlook 2002 in their default configurations, or Outlook 98 or 2000 in conjunction with the Outlook Email Security Update, then an attack could not be automated and the user would still need to click on a URL sent in e-mail. However, if the user was not using Outlook Express 6.0 or Outlook 2002 in their default configurations, or Outlook 98 or 2000 in conjunction with the Outlook Email Security Update, the attacker could cause an attack to trigger automatically without the user having to click on a URL contained in an e-mail. 
No 
MS03-005 
Unchecked Buffer in Windows Redirector Could Allow Privilege Elevation (810577)  The Windows Redirector is used by a Windows client to access files, whether local or remote, regardless of the underlying network protocols in use. For example, the Add a Network Place Wizard or the NET USE command can be used to map a network share as a local drive, and the Windows Redirector will handle the routing of information to and from the network share. A security vulnerability exists in the implementation of the Windows Redirector on Windows XP because an unchecked buffer is used to receive parameter information. By providing malformed data to the Windows Redirector, an attacker could cause the system to fail, or if the data was crafted in a particular way, could run code of the attacker’s choice.  
Yes 
MS03-004 
Cumulative Patch for Internet Explorer (810847)  This is a cumulative patch that includes the functionality of all previously released patches for IE 5.01, 5.5 and 6.0. In addition, it eliminates the following two newly discovered vulnerabilities involving Internet Explorer’s cross-domain security model, which keeps windows of different domains from sharing information. A flaw results in Internet Explorer because incomplete security checking causes Internet Explorer to allow one website to potentially access information from another domain when using certain dialog boxes. In order to exploit this flaw, an attacker would have to host a malicious web site that contained a web page designed to exploit this particular vulnerability and then persuade a user to visit that site. Once the user has visited the malicious web site, it would be possible for the attacker to run malicious script by misusing a dialog box and cause that script to access information in a different domain. In the worst case, this could enable the web site operator to load malicious code onto a user's system. In addition, this flaw could also enable an attacker to invoke an executable that was already present on the local system. A related cross-domain vulnerability allows Internet Explorer’s showHelp() functionality to execute without proper security checking. showHelp() is one of the help methods used to display an HTML page containing help content. showHelp() allows more types of pluggable protocols than necessary, and this could potentially allow an attacker to access user information, invoke executables already present on a user’s local system or load malicious code onto a user’s local system. The requirements to exploit this vulnerability are the same as for the issue described above: an attacker would have to host and lure a user to a malicious web site. 
In this scenario, the attacker could open a showHelp window to a known local file on the visiting user’s local system and gain access to information from that file by sending a specially crafted URL to a second showHelp window. The attacker could also potentially access user information or run code of the attacker’s choice. This cumulative patch will cause window.showHelp( ) to cease to function. When the latest HTML Help update is installed, window.showHelp( ) will function again, but with some limitations (see the caveats section later in this bulletin). This has been necessary in order to block the attack vector that might allow a web site operator to invoke an executable that was already present on a user’s local system. In order to restore the window.showHelp( ) functionality, please download the latest version of HTML Help from Windows Update. 
Yes 
MS03-003 
Flaw in how Outlook 2002 handles V1 Exchange Server Security Certificates could lead to Information Disclosure (812262)  Microsoft Outlook 2002 provides the facility to encrypt e-mails sent between e-mail recipients. Encryption is used to prevent parties other than the intended recipients from reading the contents of an e-mail. Outlook uses public key certificates to facilitate the exchange of the cryptographic keys that are used in the encryption process, and Outlook offers a number of different options as to what type of certificates can be used. S/MIME certificates are the most commonly used (and are not affected by the vulnerability that is the subject of this bulletin), but there are other certificate options including V1 Exchange Server Security certificates. A vulnerability exists because there is a flaw in the way Outlook 2002 handles a V1 Exchange Server Security certificate when using it to encrypt e-mail. As a result of this flaw, Outlook fails to encrypt the mail correctly and the message will be sent in plain text. This could cause the information in the e-mail to be exposed when the user believed it to be protected through encryption.  
No 
MS03-002 
Cumulative Patch for Microsoft Content Management Server (810487)  Microsoft Content Management Server (MCMS) 2001 is an Enterprise Server product that simplifies developing and managing E-Commerce web sites. MCMS includes a number of pre-defined ASP web pages that allow web site operators to quickly set up E-business websites. A Cross-Site Scripting flaw exists in one of these ASP pages that could allow an attacker to insert script into the data being sent to an MCMS server. Because the server generates a web page in response to a user request made using this page, it is possible that the script could be embedded within the page that MCMS generates and returns to the user; this script would then run when processed by the user’s browser. This could result in an attacker being able to access information the user shared with the legitimate site. An attacker might attempt to exploit this flaw by crafting a malicious link to a valid site that the user intended to visit. If the attacker were able to get a user to click the link (most likely by sending the link in an email), then it could be possible for the attacker to take a variety of actions. The attacker could alter the data that appeared to be contained on the web pages presented by the legitimate site, monitor the user’s session with the legitimate site and copy personal data from the legitimate site to a site under the attacker’s control, or access the legitimate site's cookies. 
Yes 
MS03-001 
Unchecked Buffer in Locator Service Could Lead to Code Execution (810833)  The Microsoft Locator service is a name service that maps logical names to network-specific names. It ships with Windows NT 4.0, Windows 2000, and Windows XP. By default, the Locator service is enabled only on Windows 2000 domain controllers and Windows NT 4.0 domain controllers; it is not enabled on Windows NT 4.0 workstations or member servers, Windows 2000 workstations or member servers, or Windows XP. A security vulnerability results from an unchecked buffer in the Locator service. By sending a specially malformed request to the Locator service, an attacker could cause the Locator service to fail, or to run code of the attacker's choice on the system.  
Yes 
MS02-072 
Unchecked Buffer in Windows Shell Could Enable System Compromise (Q329390)  The Windows Shell is responsible for providing the basic framework of the Windows user interface experience. It is most familiar to users as the Windows Desktop, but also provides a variety of other functions to help define the user's computing session, including organizing files and folders, and providing the means to start applications. An unchecked buffer exists in one of the functions that is used by the Windows Shell to extract custom attribute information from audio files. A security vulnerability results because it is possible for a malicious user to mount a buffer overrun attack and attempt to exploit this flaw. An attacker could seek to exploit this vulnerability by creating an .MP3 or .WMA file that contained a corrupt custom attribute and then host it on a website, on a network share, or send it via an HTML email. If a user were to hover his or her mouse pointer over the icon for the file (either on a web page or on the local disk), or open the shared folder where the file was stored, the vulnerable code would be invoked. An HTML email could cause the vulnerable code to be invoked when a user opened or previewed the email. A successful attack could have the effect of either causing the Windows Shell to crash, or causing an attacker’s code to run on the user’s computer in the security context of the user. 
Yes 
MS02-071 
Flaw in Windows WM_TIMER Message Handling Could Enable Privilege Elevation (328310)  Subsequent to the release of this bulletin it was determined that the patch for Microsoft Windows NT 4.0 machines introduced an error that may, under certain configurations, cause NT 4.0 to fail. Microsoft has investigated this issue and is releasing an updated patch for Windows NT 4.0. The bulletin has been updated to include the new download links for the NT 4.0 patch. Customers who have installed the patch on Microsoft Windows 2000 and Windows XP are unaffected by this error. Windows messages provide a way for interactive processes to react to user events (e.g., keystrokes or mouse movements) and communicate with other interactive processes. One such message, WM_TIMER, is sent at the expiration of a timer, and can be used to cause a process to execute a timer callback function. A security vulnerability results because it's possible for one process in the interactive desktop to use a WM_TIMER message to cause another process to execute a callback function at the address of its choice, even if the second process did not set a timer. If that second process had higher privileges than the first, this would provide the first process with a way of exercising them. By default, several of the processes running in the interactive desktop do so with LocalSystem privileges. As a result, an attacker who had the ability to log onto a system interactively could potentially run a program that would levy a WM_TIMER request upon such a process, causing it to take any action the attacker specified. This would give the attacker complete control over the system. In addition to addressing this vulnerability, the patch also makes changes to several processes that run on the interactive desktop with high privileges. 
Although none of these would, in the absence of the WM_TIMER vulnerability, enable an attacker to gain privileges on the system, we have included them in the patch to make the services more robust.  
Yes 
MS02-070 
Flaw in SMB Signing Could Enable Group Policy to be Modified (329170)  Server Message Block (SMB) is a protocol natively supported by all versions of Windows. Although nominally a file-sharing protocol, it is used for other purposes as well, the most important of which is disseminating group policy information from domain controllers to newly logged on systems. Beginning with Windows 2000, it is possible to improve the integrity of SMB sessions by digitally signing all packets in a session. Windows 2000 and Windows XP can be configured to always sign, never sign, or sign only if the other party requires it. A flaw in the implementation of SMB Signing in Windows 2000 and Windows XP could enable an attacker to silently downgrade the SMB Signing settings on an affected system. To do this, the attacker would need access to the session negotiation data as it was exchanged between a client and server, and would need to modify the data in a way that exploits the flaw. This would cause either or both systems to send unsigned data regardless of the signing policy the administrator had set. After having downgraded the signing setting, the attacker could continue to monitor the session and change data within it; the lack of signing would prevent the communicants from detecting the changes. Although this vulnerability could be exploited to expose any SMB session to tampering, the most serious case would involve changing group policy information as it was being disseminated from a Windows 2000 domain controller to a newly logged-on network client. By doing this, the attacker could take actions such as adding users to the local Administrators group or installing and running code of his or her choice on the system. 
Yes 
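The three policies named above (always sign, never sign, sign only if the other party requires it) are driven by two registry values on each side of the session, which Group Policy writes for the "Digitally sign communications (always)" and "(if client agrees / when possible)" settings. The following is an added example, not code from the GFI article or from bulletin MS02-070: it reads those values on the local host and reports which policy each side is configured for. It assumes a host on which PowerShell runs; for NT 4.0 or Windows 2000 targets the same values can be read with reg.exe or the remote registry service.

```powershell
# Added example (not from the GFI article or bulletin MS02-070): report the
# configured SMB signing policy for the workstation and server side of the host.
# Assumes PowerShell is available; the registry paths are the documented ones
# for the LanmanWorkstation and LanmanServer services.

function Get-SmbSigningPolicy {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('LanmanWorkstation', 'LanmanServer')]
        [string]$Side
    )

    $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$Side\Parameters"
    $props = Get-ItemProperty -Path $key -ErrorAction Stop

    # $null when the value is absent, in which case the OS default applies
    # (it differs between clients, member servers and domain controllers,
    # so it is reported as unknown rather than guessed).
    $enabledVal  = $props.EnableSecuritySignature
    $requiredVal = $props.RequireSecuritySignature

    $policy = if ($requiredVal -eq 1) { 'always sign (signing required)' }
              elseif ($null -eq $enabledVal -or $null -eq $requiredVal) { 'not fully set (OS default applies)' }
              elseif ($enabledVal -eq 1) { 'sign only if the other party requires it' }
              else { 'never sign' }

    [pscustomobject]@{
        Side                     = $Side
        EnableSecuritySignature  = $enabledVal
        RequireSecuritySignature = $requiredVal
        Policy                   = $policy
        Key                      = $key
    }
}

# Only 'always sign' on the side that serves the data prevents the other party
# from negotiating an unsigned session once both systems are patched.
foreach ($side in 'LanmanWorkstation', 'LanmanServer') {
    $p    = Get-SmbSigningPolicy -Side $side
    $flag = if ($p.RequireSecuritySignature -eq 1) { 'OK  ' } else { 'WEAK' }
    '{0} {1,-17} Enable={2} Require={3} -> {4}' -f $flag, $p.Side,
        $p.EnableSecuritySignature, $p.RequireSecuritySignature, $p.Policy
}
```

This confirms the configured policy, not patch state: on an unpatched Windows 2000 or XP system the flaw described above lets an attacker in the negotiation path force unsigned traffic regardless of these values, so the 329170 patch (the item LANguard checks for) must be installed first. For the group-policy case the value that matters is RequireSecuritySignature on the domain controller's LanmanServer side.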
MS02-069 
Flaw in Microsoft VM Could Enable System Compromise (810030)  The Microsoft VM is a virtual machine for the Win32 operating environment. The Microsoft VM shipped in most versions of Windows (a complete list is available in the FAQ), as well as in most versions of Internet Explorer. A new version of the Microsoft VM is available, which includes all previously released fixes for the VM, as well as fixes for eight newly reported security issues. The attack vectors for all of the new issues would likely be the same. An attacker would create a web page that, when opened, exploits the desired vulnerability, and either host it on a web site or send it to a user as an HTML mail. 
No 
MS02-068 
Cumulative Patch for Internet Explorer (324929)  This is a cumulative patch for Internet Explorer 5.5 and 6.0. In addition to including the functionality of all previously released patches for Internet Explorer 5.5 and 6.0, it also eliminates a newly discovered flaw in Internet Explorer's cross-domain security model. This flaw occurs because the security checks that Internet Explorer carries out when particular object caching techniques are used in web pages are incomplete. This could have the effect of allowing a website in one domain to access information in another, including the user’s local system. Exploiting the vulnerability could enable an attacker to read, but not change, any file on the user’s local computer. In addition, the attacker could invoke an executable that was already present on the local system. The attacker would need to know the exact location of the executable, and would not be able to pass parameters to it. Microsoft is not aware of any executable that ships by default as part of Windows and, when run without parameters, could be dangerous. An attacker could exploit the vulnerability by constructing a web page that uses a cached programming technique, and could then either host it on a web site or send it to a user via email. In the case of the web-based attack vector, the page could be automatically opened when a user visited the site. In the case of the HTML mail-based attack vector, the page could be opened when the recipient opened the mail or viewed it using the Preview pane.  
Yes 
MS02-067 
E-mail Header Processing Flaw Could Cause Outlook 2002 to Fail (331866)  Microsoft Outlook provides users with the ability to work with e-mail, contacts, tasks, and appointments. Outlook e-mail handling includes receiving, displaying, creating, editing, sending, and organizing e-mail messages. When working with received e-mail messages, Outlook processes information contained in the header of the e-mail which carries information about where the e-mail came from, its destination, and attributes of the message. A vulnerability exists in Outlook 2002 in its processing of e-mail header information. An attacker who successfully exploited the vulnerability could send a specially malformed e-mail to a user of Outlook 2002 that would cause the Outlook client to fail under certain circumstances. The Outlook 2002 client would continue to fail so long as the specially malformed e-mail message remained on the e-mail server. The e-mail message could be deleted by an e-mail administrator, or by the user via another e-mail client such as Outlook Web Access or Outlook Express, after which point the Outlook 2002 client would again function normally. 
No 
MS02-066 
Cumulative Patch for Internet Explorer (Q328970)  This is a cumulative patch that includes the functionality of all previously released patches for IE 5.01, 5.5 and 6.0. In addition, it eliminates the following six newly discovered vulnerabilities: A buffer overrun vulnerability that occurs because Internet Explorer does not correctly check the parameters of a PNG graphics file when it is opened. To the best of Microsoft’s knowledge, this vulnerability could only be used to cause Internet Explorer to fail. The effect of exploiting the vulnerability against Internet Explorer would be relatively minor; the user would only need to restart the browser to restore normal operation. However, a number of other Microsoft products (notably, most Microsoft Office products and Microsoft Index Server) rely on Internet Explorer to render PNG files, and exploiting the vulnerability against such an application would cause it to fail as well. Because of this, Microsoft recommends that customers install this patch regardless of whether they are using Internet Explorer as their primary web browser. An information disclosure vulnerability related to the way that Internet Explorer handles encoded characters in a URL. This vulnerability could allow an attacker to craft a URL containing some encoded characters that would redirect a user to a second web site. If a user followed the URL, the attacker would be able to piggy-back on the user’s access to the second web site. This could allow the attacker to access any information the user shared with the second web site. A vulnerability that occurs because under certain circumstances Internet Explorer does not correctly check the component that the OBJECT tag calls. This could allow an attacker to obtain the name of the Temporary Internet Files folder on the user’s local machine. 
The vulnerability would not allow an attacker to read or modify any files on the user’s local system, since the Temporary Internet Files folder resides in the Internet security zone. Knowledge of the name of the Temporary Internet Files folder could allow an attacker to identify the username of the logged-on user and read other information in the Temporary Internet Files folder, such as cookies. Three vulnerabilities that, although they have differing root causes, have the same net effect. All three result because of incomplete security checks being carried out when particular programming techniques are used in web pages, and would have the effect of allowing one website to access information in another domain, including the user’s local system. This could enable the web site operator to read, but not change, any file on the user’s local computer that could be viewed in a browser window. In addition, this could also enable an attacker to invoke an executable that was already present on the local system. 
Yes 
MS02-065 
Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution (Q329414)  Microsoft Data Access Components (MDAC) is a collection of components used to provide database connectivity on Windows platforms. MDAC is a ubiquitous technology, and it is likely to be present on most Windows systems: It is included by default as part of Windows XP, Windows 2000, and Windows Millennium. It is available for download as a stand-alone technology in its own right. It is either included in or installed by a number of other products and technologies. For instance, MDAC is included in the Windows NT 4.0 Option Pack, and some MDAC components are present as part of Internet Explorer even if MDAC itself is not installed. MDAC provides the underlying functionality for a number of database operations, such as connecting to remote databases and returning data to a client. One of the MDAC components, known as Remote Data Services (RDS), provides functionality that supports three-tiered architectures, that is, architectures in which a client’s requests for service from a back-end database are intermediated through a web site that applies business logic to them. A security vulnerability is present in the RDS implementation, specifically in a function called the RDS Data Stub, whose purpose is to parse incoming HTTP requests and generate RDS commands. A security vulnerability resulting from an unchecked buffer in the Data Stub affects versions of MDAC prior to version 2.7 (the version that shipped with Windows XP). By sending a specially malformed HTTP request to the Data Stub, an attacker could cause data of his or her choice to overrun onto the heap. Although heap overruns are typically more difficult to exploit than the more common stack overrun, Microsoft has confirmed that in this case it would be possible to exploit the vulnerability to run code of the attacker’s choice on the user’s system. 
Yes 
MS02-064 
Windows 2000 Default Permissions Could Allow Trojan Horse Program (Q327522)  On Windows 2000, the default permissions provide the Everyone group with Full access (Everyone:F) on the system root folder (typically, C:\). In most cases, the system root is not in the search path. However, under certain conditions (for instance, during logon, or when applications are invoked directly from the Windows desktop via Start | Run) it can be. This situation gives rise to a scenario that could enable an attacker to mount a Trojan horse attack against other users of the same system, by creating a program in the system root with the same name as some commonly used program, then waiting for another user to subsequently log onto the system and invoke the program. The Trojan horse program would execute with the user’s own privileges, thereby enabling it to take any action that the user could take. The simplest attack scenario would be one in which the attacker knew that a particular system program was invoked by a logon script. In that case, the attacker could create a Trojan horse with the same name as the system program, which would then be executed by the logon script the next time someone logged onto the system. Other scenarios almost certainly would require significantly greater user interaction (for instance, convincing a user to start a particular program via Start | Run) and would necessitate the use of social engineering. The systems primarily at risk from this vulnerability would be workstations that are shared between multiple users, and local terminal server sessions. Other systems would be at significantly less risk: Workstations that are not shared between users would be at no risk, because the attacker would require the ability to log onto the system in order to place the Trojan horse. Servers would be at no risk if standard best practices have been followed that advocate only allowing trusted users to log onto them. 
Remote Terminal Server sessions would be at little risk, because each user’s environment is isolated. That is, the system root is never the current folder; instead, the user’s Documents and Settings folder is, and the permissions on that folder would not enable an attacker to place a Trojan horse there. 
No 
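Since LANguard does not check this item, the precondition described above (a broad, low-privilege principal able to create files in the root of the system drive) has to be verified by hand. The following is an added example, not code from the GFI article or from bulletin MS02-064: it lists the Allow ACEs on the system drive root that grant such a principal the CreateFiles right, ignoring inherit-only entries that do not govern the root folder itself. It assumes a host on which PowerShell runs and English principal names.

```powershell
# Added example (not from the GFI article or bulletin MS02-064): find ACEs on
# the root of the system drive that let ordinary users create files there.
# Assumes PowerShell is available and English principal names.

function Get-SystemRootWritableAces {
    param([string]$Path = ($env:SystemDrive + '\'))

    # Groups an ordinary interactive user belongs to on a default install.
    $broad = @('Everyone', 'BUILTIN\Users',
               'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

    # CreateFiles (the same bit as WriteData) is what lets a user drop a new
    # executable into the folder; FullControl and Modify both include it.
    $createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($broad -contains $_.IdentityReference.Value) -and
        # Inherit-only ACEs apply to children, not to the root folder itself.
        (([int]$_.PropagationFlags -band $inheritOnly) -eq 0) -and
        (([int]$_.FileSystemRights -band $createFiles) -ne 0)
    } | Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
}

$hits = @(Get-SystemRootWritableAces)
if ($hits.Count -eq 0) {
    "OK: no broad principal can create files in $($env:SystemDrive)\"
} else {
    "WEAK: broad principals can create files in $($env:SystemDrive)\ (MS02-064 precondition):"
    $hits | Format-Table -AutoSize
}
```

A default Windows 2000 install reports the Everyone:F entry as a hit. Restricting the broad principals to read and execute on the root (the Trojan horse needs only the ability to create a file there) removes the precondition; the check is worth re-running after any imaging or permission reset, since the bulletin provides no patch that enforces it.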
MS02-063 
Unchecked Buffer in PPTP Implementation Could Enable Denial of Service Attacks (Q329834)  Windows 2000 and Windows XP natively support Point-to-Point Tunneling Protocol (PPTP), a Virtual Private Networking technology that is implemented as part of Remote Access Services (RAS). PPTP support is an optional component in Windows NT 4.0, Windows 98, Windows 98SE, and Windows ME. A security vulnerability results in the Windows 2000 and Windows XP implementations because of an unchecked buffer in a section of code that processes the control data used to establish, maintain and tear down PPTP connections. By delivering specially malformed PPTP control data to an affected server, an attacker could corrupt kernel memory and cause the system to fail, disrupting any work in progress on the system. The vulnerability could be exploited against any server that offers PPTP. If a workstation had been configured to operate as a RAS server offering PPTP services, it could likewise be attacked. Workstations acting as PPTP clients could only be attacked during active PPTP sessions. Normal operation on any attacked system could be restored by restarting the system. 
Yes 
MS02-062 
Cumulative Patch for Internet Information Service (Q327696)  This patch is a cumulative patch that includes the functionality of all security patches released for IIS 4.0 since Windows NT 4.0 Service Pack 6a, and all security patches released to date for IIS 5.0 and 5.1. A complete listing of the patches superseded by this patch is provided below, in the section titled Additional information about this patch. Before applying the patch, system administrators should take note of the caveats discussed in the same section. In addition to including previously released security patches, this patch also includes fixes for the following newly discovered security vulnerabilities affecting IIS 4.0, 5.0 and/or 5.1: A privilege elevation vulnerability affecting the way ISAPIs are launched when an IIS 4.0, 5.0 or 5.1 server is configured to run them out of process. By design, the hosting process (dllhost.exe) should run only in the security context of the IWAM_computername account; however, it can actually be made to acquire LocalSystem privileges under certain circumstances, thereby enabling an ISAPI to do likewise. A denial of service vulnerability that results because of a flaw in the way IIS 5.0 and 5.1 allocate memory for WebDAV requests. If a WebDAV request were malformed in a particular way, IIS would allocate an extremely large amount of memory on the server. By sending several such requests, an attacker could cause the server to fail. A vulnerability involving the operation of the script source access permission in IIS 5.0. This permission operates in addition to the normal read/write permissions for a virtual directory, and regulates whether scripts, .ASP files and executable file types can be uploaded to a write-enabled virtual directory. A typographical error in the table that defines the file types subject to this permission has the effect of omitting .COM files from the list of files subject to the permission. 
As a result, a user would need only write access to upload such a file. A pair of Cross-Site Scripting (XSS) vulnerabilities affecting IIS 4.0, 5.0 and 5.1, and involving administrative web pages. Each of these vulnerabilities has the same scope and effect: an attacker who was able to lure a user into clicking a link on his web site could relay a request containing script to a third-party web site running IIS, thereby causing the third-party site’s response (still including the script) to be sent to the user. The script would then render using the security settings of the third-party site rather than the attacker’s. In addition, the patch causes IIS 5.0 and 5.1 to change how frequently the socket backlog list (which, when all connections on a server are allocated, holds the list of pending connection requests) is purged. The patch changes IIS to purge the list more frequently in order to make it more resilient to flooding attacks. The backlog monitoring feature is not present in IIS 4.0.  
Yes 
MS02-061 
Elevation of Privilege in SQL Server Web Tasks (Q316333)  SQL Server 7.0 and 2000 provide stored procedures, each of which is a collection of Transact-SQL statements stored under a name and processed as a group. One stored procedure, an extended stored procedure and weak permissions on a table combine to give a low-privileged user the ability to run, delete, insert or update web tasks. An attacker who is able to authenticate to a SQL server could delete, insert or update all the web tasks created by other users. In addition, the attacker could run already created web tasks in the context of the creator of the web task. This typically runs in the context of the SQL Server Agent service account.
Yes 
MS02-060 
Flaw in Windows XP Help and Support Center Could Enable File Deletion (Q328940)  Help and Support Center provides a centralized facility through which users can obtain assistance on a variety of topics. For instance, it provides product documentation, assistance in determining hardware compatibility, access to Windows Update, online help from Microsoft, and other assistance. A security vulnerability is present in the Windows XP version of Help and Support Center, and results because a file intended only for use by the system is instead available for use by any web page. The purpose of the file is to enable anonymous upload of hardware information, with the user’s permission, so that Microsoft can evaluate which devices users are not currently finding device drivers for. This information is then used to work with hardware vendors and device teams to improve the quality and quantity of drivers available in Windows. By design, after attempting to upload an XML file containing the hardware information, the system deletes it. An attacker could exploit the vulnerability by constructing a web page that, when opened, would call the errant function and supply the name of an existing file or folder as the argument. The attempt to upload the file or folder would fail, but the file nevertheless would be deleted. The page could be hosted on a web site in order to attack users visiting the site, or could be sent as an HTML mail in order to attack the recipient when it was opened. 
Yes 
MS02-059 
Flaw in Word Fields and Excel External Updates Could Lead to Information Disclosure (Q330008)  Word and Excel provide a mechanism through which data from one document can be inserted into and updated in another document. This mechanism, known as field codes in Word and external updates in Excel, can be automated to reduce the amount of manual effort required by a user. An example of the use of Word field codes could be the automatic insertion of a standard disclaimer paragraph in a legal document. An example of the use of external updates in Excel could be the automatic updating of a chart in one spreadsheet using data in a different spreadsheet. A vulnerability exists because it is possible to maliciously use field codes and external updates to steal information from a user without the user being aware. Certain events, such as saving a document or the user manually updating the links, can trigger field codes and external updates to be updated. Normally the user would be aware of these updates occurring; however, a specially crafted field code or external update can be used to trigger an update without any indication to the user. This could enable an attacker to create a document that, when opened, would update itself to include the contents of a file from the user’s local computer. In order for an attacker to take advantage of this vulnerability, the attacker would need to perform the following steps: craft a Word or Excel document that exploits the vulnerability; deliver it to the user, via email or some other method; entice the user to open the document; and have the document returned to the attacker. (Microsoft is aware of one case in which it would not be necessary for the user to do this. There is one method through which the attacker’s document could post information directly to a web site, but it would only allow the first line of the file to be sent.)
No 
MS02-058 
Unchecked Buffer in Outlook Express S/MIME Parsing Could Enable System Compromise (Q328676)  To allow for verification of the authenticity of mail messages, Microsoft Outlook Express supports digital signing of messages through S/MIME. A buffer overrun vulnerability lies in the code that generates the warning message when a particular error condition associated with digital signatures occurs. By creating a digitally signed email and editing it to introduce specific data, then sending it to another user, an attacker could cause either of two effects to occur if the recipient opened or previewed it. In the less serious case, the attacker could cause the mail client to fail. If this happened, the recipient could resume normal operation by restarting the mail client and deleting the offending mail. In the more serious case, the attacker could cause the mail client to run code of their choice on the user’s machine. Such code could take any desired action, limited only by the permissions of the recipient on the machine. This vulnerability could only affect messages that are signed using S/MIME and sent to an Outlook Express user. Users of Microsoft Outlook products are not affected by this vulnerability.  
No 
MS02-057 
Flaw in Services for Unix 3.0 Interix SDK Could Allow Code Execution (Q329209)  All three vulnerabilities discussed in this bulletin involve the inclusion of the Sun RPC library in Microsoft’s Services for UNIX (SFU) 3.0 on the Interix SDK. Developers who created applications or utilities using the Sun RPC library from the Interix SDK need to evaluate three vulnerabilities. Windows Services for UNIX (SFU) 3.0 provides a full range of cross-platform services to integrate Windows into existing UNIX environments. In version 3.0, the Interix subsystem technology is built in so that Windows Services for UNIX 3.0 can provide platform interoperability and application migration in one fully integrated and supported product from Microsoft. Developers who have integrated Windows into their existing UNIX environments may have used the Interix SDK to develop custom applications and utilities so that applications that only ran on the UNIX platform can now run in a Windows environment. Developers who used the Interix SDK to develop applications or utilities should read this bulletin. The first vulnerability is an integer overflow in the XDR library that ships with the Sun RPC library on the Interix SDK for Microsoft’s Services for Unix (SFU) 3.0. An attacker could send a malicious RPC request to the RPC server from a remote machine and cause corruption in the server program. This can cause the server to fail and potentially allow the attacker to run code of his or her choice in the context of the server program. The second vulnerability is a buffer overrun resulting from an improper parameter size check. An attacker could send a malicious RPC request to the RPC server that triggers the overrun, causing the server to fail and preventing it from servicing any further requests from clients. The third vulnerability is an RPC implementation error. An application using the Sun RPC library does not properly check the size of client TCP requests.
This could result in a denial of service to a server application using the Sun RPC library. The RPC library expects client TCP requests to specify the size of the record that follows. Because there is a flaw in the way RPC detects client packets, an attacker could send a malformed RPC request to the RPC server from a remote machine and cause the server to fail by not servicing any further client requests. After applying the patch, it is necessary to recompile any Interix application that is statically linked with the Interix SDK Sun RPC library. 
No 
MS02-056 
Cumulative Patch for SQL Server (Q316333)  This is a cumulative patch that includes the functionality of all previously released patches for SQL Server 7.0, SQL Server 2000, Microsoft Data Engine (MSDE) 1.0 and Microsoft Desktop Engine (MSDE) 2000. In addition, it eliminates four newly discovered vulnerabilities. A buffer overrun in a section of code in SQL Server 2000 (and MSDE 2000) associated with user authentication. By sending a specially malformed login request to an affected server, an attacker could either cause the server to fail or gain the ability to overwrite memory on the server, thereby potentially running code on the server in the security context of the SQL Server service. It would not be necessary for the user to successfully authenticate to the server or to be able to issue direct commands to it in order to exploit the vulnerability. A buffer overrun vulnerability that occurs in one of the Database Console Commands (DBCCs) that ship as part of SQL Server 7.0 and 2000. In the most serious case, exploiting this vulnerability would enable an attacker to run code in the context of the SQL Server service, thereby giving the attacker complete control over all databases on the server. A vulnerability associated with scheduled jobs in SQL Server 7.0 and 2000. SQL Server allows unprivileged users to create scheduled jobs that will be executed by the SQL Server Agent. By design, the SQL Server Agent should only perform job steps that are appropriate for the requesting user’s privileges. However, when a job step requests that an output file be created, the SQL Server Agent does so using its own privileges rather than the job owner’s privileges. This creates a situation in which an unprivileged user could submit a job that would create a file containing valid operating system commands in another user’s Startup folder, or simply overwrite system files in order to disrupt system operation.
Yes 
MS02-055 
Unchecked Buffer in Windows Help Facility Could Enable Code Execution (Q323255)  The HTML Help facility in Windows includes an ActiveX control that provides much of its functionality. One of the functions exposed via the control contains an unchecked buffer, which could be exploited by a web page hosted on an attacker’s site or sent to a user as an HTML mail. An attacker who successfully exploited the vulnerability would be able to run code in the security context of the user, thereby gaining the same privileges as the user on the system. A second vulnerability exists because of flaws associated with the handling of compiled HTML Help (.chm) files that contain shortcuts. Because shortcuts allow HTML Help files to take any desired action on the system, only trusted HTML Help files should be allowed to use them. Two flaws allow this restriction to be bypassed. First, the HTML Help facility incorrectly determines the Security Zone in the case where a web page or HTML mail delivers a .chm file to the Temporary Internet Files folder and subsequently opens it. Instead of handling the .chm file in the correct zone – the one associated with the web page or HTML mail that delivered it – the HTML Help facility incorrectly handles it in the Local Computer Zone, thereby considering it trusted and allowing it to use shortcuts. This error is compounded by the fact that the HTML Help facility doesn’t consider what folder the content resides in. Were it to do so, it could recover from the first flaw, as content within the Temporary Internet Files folder is clearly not trusted, regardless of the Security Zone it renders in. The attack scenario for this vulnerability would be complex, and involves using an HTML mail to deliver a .chm file that contains a shortcut, then making use of the flaws to open it and allow the shortcut to execute. The shortcut would be able to perform any action the user had privileges to perform on the system.
Partially Detectable 
MS02-054 
Unchecked Buffer in File Decompression Functions Could Lead to Code Execution (Q329048)  Zipped files (files having a .zip extension) provide a means to store information in a way that uses less space on a hard disk. This is accomplished by compressing the files that are put into the zipped file. On Windows 98 with Plus! Pack, Windows Me and Windows XP, the Compressed Folders feature allows zipped files to be treated as folders. The Compressed Folders feature can be used to create, add files to, and extract files from zipped files. Two vulnerabilities exist in the Compressed Folders function: An unchecked buffer exists in the program that handles the decompression of files from a zipped file. A security vulnerability results because attempts to open a file with a specially malformed filename contained in a zipped file could possibly result in Windows Explorer failing, or in code of the attacker’s choice being run. The decompression function could place a file in a directory that was not the same as, or a child of, the target directory specified by the user as where the decompressed zip files should be placed. This could allow an attacker to put a file in a known location on the user’s system, such as placing a program in a startup directory.
Partially Detectable 
MS02-053 
Buffer Overrun in SmartHTML Interpreter Could Allow Code Execution (Q324096)  The SmartHTML Interpreter (shtml.dll) is part of the FrontPage Server Extensions (FPSE), and provides support for web forms and other FrontPage-based dynamic content. The interpreter contains a flaw that occurs when processing a request for a particular type of web file, if the request includes certain other characteristics. This affects the two versions of FrontPage Server Extensions differently. On FrontPage Server Extensions 2000, such a request would cause the interpreter to consume most or all CPU availability until the web service was restarted. An attacker could use this vulnerability to conduct a denial of service attack against an affected web server. On FrontPage Server Extensions 2002, the same type of request could cause a buffer overrun, potentially allowing an attacker to run code of his choice.
No 
MS02-052 
Flaw in Java VM JDBC Classes Could Allow Code Execution (Q329077)  A new patch for the Microsoft VM is available, which eliminates two security vulnerabilities. The attack vectors for both would likely be the same. An attacker would likely create a web page that, when opened, exploits the desired vulnerability, and either host it on a web site or send it to a user as an HTML mail. The first vulnerability involves the Java Database Connectivity (JDBC) classes, which provide features that allow Java applications to connect to and use data from a wide variety of data sources, ranging from flat files to SQL Server databases. The vulnerability results because of a flaw in the way the classes vet a request to load and execute a DLL on the user’s system. Although the classes do perform checks that are designed to ensure that only authorized applets can levy such a request, it’s possible to spoof this check by malforming the request in a particular way, thereby enabling an attacker to load and execute any DLL on the user’s system. The second vulnerability involves a class that provides support for the use of XML by Java applications. This class exposes a number of methods; some of these are suitable for use by any applet, while others are only suitable for use by trusted ones. However, the class does not differentiate correctly between these cases, and instead makes all of the methods available to all applets. Among the functions that could be misused through this vulnerability are ones that would enable an applet to take virtually any desired action on the user’s system. In addition to eliminating the above vulnerabilities, the patch also eliminates a bug in the JDBC classes through which a web page could cause Internet Explorer to fail. Although this bug doesn’t pose a security risk of any kind, it could be used in annoyance attacks and we have therefore included it in the patch.
No 
MS02-051 
Cryptographic Flaw in RDP Protocol can Lead to Information Disclosure (Q324380)  The Remote Data Protocol (RDP) provides the means by which Windows systems can provide remote terminal sessions to clients. The protocol transmits information regarding a terminal sessions' keyboard, mouse and video to the remote client, and is used by Terminal Services in Windows NT 4.0 and Windows 2000, and by Remote Desktop in Windows XP. Two security vulnerabilities, both of which are eliminated by this patch, have been discovered in various RDP implementations. The first involves how session encryption is implemented in certain versions of RDP. All RDP implementations allow the data in an RDP session to be encrypted. However, in the versions in Windows 2000 and Windows XP, the checksums of the plaintext session data are sent without being encrypted themselves. An attacker who was able to eavesdrop on and record an RDP session could conduct a straightforward cryptanalytic attack against the checksums and recover the session traffic. The second involves how the RDP implementation in Windows XP handles data packets that are malformed in a particular way. Upon receiving such packets, the Remote Desktop service would fail, and with it would fail the operating system. It would not be necessary for an attacker to authenticate to an affected system in order to deliver packets of this type to an affected system. 
Yes 
MS02-050 
Certificate Validation Flaw Could Enable Identity Spoofing (Q329115)  The original version of this bulletin was released on 05 September 2002. On 09 September 2002, we updated the bulletin to advise customers that a Microsoft-issued digital certificate, used to sign device drivers, did not meet the stricter validation standards established by the patch. As a result, customers who installed the patch could see unexpected error messages when installing new hardware, or in some cases might be unable to install new hardware altogether. On 20 November 2002, we released an updated version of the patch that not only eliminates this problem, but also eliminates a newly discovered variant of the original vulnerability. The IETF Profile of the X.509 certificate standard defines several optional fields that can be included in a digital certificate. One of these is the Basic Constraints field, which indicates the maximum allowable length of the certificate’s chain and whether the certificate is a Certificate Authority or an end-entity certificate. However, the APIs within CryptoAPI that construct and validate certificate chains (CertGetCertificateChain(), CertVerifyCertificateChainPolicy(), and WinVerifyTrust()) do not check the Basic Constraints field. The same flaw, unrelated to CryptoAPI, is also present in several Microsoft products for Macintosh. The vulnerability identified in the original version of the bulletin could enable an attacker who had a valid end-entity certificate to issue a subordinate certificate that, although bogus, would nevertheless pass validation. Because CryptoAPI is used by a wide range of applications, this could enable a variety of identity spoofing attacks. 
Partially Detectable 
MS02-049 
Flaw Could Enable Web Page to Launch Visual FoxPro 6.0 Application Without Warning (Q326568)  In general, when a product installs, it should register itself with Internet Explorer. This allows the product to specify how Internet Explorer should handle files associated with it when referenced from a web page - for instance, it allows the product to specify whether the user should be presented with a warning dialogue before such a file is opened. Visual FoxPro 6.0 does not perform this registration, and this gives rise to a situation in which a web page could automatically launch a Visual FoxPro application (i.e., an .app file). In most cases, this would not result in a security vulnerability - because of the way Visual FoxPro 6.0 evaluates file names, FoxPro itself could be started but the .app file would typically not run. However, if the filename of the application were constructed in a particular way, a second error (associated with how Visual FoxPro 6.0 evaluates application filenames) could not only start FoxPro but allow the application to execute. The vulnerability could be exploited by creating a web page that references a Visual FoxPro application, and either hosting it on a web site or sending it to a user as an HTML mail. If the user had installed Visual FoxPro 6.0 - or had installed a product that includes the Visual FoxPro 6.0 runtime - and the filename of the application was constructed in a particular way, the application would execute. This would enable the application to not only interrogate databases, but also issue system commands in the user's security context.
No 
MS02-048 
Flaw in Certificate Enrollment Control Could Allow Deletion of Digital Certificates (Q323172)  All versions of Windows ship with an ActiveX control known as the Certificate Enrollment Control, the purpose of which is to allow web-based certificate enrollments. The control is used to submit PKCS #10 compliant certificate requests, and upon receiving the requested certificate, stores it in the user’s local certificate store. The control contains a flaw that could enable a web page, through an extremely complex process, to invoke the control in a way that would delete certificates on a user’s system. An attacker who successfully exploited the vulnerability could corrupt trusted root certificates, EFS encryption certificates, email signing certificates, and any other certificates on the system, thereby preventing the user from using these features. An attack could be carried out through either of two scenarios. The attacker could create a web page that exploits the vulnerability, and host it on a web site in order to attack users who visited the site. The attacker also could send the page as an HTML mail in order to attack the recipient. A new version of the control is available that corrects the vulnerability, and can be installed via the patch or Windows XP Service Pack 1. A patch is available for all other Windows systems, as discussed in the Patch Availability section below. Internet Explorer 5 or later is a prerequisite to installing the patch. As discussed in the Caveats section, customers who operate web sites that use the Certificate Enrollment Control will need to make minor revisions to their web applications in order to use the new control. Microsoft Knowledge Base article Q323172 details how to do this. In addition, the patch addresses a similar, but less serious vulnerability discovered in the SmartCard Enrollment control. This control ships with Windows 2000 and Windows XP. A new version of this control is also provided.
Yes 
MS02-047 
Cumulative Patch for Internet Explorer (Q323759)  This is a cumulative patch that includes the functionality of all previously released patches for IE 5.01, 5.5 and 6.0. In addition, it eliminates the following six newly discovered vulnerabilities: A buffer overrun vulnerability affecting the Gopher protocol handler. This vulnerability was originally discussed in Microsoft Security Bulletin MS02-027, which provided workaround instructions while the patch provided here was being completed. A buffer overrun vulnerability affecting an ActiveX control used to display specially formatted text. The control contains a buffer overrun vulnerability that could enable an attacker to run code on a user’s system in the context of the user. A vulnerability involving how Internet Explorer handles an HTML directive that displays XML data. By design, the directive should only allow XML data from the web site itself to be displayed. However, it does not correctly check for the case where a referenced XML data source is in fact redirected to a data source in a different domain. This flaw could enable an attacker’s web page to open an XML-based file residing on a remote system within a browser window that the site could read, thereby enabling the attacker to read contents from websites that users had access to but the attacker was not able to navigate to. A vulnerability involving how Internet Explorer represents the origin of a file in the File Download Dialogue box. This flaw could enable an attacker to misrepresent the source of a file offered for download in an attempt to fool users into accepting a file download from an untrusted source believing it to be coming from a trusted source. A Cross Domain verification vulnerability that occurs because of improper domain checking in conjunction with the Object tag.
As a result, the vulnerability could enable a malicious web site operator to access data across different domains, for example one in a web site’s domain and the other on the user’s local file system, and then pass information from the latter to the former. This could enable the web site operator to read, but not change, any file on the user’s local computer that could be viewed in a browser window. In addition, this can also enable an attacker to invoke, but not pass parameters to, an executable on the local system, much like the "Local Executable Invocation via Object tag" vulnerability discussed in MS02-015. A newly reported variant of the "Cross-Site Scripting in Local HTML Resource" vulnerability originally discussed in Microsoft Security Bulletin MS02-023. Like the original vulnerability, this variant could enable an attacker to create a web page that, when opened, would run in the Local Computer zone, allowing it to run with fewer restrictions than it would in the Internet Zone. In addition, the patch sets the Kill Bit on the MSN Chat ActiveX control discussed in Microsoft Security Bulletin MS02-022 as well as the TSAC ActiveX control discussed in Microsoft Security Bulletin MS02-046. This has been done to ensure that vulnerable controls cannot be introduced onto users’ systems. Customers who use the MSN Chat control should ensure that they have applied the updated version of the control discussed in MS02-022, and customers who use the TSAC control should ensure that they have applied the updated version of the control discussed in MS02-046.
Yes 
MS02-046 
Buffer Overrun in TSAC ActiveX Control Could Allow Code Execution (Q327521)  The Terminal Services Advanced Client (TSAC) web control is an ActiveX control that can be used to run Terminal Services sessions within Internet Explorer. The downloadable ActiveX control provides nearly the same functionality as the full Terminal Services Client, but is designed to deliver this functionality over the Web. The TSAC control does not come installed as part of any Windows client system. Instead, clients obtain the control from web servers that offer terminal services. The configuration process that enables an IIS server to provide terminal services involves installing on the server a cabinet file containing the control. The server then delivers the cabinet file to any client system that needs it, and the client installs the control via the cabinet file. A security vulnerability results because the control contains an unchecked buffer in the code that processes one of the input parameters. By calling the control on a client system and overrunning the buffer, an attacker could gain the ability to run code in the security context of the currently logged on user. This would enable the attacker to take any desired action on the user's system. The attacker could mount an attack by either hosting a web page that exploits the vulnerability against any user who visits it, or by sending an HTML mail to another user. 
No 
MS02-045 
Unchecked Buffer in Network Share Provider can lead to Denial of Service (Q326830)  SMB (Server Message Block) is the protocol Microsoft uses to share files, printers and serial ports, and also to communicate between computers using named pipes and mail slots. In a networked environment, servers make file systems and resources available to clients. Clients make SMB requests for resources and servers make SMB responses in what is described as a client-server, request-response protocol. By sending a specially crafted packet request, an attacker can mount a denial of service attack on the target server machine and crash the system. The attacker could accomplish this using either a user account or anonymous access. Though not confirmed, it may be possible to execute arbitrary code.
Yes 
MS02-044 
Unsafe Functions in Office Web Components (Q328130)  The Office Web Components (OWC) contain several ActiveX controls that give users limited functionality of Microsoft Office in a web browser without requiring that the user install the full Microsoft Office application. This allows users to utilize Microsoft Office applications in situations where installation of the full application is infeasible or undesirable. The controls contain three security vulnerabilities, each of which could be exploited either via a web site or an HTML mail. The vulnerabilities result because of implementation errors in the following methods and functions the controls expose: Host(). This function, by design, provides the caller with access to applications' object models on the user's system. By using the Host() function, an attacker could, for instance, open an Office application on the user's system and invoke commands there that would execute operating system commands as the user. LoadText(). This method allows a web page to load text into a browser window. The method does check that the source of the text is in the same domain as the window, and in theory should restrict the page to only loading text that it hosts itself. However, it is possible to circumvent this restriction by specifying a text source located within the web page's domain, and then setting up a server-side redirect of that text to a file on the user's system. This would provide an attacker with a way to read any desired file on the user's system. Copy()/Paste(). These methods allow text to be copied and pasted. A security vulnerability results because the methods do not respect the 'disallow paste via script' security setting in IE. Thus, even if this setting had been selected, a web page could continue to access the copy buffer, and read any text that the user had copied or cut from within other applications.
No 
MS02-043 
Cumulative Patch for SQL Server (Q316333)  This is a cumulative patch that includes the functionality of all previously released patches for SQL Server 7.0 and SQL Server 2000. In addition, it eliminates a newly discovered vulnerability. SQL Server 7.0 and SQL Server 2000 provide for extended stored procedures, which are external routines written in programming languages such as C or C#. These procedures appear as normal stored procedures to users and can be invoked and executed just like normal stored procedures. By default, SQL Server 7.0 and SQL Server 2000 ship with a number of extended stored procedures which are used for various helper functions. Some of the Microsoft-provided extended stored procedures that have the ability to reconnect to the database as the SQL Server service account have a flaw in common – namely, they have weak permissions that can allow non-privileged users to execute them. Because these extended stored procedures can be made to run with administrator privileges on the database, it is thus possible for a non-privileged user to run stored procedures on the database with administrator privileges. An attacker could exploit this vulnerability in one of two ways. The attacker could attempt to load and execute a database query that calls one of the affected extended stored procedures. Alternately, if a web site or other database front-end were configured to access and process arbitrary queries, it could be possible for the attacker to provide inputs that would cause the query to call one of the functions in question with the appropriate malformed parameter.
Partially Detectable 
MS02-042 
Flaw in Network Connection Manager Could Enable Privilege Elevation (Q326886)  The Network Connection Manager (NCM) provides a controlling mechanism for all network connections managed by a host system. Among the functions of the NCM is to call a handler routine whenever a network connection has been established. By design, this handler routine should run in the security context of the user. However, a flaw could make it possible for an unprivileged user to cause the handler routine to run in the security context of LocalSystem, through a very complex process. An attacker who exploited this flaw could specify code of his or her choice as the handler, then establish a network connection in order to cause that code to be invoked by the NCM. The code would then run with full system privileges.
Yes 
MS02-041 
Unchecked Buffer in Content Management Server Could Enable Server Compromise (Q326075)  Microsoft Content Management Server (MCMS) 2001 is a .Net Enterprise Server product that simplifies developing and managing e-business web sites. Microsoft has learned of three security vulnerabilities affecting it: A buffer overrun in a low-level function that performs user authentication. At least one web page included with MCMS 2001 passes inputs directly to the function, thereby potentially providing a way for an attacker to overrun the buffer. The result of exploiting the vulnerability would be to either cause MCMS to fail, or run code in the context of the MCMS service (which runs as Local System). A vulnerability resulting from the confluence of two flaws affecting a function that allows files to be uploaded to the server. The first flaw lies in how the function authenticates requests, and would allow any user to submit an upload request. The second results because it is possible to override the upload location; where the function should upload files to a folder that only privileged users can access, it can be overridden to upload them to a temporary folder from which unprivileged users can call them. By exploiting the two flaws in tandem, an attacker could upload an .ASP or other file to the server, in a location from which it could be executed. A SQL injection vulnerability affecting a function that services requests for image files and other resources. Exploiting the vulnerability could enable an attacker to run SQL commands on the server, which would not only allow data in the MCMS database to be added, changed or deleted, but also would enable the attacker to run operating system commands on the server. 
No 
MS02-040 
Unchecked Buffer in MDAC Function Could Enable SQL Server Compromise (Q326573)  The Microsoft Data Access Components (MDAC) provide a number of supporting technologies for accessing and using databases. Included among these functions is the underlying support for the T-SQL OpenRowSet command. A security vulnerability results because the MDAC functions underlying OpenRowSet contain an unchecked buffer. An attacker who submitted a database query containing a specially malformed parameter within a call to OpenRowSet could overrun the buffer, either for the purpose of causing the SQL Server to fail or causing the SQL Server service to take actions dictated by the attacker. 
No 
MS02-039 
Buffer Overruns in SQL Server 2000 Resolution Service Could Enable Code Execution (Q323875)  There are three security vulnerabilities here. The first two are buffer overruns. By sending a carefully crafted packet to the Resolution Service (UDP port 1434), an attacker could cause portions of system memory (the heap in one case, the stack in the other) to be overwritten. Overwriting it with random data would likely result in the failure of the SQL Server service; overwriting it with carefully selected data could allow the attacker to run code in the security context of the SQL Server service. The third vulnerability is a denial of service vulnerability. SQL Server uses a keep-alive mechanism to distinguish between active and passive instances. It is possible to create a keep-alive packet that, when sent to the Resolution Service, will cause SQL Server 2000 to respond with the same information. An attacker who created such a packet, spoofed the source address so that it appeared to come from one SQL Server 2000 system, and sent it to a neighboring SQL Server 2000 system could cause the two systems to enter a never-ending cycle of keep-alive packet exchanges. This would consume resources on both systems, slowing performance considerably. 
No 
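The Resolution Service described above answers discovery requests on UDP/1434 with a list of the instances it hosts, including each instance's build number, so the service can be fingerprinted without any credentials. The following is an added example, not code from GFI or from the Microsoft bulletin: it builds the standard instance-list request, parses the response, and flags any SQL Server 2000 instance whose build predates Service Pack 3 (8.00.760), which is the assumption this example makes about the first service pack carrying the Resolution Service fix. The sample response bytes are constructed for the example, not captured from a live server, and the host name SRV1 is invented.

```python
import socket
import struct
from typing import Dict, List, Tuple

SSRP_PORT = 1434
CLNT_UCAST_EX = b"\x03"   # "list all instances on this host" request (MS-SQLR)
SVR_RESP = 0x05           # response opcode, followed by a 16-bit little-endian length

# SQL Server 2000 build numbers per service pack. Assumption used by assess():
# SP3 (8.00.760) is the first service pack that includes the MS02-039 fix,
# so any older build is reported as exposed.
SQL2000_SERVICE_PACKS = {
    (8, 0, 194): "RTM",
    (8, 0, 384): "SP1",
    (8, 0, 534): "SP2",
    (8, 0, 760): "SP3",
    (8, 0, 2039): "SP4",
}
MIN_FIXED_BUILD = (8, 0, 760)


def parse_version(version: str) -> Tuple[int, ...]:
    """'8.00.194' -> (8, 0, 194), comparable as a tuple."""
    return tuple(int(part) for part in version.split("."))


def parse_ssrp_response(data: bytes) -> List[Dict[str, str]]:
    """Decode an SVR_RESP datagram into one dict per advertised instance.

    The payload is a ';'-separated key/value list per instance, with ';;'
    terminating each record, e.g.
    ServerName;SRV1;InstanceName;MSSQLSERVER;IsClustered;No;Version;8.00.194;tcp;1433;;
    """
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not an SSRP server response")
    (length,) = struct.unpack_from("<H", data, 1)
    body = data[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for record in body.split(";;"):
        fields = record.strip(";").split(";")
        if len(fields) < 2:
            continue  # empty trailer after the final ';;'
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def assess(instances: List[Dict[str, str]]) -> List[str]:
    """Return one finding per instance whose build predates the fixed build."""
    findings = []
    for inst in instances:
        name = f"{inst.get('ServerName')}\\{inst.get('InstanceName')}"
        version = inst.get("Version", "0")
        build = parse_version(version)
        if build < MIN_FIXED_BUILD:
            sp = SQL2000_SERVICE_PACKS.get(build, "unknown build")
            findings.append(f"{name}: build {version} ({sp}) predates SP3, MS02-039 not applied")
    return findings


def probe(host: str, timeout: float = 2.0) -> List[Dict[str, str]]:
    """Send the instance-list request to a live host and parse what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(CLNT_UCAST_EX, (host, SSRP_PORT))
        data, _ = sock.recvfrom(65535)
    return parse_ssrp_response(data)


# Constructed sample response: one unpatched default instance and one
# named instance already at SP3. Not captured from a real server.
SAMPLE_BODY = (
    b"ServerName;SRV1;InstanceName;MSSQLSERVER;IsClustered;No;Version;8.00.194;tcp;1433;;"
    b"ServerName;SRV1;InstanceName;REPORTS;IsClustered;No;Version;8.00.760;tcp;2433;"
    b"np;\\\\SRV1\\pipe\\MSSQL$REPORTS\\sql\\query;;"
)
SAMPLE_RESPONSE = bytes([SVR_RESP]) + struct.pack("<H", len(SAMPLE_BODY)) + SAMPLE_BODY

if __name__ == "__main__":
    for finding in assess(parse_ssrp_response(SAMPLE_RESPONSE)):
        print(finding)
```

The build check is a banner heuristic, which is why a scanner that wants certainty (and why this page lists MS02-039 as not detectable) would rather verify the patched file on disk; the value of the SSRP probe is that it also tells you the Resolution Service is reachable at all, which is the exposure the keep-alive denial of service depends on.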
MS02-038 
Unchecked Buffer in SQL Server 2000 Utilities Could Allow Code Execution (Q316333)  This patch eliminates two newly discovered vulnerabilities affecting SQL Server 2000 and MSDE 2000: A buffer overrun vulnerability that occurs in several Database Consistency Checkers (DBCCs) that ship as part of SQL Server 2000. DBCCs are command console utilities that allow maintenance and other operations to be performed on a SQL Server. While many of these are executable only by sysadmin, some are executable by members of the db_owner and db_ddladmin roles as well. In the most serious case, exploiting this vulnerability would enable an attacker to run code in the context of the SQL Server service, thereby giving the attacker complete control over all databases on the server. A SQL injection vulnerability that occurs in two stored procedures used in database replication. One of these can only be run by users who have been assigned the db_owner role; the other, due to a permissions error, could be run by any user who could log onto the server interactively. Exploiting the vulnerability could enable an attacker to run operating system commands on the server, but is subject to significant mitigating factors discussed in the bulletin.  
Yes 
MS02-037 
Server Response To SMTP Client EHLO Command Results In Buffer Overrun (Q326322)  A security vulnerability results because of an unchecked buffer in the Exchange 5.5 Internet Mail Connector (IMC) code that generates the response to the EHLO protocol command. If the total length of the message exceeds a particular value, the data would overrun the buffer. If the buffer were overrun with random data, it would result in the failure of the IMC. If, however, the buffer were overrun with carefully chosen data, it could be possible for the attacker to run code in the security context of the IMC, which runs as the Exchange 5.5 service account. It is important to note that the attacker could not simply send data to the IMC in order to overrun the buffer. Instead, the attacker would need to create a set of conditions that would cause the IMC to overrun its own buffer when it generated the EHLO response. Specifically, the attacker would need to ensure that a reverse DNS lookup of the connecting address would not only succeed, but would return an FQDN whose length was sufficient to result in the buffer overrun. 
Yes 
MS02-036 
Authentication Flaw in Microsoft Metadirectory Services Could Allow Privilege Elevation (Q317138)  A flaw exists that could enable an unprivileged user to access and manipulate data within MMS that should, by design, only be accessible to MMS administrators. Specifically, it is possible for an unprivileged user to connect to the MMS data repository via an LDAP client in such a way as to bypass certain security checks. This could enable an attacker to modify data within the MMS data repository, either for the purpose of changing the MMS configuration or replicating bogus data to the other data repositories.  
No 
MS02-035 
SQL Server Installation Process May Leave Passwords on System (Q263968)  A security vulnerability results because of two factors: The files remain on the server after the installation is complete. Except for the setup.iss file created by SQL Server 2000, the files are in directories that can be accessed by anyone who can interactively log on to the system. The password information stored in the files is either in clear text (for SQL Server 7.0 prior to Service Pack 4) or encrypted using fairly weak protection. An attacker who recovered the files could subject them to a password cracking attack to learn the passwords, potentially compromising the sa password and/or a domain account password.  
No 
MS02-034 
Cumulative Patch for SQL Server (Q316333)  This is a cumulative patch that includes the functionality of all previously released patches for SQL Server 2000. In addition, it eliminates three newly discovered vulnerabilities affecting SQL Server 2000 and MSDE 2000 (but not any previous versions of SQL Server or MSDE): A buffer overrun vulnerability in a procedure used to encrypt SQL Server credential information. An attacker who was able to successfully exploit this vulnerability could gain significant control over the database and possibly the server itself depending on the account SQL server runs as. A buffer overrun vulnerability in a procedure that relates to the bulk inserting of data in SQL Server tables. An attacker who was able to successfully exploit this vulnerability could gain significant control over the database and possibly the server itself. A privilege elevation vulnerability that results because of incorrect permissions on the Registry key that stores the SQL Server service account information. An attacker who was able to successfully exploit this vulnerability could gain greater privileges on the system than had been granted by the system administrator -- potentially even the same rights as the operating system.  
No 
MS02-033 
Unchecked Buffer in Profile Service Could Allow Code Execution in Commerce Server (Q322273)  Four vulnerabilities exist in the Commerce Server products: A vulnerability that results because the Profile Service contains an unchecked buffer in a section of code that handles certain types of API calls. The Profile Service can be used to enable users to manage their own profile information and to research the status of their order. An attacker who provided specially malformed data to certain calls exposed by the Profile Service could cause the Commerce Server process to fail, or could run code in the LocalSystem security context. This vulnerability only affects Commerce Server 2000. A buffer overrun vulnerability in the Office Web Components (OWC) package installer used by Commerce Server. An attacker who provided specially malformed data as input to the OWC package installer could cause the process to fail, or could run code in the LocalSystem security context. This vulnerability only affects Commerce Server 2000. A vulnerability in the Office Web Components (OWC) package installer used by Commerce Server. An attacker who invoked the OWC package installer in a particular manner could cause commands to be run on the Commerce Server according to the privileges associated with the attacker's log on credentials. This vulnerability only affects Commerce Server 2000. A new variant of the ISAPI Filter vulnerability discussed in Microsoft Security Bulletin MS02-010. This variant affects both Commerce Server 2000 and Commerce Server 2002. 
Yes 
MS02-032 
Cumulative Patch for Windows Media Player (Q320920)  This is a cumulative patch that includes the functionality of all previously released patches for Windows Media Player 6.4, 7.1 and Windows Media Player for Windows XP. In addition, it eliminates the following three newly discovered vulnerabilities, one rated critical severity, one rated moderate severity, and one rated low severity: An information disclosure vulnerability that could give an attacker the means to run code on the user's system; it is rated critical severity. A privilege elevation vulnerability that could enable an attacker who can log on locally to a Windows 2000 machine and run a program to obtain the same rights as the operating system. A script execution vulnerability that could run a script of an attacker's choice as if the user had chosen to run it, after the user played a specially formed media file and then viewed a specially constructed web page. This particular vulnerability has specific timing requirements that make attempts to exploit it difficult, and it is rated low severity. The patch also introduces a configuration change relating to file extensions associated with Windows Media Player. Finally, it introduces a new, optional, security configuration feature for users or organizations that want to take extra precautions beyond applying IE patch MS02-023 and want to disable scripting functionality in Windows Media Player 7.x or higher. 
Yes 
MS02-031 
Cumulative Patches for Excel and Word for Windows (Q324458)  These patches eliminate four newly discovered vulnerabilities all of which could enable an attacker to run Macro code on a user's machine. The attacker's macro code could take any actions on the system that the user was able to. An Excel macro execution vulnerability that relates to how inline macros that are associated with objects are handled. This vulnerability could enable macros to execute and bypass the Macro Security Model when the user clicked on an object in a workbook. An Excel macro execution vulnerability that relates to how macros are handled in workbooks when those workbooks are opened via a hyperlink on a drawing shape. It is possible for macros in a workbook so invoked to run automatically. An HTML script execution vulnerability that can occur when an Excel workbook with an XSL Stylesheet that contains HTML scripting is opened. The script within the XSL stylesheet could be run in the local computer zone. A new variant of the "Word Mail Merge" vulnerability first addressed in MS00-071. This new variant could enable an attacker's macro code to run automatically if the user had Microsoft Access present on the system and chose to open a mail merge document that had been saved in HTML format.  
No 
MS02-030 
Unchecked Buffer in SQLXML Could Lead to Code Execution (Q321911)  SQLXML enables the transfer of XML data to and from SQL Server 2000. Database queries can be returned in the form of XML documents which can then be stored or transferred easily. Using SQLXML, you can access SQL Server 2000 using XML through your browser over HTTP. Two vulnerabilities exist in SQLXML: An unchecked buffer vulnerability in an ISAPI extension that could, in the worst case, allow an attacker to run code of their choice on the Microsoft Internet Information Services (IIS) server. A vulnerability in a function specifying an XML tag that could allow an attacker to run script on the user’s computer with higher privilege. For example, a script might be able to run in the Intranet Zone instead of the Internet Zone. 
No 
MS02-029 
Unchecked Buffer in Remote Access Service Phonebook Could Lead to Code Execution (Q318138)  A flaw exists in the RAS phonebook implementation: a phonebook value is not properly checked, and is susceptible to a buffer overrun. The overrun could be exploited for either of two purposes: causing a system failure, or running code on the system with LocalSystem privileges. If an attacker were able to log onto an affected server and modify a phonebook entry using specially malformed data, then made a connection using the modified phonebook entry, the specially malformed data could be run as code by the system. 
Partially Detectable 
MS02-028 
Heap Overrun in HTR Chunked Encoding Could Enable Web Server Compromise (Q321599)  The vulnerability is similar to the first vulnerability discussed in Microsoft Security Bulletin MS02-018. Like that vulnerability, this one involves a buffer overrun in the Chunked Encoding data transfer mechanism in IIS 4.0 and 5.0, and could likewise be used to overrun heap memory on the system, with the result of either causing the IIS service to fail or allowing code to be run on the server. The chief difference between the vulnerabilities is that the newly discovered one lies in the ISAPI extension that implements HTR - an older, largely obsolete scripting technology - where the previous one lay in the ISAPI extension that implements ASP.  
Yes 
MS02-027 
Unchecked Buffer in Gopher Protocol Handler Can Run Code of Attacker's Choice (Q323889)  This is a work-around bulletin that details steps customers can take to protect themselves against a publicly disclosed vulnerability until patches are available. There is an unchecked buffer in a piece of code which handles the response from Gopher servers. This code is used independently in IE, ISA, and Proxy Server. A security vulnerability results because it is possible for an attacker to attempt to exploit this flaw by mounting a buffer overrun attack through a specially crafted server response. The attacker could seek to exploit the vulnerability by crafting a web page that contacted a server under the attacker's control. The attacker could then either post this page on a web site or send it as an HTML email. When the page was displayed and the server's response received and processed, the attack would be carried out. A successful attack requires that the attacker be able to send information to the intended target using the Gopher protocol. Anything which inhibited Gopher connectivity could protect against attempts to exploit this vulnerability. In the case of IE, the code would be run in the user's context. As a result, any limitations on the user would apply to the attacker's code as well. 
Partially Detectable 
MS02-026 
Unchecked Buffer in ASP.NET Worker Process (Q322289)  Web-based applications, including those built using ASP.NET, rely on HTTP to provide connectivity. One characteristic of HTTP as a protocol is that it is stateless, meaning that each page request from a user to a site is reckoned an independent request. To compensate for this, ASP.NET provides for session state management through a variety of modes. One of these modes is StateServer mode. This mode stores session state information in a separate, running process. That process can run on the same machine or a different machine from the ASP.NET application. There is an unchecked buffer in one of the routines that handles the processing of cookies in StateServer mode. A security vulnerability results because it is possible for an attacker to seek to exploit it by mounting a buffer overrun attack. A successful attack could cause the ASP.NET application to restart. As a result, all current users of the web-based application would see their current session restart and their current session information would be lost. The StateServer mode is not the default mode for session state management in ASP.NET. ASP.NET applications using StateServer mode that do not use cookies are not vulnerable. 
No 
MS02-025 
Malformed Mail Attribute Can Cause Exchange 2000 to Exhaust CPU Resources (Q320436)  There is a flaw in the way Exchange 2000 handles certain malformed RFC message attributes on received mail. Upon receiving a message containing such a malformation, the flaw causes the Store service to consume 100% of the available CPU in processing the message. A security vulnerability results because it is possible for an attacker to seek to exploit this flaw and mount a denial of service attack. An attacker could attempt to levy an attack by connecting directly to the Exchange server and passing a raw, hand-crafted mail message with a specially malformed attribute. When the message was received and processed by the Store service, the CPU would spike to 100%. The effects of the attack would last as long as it took for the Exchange Store service to process the message. Neither restarting the service nor rebooting the server would remedy the denial of service. 
Yes 
MS02-024 
Authentication Flaw in Windows Debugger Can Lead to Elevated Privileges (Q320206)  There is a flaw in the authentication mechanism for the debugging facility such that an unauthorized program can gain access to the debugger. A vulnerability results because an attacker can use this to cause a running program to run a program of her choice. Because many programs run as the operating system, this means that an attacker can exploit this vulnerability to run code as the operating system itself. She could take any action on the system including deleting data, adding accounts with administrative access, or reconfiguring the system. A successful attack requires the ability to logon interactively to the system, either at the console or through a terminal session. 
Yes 
MS02-023 
15 May 2002 Cumulative Patch for Internet Explorer (Q321232)  This is a cumulative patch that includes the functionality of all previously released patches for IE 5.01, 5.5 and 6.0. In addition, it eliminates six newly discovered vulnerabilities. 
Yes 
MS02-022 
Unchecked Buffer in MSN Chat Control Can Lead to Code Execution (Q321661)  An unchecked buffer exists in one of the functions that handles input parameters in the MSN Chat control. A security vulnerability results because it is possible for a malicious user to levy a buffer overrun attack and attempt to exploit this flaw. A successful attack could allow code to run in the user's context.  
No 
MS02-021 
E-mail Editor Flaw Could Lead to Script Execution on Reply or Forward (Q321804)  Outlook 2000 and 2002 provide the option to use Microsoft Word as the e-mail editor when creating and editing e-mail in either Rich-Text or HTML format. A security vulnerability exists when Outlook is configured this way and the user forwards or replies to a mail from an attacker. The vulnerability results from a difference in the security settings that are applied when displaying a mail versus editing one. When Outlook displays an HTML e-mail, it applies Internet Explorer security zone settings that disallow scripts from being run. However, if the user replies to or forwards a mail message and has selected Word as the e-mail editor, Outlook opens the mail and puts the Word editor into a mode for creating e-mail messages. Scripts are not blocked in this mode. An attacker could exploit this vulnerability by sending a specially malformed HTML e-mail containing a script to an Outlook user who has Word enabled as the e-mail editor. If the user replied to or forwarded the e-mail, the script would then run, and be capable of taking any action the user could take. 
No 
MS02-020 
SQL Extended Procedure Functions Contain Unchecked Buffers (Q319507)  Several of the Microsoft provided extended stored procedures have an unchecked buffer flaw. Exploiting the flaw could enable an attacker to either cause the SQL Server service to fail, or to cause code to run in the security context of the SQL Server. SQL Server can be configured to run in various security contexts, and by default runs as a domain user. The precise privileges the attacker could gain would depend on the specific security context that the service runs in.  
Partially Detectable 
MS02-019 
Unchecked Buffer in Internet Explorer and Office for Mac Can Cause Code to Execute (Q321309)  This is a cumulative patch that, when applied, eliminates all previously discussed security vulnerabilities affecting IE 5.1 for Macintosh, and Office v. X for Macintosh. In addition, it eliminates two newly discovered vulnerabilities.  
No 
MS02-018 
Cumulative Patch for Internet Information Service (Q319733)  This patch is a cumulative patch that includes the functionality of all security patches released for IIS 4.0 since Windows NT 4.0 Service Pack 6a, and all security patches released to date for IIS 5.0 and 5.1. Before applying the patch, system administrators should take note of the caveats discussed in the bulletin. In addition to including all previously released security patches, this patch also includes fixes for ten newly discovered security vulnerabilities affecting IIS 4.0, 5.0 or 5.1. 
Partially Detectable 
MS02-017 
Unchecked Buffer in the Multiple UNC Provider Could Enable Code Execution (Q311967)  When MUP requests a file using the uniform naming convention (UNC), it will allocate a buffer to store this request. There is proper input checking in this first buffer. However, MUP stores another copy of the file request in a buffer when it sends this request to a redirector. This second copy of the buffer does not check inputs correctly, thereby creating the possibility that a resource request to it from an unprivileged process could cause a buffer overrun. The overrun could be exploited for either of two purposes: causing a system failure, or running code on the system with Local System privileges. 
Yes 
MS02-016 
Opening Group Policy Files for Exclusive Read Blocks Policy Application (Q318593)  Group Policy in Windows 2000 is implemented by storing data in the Active Directory and the system volume on the domain controller. This storage location is called the Group Policy Object (GPO). When a machine or user logs onto the domain, it reads the GPO and applies the settings it contains. Most of these settings are also refreshed by default every 90 minutes. However, like most operating systems, Windows 2000 provides several types of read access, including exclusive-read, and this could enable an attacker to lock the Group Policy files, thereby allowing a user to prevent Group Policy from being applied for all users affected by the GPO.  
Yes 
MS02-015 
28 March 2002 Cumulative Patch for Internet Explorer  This is a cumulative patch that includes the functionality of all previously released patches for IE 5.01, 5.5 and IE 6. In addition, it eliminates the following two newly discovered vulnerabilities: A vulnerability in the zone determination function that could allow a script embedded in a cookie to be run in the Local Computer zone. While HTML scripts can be stored in cookies, they should be handled in the same zone as the hosting site associated with them, in most cases the Internet zone. An attacker could place script in a cookie that would be saved to the user’s hard disk. When the cookie was opened by the site the script would then run in the Local Computer zone, allowing it to run with fewer restrictions than it would otherwise have. A vulnerability in the handling of object tags that could allow an attacker to invoke an executable already present on the user’s machine. A malicious user could create HTML web page that includes this object tag and cause a local program to run on the victim’s machine.  
Yes 
MS02-014 
Unchecked Buffer in Windows Shell Could Lead to Code Execution  An unchecked buffer exists in one of the functions that helps to locate incompletely removed applications on the system. A security vulnerability results because it is possible for a malicious user to mount a buffer overrun attack and attempt to exploit this flaw.  
Partially Detectable 
MS02-013 
04 March 2002 Cumulative VM Update  The Microsoft VM is a virtual machine for the Win32 operating environment. The Microsoft VM is available for Windows 95, Windows 98, ME, Windows NT 4.0, Windows 2000, and Windows XP. It is also available as part of Internet Explorer 6 and earlier. A new build of the VM (build 3805) is available, which eliminates two security vulnerabilities. The first vulnerability is the result of a flaw affecting how Java requests for proxy resources are handled. A malicious Java applet could exploit this flaw to re-direct web traffic once it has left the proxy server to a destination of the attacker’s choice. 
No 
MS02-012 
Malformed Data Transfer Request Can Cause Windows SMTP Service to Fail  The flaw involves how the service handles a particular type of SMTP command used to transfer the data that constitutes an incoming mail. By sending a malformed version of this command, an attacker could cause the SMTP service to fail. This would have the effect of disrupting mail services on the affected system, but would not cause the operating system itself to fail. 
Yes 
MS02-011 
Authentication Flaw Could Allow Unauthorized Users To Authenticate To SMTP Service  A vulnerability results because of a flaw in the NTLM authentication layer used by the SMTP service in Windows 2000 and Exchange Server 5.5. The SMTP service treats the authentication as successful without the NTLM credentials actually having been validated, and then allows the malicious user to relay mail through it. An attacker who exploited the vulnerability could gain only user-level privileges on the SMTP service, thereby enabling the attacker to use the service but not to administer it. The most likely purpose in exploiting the vulnerability would be to perform mail relaying via the server.  
Yes 
MS02-010 
Unchecked Buffer in ISAPI Filter Could Allow Commerce Server Compromise  A security vulnerability results because AuthFilter contains an unchecked buffer in a section of code that handles certain types of authentication requests. An attacker who provided authentication data that overran the buffer could cause the Commerce Server process to fail, or could run code in the security context of the Commerce Server process. The process runs with LocalSystem privileges, so exploiting the vulnerability would give the attacker complete control of the server. 
Yes 
MS02-009 
Incorrect VBScript Handling in IE Can Allow Web Pages to Read Local Files  Frames are used in Internet Explorer to provide for a fuller browsing experience. By design, scripts in the frame of one site or domain should be prohibited from accessing the content of frames in another site or domain. However, a flaw exists in how VBScript is handled in IE relating to validating cross-domain access. This flaw can allow scripts of one domain to access the contents of another domain in a frame.  
Yes 
MS02-008 
XMLHTTP Control Can Allow Access to Local Files  A flaw exists in how the XMLHTTP control applies IE security zone settings to a redirected data stream returned in response to a request for data from a web site. A vulnerability results because an attacker could seek to exploit this flaw and specify a data source that is on the user’s local system. The attacker could then use this to return information from the local system to the attacker’s web site.  
Yes 
MS02-007 
SQL Server Remote Data Source Function Contain Unchecked Buffers  An unchecked buffer exists in the handling of OLE DB provider names in ad hoc connections. A buffer overrun could occur as a result and could be used to either cause the SQL Server service to fail, or to cause code to run in the security context of the SQL Server. SQL Server can be configured to run in various security contexts, and by default runs as a domain user. The precise privileges the attacker could gain would depend on the specific security context that the service runs in.  
No 
MS02-006 
Unchecked Buffer in SNMP Service Could Enable Arbitrary Code to be Run  Simple Network Management Protocol (SNMP) is an Internet standard protocol for managing disparate network devices such as firewalls, computers, and routers. All versions of Windows except Windows ME provide an SNMP implementation, which is neither installed nor running by default in any version. A buffer overrun is present in all implementations. By sending a specially malformed management request to a system running an affected version of the SNMP service, an attacker could cause code to run on the system in LocalSystem context. This could give the attacker the ability to take any desired action on the system. 
Partially Detectable 
MS02-005 
11 February 2002 Cumulative Patch for Internet Explorer  This is a cumulative patch that, when installed, eliminates all previously discussed security vulnerabilities affecting IE 5.01, 5.5 and IE 6. In addition, it eliminates the six newly discovered vulnerabilities. 
Yes 
MS02-004 
Unchecked Buffer in Telnet Server Could Lead to Arbitrary Code Execution  The Telnet protocol provides remote shell capabilities. Microsoft has implemented the Telnet protocol by providing a Telnet Server in several products. The implementations in two of these products – Windows 2000 and Interix 2.2 – contain unchecked buffers in the code that handles the processing of telnet protocol options. An attacker could use this vulnerability to perform a buffer overflow attack. A successful attack could cause the Telnet Server to fail, or in some cases, could possibly allow an attacker to execute code of her choice on the system. Such code would execute using the security context of the Telnet service, but this context varies from product to product. In Windows 2000, the Telnet service always runs as System; in the Interix implementation, the administrator selects the security context in which to run as part of the installation process.  
Yes 
MS02-003 
Exchange 2000 System Attendant Incorrectly Sets Remote Registry Permissions  The Microsoft Exchange System Attendant is one of the core services in Microsoft Exchange. It performs a variety of functions related to the on-going maintenance of the Exchange system. To allow remote administration of an Exchange Server using the Exchange System Manager Microsoft Management Console (MMC) snap-in, the System Attendant makes changes to the permissions on the Windows Registry to allow Exchange Administrators to remotely update configuration settings stored in the Registry. There is a flaw in how the System Attendant makes these Registry configuration changes. This flaw could allow an unprivileged user to remotely access configuration information on the server. Specifically, this flaw inappropriately gives the "Everyone" group privileges to the WinReg key. This key controls the ability of users and groups to remotely connect to the Registry. By default, only Administrators are given the ability to remotely connect to the Registry, by granting permissions on this key. The flaw does not grant any abilities beyond the ability to connect remotely. However, an attacker’s ability to make changes to the Registry once they have successfully connected would be dictated by the permissions on the specific keys within the Registry itself. Thus, while this vulnerability does not itself give an attacker the ability to change Registry settings, it could be used in conjunction with inappropriately permissive registry settings to gain access to, and make changes to, a system's Registry. 
Yes 
MS02-002 
Malformed Network Request Can Cause Office v. X for Mac to Fail  Office v. X contains a network-aware anti-piracy mechanism that detects multiple copies of Office using the same product identifier (PID) running on the local network. This feature, called the Network Product Identification (PID) Checker, announces Office's own unique product ID and listens for other announcements at regular intervals. If a duplicate PID is detected, Office shuts down. A security vulnerability results because of a flaw in the Network PID Checker. Specifically, the Network PID Checker doesn't correctly handle a particular type of malformed announcement; receiving one causes the Network PID Checker to fail. When the Network PID Checker fails like this, the Office v. X application will fail as well. If more than one Office v. X application was running when the packet was received, the first application launched during the session would fail. An attacker could use this vulnerability to cause other users' Office applications to fail, with the loss of any unsaved data. An attacker could craft and send this packet to a victim's machine directly, by using the machine's IP address. Or, he could send this same directive to a broadcast and multicast domain and attack all affected machines. 
No 
MS02-001 
Trusting Domains Do Not Verify Domain Membership of SIDs in Authorization Data  Trust relationships are created between Windows NT or Windows 2000 domains to allow users in one domain to access resources in other domains without requiring them to authenticate separately to each domain. When a user in a trusted domain requests access to a resource in a trusting domain, the trusted domain supplies authorization data in the form of a list of Security Identifiers (SIDs) that indicate the user's identity and group memberships. The trusting domain uses this data to determine whether to grant the user's request. A vulnerability exists because the trusting domain does not verify that the trusted domain is actually authoritative for all the SIDs in the authorization data. If one of the SIDs in the list identified a user or security group that is not in the trusted domain, the trusting domain would accept the information and use it for subsequent access control decisions. If an attacker inserted SIDs of his choice into the authorization data at the trusted domain, he could elevate his privileges to those associated with any desired user or group, including the Domain Administrators group for the trusting domain. This would enable the attacker to gain full Domain Administrator access on computers in the trusting domain. 
Yes 
MS01-060 
SQL Server Text Formatting Functions Contain Unchecked Buffers  SQL Server 7.0 and 2000 provide a number of functions that enable database queries to generate text messages. In some cases, the functions create a text message and store it in a variable; in others, the functions directly display the message. Two vulnerabilities associated with these functions have been discovered.  
Partially Detectable 
MS01-059 
Unchecked Buffer in Universal Plug and Play Can Lead to System Compromise  The Universal Plug and Play (UPnP) service allows computers to discover and use network-based devices. Windows ME and XP include native UPnP services; Windows 98 and 98SE do not include a native UPnP service, but one can be installed via the Internet Connection Sharing client that ships with Windows XP. This bulletin discusses two vulnerabilities affecting these UPnP implementations. Although the vulnerabilities are unrelated, both involve how UPnP-capable computers handle the discovery of new devices on the network. The first vulnerability is a buffer overrun vulnerability. There is an unchecked buffer in one of the components that handle NOTIFY directives, the messages that advertise the availability of UPnP-capable devices on the network. By sending a specially malformed NOTIFY directive, it would be possible for an attacker to cause code to run in the context of the UPnP service, which runs with System privileges on Windows XP. (On Windows 98 and Windows ME, all code executes as part of the operating system.) This would enable the attacker to gain complete control over the system. The second vulnerability results because the UPnP service doesn't sufficiently limit the steps it will take to obtain information on using a newly discovered device. Within the NOTIFY directive that a new UPnP device sends is information telling interested computers where to obtain its device description, which lists the services the device offers and instructions for using them. By design, the device description may reside on a third-party server rather than on the device itself. However, the UPnP implementations don't adequately regulate how they perform this operation, and this gives rise to two different denial of service scenarios. In the first scenario, the attacker could send a NOTIFY directive to a UPnP-capable computer, specifying that the device description should be downloaded from a particular port on a particular server. If the server was configured to simply echo the download requests back to the UPnP service (e.g., by having the echo service running on the port that the computer was directed to), the computer could be made to enter an endless download cycle that could consume some or all of the system's availability. An attacker could craft and send this directive to a victim's machine directly, by using the machine's IP address. Or, he could send this same directive to a broadcast and multicast domain and attack all affected machines within earshot, consuming some or all of those systems' availability. In the second scenario, an attacker could specify a third-party server as the host for the device description in the NOTIFY directive. If enough machines responded to the directive, it could have the effect of flooding the third-party server with bogus requests, in a distributed denial of service attack. As with the first scenario, an attacker could either send the directives to the victim directly, or to a broadcast or multicast domain. 
Partially Detectable 
MS01-058 
13 December 2001 Cumulative Patch for IE  This is a cumulative patch that, when installed, eliminates all previously discussed security vulnerabilities affecting IE 5.5 and IE 6. In addition, it eliminates three newly discovered vulnerabilities. The first vulnerability involves a flaw in the handling of the Content-Disposition and Content-Type header fields in an HTML stream. These fields, the hosting URL, and the hosted file data determine how a file is handled upon download in Internet Explorer. A security vulnerability exists because, if an attacker altered the HTML header information in a certain way, it could be possible to make IE believe that an executable file was actually a different type of file, one that it is appropriate to simply open without asking the user for confirmation. This could enable the attacker to create a web page or HTML mail that, when opened, would automatically run an executable on the user's system. This vulnerability does not affect IE 5.5. The second vulnerability is a newly discovered variant of the "Frame Domain Verification" vulnerability discussed in Microsoft Security Bulletins MS00-033, MS00-055, MS00-093, and MS01-015. The vulnerability could enable a malicious web site operator to open two browser windows, one in the web site's domain and the other on the user's local file system, and to pass information from the latter to the former. This could enable the web site operator to read, but not change, any file on the user's local computer that could be opened in a browser window. This vulnerability affects both IE 5.5 and 6.0. The third vulnerability involves a flaw related to the display of file names in the File Download dialogue box. When a file download is initiated, a dialogue provides the name of the file. However, in some cases, it would be possible for an attacker to misrepresent the name of the file in the dialogue. This could be invoked from a web page or in an HTML email in an attempt to fool users into opening unsafe attachments from a trusted source. This vulnerability affects both IE 5.5 and 6.0. 
Yes 
MS01-057 
Specially Formed Script in HTML Mail Can Execute in Exchange 5.5 OWA  Outlook Web Access (OWA) is a service of Exchange 5.5 Server that allows users to access and manipulate messages in their Exchange mailbox by using a web browser. A flaw exists in the way OWA handles inline script in messages in conjunction with Internet Explorer (IE). If an HTML message that contains specially formatted script is opened in OWA, the script executes when the message is opened. Because OWA requires that scripting be enabled in the zone where the OWA server is located, a vulnerability results because this script could take any action against the user's Exchange mailbox that the user himself was capable of, including sending, moving, or deleting messages. An attacker could maliciously exploit this flaw by sending a specially crafted message to the user. If the user opened the message in OWA, the script would then execute. While it is possible for a script to send a message as the user, it is impossible for the script to send a message to addresses in the user's address book. Thus, the flaw cannot be exploited for mass-mailing attacks. Also, mounting a successful attack requires knowledge of the intended victim's choice of mail clients and reading habits. If the maliciously crafted message were read in any mail client other than a browser through OWA, the attack would fail.  
Yes 
MS01-056 
Windows Media Player .ASF Processor Contains Unchecked Buffer  One of the streaming media formats supported by Windows Media Player is Advanced Streaming Format (ASF). A security vulnerability occurs in Windows Media Player 6.4 because the code that processes ASF files contains an unchecked buffer. By creating a specially malformed ASF file and inducing a user to play it, an attacker could overrun the buffer, with either of two results: in the simplest case, Windows Media Player 6.4 would fail; in the more complex case, code chosen by the attacker could be made to run on the user’s computer, with the privileges of the user. The scope of this vulnerability is rather limited. It affects only Windows Media Player 6.4, and can only be exploited by the user opening and deliberately playing an ASF file. There is no capability to exploit this vulnerability via email or a web page. 
Yes 
MS01-055 
13 November 2001 Cumulative Patch for IE  This update resolves the "Cookie Data in IE Can Be Exposed or Altered Through Script Injection" security vulnerability in Internet Explorer 6.0, and is discussed in Microsoft Security Bulletin MS01-055. Download now to prevent a malicious user from reading the contents of cookies on your machine, which might contain personal information, or even altering the contents of the cookies on your machine, by hosting a Web page with a maliciously crafted URL. This URL can be hosted on a Web page or contained in an HTML e-mail. 
Yes 
MS01-054 
Invalid Universal Plug and Play Request Can Disrupt System Operation  The Universal Plug and Play (UPnP) service allows computers to discover and use network-based devices. Windows ME and XP include native UPnP services; Windows 98 and 98SE do not include a native UPnP service, but one can be installed via the Internet Connection Sharing client that ships with Windows XP. A vulnerability results because the UPnP service does not correctly handle certain types of invalid UPnP requests. On Windows 98, 98SE, and ME systems, receiving such a request could cause a variety of effects ranging from slow performance to system failure. On Windows XP, the effect is less serious as the flaw consists of a memory leak. Each time a Windows XP system received such a request, a small amount of system memory would become unavailable; if repeated many times, it could deplete system resources to the point where performance slowed or stopped altogether. 
Partially Detectable 
MS01-053 
Downloaded Applications Can Execute on Mac IE 5.1 for OS X  The Macintosh OS X Operating System provides built-in support for both BinHex and MacBinary file types. These file types allow for the efficient transfer of information across networks by allowing information to be compressed by the sender and then decompressed by the recipient. This capability is particularly useful on the Internet, by allowing users to download compressed files. A vulnerability results because of a flaw in the way Mac OS X and Mac IE 5.1 interoperate when BinHex and MacBinary file types are downloaded. As a result, an application that is downloaded in either of these formats can execute automatically once the download is complete.  
No 
MS01-052 
Invalid RDP Data Can Cause Terminal Service Failure  The implementation of the Remote Data Protocol (RDP) in the terminal service in Windows NT 4.0 and Windows 2000 does not correctly handle a particular series of data packets. If such a series of packets were received by an affected server, it would cause the server to fail. The server could be put back into normal service by rebooting it, but any work in progress at the time of the attack would be lost. It would not be necessary for an attacker to be able to start a session with an affected server in order to exploit this vulnerability; the only prerequisite would be the ability to send the correct series of packets to the RDP port on the server. 
Yes 
MS01-051 
Malformed Dotless IP Address Can Cause Web Page to be Handled in Intranet Zone  This patch eliminates three vulnerabilities affecting Internet Explorer. The first involves how IE handles URLs that include dotless IP addresses. If a web site were specified using a dotless IP format (e.g., http://031713501415 rather than http://207.46.131.13), and the request were malformed in a particular way, IE would not recognize that the site was an Internet site. Instead, it would treat the site as an intranet site, and open pages on the site in the Intranet Zone rather than the correct zone. This would allow the site to run with fewer security restrictions than appropriate. This vulnerability does not affect IE 6. The second involves how IE handles URLs that specify third-party sites. By encoding a URL in a particular way, it would be possible for an attacker to include HTTP requests that would be sent to the site as soon as a connection had been established. These requests would appear to have originated from the user. In most cases, this would only allow the attacker to send the user to a site and request a page on it. However, if exploited against a web-based service (e.g., a web-based mail service), it could be possible for the attacker to take action on the user's behalf, including sending a request to delete data. The third is a new variant of a vulnerability discussed in Microsoft Security Bulletin MS01-015, affecting how Telnet sessions are invoked via IE. By design, telnet sessions can be launched via IE. However, a vulnerability exists because when doing so, IE will start Telnet using any command-line options the web site specifies. This only becomes a concern when using the version of the Telnet client that installs as part of Services for Unix (SFU) 2.0 on Windows NT 4.0 or Windows 2000 machines. The version of the Telnet client in SFU 2.0 provides an option for creating a verbatim transcript of a Telnet session. An attacker could start a session using the logging option, then stream an executable file onto the user's system in a location that would cause it to be executed automatically the next time the user booted the machine. The flaw does not lie in the Telnet client, but in IE, which should not allow Telnet to be started remotely with command-line arguments.  
Yes 
MS01-050 
Malformed Excel or PowerPoint Document Can Bypass Macro Security  Excel and PowerPoint have a macro security framework that controls the execution of macros and prevents macros from running automatically. Under this framework, any time a user opens a document the document is scanned for the presence of macros. If a document contains macros, the user is notified and asked if he wants to run the macros or the macros are disabled entirely, depending on the security setting. A flaw exists in the way macros are detected that can allow a malicious user to bypass macro checking. A malicious attacker could attempt to exploit this vulnerability by crafting a specially formed Excel or PowerPoint document with macro code that would run automatically when the user opened it. The attacker could carry out this attack by hosting the malicious file on a web site, a file share, or by sending it through email.  
No 
MS01-049 
Deeply-nested OWA Request Can Consume Server CPU Availability  A security vulnerability exists in Exchange 2000 Outlook Web Access, because it will accept and process a request for an item in an authenticated user’s mailbox without verifying first that the folder structure is valid. An attacker could mount a denial of service attack by repeatedly levying a request for a non-existent but deeply nested folder in his own mailbox.  
Yes 
MS01-048 
Malformed Request to RPC Endpoint Mapper Can Cause RPC Service to Fail  The RPC endpoint mapper allows RPC clients to determine the port number currently assigned to a particular RPC service. The Windows NT 4.0 endpoint mapper contains a flaw that causes it to fail upon receipt of a request that contains a particular type of malformed data. Because the endpoint mapper runs within the RPC service itself, exploiting this vulnerability would cause the RPC service itself to fail, with the attendant loss of any RPC-based services the server offers, as well as potential loss of some COM functions. Normal service could be restored by rebooting the server. 
Partially Detectable 
MS01-047 
OWA Function Allows Unauthenticated User to Enumerate Global Address List  Among the functions Outlook Web Access (OWA) in Exchange 5.5 offers is the ability to search the global address list (GAL). By design, this is an authenticated function, implemented as a two-tier architecture - a front tier that provides a user interface and a back-end tier that actually performs the search. However, only the front tier actually checks authentication. An attacker who sent a properly formatted request to the back-end function that actually performs the search could enumerate the GAL without authenticating.  
No 
MS01-046 
Access Violation in Windows 2000 IRDA Driver Can Cause System to Restart  Microsoft Windows 2000 provides support for infrared-based connectivity. This support is provided through protocols developed by the Infrared Data Association (IRDA), which is why such devices are often called IRDA devices. These devices can be used to share files and printers with other IRDA-capable systems. The software which handles IRDA devices in Windows 2000 contains an unchecked buffer in the code which handles certain IRDA packets. A security vulnerability results because it is possible for a malicious user to send a specially crafted IRDA packet to the victim's system. This could enable the attacker to conduct a buffer overflow attack and cause an access violation on the system, forcing a reboot. To the best of our knowledge, it cannot be used to run malicious code on the user's system.  
No 
MS01-045 
ISA Server H.323 Gatekeeper Service Contains Memory Leak  This update fixes a potential memory leak in the H323 ASN DLL, which is used by the Winsock Proxy service and the Gatekeeper service. Also included is a fix to prevent scripting in the error return pages. The problem is caused because the ISA server returns the complete original URL to the browser in the error message along with the description of the reason why it could not be accessed. If the request URL contains a script, the browser executes the script on receipt.  
No 
MS01-044 
15 August 2001 Cumulative Patch for IIS  Microsoft has released a cumulative patch for IIS 4.0 and 5.0. In addition to eliminating virtually all previously identified security vulnerabilities in IIS, it also eliminates several newly discovered ones. These include three denial of service vulnerabilities, one of which is exploited by the Code Red worm, and two vulnerabilities that could enable an attacker with the ability to load low-privilege code on the server to gain higher privileges. 
Yes 
MS01-043 
NNTP Service in Windows NT 4.0 and Windows 2000 Contains Memory Leak  The NNTP (Network News Transport Protocol) service in Windows NT 4.0 and Windows 2000 contains a memory leak in a routine that processes news postings. Each time such a posting is processed that contains a particular construction, the memory leak causes a small amount of memory to no longer be available for use. If an attacker sent a large number of posts, the server memory could be depleted to the point at which normal service would be disrupted. An affected server could be restored to normal service by rebooting.  
Partially Detectable 
MS01-042 
Windows Media Player .NSC Processor Contains Unchecked Buffer  Windows Media Player provides support for audio and video streaming. Streaming media channels can be configured by using Windows Media Station (.NSC) files. An unchecked buffer exists in the functionality used to process Windows Media Station files. This unchecked buffer could potentially allow an attacker to run code of his choice on the machine of another user. The attacker could either send a specially malformed file to another user and entice her to run or preview it, or he could host such a file on a web site and cause it to launch automatically whenever a user visited the site. The code could take any action on the machine that the legitimate user himself could take. 
Yes 
MS01-041 
Malformed RPC Request Can Cause Service Failure  Several of the RPC servers associated with system services in Microsoft Exchange, SQL Server, Windows NT 4.0 and Windows 2000 do not adequately validate inputs, and in some cases will accept invalid inputs that prevent normal processing. The specific input values at issue here vary from RPC server to RPC server. An attacker who sent such inputs to an affected RPC server could disrupt its service. The precise type of disruption would depend on the specific service, but could range in effect from minor (e.g., the service temporarily hanging) to major (e.g., the service failing in a way that would require the entire system to be restarted).  
Partially Detectable 
MS01-040 
Invalid RDP Data Can Cause Memory Leak in Terminal Services  The Windows 2000 Terminal Service and Windows NT 4.0 Terminal Server Edition contain a memory leak in one of the functions that processes incoming Remote Data Protocol data via port 3389. Each time an RDP packet containing a specific type of malformation is processed, the memory leak depletes overall server memory by a small amount. If an attacker sent a sufficiently large quantity of such data to an affected machine, he could deplete the machine's memory to the point where response time would be slowed or the machine's ability to respond would be stopped altogether. All system services would be affected, including but not limited to terminal services. Normal operation could be restored by rebooting the machine.  
Yes 
MS01-039 
Services for Unix 2.0 Telnet and NFS Services Contain Memory Leaks  Among the components provided by Services for Unix (SFU) 2.0 are services that implement the NFS (Network File System) and Telnet protocols. Both services contain memory leaks that could be triggered by a user request. An attacker who repeatedly sent such a request could deplete the kernel memory on the server to the point where performance slowed and the system could potentially fail.  
Yes 
MS01-038 
Outlook View Control Exposes Unsafe Functionality  The Microsoft Outlook View Control is an ActiveX control that allows Outlook mail folders to be viewed via web pages. The control should only allow passive operations such as viewing mail or calendar data. In reality, though, it exposes a function that could allow the web page to manipulate Outlook data. This could enable an attacker to delete mail, change calendar information, or take virtually any other action through Outlook including running arbitrary code on the user's machine.  
No 
MS01-037 
Authentication Error in SMTP Service Could Allow Mail Relaying  This update addresses the "Windows 2000 SMTP Mail Relaying" security vulnerability in the Windows 2000 Simple Mail Transfer Protocol (SMTP) service and is discussed in Microsoft Security Bulletin MS01-037. Download now to prevent malicious users from relaying e-mail messages from your computer. 
Yes 
MS01-036 
Function Exposed via LDAP over SSL Could Enable Passwords to be Changed  This patch eliminates a vulnerability affecting Windows 2000 servers that provide LDAP services over SSL. A function that allows a user to change data attributes of directory principals doesn't correctly check the credentials of the requester, in the specific case where the directory principal is a user and the data attribute is the password. This could enable an attacker to change another user's logon password without proper authorization.  
Yes 
MS01-035 
FrontPage Server Extension Sub-Component Contains Unchecked Buffer  Microsoft has released a patch that eliminates a security vulnerability in Visual Studio RAD (Remote Application Deployment) Support, an optional sub-component of FrontPage Server Extensions. This sub-component contains an unchecked buffer in a section that processes input information. By establishing a web session with the server and passing a specially malformed packet to the server component, an attacker could cause code of his choice to run on the server.  
No 
MS01-034 
Malformed Word Document Could Enable Macro to Run Automatically  This update prevents Word from running macros without warning when the user has opened a document that has been maliciously modified. Once you have installed this update, you will still be able to use templates, macros in templates, or RTF documents with macros. This issue is addressed in the Microsoft Security Bulletin MS01-034: Malformed Word Document Could Enable Macro to Run Automatically. 
No 
MS01-033 
Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise  This update resolves the "Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise" security vulnerability in Windows NT 4.0 and Windows 2000 computers running Indexing Services 2.0 and IIS 5.0, and is discussed in Microsoft Security Bulletin MS01-033. Download now to prevent a malicious user from taking control of your Web server.  
Partially Detectable 
MS01-032 
SQL Query Method Enables Cached Administrator Connection to be Reused  One SQL query method contains a flaw that has the effect of making it possible for one user's query to reuse a cached connection that belonged to the sa account.  
Partially Detectable 
MS01-031 
Predictable Named Pipes Could Enable Privilege Elevation via Telnet  This update addresses the "Predictable Named Pipes Could Enable Privilege Elevation via Telnet" security vulnerability in the Windows 2000 Telnet service that is discussed in Microsoft Security Bulletin MS01-031. Download now to prevent a malicious user from launching programs on your computer, gaining access to your network, or initiating a denial of service attack against your computer. 
Yes 
MS01-030 
Incorrect Attachment Handling in Exchange OWA Can Execute Script   
Partially Detectable 
MS01-029 
Windows Media Player .ASX Processor Contains Unchecked Buffer  This update addresses two security vulnerabilities that are related to each other only by the fact that they both affect Windows Media Player. The two vulnerabilities are a buffer overrun in the functionality used to process Active Stream Redirector (.ASX) files, and a vulnerability affecting how Windows Media Player handles Internet shortcuts. In addition, this update addresses a potential privacy vulnerability that was recently identified. 
Yes 
MS01-028 
RTF Document Linked to Template Can Run Macros Without Warning  The Word 2000 Security Update: Macro Vulnerability prevents macros from opening without a security warning. After you have installed the update, you will be warned before you open an RTF document that contains a template or macro. After you have installed the update, you will still be able to use templates, macros in templates, or Rich Text Format (RTF) documents with macros. 
No 
MS01-027 
Flaws in Web Server Certificate Validation Could Enable Spoofing  This update resolves several security vulnerabilities in Internet Explorer, and is discussed in Microsoft Security Bulletins MS01-027, MS01-020, and MS01-015. Download now to eliminate multiple certificate validation vulnerabilities and to prevent malicious Web site operators from making it appear that the content from his or her Web site actually originated from another site, even a trusted or secure Web site.  
Yes 
MS01-026 
14 May 2001 Cumulative Patch for IIS  This cumulative update includes all the updates that have been released for Internet Information Service (IIS) 5.0, including three new updates, and is discussed in Microsoft Security Bulletin MS01-026. Download now to update IIS 5.0 with the latest security fixes. 
Yes 
MS01-025 
Index Server Search Function Contains Unchecked Buffer  This update addresses the "Malformed Hit-Highlighting" security vulnerability in Windows 2000 computers running Indexing Service, and is discussed in Microsoft Security Bulletin MS01-025. Download now to prevent a malicious user from reading files on your Web server. 
Partially Detectable 
MS01-024 
Malformed Request to Domain Controller Can Cause Memory Exhaustion  This update resolves the "Malformed Domain Controller Service Request" security vulnerability in Windows 2000, and is discussed in Microsoft Security Bulletin MS01-024. Download now to prevent a malicious user from temporarily disrupting service on your domain controller. 
Yes 
MS01-023 
Unchecked Buffer in ISAPI Extension Could Enable Compromise of IIS 5.0 Server  This update resolves the "Unchecked Buffer in ISAPI Extension Could Enable Compromise of IIS 5.0 Server" security vulnerability in Windows 2000 and is discussed in Microsoft Security Bulletin MS01-023. Download now to prevent a malicious user from taking control of your Web server.  
Yes 
MS01-022 
WebDAV Service Provider Can Allow Scripts to Levy Requests as User  The Microsoft Data Access Component Internet Publishing Provider provides access to WebDAV resources over the Internet. By design, it should differentiate between requests made by a user and those made by script running in the user's browser. However, because of an implementation flaw, it handles all requests in the security context of the user. As a result, if a user browsed to a web page or opened an HTML e-mail that contained script, that script could access web-based resources as the user.  
No 
MS01-021 
Web Request Can Cause Access Violation in ISA Server Web Proxy Service  The ISA Server Web Proxy service does not correctly handle a certain type of web request if it exceeds a particular length. Processing such a request would result in an access violation, which would cause the Web Proxy service to fail. This would disrupt all ingoing and outgoing web proxy requests until the service was restarted.  
No 
MS01-020 
Incorrect MIME Header Can Cause IE to Execute E-mail Attachment  This update resolves a security vulnerability in Internet Explorer, and is discussed in Microsoft Security Bulletin MS01-020. Download now to prevent a malicious user from running an executable e-mail attachment on your computer.  
Yes 
MS01-019 
Passwords for Compressed Folders are Recoverable  Windows Millennium Edition (Me) and Plus! 98 provide a data compression feature that provides the ability to password protect a compressed file. However, under certain conditions, the password may be recorded in a file on your computer.  
No 
MS01-018 
Visual Studio VB-TSQL Object Contains Unchecked Buffer  Visual Studio 6.0, Enterprise Edition includes a Microsoft Visual Basic feature for debugging T-SQL. This feature contains a problem that could cause a buffer overrun. Because the default installation of the Debugger object allows anyone to start the debugger and run as the logged-on interactive user, this bug potentially could be exploited with malicious intentions. 
Yes 
MS01-017 
Erroneous VeriSign-Issued Digital Certificates Pose Spoofing Hazard  This update resolves the "Erroneous VeriSign-Issued Digital Certificates Pose Spoofing Hazard" security vulnerability, and is discussed in Microsoft Security Bulletin MS01-017. Download now to prevent an unauthorized user from running code on your computer by digitally signing programs as Microsoft Corporation. 
Partially Detectable 
MS01-016 
Malformed WebDAV Request Can Cause IIS to Exhaust CPU Resources  This update resolves the "Malformed WebDAV Request Can Cause IIS to Exhaust CPU Resources" security vulnerability in Internet Information Services (IIS) 5.0, and is discussed in Microsoft Security Bulletin MS01-016. Download now to prevent a malicious user from temporarily disrupting your Web services.  
Yes 
MS01-015 
IE Can Divulge Location of Cached Content  This update resolves a security vulnerability in Internet Explorer, and is discussed in Microsoft Security Bulletin MS01-015. Download now to prevent an unauthorized user from creating and executing programs on your computer. 
Yes 
MS01-014 
Malformed URL Can Cause Service Failure in IIS 5.0 and Exchange 2000  This update resolves the "Malformed URL can cause Service Failure in IIS 5.0 and Exchange 2000" security vulnerability in Internet Information Server (IIS) 5.0 and Exchange 2000, and is discussed in Microsoft Security Bulletin MS01-014. Download now to prevent a malicious user from causing IIS 5.0 to fail.  
Yes 
MS01-013 
Windows 2000 Event Viewer Contains Unchecked Buffer  This update resolves the "Malformed Event Record" security vulnerability in Windows 2000, and is discussed in Microsoft Security Bulletin MS01-013. Download now to prevent a malicious user from running unauthorized code on your computer.  
Yes 
MS01-012 
Outlook - Outlook Express VCard Handler Contains Unchecked Buffer  This update resolves the "Malformed vCard" security vulnerability in Outlook and Outlook Express. This vulnerability exists because the component in Outlook and Outlook Express that processes the vCard (virtual business card) has an unchecked buffer (a temporary data storage area without a string length limit). Download now to ensure that your e-mail service processes vCards correctly.  
Yes 
MS01-011 
Malformed Request to Domain Controller Can Cause CPU Exhaustion  Microsoft has released a patch that eliminates a security vulnerability in Microsoft Windows 2000. By sending a continuous stream of specially malformed packets to a domain controller, an attacker could consume most or all of the machine's resources, potentially preventing it from authenticating users.
Yes 
MS01-010 
Windows Media Player Skins Files Can Enable Java Code to Execute  Microsoft has released a patch that eliminates a security vulnerability in Microsoft Windows Media Player 7. This vulnerability could potentially enable a malicious user to cause a program of his choice to run on another user's computer.
Yes 
MS01-009 
Malformed PPTP Packet Stream Can Cause Kernel Exhaustion  This update resolves the "Malformed PPTP Packet Stream" security vulnerability in Windows NT 4.0, and is discussed in Microsoft Security Bulletin MS01-009. Download now to prevent a malicious user from causing your server to stop responding or fail.  
Partially Detectable 
MS01-008 
Malformed NTLMSSP Request Can Enable Code to Run with System Privileges  This update resolves the "NTLMSSP Privilege Elevation" security vulnerability present in Windows NT 4.0, and is discussed in Microsoft Security Bulletin MS01-008. Download now to prevent a malicious user from gaining administrative access to your computer. 
Yes 
MS01-007 
Network DDE Agent Requests Can Enable Code to Run in System Context  Microsoft has released a patch that eliminates a security vulnerability in Microsoft Windows 2000. The vulnerability could, under certain conditions, allow an attacker to gain complete control over an affected machine.  
Yes 
MS01-006 
Invalid RDP Data Can Cause Terminal Server Failure  This update resolves the "Invalid RDP Data" security vulnerability in Windows 2000 terminal servers, and is discussed in Microsoft Security Bulletin MS01-006. Download now to prevent a malicious user from sending a specific series of data packets to your server, causing it to fail. 
Yes 
MS01-005 
Packaging Anomaly Could Cause Hotfixes to be Removed  Microsoft has released a tool and patch that allow customers to diagnose and eliminate the effects of anomalies in the packaging of hotfixes for English language versions of Microsoft Windows 2000. Under certain circumstances, these anomalies could cause the removal of some hotfixes, which could include some security patches, from a Windows 2000 system.  
No 
MS01-004 
Malformed .HTR Request Allows Reading of File Fragments  Microsoft has released a patch that eliminates a security vulnerability in the Microsoft Internet Information Service. The vulnerability could enable an attacker, under very unusual conditions, to read fragments of files from a web server.
Yes 
MS01-003 
Weak Permissions on Winsock Mutex Can Allow Service Failure  This update resolves the "Winsock Mutex" security vulnerability in Windows NT 4.0, and is discussed in Microsoft Security Bulletin MS01-003. Download now to prevent a malicious user from running a special program to disable your network functionality. 
Yes 
MS01-002 
PowerPoint 2000 File Parser Contains Unchecked Buffer  The Microsoft PowerPoint 2000 SR-1 Extended Parsing Vulnerability Update protects you from a vulnerability in PowerPoint that could allow arbitrary code to be executed on your computer. Malicious hackers could lure users into opening a PowerPoint file that causes undesired and possibly damaging effects on a user's hard disk drive. This update replaces the Powerpoint.exe file and prevents unauthorized code from being executed. 
No 
MS01-001 
Web Client Will Perform NTLM Authentication Regardless of Security Settings  This update resolves the "Web Client NTLM Authentication" security vulnerability in Windows 2000 and Office 2000 and is discussed in Microsoft Security Bulletin MS01-001. Download now to ensure that your Web Extender Client (WEC) components are set to the recommended Internet Explorer security levels, to prevent a malicious Web site operator from capturing your logon credentials.  
Partially Detectable 
MS00-100 
Malformed Web Form Submission Vulnerability  This update resolves the "Malformed Web Form Submission" security vulnerability in FrontPage Server Extensions (FPSE) that ship as part of Internet Information Services (IIS) and is discussed in Microsoft Security Bulletin MS00-100. Download now to prevent a malicious user from disrupting the operation of your Web server. 
No 
MS00-099 
Directory Service Restore Mode Password Vulnerability  If the Configure Your Server tool was used when the machine was originally promoted to domain controller, that password would be blank. This could enable a malicious user to log onto the machine in Directory Service Restore Mode. Once logged on, the malicious user could alter system components or install bogus ones that would execute when a bona fide administrator subsequently logged onto the machine.  
Yes 
MS00-098 
Indexing Service File Enumeration Vulnerability  This update resolves the "Indexing Service File Enumeration" vulnerability in Indexing Service 3.0 and is discussed in