Hello again!! I'm posting you the TrendMicro results, and please tell me which infections I can remove safely. Especially, is it safe to remove the Cydoor from system32 (cd_clint.dll)?
Detected malware
0 Infections
Detected signatures
EICAR signature
0 Signatures
The detected signature is not a security risk; it is designed to test antivirus scanners. The listed files are not infected. They only contain the EICAR signature.
Detected grayware/spyware
Note: Complete removal of the grayware listed below failed!
ADWARE_BESTOFFERS
1 Infections
Aliasnames: Win-Trojan/Clicker.83456 (Ahnlab), Adware.Bestofer (Ikarus), PAK:PE_Patch.PFD (Kaspersky), Adware-abetterintrnt (McAfee), Win32/Adware.BestOffer (Nod32), Trj|Downloader.FLS (Panda), The Best Offers Network (PestPatrol)
Platform: Windows 98, ME, NT, 2000, XP, Server 2003
First occurrence: Not specified
This adware may arrive on a system bundled with other free software, usually free ad-supported music and file sharing applications such as Kazaa. It may also be downloaded from the Internet when users are visiting malicious Web sites.
Upon execution, it drops several .EXE and .DLL files in created folders in the Program Files and current user's Temp folders. The said files are also detected by Trend Micro as Adware_BestOffers.
It also creates the folder The Best Offers Network in the user's Start Menu Programs folder that contains several shortcuts to certain links.
(Note: The Start Menu Programs folder is usually C:\Windows\Profiles\{user name}\Start Menu on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu on Windows NT and C:\Windows\Start Menu or C:\Documents and Settings\{User name}\Start Menu on Windows 2000, XP, and Server 2003.)
It registers itself as a Browser Helper Object (BHO) to enable its automatic execution whenever an instance of Internet Explorer (IE) is opened. It does this by creating a certain registry key.
It monitors a user's Internet browsing activities and logs keystrokes performed on a browser. It sends the gathered information to a remote server to determine which advertisements to target.
Some infections of this grayware/spyware could not be removed automatically!
ADWARE_CYDOOR
1 Infections
Aliasnames: no more alias names known
Platform: Windows 95, 98, ME, NT, 2000, XP
First occurrence: Not specified
This adware may arrive on a system either through manual installation by a user, or as a downloaded file by another adware.
It displays an End User License Agreement (EULA) that a user must agree to before installation. Upon execution, it drops certain files and folders in the Windows system folder. It then displays banner advertisements, commercial offers, news headlines, and other value added content.
It also creates registry entries that enable its automatic execution at every system startup.
Some infections of this grayware/spyware could not be removed automatically!
ADWARE_2NDTHOUGHT
1 Infections
Aliasnames: SecondThought (Ad-Aware); Win32:SecondThought (Alwil); SecThought.E (Grisoft); Trojan.Win32.SecondThought.C (Ikarus); Trojan.Win32.SecondThought.c/PAK:UPX, Trojan.Win32.SecondThought.t (Kaspersky); Free-Scratch-Cards/Adware-PortalScan (NAI)
Platform: Not specified
First occurrence: Not specified
This adware has no End-User License Agreement (EULA) or has one that is deceptive. It also has no uninstall program, or has one that is defective. It runs every time the computer is turned on by modifying the Run key of the system registry. It generates pop-up advertisements. It has the ability to retrieve and install additional adware or spyware on your computer.
Some infections of this grayware/spyware could not be removed automatically!
ADW_CYDOOR.A
1 Infections
Aliasnames: no more alias names known
Platform: Not specified
First occurrence: Not specified
This grayware has been dropped.
Some infections of this grayware/spyware could not be removed automatically!
HTTP cookies
7 Detected
Cookies are generally used to save user-specific data from Internet transactions with a Web server via a browser. The cookies listed below are "profiling cookies" that are only used to monitor your Internet usage.
Detected vulnerabilities
(MS02-072) Unchecked Buffer in Windows Shell Could Enable System Compromise (329390)
Affected programs and services: unknown
Malware exploiting this vulnerability: unknown
This vulnerability enables a remote attacker to execute arbitrary code by creating an .MP3 or .WMA file that contains a corrupt custom attribute. This is caused by a buffer overflow in the Windows Shell function in Microsoft Windows XP.
(MS03-001) Unchecked Buffer in Locator Service Could Lead to Code Execution (810833)
Affected programs and services: Microsoft Windows 2000, Microsoft Windows NT 4.0, Microsoft Windows NT Server 4.0 Terminal Server Edition, Microsoft Windows XP
Malware exploiting this vulnerability: AGOBOT FAMILY, WORM_GAOBOT.AC, WORM_MUMU.C, WORM_NACHI.B, WORM_NACHI.C, WORM_NACHI.D, WORM_NACHI.F, WORM_NACHI.G, WORM_NACHI.I, WORM_NACHI.K, WORM_RBOT.AA, WORM_RBOT.AB, WORM_RBOT.AF, WORM_RBOT.BZ, WORM_RBOT.R, WORM_RBOT.TW, WORM_RBOT.W, WORM_RBOT.WU, WORM_SDBOT.BV, WORM_SDBOT.DZ, WORM_SDBOT.FB, WORM_SDBOT.FC, WORM_SDBOT.FD, WORM_SDBOT.FE, WORM_SDBOT.FQ, WORM_SDBOT.G, WORM_SDBOT.GO, WORM_SDBOT.IG, WORM_SDBOT.IY, WORM_SDBOT.JG, WORM_SDBOT.JS, WORM_SDBOT.JY, WORM_SDBOT.K, WORM_SDBOT.KY, WORM_SDBOT.M, WORM_SDBOT.ZY, WORM_SPYBOT.AP, WORM_SPYBOTER.CY, WORM_SPYBOTER.CZ
This vulnerability enables local users to execute arbitrary code through an RPC call. This is caused by a buffer overflow in the RPC Locator service for Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP.
(MS03-007) Unchecked Buffer In Windows Component Could Cause Server Compromise (815021)
Affected programs and services: unknown
Malware exploiting this vulnerability: AGOBOT FAMILY, BKDR_RBOT.B, BKDR_SDBOT.CC, TROJ_KAHT.A, TROJ_ROLARK.A, TROJ_WCOT.A, WORM_GAOBOT.AC, WORM_KIBUV.B, WORM_MUMU.C, WORM_NACHI.A, WORM_NACHI.B, WORM_NACHI.C, WORM_NACHI.D, WORM_NACHI.F, WORM_NACHI.G, WORM_NACHI.I, WORM_NACHI.K, WORM_RBOT.AA, WORM_RBOT.AB, WORM_RBOT.AE, WORM_RBOT.AF, WORM_RBOT.AJ, WORM_RBOT.BZ, WORM_RBOT.CC, WORM_RBOT.EM, WORM_RBOT.R, WORM_RBOT.TW, WORM_RBOT.W, WORM_RBOT.WU, WORM_RBOT.ZA, WORM_SDBOT.BV, WORM_SDBOT.CC, WORM_SDBOT.DZ, WORM_SDBOT.FB, WORM_SDBOT.FC, WORM_SDBOT.FD, WORM_SDBOT.FE, WORM_SDBOT.FQ, WORM_SDBOT.G, WORM_SDBOT.GO, WORM_SDBOT.IG, WORM_SDBOT.IY, WORM_SDBOT.JG, WORM_SDBOT.JS, WORM_SDBOT.JT, WORM_SDBOT.JY, WORM_SDBOT.K, WORM_SDBOT.KY, WORM_SDBOT.M, WORM_SDBOT.MD, WORM_SDBOT.MG, WORM_SDBOT.MH, WORM_SDBOT.PF, WORM_SDBOT.WY, WORM_SDBOT.ZY, WORM_SPYBOT.AP, WORM_SPYBOT.CG, WORM_SPYBOTER.CY, WORM_SPYBOTER.CZ
This vulnerability enables a remote attacker to execute arbitrary code through a WebDAV request to IIS 5.0. This is caused by a buffer overflow in NTDLL.DLL on Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP.
The World Wide Web Distributed Authoring and Versioning (WebDAV) is a set of extensions to the Hyper Text Transfer Protocol (HTTP) that provide a standard for editing and file management between computers on the Internet.
A vulnerability exists in an unchecked buffer in the Windows file, NTDLL.DLL. This file is involved in processing parameters coming from HTTP WebDAV requests.
Exploit Details
IMPORTANT: Users of Trend Micro PC-cillin Internet Security and Network VirusWall can protect their systems from any potential virus threats that use this exploit. Network Virus Pattern (NVP) 10118, or later, can detect this exploit at the network layer as MS03-007_WEBDAV_EXPLOIT.
This WebDAV vulnerability can be exploited by using it as an attack vector. The attack consists of a very long parameter supplied to the WebDAV component. Due to improper bounds checking within NTDLL.DLL, this results in a buffer overflow.
The said overflow can cause the server to crash, resulting in a denial of service. Furthermore, the attack could be crafted in such a way that arbitrary code will be executed. The code would run with the same privilege as that of the IIS Service (i.e., Local System Privilege), allowing the attacker to perform almost anything on the compromised machine such as creating, deleting or editing files and registry entries.
(MS03-014) Cumulative Patch for Outlook Express (330994)
Affected programs and services: unknown
Malware exploiting this vulnerability: BKDR_LORRAC.A, JS_CBASE.EXP1, JS_SEFEX.A, WORM_CASPID.A, WORM_CASPID.B, WORM_DARBY.C, WORM_DARBY.D, WORM_LORAC.A, WORM_MIMAIL.A, WORM_MIMAIL.D, WORM_BUGBEAR.C
This vulnerability enables a remote attacker to execute any file that can be rendered as text, and be opened as part of a page in Internet Explorer.
(MS03-023) Buffer Overrun In HTML Converter Could Allow Code Execution (823559)
Affected programs and services: unknown
Malware exploiting this vulnerability: unknown
This vulnerability enables a remote attacker to cause a denial of service and execute arbitrary code through a specially formed web page or HTML e-mail. This is caused by a flaw in the way the HTML converter for Microsoft Windows handles a conversion request during a cut-and-paste operation.
(MS03-026) Buffer Overrun In RPC Interface Could Allow Code Execution
Affected programs and services: unknown
Malware exploiting this vulnerability: AGOBOT FAMILY, BKDR_CIREBOT.A, BKDR_DONK.O, BKDR_RBOT.B, BKDR_RPCBOT.D, BKDR_SDBOT.CC, BKDR_SDBOT.GV, HKTL_DCOM.AI, HKTL_DCOM.L, HKTL_DCOM.U, HKTL_DCOM.V, HKTL_DCOM.X, HKTL_DCOM.Y, HKTL_DCOMDOS.A, HKTL_RPCDCOM.A, TROJ_EXPLTDCOM.A, WORM_BOBAX.C, WORM_BOLGI.A, WORM_DINKDINK.B, WORM_DONK.B, WORM_DONK.C, WORM_DONK.L, WORM_DONK.M, WORM_FRANCETTE.C, WORM_FRANCETTE.D, WORM_FRANCETTE.F, WORM_FRANCETTE.G, WORM_FRANCETTE.H, WORM_GAOBOT.AC, WORM_KIBUV.B, WORM_MSBLAST.A, WORM_MSBLAST.B, WORM_MSBLAST.C, WORM_MSBLAST.D, WORM_MSBLAST.E, WORM_MSBLAST.F, WORM_MSBLAST.G, WORM_MSBLAST.H, WORM_MSBLAST.I, WORM_MUMU.C, WORM_NACHI.A, WORM_NACHI.B, WORM_NACHI.C, WORM_NACHI.D, WORM_NACHI.F, WORM_NACHI.G, WORM_NACHI.I, WORM_NACHI.K, WORM_PLEXUS.B, WORM_RALEKA.A, WORM_RALEKA.B, WORM_RALEKA.C, WORM_RBOT.AA, WORM_RBOT.AB, WORM_RBOT.AE, WORM_RBOT.AF, WORM_RBOT.AJ, WORM_RBOT.BZ, WORM_RBOT.CC, WORM_RBOT.EM, WORM_RBOT.R, WORM_RBOT.TW, WORM_RBOT.W, WORM_RBOT.WU, WORM_RBOT.ZA, WORM_RPCDCOM.B, WORM_RPCSDBOT.A, WORM_RPCSDBOT.B, WORM_SDBOT.BV, WORM_SDBOT.CC, WORM_SDBOT.DZ, WORM_SDBOT.FB, WORM_SDBOT.FC, WORM_SDBOT.FD, WORM_SDBOT.FE, WORM_SDBOT.FQ, WORM_SDBOT.G, WORM_SDBOT.GO, WORM_SDBOT.IG, WORM_SDBOT.IY, WORM_SDBOT.JG, WORM_SDBOT.JS, WORM_SDBOT.JT, WORM_SDBOT.JY, WORM_SDBOT.K, WORM_SDBOT.KY, WORM_SDBOT.L, WORM_SDBOT.M, WORM_SDBOT.MD, WORM_SDBOT.MG, WORM_SDBOT.MH, WORM_SDBOT.PF, WORM_SDBOT.WY, WORM_SDBOT.ZY, WORM_SPYBOT.AP, WORM_SPYBOT.CG, WORM_SPYBOT.S, WORM_SPYBOTER.CY, WORM_SPYBOTER.CZ
This vulnerability in the Remote Procedure Call (RPC) service crashes it whenever a malformed message/packet is sent to an RPC-enabled port. This failure affects the DCOM (Distributed Component Object Model) interface, which listens on an RPC-enabled port.
DCOM is a protocol that enables programs to communicate over the network, while RPC is a protocol used by a program to request services from another program on a remote machine.
This vulnerability, when exploited, enables an unauthorized user with local system privileges to execute any code on a target machine.
The following RPC-related ports can be attacked to exploit this vulnerability:
* 135
* 139
* 445
* 593
Note, however, that any other port number configured for an RPC service can be a target of attack.
(MS03-039) Buffer Overrun In RPCSS Service Could Allow Code Execution
Affected programs and services: unknown
Malware exploiting this vulnerability: WORM_AGOBOT.AA, WORM_NEXIV.A
These newly-discovered vulnerabilities that affect Windows NT, 2000, XP, and Server 2003 are actually 3 security holes found in the Distributed Component Object Model (DCOM) interface within the RPCSS Service. Two of these vulnerabilities compromise system security by allowing the execution of arbitrary code, while the third could result in denial of service.
A heap overflow occurs when a DCOM object activation request packet with a malformed length field is received by a vulnerable machine. This enables an attacker to modify any memory location, which may result in an application error or the execution of arbitrary code.
Another heap overflow occurs when a DCOM RPC request contains a file name parameter longer than what is expected. This results in overwritten registers, which may also result in an application error or the execution of arbitrary code.
Both vulnerabilities allow an attacker to execute arbitrary code on a vulnerable machine with Local System account privileges, which allows them to have virtually total control over the remote system.
The third vulnerability causes a denial of service (DoS) on a vulnerable machine. The application SVCHOST.EXE crashes upon receipt of this malformed DCOM packet.
It displays the following error message:
The instruction at ''0x761ab27d'' referenced memory at ''0x00000030''. The memory could not be read.
To exploit these vulnerabilities, the attacker sends a specially crafted RPC message to a vulnerable system.
Once the system is exploited, it allows a predefined code with a Local System account privilege to be executed on the affected host and could also cause the RPCSS service to fail.
Microsoft has released an advisory and a corresponding patch for these vulnerabilities in the following Microsoft page:
Microsoft Security Bulletin MS03-039
Note that this newly-released patch supersedes the earlier patch in Microsoft Security Bulletin MS03-026.
Affected users who have already applied the MS03-026 patch are strongly advised to apply the new patch.
(MS03-040) Cumulative Patch for Internet Explorer (828750)
Affected programs and services: unknown
Malware exploiting this vulnerability: BKDR_LIDUAN.A, HTML_ALPHX.A, HTML_ALPHX.C, HTML_ALPHX.E, PE_BAGLE.Q, TROJ_QHOSTS.A, VBS_DELUD.A, VBS_SHOWPOP.A, WORM_ALPHX.A, HTML_BAGLE.Q-1, PE_BAGLE.R, PE_BAGLE.S, PE_BAGLE.T, HTML_SNAPPER.A, WORM_SNAPPER.A, HTML_DELPLAYER.A, TROJ_MINIT.A, HTML_MINIT.A, HTML_LEGENDMIR.I, WORM_NETSKY.V, HTML_IWILL.D, HTML_OBJECTTAG.A
These vulnerabilities, which are due to Internet Explorer not properly determining an object type returned from a Web server in a popup window or during XML data binding, respectively, could allow an attacker to run arbitrary code on a user's system.
(MS03-041) Vulnerability in Authenticode Verification Could Allow Remote Code Execution
Affected programs and services: unknown
Malware exploiting this vulnerability: unknown
This vulnerability in Authenticode is present only under certain low memory conditions. It allows the download and installation of ActiveX controls without prior user approval. It also allows the installed ActiveX control to run with the same privileges as the user.
This vulnerability can be exploited through specially crafted Web pages or HTML email messages.
Additional information on this vulnerability is available at Microsoft Security Bulletin MS03-041.
(MS03-043) Buffer Overrun in Messenger Service Could Allow Code Execution (828035)
Affected programs and services: unknown
Malware exploiting this vulnerability: WORM_KIBUV.B
This vulnerability may allow remote attackers to execute arbitrary code on vulnerable systems, granting these malicious users administrator privileges. It involves the inability of the Messenger Service to properly validate the length of a sent message before it is passed to the allocated buffer, thereby facilitating the rapid spread of such worms as MS Blast/Blaster, Nachi, SQL Slammer, and Randex.
The Messenger Service can be reached via MS RPC (Microsoft Remote Procedure Call), similar to the DCOM RPC vulnerability. However, while the DCOM service cannot be safely removed from the infected system, users can easily disable the Messenger Service to protect themselves from the MESSENGER_SERVICE_BUFFER_OVERRUN vulnerability. It is also notable that while the Messenger Service runs over MS RPC, it can also run over SMB (Server Message Block).
Server Message Block (SMB) can be used on networks using non-Internet protocols (e.g. Novell IPX/SPX, DECnet, Banyan Vines, and NetBEUI). Since these non-Internet protocols are not typically controlled by firewalls, exploit tools or worms can easily reach companies and individuals that use these protocols.
The MS RPC interface to the Messenger Service also runs on ports typically used for MS RPC traffic, mainly over UDP port 135, and opens a dynamic port above UDP port 1024. The use of this UDP port emphasizes this vulnerability's intent to use broadcast system messages.
Additional information on this vulnerability is available at Microsoft Security Bulletin MS03-043.
(MS03-045) Buffer Overrun in the ListBox and in the ComboBox Control Could Allow Code Execution (824141)
Affected programs and services: unknown
Malware exploiting this vulnerability: unknown
This vulnerability is due to a buffer overrun in the ListBox and ComboBox controls found in USER32.DLL. Any program that implements the ListBox control or the ComboBox control could allow arbitrary code to be executed at the same privilege level. This vulnerability cannot be exploited remotely.
Additional information on this vulnerability is available at Microsoft Security Bulletin MS03-045.
(MS04-004) Cumulative Security Update for Internet Explorer (832894)
Transfering more information about this vulnerability...
An error occured while trying to retrieve more information about this vulnerability. There is currently no more information available.
On February 2, 2004, Microsoft released a security bulletin which tackles the vulnerabilities found in Internet Explorer. It can be viewed in the followi...
More information about this vulnerability and its elimination.
Affected programs and services: unknown
Malware exploiting this vulnerability: HTML_BAYFRAUD.B; HTML_PACHFRAUD.A; HTML_PAYPFRAUD.A; HTML_PAYPFRAUD.B; HTML_SWENFRAUD.A; HTML_VISAFRAUD.A; TROJ_STRTPAGE.FI; HTML_GOLDFRAUD.A
On February 2, 2004, Microsoft released a security bulletin which tackles the vulnerabilities found in Internet Explorer. It can be viewed in the following Web page:
http://www.microsoft.com/technet/sec.../ms04-004.mspx
The security bulletin is entitled "Cumulative Security Update for Internet Explorer (832894)," and discusses previous vulnerabilities of several exploits, which were first published by Microsoft last year (2003). However as vulnerabilities are still prevalent and discovery of new ones are not uncommon, Microsoft released a cumulative patch to cover the following vulnerabilities:
* Internet Explorer URL parsing vulnerability
* Cross-domain security model vulnerability
* Drag and Drop Operation vulnerability
Internet Explorer URL parsing vulnerability (a.k.a Improper URL Canonicalization)
The original vulnerability was discovered by Sam Greenhalgh in December 2003.
This vulnerability is a flaw in the way IE parses URLs containing special characters. It causes the IE browser to display the URL incorrectly in the address bar of the IE window.
By adding a special non-printable character, particularly %01, to a URL of the form http://:@ before the '@' sign, the attacker is able to hide the real location of the Web page and thus redirect the unsuspecting user to a malicious Web site. With this exploit, Internet Explorer does not display the rest of the authentic URL, that is, the part of the URL from the %01 character onward.
For example, given the code below:
href='http://www.authentic-site.com%01@hiddensite.com/malicious.htm';
Once executed, IE loads the page in the URL but the address bar only displays:
http://www.authentic-site.com.
In order to exploit this vulnerability, an attacker creates a malicious Web page or an HTML-based email that contains the exploit code. He then lures his intended victim (an unsuspecting user) to click the link.
Cross-Domain Security Model Vulnerability
Internet Explorer uses the Cross-Domain Security Model to handle information sharing between windows from different domains. This security model prevents browser frames from different sources or domains from interacting with, or accessing the data of, each other.
Remote attackers exploit this vulnerability by utilizing the ExecCommand function. It can be used to execute commands on the current document, which then allows the attacker to bypass security zone restrictions and gain access to resources on a target user's machine.
Similar to the first vulnerability, the attacker aims to convince the victim to view an HTML-based email or Web page. After employing the exploit, an attacker is able to do the following:
* Read files on the user's machine
* Access information from other Web sites
* Run arbitrary code on the remote system under the security context of the active user
Drag and Drop Operation Vulnerability
This exploit allows an attacker to save a file on the target user's machine without user intervention. It has some connection to the drag-and-drop operation, which forces the execution of the malicious script. An attacker is able to "hijack" the mouse events or clicks to exploit this vulnerability.
Affected Windows Versions
The following are the affected Windows versions:
* Microsoft Windows NT® Workstation 4.0 Service Pack 6a
* Microsoft Windows NT Server 4.0 Service Pack 6a
* Microsoft Windows NT Server 4.0 Terminal Server Edition, Service Pack 6
* Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4
* Microsoft Windows XP, Microsoft Windows XP Service Pack 1
* Microsoft Windows XP 64-Bit Edition Version 2003
* Microsoft Windows Server™ 2003
* Microsoft Windows Server 2003, 64-Bit Edition
For more information on this vulnerability, read the posted security bulletin from Microsoft in the following Web page:
http://www.microsoft.com/technet/sec.../ms04-004.mspx
(MS04-011) Security Update for Microsoft Windows (835732)
Affected programs and services: unknown
Malware exploiting this vulnerability: WORM_SASSER.A, WORM_SASSER.B, WORM_SASSER.C, WORM_AGOBOT.RZ, WORM_AGOBOT.YG, WORM_AGOBOT.TG, WORM_AGOBOT.WW, WORM_BOBAX.C, WORM_AGOBOT.JF, WORM_AGOBOT.IM, WORM_SASSER.D, WORM_SASSER.GEN, WORM_SASSER-1, WORM_SASSER.E, WORM_SDBOT.KW, WORM_CYCLE.A, WORM_SASSER.F, WORM_BOBAX.A, WORM_KIBUV.A, WORM_BOBAX.B, WORM_BOBAX.D, WORM_KORGO.A, WORM_KORGO.B, WORM_KORGO.C, WORM_KIBUV.B, WORM_RBOT.AE, WORM_SPYBOT.CG, WORM_RBOT.AF, WORM_RBOT.BZ, WORM_RBOT.CC, WORM_RBOT.EM, WORM_PLEXUS.B, WORM_SDBOT.WY, WORM_KORGO.D, WORM_KORGO.E, WORM_KORGO.F, WORM_KORGO.D, WORM_KORGO.H, WORM_KORGO.GEN, WORM_KORGO.I
This cumulative release from Microsoft covers the following newly discovered vulnerabilities:
* LSASS Vulnerability
* LDAP Vulnerability
* PCT Vulnerability
* Winlogon Vulnerability
* Metafile Vulnerability
* Help and Support Center Vulnerability
* Utility Manager Vulnerability
* Windows Management Vulnerability
* Local Descriptor Table Vulnerability
* H.323 Vulnerability
* Virtual DOS Machine Vulnerability
* Negotiate SSP Vulnerability
* SSL Vulnerability
* ASN.1 "Double-Free" Vulnerability
LSASS Vulnerability
This buffer overrun vulnerability allows remote code execution. Once successfully exploited, a remote attacker is able to gain full control of the affected system. It may be used by a malware to perform malicious activities, such as accessing and modifying the file system and replication.
This vulnerability exists due to an unchecked buffer in the Local Security Authority Subsystem Service (LSASS).
LSASS provides an interface for managing local security, domain authentication, and Active Directory processes. It handles authentication for both the client and the server. It also contains features used to support Active Directory utilities.
This vulnerability affects the following software:
* Windows 2000
* Windows XP
* Windows Server 2003
Only Windows 2000 and XP may be remotely attacked by an anonymous user using an exploit to this vulnerability. While Windows Server 2003 and Windows XP 64-Bit Edition Version 2003 contain this vulnerability, only a local administrator may exploit it on such systems.
This vulnerability is exploited by sending a specially-crafted message to an affected system, which may then execute arbitrary code.
LDAP Vulnerability
This Denial of Service (DoS) vulnerability causes the service in a Windows 2000 domain controller responsible for authenticating users in an Active Directory domain to stop responding.
This vulnerability is due to the way LDAP queries are handled. It only exists in Windows 2000 Server systems performing the role of a domain controller.
An attacker is able to exploit this vulnerability by sending a specially-crafted LDAP message to all the domain controllers in single or multiple forests. The attacker can potentially cause a DoS scenario to the domain authentication process throughout an enterprise.
During an exploit, the affected system may display a warning message stating that it would automatically restart after a 60-second countdown.
PCT Vulnerability
This buffer overrun vulnerability in the Private Communications Transport (PCT) protocol, a part of the SSL library, allows remote code execution. If successfully exploited, a remote attacker may take complete control of the affected machine. It may also be used by a malware to perform malicious activities, such as accessing and modifying the file system and replication.
Private Communication Technology (PCT) is a protocol developed by Microsoft and Visa International for secure communication on the Internet. The SSL library, on the other hand, contains support for several secure communication protocols, including Transport Layer Security 1.0 (TLS 1.0), Secure Sockets Layer 3.0 (SSL 3.0) as well as the older and seldom-used Secure Sockets Layer 2.0 (SSL 2.0) and Private Communication Technology 1.0 (PCT 1.0) protocol.
This vulnerability exists due to the SSL Library's improper message input checks under certain circumstances.
This vulnerability exists on the following platforms:
* Windows NT 4.0
* Windows 2000
* Windows XP
* Windows Server 2003
Only systems that have SSL enabled are affected, which are typically only server systems. SSL support is not enabled by default on any of the affected systems; however, SSL is commonly used on Web servers to support electronic commerce applications, online banking, and other applications that require secure communications.
This vulnerability is exploited by sending a specially-crafted TCP message through an SSL enabled service, which may then cause the affected system to execute code.
Winlogon Vulnerability
This buffer overrun vulnerability in the Windows logon process (winlogon) allows remote code execution. When successfully exploited, a remote attacker is able to gain full control of the affected system. It may be used by a malware to perform malicious activities such as accessing and modifying the file system and replication.
This vulnerability is due to the Windows logon process of reading data from Active Directory, wherein it fails to check the size of the data before inserting it into the allocated buffer.
This vulnerability exists on the following platforms:
* Windows NT 4.0
* Windows 2000
* Windows XP
Only Windows NT 4.0, Windows 2000, and Windows XP systems that are members of an Active Directory domain are affected by this vulnerability. Windows Server 2003 is not affected by this vulnerability. Additionally, an attacker may need permission to modify user objects in the Active Directory to attempt to exploit this vulnerability.
This vulnerability is exploited by specifically modifying an Active Directory attribute to include malicious data. When this attribute is passed to an unchecked buffer in Winlogon during the logon process, Winlogon may allow malicious code to be executed.
Metafile Vulnerability
This buffer overrun vulnerability exists in the rendering of Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats. It allows remote code execution. It may be used by a malware to access and modify the file system and to replicate.
This vulnerability exists due to the use of an unchecked buffer in the parsing of Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats.
This vulnerability exists on the following platforms:
* Windows NT 4.0
* Windows 2000
* Windows XP
Any application that renders WMF or EMF images on the affected systems is vulnerable to this attack.
To exploit this vulnerability, an attacker has to persuade the user to open or view the specially-crafted image. The attacker may also create a Web page designed to exploit this vulnerability, and then force a user to view the said page.
Help and Support Center Vulnerability
This remote code execution vulnerability exists in the Help and Support Center. When successfully exploited, this vulnerability allows attackers full control of the system. It may also be used to access and modify the file system and by malware for replication purposes.
Help and Support Center (HSC) is a feature in Windows that provides help on a variety of topics. For instance, HSC enables users to learn about Windows features, download and install software updates, determine whether a particular hardware device is compatible with Windows, and get assistance from Microsoft.
HCP is a protocol similar to HTTP. Where HTTP URLs are used to open a Web browser, HCP URLs are used to open the Help and Support Center feature.
Users and programs may execute URLs to Help and Support Center by using the hcp:// prefix in a URL link instead of http://.
This vulnerability exists because of the way Help and Support Center handles HCP URL validation.
This vulnerability exists on the following platforms:
* Windows 98, SE, ME
* Windows XP
* Windows Server 2003
To exploit this vulnerability, an attacker has to host a malicious Web page and persuade a user to view the said page. An attacker may also create an email in HTML format, which contains a specially-crafted link, and then persuade a user to view the HTML email message and click the malicious link.
Utility Manager Vulnerability
This privilege elevation vulnerability exists due to the way that Utility Manager launches applications. A logged on user is able to force Utility Manager to launch applications with system privileges and take control of the system. It may be used by a malware to elevate its privilege and, eventually, modify the file system or perform replication functions.
Utility Manager is an accessibility utility that allows users to check the status of accessibility programs (for example, Microsoft Magnifier, Narrator, or On-screen keyboard) and to start or terminate them.
This vulnerability exists only on Windows 2000, and an attacker must have valid logon credentials to exploit it. This vulnerability may not be exploited by anonymous users.
To exploit this vulnerability, an attacker must first start Utility Manager on Windows 2000 and then run a specially-designed application that exploits this vulnerability.
Windows Management Vulnerability
This privilege elevation vulnerability, when successfully exploited, allows a local attacker to take complete control of a system by executing commands at the system privilege level.
It exists due to the way Windows XP allows users to create tasks. It allows a non-privileged user to create tasks with system permissions under certain circumstances. In effect, it grants unprivileged users the ability to control the affected machine.
Only Windows XP is affected by this vulnerability.
Since this is only a local vulnerability, malware authors may only use this vulnerability to infect systems that are locally accessible. Further propagation to other systems requires logon credentials on the remote systems.
Local Descriptor Table Vulnerability
This privilege elevation vulnerability, when successfully exploited, allows a local attacker to take complete control of a system by executing commands with system privileges.
By exploiting the way an application programming interface (API) accesses the Local Descriptor Table (LDT), an attacker is able to gain sensitive system information and modify the structure to gain system-level privileges.
Since this is only a local vulnerability, malware authors may only use this vulnerability to infect systems that are locally accessible. Further propagation to other systems requires logon credentials on the remote systems.
H.323 Vulnerability
This remote code execution vulnerability exists in Microsoft's H.323 protocol handling. When successfully exploited, a remote attacker can gain full control of a system by arbitrarily executing commands with system privileges.
A buffer overflow exists in the way that Microsoft's H.323 protocol implementation handles malformed requests. This vulnerability enables an attacker to gain access to systems that have running applications utilizing the H.323 protocol. These applications include the following:
* Telephony Application Programming Interface (TAPI) Applications
* Microsoft NetMeeting
* Internet Connection Firewall (ICF)
* Internet Connection Sharing (ICS)
* Microsoft Remote and Routing Access Service (RRAS)
Since this is a remote code execution vulnerability, malware may use this vulnerability to remotely propagate into and infect remote systems. No additional requirement is needed as long as the target system is running an application affected by this vulnerability.
Virtual DOS Machine Vulnerability
This privilege elevation vulnerability, when successfully exploited, allows a local attacker to gain full control of a system by executing commands with system privileges.
This vulnerability is due to the way the operating system handles the Virtual DOS Machine or VDM, which under certain circumstances, allows applications running inside the VDM to bypass validations for some privileged operating system functions. This results in the execution of system-level commands, even by non-privileged users.
A VDM is created whenever a user starts an MS-DOS application.
Since this is only a local vulnerability, malware authors may only use it to infect systems that are locally accessible. Further propagation to other systems requires logon credentials on the remote systems.
Negotiate SSP Vulnerability
This remote code execution vulnerability, which exists in Microsoft's Negotiate Security Service Provider (SSP) interface, grants a remote attacker complete control of a system. It allows the execution of arbitrary commands at the system privilege level.
Negotiate SSP is one of the many authentication methods used by Windows operating systems to validate client/server negotiations. Internet Information Services (IIS) also uses this method of negotiation, and is affected as well.
This vulnerability is due to an unchecked buffer used by Negotiate SSP when handling requests.
Since this is a remote code execution vulnerability, malware may use this vulnerability to remotely propagate into and infect other remote systems. No additional requirement is needed as long as the target system is running an application affected by this vulnerability.
SSL Vulnerability
This Denial of Service (DoS) vulnerability affects the Microsoft Secure Sockets Layer (SSL) library implementation on Windows 2000 and Windows XP. It causes the affected system to stop responding to SSL connection requests. On Windows 2003, this vulnerability may cause the server to restart.
This vulnerability exists due to the way SSL packets are handled. It affects the following systems:
* Windows 2000
* Windows XP
* Windows 2003
This DoS vulnerability can be used to impair the ability of the affected machine to handle SSL connections.
ASN.1 "Double-Free" Vulnerability
This remote code execution vulnerability, which exists in Microsoft's Abstract Syntax Notation One (ASN.1) Library, allows a remote attacker to gain full control of a system. It allows the execution of remote commands at the system level.
The ASN.1 library is used by many applications that implement ASN.1-based standards. If an application uses the Microsoft ASN.1 library, it becomes vulnerable to a double-free exploit. Exploitation methods on vulnerable applications may vary; however, they are more likely to result in DoS than in full system compromise.
Since this is a remote code execution vulnerability, a malware may use this vulnerability to remotely propagate into and infect other remote systems. No additional requirement is needed as long as the target system is running an application affected by this vulnerability.
The following malware are known to exploit this vulnerability:
* SASSER worms
* WORM_AGOBOT.IM
* WORM_CYCLE.A
(MS04-012) Cumulative Update for Microsoft RPC/DCOM (828741)
Affected programs and services: unknown
Malware exploiting this vulnerability: unknown
This security bulletin explains four newly-discovered vulnerabilities in Remote Procedure Call (RPC) Distributed Component Object Model (DCOM). An attacker who successfully exploits the most severe of these vulnerabilities is able to take control of the affected system.
A malware may then use these vulnerabilities in order to replicate or perform other malicious actions, such as denial of service (DoS) attacks, access to or modification of the file system, and execution of arbitrary code.
The following are the new vulnerabilities discovered:
* RPC Runtime Library Vulnerability
* RPCSS Service Vulnerability
* COM Internet Services (CIS) - Remote Procedure Call (RPC) over HTTP Vulnerability
* Object Identity Vulnerability
Vulnerability Details
RPC Runtime Library Vulnerability
This remote code execution vulnerability allows a malicious user or malware to take complete control of the affected system. Remote users and several malware may take advantage of this vulnerability to perform denial of service (DoS) attacks, which is the most likely attack scenario given the nature of this security hole. It also enables a remote attacker or a malware to execute arbitrary code on the affected system, which may be used to grant an attacker control of the system or allow a malware to replicate.
It is exploited by sending a series of specially-crafted messages to the affected system via network. It may also be exploited by passing parameters to the vulnerable component, locally or remotely, by logging interactively or using another application.
It is difficult to exploit this vulnerability reliably for arbitrary code execution. Thus, it will likely be exploited to perform DoS attacks.
This vulnerability exists due to a race condition resulting from how the RPC Runtime Library processes specially-crafted messages. The race condition occurs when two separate operating system threads attempt to process certain specially-crafted messages within a given time frame. The event is considered a race condition because it depends on the relative timing of the said threads. The race condition may then cause the RPC Runtime Library to modify internal data structures incorrectly, which then results in unpredictable behavior.
This vulnerability exists on the following software:
* Windows 2000
* Windows XP
* Windows Server 2003
RPCSS Service Vulnerability
This denial of service (DoS) vulnerability allows a malicious user or malware to send specially-crafted messages to a vulnerable system, which causes the RPCSS Service to stop responding. This security hole cannot be used by a malware for replication purposes. It exists due to the RPCSS Service's improper checking of message inputs under certain circumstances. This method eventually makes the RPCSS Service unable to reclaim discarded memory.
This vulnerability exists on the following platforms:
* Windows 2000
* Windows XP
* Windows Server 2003
This vulnerability may be exploited by sending a series of specially-crafted messages to the affected system via network. It may also be exploited by passing parameters to the vulnerable component, locally or remotely, through logging interactively or using another application.
CIS - RPC Over HTTP Vulnerability
This vulnerability may be used to launch a denial of service (DoS) attack against a system with CIS or RPC over HTTP Proxy enabled. This can include Windows NT, Windows 2000, or Windows 2003 Server systems. RPC over HTTP (Remote Procedure Call over HyperText Transfer Protocol) allows RPC to operate over ports 80 and 443 (version 2). CIS (COM Internet Services), on the other hand, allows DCOM to use RPC over HTTP to communicate between DCOM clients and DCOM servers.
This vulnerability exists due to improper validation of message inputs under certain circumstances.
This vulnerability exists on the following platforms:
* Windows NT Server 4.0
* Windows NT Server 4.0, Terminal Server Edition
* Windows 2000
* Windows Server 2003
Default installations of the said operating systems are not vulnerable to this attack. On Windows NT, an administrator has to install the Windows NT 4.0 Option Pack and enable the feature explicitly. On Windows 2000 and Windows 2003 servers, an administrator has to manually install and enable the components for CIS or RPC over HTTP before the system becomes vulnerable to this type of attack.
An attacker is able to exploit this vulnerability using two methods:
* By determining when a vulnerable system is waiting for a response, then sending a malicious response that exploits the vulnerability.
* By locating a system used to forward CIS or RPC over HTTP requests, and then sending a malicious request through it to exploit the vulnerability.
Object Identity Vulnerability
When successfully exploited, this local attack vulnerability allows an attacker to force currently running applications to open network communication ports, thereby opening a system to remote attacks. This vulnerability may be used by malware authors to create a backdoor after compromising the system. This backdoor may then reside on any active application, making detection tricky and more difficult.
Software firewalls that filter Internet connection based on application names may be bypassed using this mechanism, allowing rogue connections to the Internet.
This vulnerability exists due to a flaw in the use of object identifiers, which are unique numbers identifying an application in the operating system.
This vulnerability exists on the following software:
* Windows 98, SE, ME
* Windows NT Workstation 4.0
* Windows NT Server 4.0
* Windows NT Server 4.0, Terminal Server Edition
* Windows 2000
* Windows XP
* Windows Server 2003
To exploit this vulnerability, an attacker needs to run a specially-designed application locally or convince a user to run the application.
(MS04-013) Cumulative Security Update for Outlook Express (837009)
Affected programs and services: unknown
Malware exploiting this vulnerability: WORM_WALLON.A, HTML_JACKLER.A, VBS_PSYME.E, HTML_REDIR.B, BKDR_ZGOO.A, HTML_MHTREDIR.C, HTML_MHTREDIR.B, HTML_REDIR.AC, HTML_MHTREDIR.D
This Microsoft release is cumulative and includes previously-released updates for Outlook Express 5.5 and Outlook Express 6.0. It also addresses a new vulnerability that exists due to the process by which MIME Encapsulation of Aggregate HTML (MHTML) URLs are parsed.
The new vulnerability allows automatic code execution and may be used by a malware, in combination with other exploits, to perform malicious actions such as accessing files in the system and executing arbitrary code.
The vulnerability can be exploited by a remote attacker, who has to host a Web site containing a malicious Web page designed to take advantage of this security hole. The parsing of specially-crafted MHTML URLs designed to exploit this vulnerability can result in the execution of arbitrary code, which may be specified by the remote attacker. The code is executed in the Internet Explorer local machine security zone.
The remote attacker may also create a specially-crafted email in HTML format that exploits this vulnerability when opened. The exploit can be designed to cause the execution of malicious code in the context of the logged on user.
For more information on the vulnerabilities and this security update, visit the following Web site:
http://www.microsoft.com/technet/sec.../ms04-013.mspx
(MS04-015) Vulnerability in Help and Support Center Could Allow Remote Code Execution (840374)
Affected programs and services: unknown
Malware exploiting this vulnerability: unknown
This vulnerability in the Help and Support Center (HCP) allows remote code execution. It exists due to the process by which HCP handles URL validation.
This vulnerability could enable an attacker to remotely execute code of their choice with Local System privileges through the use of a specially crafted HCP URL. It facilitates remote code execution whenever a user visits a malicious Web site or views an email message that contains the specially crafted HCP URL. Note that user interaction is necessary to exploit this vulnerability.
This vulnerability allows an attacker to take complete control of the affected system and perform the following:
* Run programs
* View/modify/delete data
* Create new accounts with full privileges
The operating systems affected by this vulnerability are Windows XP and Windows Server 2003, since they contain the affected version of the Help and Support Center.
This vulnerability is discussed in detail in the following Microsoft page:
Microsoft Security Bulletin MS04-015
(MS04-018) Cumulative Security Update for Outlook Express (823353)
Affected programs and services: unknown
Malware exploiting this vulnerability: unknown
A specially crafted email message containing malformed email headers could cause Outlook Express to fail.
The email headers contain information such as the sender's email address, the recipient's email addresses, the time that the email message was sent, and the name of the mail server that received the said message.
These fields can be exploited by supplying very long field values.
For more information on the vulnerability and the security patch, visit the following Web site:
http://www.microsoft.com/technet/sec.../ms04-018.mspx
(MS04-022) Vulnerability in Task Scheduler Could Allow Code Execution (841873)
Affected programs and services: unknown
Malware exploiting this vulnerability: unknown
This vulnerability lies in the way the Task Scheduler component validates the Application names that are passed to the component. An unchecked buffer within this validation process is the cause of the vulnerability.
This remote code execution vulnerability could allow a malicious user or a malware to take complete control of an affected system, if the affected user is currently logged on with administrative privileges. A malware or a malicious user can execute arbitrary code on the system, giving them the ability to install or run programs and view or edit data with full privileges. Thus, this vulnerability can conceivably be used by a malware for replication purposes.
Execution of an attack, however, requires user intervention. Remote exploitation of this vulnerability requires the creation of a specially crafted .JOB file and persuading the user to open this file.
Probable attack vectors are persuading a user to access a Web site that contains a specially crafted .JOB file, and sending the file as an attachment via email.
(MS04-023) Vulnerability in HTML Help Could Allow Code Execution (840315)
Affected programs and services: unknown
Malware exploiting this vulnerability: unknown
showHelp Vulnerability
This remote code execution vulnerability could allow an attacker to gain the same privileges as the user. Users with limited privileges are less at risk than users with administrative rights.
HTML Help is used by Windows as its standard Help system. The showHelp method is used to display help files, which can either be .HTM or .CHM files. This vulnerability occurs because the HTML Help protocol does not properly validate .CHM files. Once successfully exploited, this vulnerability allows an attacker to execute a program in the Local Security Zone, within the context of the currently logged in user, giving the attacker control of the compromised system.
An exploit could open any file as long as the file's location on the local machine is known. An attacker could, therefore, use any other exploit to download an executable file to a known location on the local computer, and then use the showHelp exploit to open the downloaded executable as a .CHM file. For this particular exploit, opening an .EXE file as a .CHM is tantamount to executing the .EXE file.
An attacker would have to host a Web site containing the malicious code, and then persuade the user to visit the site. An attacker could also create a specially crafted HTML-formatted email message, containing a link to the Web site, and then persuade the user to click on the link. An attacker has no way of forcing the user to visit the malicious Web page.
HTML Help Vulnerability
This remote code execution vulnerability could allow an attacker to gain the same privileges as the user. Users with limited privileges are less at risk than users with administrative rights.
Once successfully exploited, this vulnerability allows an attacker to execute a program in the Local Security Zone, within the context of the currently logged in user. This gives the attacker control of the compromised system.
This vulnerability occurs because the HTML Help protocol does not properly check the validity of the input data. The attacker could send a specially crafted message to the target system, causing a heap overflow, making it possible for the attacker to execute arbitrary code on the target system.
An attacker would have to host a Web site containing the malicious code, and then persuade the user to visit the site. An attacker could also create a specially crafted HTML-formatted email message, containing a link to the Web site, and then persuade the user to click on the link. An attacker has no way of forcing the user to visit the malicious Web page.
For more information on the vulnerability and the security patch, visit the following Web site:
http://www.microsoft.com/technet/sec.../ms04-023.mspx
(MS04-025) Cumulative Security Update for Internet Explorer (867801)
Affected programs and services: unknown
Malware exploiting this vulnerability: unknown
This bulletin explains three newly discovered, publicly disclosed vulnerabilities in certain versions of Microsoft Internet Explorer.
Navigation Method Cross-Domain Vulnerability
This remote code execution vulnerability lies in the way the Internet Explorer cross-domain security model validates navigation methods. This is security functionality within Microsoft Internet Explorer that prevents windows opened by different Web sites from interacting with each other. Once exploited, this vulnerable routine allows an attacker to execute malicious script code in the Local Machine security zone of Internet Explorer.
This vulnerability could allow a malicious user or a malware to take complete control of the affected system if the affected user is currently logged on with administrative privileges. The malicious user or malware can execute code on the system, giving them the ability to install/run programs and view/edit data with full privileges. Thus, this vulnerability can conceivably be used by a malware for replication purposes.
Remote exploitation of this vulnerability requires the user to visit a specially crafted Web page that uses the said exploit. Upon viewing the page, the exploit allows execution of code in the Local Machine security context via the showModalDialog method.
An HTML email-based attack vector can be exploited by simply sending a crafted HTML email to the target. However, this attack vector is mitigated by the fact that on Outlook Express 6, Outlook 2002, and Outlook 2003, the email is opened in the Restricted Sites Zone. Also, previous security patches for Outlook 98 and 2000 have set the product to open HTML email on the Restricted Sites Zone by default.
Since this vulnerability has been publicly disclosed, there is high probability that this will be used by a future malware. Note that there are already reports that this vulnerability is being exploited.
The following versions of Microsoft Internet Explorer are not affected by this vulnerability:
* Internet Explorer 5.01 Service Pack 4
* Internet Explorer 5.01 Service Pack 3
* Internet Explorer 5.01 Service Pack 2
Malformed BMP File Buffer Overrun Vulnerability
This remote code execution vulnerability lies in the way the Internet Explorer processes BMP image files. An unchecked buffer within this process is the cause of the said vulnerability.
This vulnerability could allow a malicious user or a malware to take complete control of the affected system if the affected user is currently logged on with administrative privileges. The malicious user or malware can execute arbitrary code on the system giving them the ability to install/run programs and view/edit data with full privileges. Thus, this vulnerability can conceivably be used by a malware for replication purposes.
Remote exploitation of this vulnerability requires the user to visit a specially crafted Web page that uses the said exploit.
An HTML email-based attack vector can be exploited by simply sending a crafted HTML email to the target. Opening or previewing the said email launches the exploit.
Another attack vector is to place a copy of the crafted BMP file within a local network share. Previewing the contents of this share then triggers the exploit.
Since this vulnerability has also been publicly disclosed, it is highly probable that it will be used by future malware. Note that there are already reports that this vulnerability is being exploited.
The following versions of Microsoft Internet Explorer are not affected by this vulnerability:
* Internet Explorer 6 SP1 (All versions earlier than Windows Server 2003)
* Internet Explorer 6 for Windows Server 2003 (including 64-bit Edition)
Malformed GIF File Double Free Vulnerability
This remote code execution vulnerability lies in the way the Internet Explorer processes GIF image files.
It could allow a malicious user or a malware to take complete control of the affected system if the affected user is currently logged on with administrative privileges. The malicious user or malware can execute arbitrary code on the system giving them the ability to install/run programs and view/edit data with full privileges.
However, this exploit is based on a "double-free" condition wherein an attempt is made to "free" a memory area that has been previously released or freed. This usually results in memory corruption and, in rare instances, execution of arbitrary code.
Remote exploitation of this vulnerability requires the user to visit a specially crafted Web page that uses the said exploit.
An HTML email-based attack vector can be exploited by simply sending a crafted HTML e-mail to the target. Opening or previewing the said email launches the exploit.
Another attack vector is to place a copy of the crafted GIF file within a local network share. Previewing the contents of this share then triggers the exploit.
However, due to the unpredictable nature of this vulnerability, it is more likely to be used to trigger a denial of service (DoS) than to execute arbitrary code. Nevertheless, it is advisable that users apply the necessary updates to resolve this issue.
*****
Microsoft recommends customers apply the updates immediately. For more information, refer to the following Microsoft page:
http://www.microsoft.com/technet/sec.../ms04-025.mspx
(MS04-028) Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)
Affected programs and services: Microsoft Excel 2002
Microsoft Internet Explorer 6.0 Service Pack 1
Microsoft Office XP Service Pack 2
Microsoft Visual Studio .NET 2003
Microsoft Windows Server 2003
Microsoft Windows Server 2003 64-Bit Edition
Microsoft Windows XP
Microsoft Windows XP 64-Bit Edition Service Pack 1
Microsoft Windows XP 64-Bit Edition Version 2003
Microsoft Windows XP Service Pack 1
Microsoft Word 2002
Microsoft Office XP Service Pack 3
Microsoft Office 2003
Microsoft Publisher 2003
Microsoft FrontPage 2003
Microsoft Word 2003
Microsoft FrontPage 2002
Microsoft Publisher 2002
Microsoft Excel 2003
Microsoft InfoPath 2003
Microsoft Digital Image Pro version 7.0
Microsoft Digital Image Pro version 9.0
Microsoft Digital Image Suite version 9.0
Microsoft Greetings 2002
Microsoft Picture It! version 7.0
Microsoft Picture It! version 9.0
Microsoft Picture It! 2002
Microsoft Project 2002 Service Pack 1
Microsoft Project 2003
Microsoft Powerpoint 2002
Microsoft Powerpoint 2003
Microsoft Outlook 2002
Microsoft Outlook 2003
Microsoft OneNote 2003
Microsoft Visual Studio .NET 2002
Microsoft Visual Basic .NET Standard 2002
Microsoft Visual Basic .NET Standard 2003
Microsoft Visual C# .NET Standard 2002
Microsoft Visual C# .NET Standard 2003
Microsoft Visual C++ .NET Standard 2002
Microsoft Visual C++ .NET Standard 2003
Microsoft Visual J# .NET Standard 2003
Microsoft Visio 2002 Service Pack 2
Microsoft Visio 2003
Microsoft .NET Framework version 1.0 SDK Service Pack 2
Microsoft Platform SDK Redistributable: GDI+
Microsoft Producer 1.1 (Microsoft Powerpoint 2002)
Microsoft Producer 2003 (Microsoft Powerpoint 2003)
Microsoft .NET Framework version 1.1
Microsoft .NET Framework version 1.0 Service Pack 2
Malware exploiting this vulnerability: unknown
This vulnerability lies in the way the affected components, as listed below, process JPEG image files. An unchecked buffer within this process is the cause of the vulnerability.
This remote code execution vulnerability could allow a malicious user or a malware to take complete control of the affected system if the affected user is currently logged on with administrative privileges. The malicious user or malware can execute arbitrary code on the system giving them the ability to install or run programs and view or edit data with full privileges. Thus, this vulnerability can conceivably be used by a malware for replication purposes.
Remote exploitation of this vulnerability requires the user to visit a specially crafted Web page that uses this exploit.
An e-mail based attack vector can be exploited by simply sending a modified JPEG file as an attachment to the target. Opening the said attachment will launch the exploit.
Another attack vector is to place a copy of the crafted JPEG file within a local directory or network share. Previewing the contents of that directory or share, or even simply moving the mouse cursor over the crafted JPEG file, will trigger the exploit.
Additional information on this vulnerability is available at:
Microsoft Security Bulletin MS04-028
Exploit Detection
Trend Micro's generic detection for JPEG file with this vulnerability is EXPLOIT-MS04-028.
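The text above says only that an unchecked buffer in JPEG processing is the cause and that a signature named EXPLOIT-MS04-028 exists. A structural pre-check a practitioner can run on incoming files, independent of any signature, is to walk the JPEG marker segments and reject any whose length field is impossible: every segment length includes the two length bytes themselves, so a value below 2 is malformed, and a parser that computes length minus 2 underflows. (Public reporting on MS04-028 described the trigger as a comment (COM) segment declaring exactly such a length; that detail comes from outside the text above.) The following Python is an added example, not Trend Micro's detection logic or Microsoft's code; the two sample files are constructed inline and are not real samples.

```python
import struct

# Markers that carry no length field: SOI, EOI, TEM and RST0..RST7.
STANDALONE_MARKERS = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))


def walk_jpeg_segments(data: bytes):
    """Yield (marker, offset, declared_length) for each marker segment.

    Stops at SOS (entropy-coded data follows) or EOI. Raises ValueError on
    the structural faults a crafted file relies on, in particular a length
    field below 2 or a segment that runs past the end of the file.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos, n = 0, len(data)
    while pos < n:
        start = pos
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        while pos < n and data[pos] == 0xFF:  # 0xFF fill bytes are legal
            pos += 1
        if pos >= n:
            raise ValueError("truncated marker")
        marker = data[pos]
        pos += 1
        if marker in STANDALONE_MARKERS:
            yield marker, start, None
            if marker == 0xD9:
                return
            continue
        if pos + 2 > n:
            raise ValueError(f"truncated length field for marker 0x{marker:02X}")
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        # The length counts its own two bytes, so anything below 2 is bogus.
        if length < 2:
            raise ValueError(
                f"marker 0x{marker:02X} at offset {start} declares length {length} (< 2)")
        if pos + length > n:
            raise ValueError(f"marker 0x{marker:02X} at offset {start} runs past end of file")
        yield marker, start, length
        if marker == 0xDA:  # SOS: scan data follows, stop walking headers
            return
        pos += length
    raise ValueError("no EOI marker found")


def check_jpeg(data: bytes) -> dict:
    """Return {'ok': bool, 'segments': [...], 'error': str | None}."""
    try:
        segments = list(walk_jpeg_segments(data))
    except ValueError as exc:
        return {"ok": False, "segments": [], "error": str(exc)}
    return {"ok": True, "segments": segments, "error": None}


def _segment(marker: int, payload: bytes) -> bytes:
    """Build a well-formed marker segment (helper for the constructed samples)."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed samples: a minimal JFIF header with a comment, then the same
# header where the COM segment declares length 1.
JFIF_APP0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
GOOD_JPEG = b"\xff\xd8" + _segment(0xE0, JFIF_APP0) + _segment(0xFE, b"hello") + b"\xff\xd9"
BAD_JPEG = b"\xff\xd8" + _segment(0xE0, JFIF_APP0) + b"\xff\xfe\x00\x01" + b"\xff\xd9"

if __name__ == "__main__":
    for label, blob in (("good", GOOD_JPEG), ("bad", BAD_JPEG)):
        result = check_jpeg(blob)
        print(label, "OK" if result["ok"] else f"REJECT: {result['error']}")
```

The walker deliberately stops at the first SOS marker: the header segments are where length fields live, and the entropy-coded scan data after SOS has its own framing. A gateway that applies this check rejects the malformed file before any GDI+-style decoder sees it, but it is a format-sanity filter, not a replacement for the patch.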
(MS04-031) Vulnerability in NetDDE Could Allow Remote Code Execution (841533)
Affected programs and services: Microsoft Windows 2000 Server Service Pack 3
Microsoft Windows 2000 Server Service Pack 4
Microsoft Windows NT Server 4.0 Service Pack 6a
Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
Microsoft Windows Server 2003
Microsoft Windows Server 2003 64-Bit Edition
Microsoft Windows XP
Microsoft Windows XP 64-Bit Edition Service Pack 1
Microsoft Windows XP 64-Bit Edition Version 2003
Microsoft Windows XP Service Pack 1
Malware exploiting this vulnerability: unknown
An unchecked buffer exists in the NetDDE services that could allow remote code execution. An attacker who is able to successfully exploit this vulnerability is capable of gaining complete control over an affected system.
However, the NetDDE services are not started automatically, so they would have to be started manually before an attacker could exploit this vulnerability.
This vulnerability also allows attackers to perform a local elevation of privilege, or a remote denial of service (DoS) attack.
(MS04-032) Security Update for Microsoft Windows (840987)
Affected programs and services: Microsoft Windows 2000 Server Service Pack 3
Microsoft Windows 2000 Server Service Pack 4
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Millennium Edition
Microsoft Windows NT Server 4.0 Service Pack 6a
Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
Microsoft Windows Server 2003
Microsoft Windows Server 2003 64-Bit Edition
Microsoft Windows XP
Microsoft Windows XP 64-Bit Edition Service Pack 1
Microsoft Windows XP 64-Bit Edition Version 2003
Microsoft Windows XP Service Pack 1
Malware exploiting this vulnerability: unknown
This cumulative release from Microsoft covers four newly discovered vulnerabilities:
* Windows Management Vulnerability
This vulnerability in the Windows Management APIs may allow an elevation of privilege, which may give a logged-on user total control of the affected system.
* Virtual DOS Machine Vulnerability
The operating system component that handles the Virtual DOS Machine subsystem contains a vulnerability that may allow a logged-on user to take complete control of the affected system.
* Graphics Rendering Engine Vulnerability
This vulnerability in the rendering of .WMF and .EMF image files may allow remote code execution on an affected system. Any application that renders these image formats on the affected system is prone to this attack. If successfully exploited, this vulnerability may give an attacker complete control over the affected system.
* Windows Kernel Vulnerability
A vulnerability exists in the Windows kernel that may cause local denial of service (DoS) attacks. An attacker could then locally run a program that could cause the affected system to stop responding.
(MS04-034) Vulnerability in Compressed (zipped) Folders Could Allow Remote Code Execution (873376)
Affected programs and services: Microsoft Windows Server 2003
Microsoft Windows Server 2003 64-Bit Edition
Microsoft Windows XP
Microsoft Windows XP 64-Bit Edition Service Pack 1
Microsoft Windows XP 64-Bit Edition Version 2003
Microsoft Windows XP Service Pack 1
Malware exploiting this vulnerability: unknown
This is another privately reported vulnerability about Windows Compressed Folders.
There is a vulnerability on the way that Windows processes Compressed (zipped) Folders that could lead to remote code execution.
Windows does not properly handle extraction of a .ZIP archive containing an entry with a very long file name. The affected library, DUNZIP32.DLL, does not check the size of the destination buffer when it converts the file name from the DOS/OEM to the Windows/ANSI character set during extraction. Opening a specially crafted compressed file therefore causes a stack-based overflow that lets a remote attacker execute arbitrary code.
To trigger the attack, a malicious user or a malware would either host a Web page or send an HTML-based email that contains the crafted .ZIP file, and lure the target user into visiting the page or clicking the link. There is no way to force the affected user to view the malicious Web page.
Note that neither WinZip nor Windows Compressed Folders can easily create a malformed .ZIP file of this kind; it has to be crafted deliberately.
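The description above names the trigger (an entry with a very long file name) without giving a figure. A cheap pre-screen, independent of DUNZIP32.DLL, is to parse the archive's central directory yourself and flag entries whose stored name length is implausible before the archive is handed to an extractor. The following Python is an added example, not Trend Micro's or Microsoft's code; the threshold of 260 (Windows MAX_PATH) is an assumption chosen as a heuristic, since the text above states no limit, and the sample archive is built in memory for the demonstration.

```python
import io
import struct
import zipfile

# Windows MAX_PATH, used here only as a heuristic threshold for "very long"
# (assumption: the bulletin text gives no figure).
MAX_PATH = 260

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CEN_SIG = b"PK\x01\x02"    # central directory file header


def central_directory_entries(data: bytes):
    """Parse the central directory by hand and yield one dict per entry.

    Reading the name length from the on-disk header, rather than asking a
    library for the decoded name, shows exactly what the extractor will see.
    """
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    (_sig, _disk, _cd_disk, _n_this_disk, n_entries,
     _cd_size, cd_offset, _comment_len) = struct.unpack("<4sHHHHIIH", data[eocd:eocd + 22])
    pos = cd_offset
    for _ in range(n_entries):
        if data[pos:pos + 4] != CEN_SIG:
            raise ValueError(f"bad central directory signature at offset {pos}")
        # 46-byte fixed header: sig, ver made, ver needed, flags, method, time,
        # date, crc, comp size, uncomp size, name len, extra len, comment len,
        # disk start, internal attrs, external attrs, local header offset.
        hdr = struct.unpack("<4sHHHHHHIIIHHHHHII", data[pos:pos + 46])
        name_len, extra_len, comment_len = hdr[10], hdr[11], hdr[12]
        name = data[pos + 46:pos + 46 + name_len]
        yield {
            "name": name.decode("cp437", errors="replace"),
            "name_len": name_len,
            "compressed_size": hdr[8],
            "uncompressed_size": hdr[9],
        }
        pos += 46 + name_len + extra_len + comment_len


def flag_long_names(data: bytes, limit: int = MAX_PATH):
    """Return the entries whose stored file name length reaches the limit."""
    return [e for e in central_directory_entries(data) if e["name_len"] >= limit]


def build_sample_zip(names):
    """Build an archive in memory (constructed test input, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name in names:
            zf.writestr(name, b"sample content")
    return buf.getvalue()


# One ordinary entry and one whose name is far longer than MAX_PATH.
SAMPLE_ZIP = build_sample_zip(["readme.txt", "A" * 300 + ".txt"])

if __name__ == "__main__":
    for entry in flag_long_names(SAMPLE_ZIP):
        print(f"suspicious entry: name length {entry['name_len']}: {entry['name'][:40]}...")
```

Because the check reads the central directory, it catches the long name without extracting anything; an archive that fails it can be quarantined at a mail gateway or file share before the vulnerable Compressed Folders code on a client ever touches it.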
(MS04-037) Vulnerability in Windows Shell Could Allow Remote Code Execution (841356)
Affected programs and services: Microsoft Windows 2000 Service Pack 3
Microsoft Windows 2000 Service Pack 4
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Millennium Edition
Microsoft Windows NT Server 4.0 Service Pack 6a
Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
Microsoft Windows Server 2003
Microsoft Windows Server 2003 64-Bit Edition
Microsoft Windows XP
Microsoft Windows XP 64-Bit Edition Service Pack 1
Microsoft Windows XP 64-Bit Edition Version 2003
Microsoft Windows XP Service Pack 1
Malware exploiting this vulnerability: unknown
This security bulletin focuses on the following vulnerabilities:
* Shell Vulnerability
This vulnerability exists in the way the Windows Shell launches applications and could enable a remote malicious user or malware to execute arbitrary code. The Windows Shell function does not properly check the length of the message before copying it to the allocated buffer.
When an attacker has successfully exploited this vulnerability against a target user who is logged on with administrative privileges, the attacker's code runs with administrative privileges. The payload may include installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. However, exploiting this vulnerability requires user interaction.
To trigger the attack, a malicious user or a malware would either host a Web site or send an HTML-based email that contains an object, usually script, which exploits the vulnerability when the affected user visits the site or clicks the link. There is no way to force the victim to view the malicious Web site or click the link; other factors or techniques, such as social engineering or possibly other exploits, are needed to lure the affected user into producing the required event.
* Program Group Converter Vulnerability
Program Group Converter is an application used to convert Program Manager Group files that were produced in Windows 3.1, Windows 3.11, Windows for Workgroups 3.1, and Windows for Workgroups 3.11 so that they can still be used by later operating systems.
It is also used by third-party software, for example during the installation of other applications or devices.
The vulnerability lies in an unchecked buffer within the Group Converter utility.
An attacker could exploit this vulnerability using any of the following methods:
o Hosting a malicious Web site and convincing users to visit it.
o Creating an HTML email message that contains a specially crafted link, then convincing users to view the message and click the link.
o Sending a specially crafted .GRP file to a user and persuading the user to open it.
o Using another program that passes parameters to the vulnerable component.
Note that exploiting this vulnerability requires user interaction.
An attacker who successfully exploits this vulnerability could execute code remotely and gain the same privileges as the logged-on user. User accounts with fewer privileges on the system would be at less risk than accounts with administrative privileges.
(MS04-038) Cumulative Security Update for Internet Explorer (834707)
Affected programs and services: Internet Explorer 6 (Microsoft Windows Server 2003)
Internet Explorer 6 (Microsoft Windows Server 2003 64-Bit Edition)
Internet Explorer 5.01 Service Pack 3 on Windows 2000 Service Pack 3
Internet Explorer 5.5 Service Pack 2 on Microsoft Windows ME
Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 3
Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
Internet Explorer 6 Service Pack 1 on Microsoft Windows XP
Internet Explorer 6 Service Pack 1 on Microsoft Windows XP Service Pack 1
Internet Explorer 6 for Windows XP Service Pack 1 (64-Bit Edition)
Internet Explorer 6 for Windows XP Service Pack 2
Internet Explorer 6 for Microsoft Windows XP
Internet Explorer 5.01 Service Pack 4 on Windows 2000 Service Pack 4
Internet Explorer 6 for Windows XP 64-Bit Edition Version 2003
Malware exploiting this vulnerability: unknown
This is a remote code execution vulnerability in Internet Explorer.
An attacker could exploit it by constructing a malicious Web page; the vulnerable routine allows remote code execution if a user visits that page.
An attacker who successfully exploits this vulnerability could take complete control of an affected system. However, significant user interaction is required to exploit it.
(MS04-040) Cumulative Security Update for Internet Explorer (889293)
Affected programs and services: Microsoft Windows 2000 Service Pack 3
Microsoft Windows 2000 Service Pack 4
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Millennium Edition
Microsoft Windows NT Server 4.0 Service Pack 6a
Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
Microsoft Windows XP 64-Bit Edition Service Pack 1
Microsoft Windows XP Service Pack 1
Malware exploiting this vulnerability: WORM_BOFRA.B, WORM_BOFRA.C
This security update addresses and resolves a vulnerability in Internet Explorer that could allow remote code execution.
A Web page can be crafted to exploit this vulnerability such that an arbitrary application is executed on visiting systems with the same privileges as the currently logged-on user.
This exploit technique is used by WORM_BOFRA.B and WORM_BOFRA.C to propagate. Both worms send out email messages that contain a link to a similarly crafted Web page. The page automatically downloads and executes a copy of the worm on computers whose users have clicked the email link.
Note that this update is cumulative and replaces the update included in Microsoft Security Bulletin MS04-038.
Read more about this vulnerability on the following Microsoft page: Microsoft Security Bulletin MS04-040
(MS04-041) Vulnerability in WordPad Could Allow Code Execution (885836)
Affected programs and services: Microsoft Windows 2000 Service Pack 3
Microsoft Windows 2000 Service Pack 4
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Millennium Edition
Microsoft Windows NT Server 4.0 Service Pack 6a
Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
Microsoft Windows Server 2003
Microsoft Windows Server 2003 64-Bit Edition
Microsoft Windows XP 64-Bit Edition Service Pack 1
Microsoft Windows XP 64-Bit Edition Version 2003
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Malware exploiting this vulnerability: unknown
This security advisory explains two discovered vulnerabilities in the Microsoft Word for Windows 6.0 Converter, which WordPad uses to convert Word 6.0 documents into its own file format.
Once exploited, this remote code execution vulnerability could allow a malicious user or a malware to take complete control of the affected system if the affected user is currently logged on with administrative privileges.
The malicious user or a malware can execute code on the system giving them the ability to install or run programs. It also allows viewing or editing of data with full privileges. Thus, this vulnerability can conceivably be used by a malware for replication purposes.
The following are the discovered vulnerabilities:
* Font Conversion Vulnerability
* Table Conversion Vulnerability
Both vulnerabilities are caused by an unchecked buffer in the Microsoft Word for Windows 6.0 Converter. They can be exploited by a remote attacker or a malware using the following methods:
* A Web-based attack requires the attacker to host a Web site containing a page that exploits this vulnerability. The attacker has no way of forcing users to visit the malicious site; instead, the attacker persuades them to visit it, usually by getting them to click a link to the attacker's site. After clicking the link, users are prompted to perform several actions, and an attack can only occur after they perform those actions.
* Email attack involves a user opening an attachment sent via email. A malware or an attacker who successfully exploits this vulnerability could gain the same privileges as the user. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.
(MS04-043) Vulnerability in HyperTerminal Could Allow Code Execution (873339)
Affected programs and services: Microsoft Windows 2000 Service Pack 3
Microsoft Windows 2000 Service Pack 4
Microsoft Windows NT Server 4.0 Service Pack 6a
Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
Microsoft Windows Server 2003
Microsoft Windows Server 2003 64-Bit Edition
Microsoft Windows XP 64-Bit Edition Service Pack 1
Microsoft Windows XP 64-Bit Edition Version 2003
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Malware exploiting this vulnerability: unknown
A remote code execution vulnerability exists in HyperTerminal because of a buffer overrun.
If a user is logged on with administrator privileges, an attacker could exploit the vulnerability by constructing a malicious HyperTerminal session file that could potentially allow remote code execution and then persuade a user to open this file. This malicious file may enable the attacker to gain complete control of the affected system.
This vulnerability could also be exploited through a malicious Telnet URL if HyperTerminal had been set as the default Telnet client.
Users with fewer privileges on a system are less at risk than those with administrator privileges. Note that user interaction is required for this vulnerability to be exploited.
Affected Software
* Microsoft Windows NT Server 4.0 Service Pack 6a
* Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
* Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4
* Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
* Microsoft Windows XP 64-Bit Edition Service Pack 1
* Microsoft Windows XP 64-Bit Edition Version 2003
* Microsoft Windows Server 2003
* Microsoft Windows Server 2003 64-Bit Edition
More information on this vulnerability is available on the Microsoft Security Bulletin MS04-043.
This advisory is one of five security advisories posted by Microsoft for December. You can view the other postings here:
* Microsoft Security Bulletin MS04-041
* Microsoft Security Bulletin MS04-042
* Microsoft Security Bulletin MS04-044
* Microsoft Security Bulletin MS04-045
(MS04-044) Vulnerabilities in Windows Kernel and LSASS Could Allow Elevation of Privilege (885835)
Affected programs and services:
* Microsoft Windows 2000 Server Service Pack 3
* Microsoft Windows 2000 Server Service Pack 4
* Microsoft Windows NT Server 4.0 Service Pack 6a
* Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
* Microsoft Windows Server 2003
* Microsoft Windows Server 2003 64-Bit Edition
* Microsoft Windows XP 64-Bit Edition Service Pack 1
* Microsoft Windows XP 64-Bit Edition Version 2003
* Microsoft Windows XP Service Pack 1
* Trend Micro InterScan Web Security Suite for Solaris
Malware exploiting this vulnerability: unknown
This security update addresses and resolves two Windows vulnerabilities, both of which may enable the current user to take control of the affected system:
* Windows Kernel Vulnerability
A privilege elevation vulnerability exists in the way that the Windows Kernel launches applications. This vulnerability could allow the current user to take complete control of the system.
An attacker who successfully exploits this vulnerability could take complete control of the affected system, including installing programs, viewing, changing, or deleting data, or creating new accounts that have full privileges.
Attempts to exploit this vulnerability on systems running Windows XP Service Pack 2 or Windows Server 2003 will most likely result in a denial of service (DoS) attack.
* LSASS Vulnerability
A privilege elevation vulnerability exists in the way that the LSASS validates identity tokens. This vulnerability could allow the current user to take complete control of the affected system.
An attacker who successfully exploits this vulnerability could take complete control of the affected system, including installing programs, viewing, changing, or deleting data, or creating new accounts that have full privileges.
Both of these vulnerabilities require that the current user be able to log on locally and execute programs. They cannot be exploited remotely, or by anonymous users.
(MS05-001) Vulnerability in HTML Help Could Allow Code Execution (890175)
Affected programs and services:
* Microsoft Windows 2000 Server Service Pack 3
* Microsoft Windows 2000 Server Service Pack 4
* Microsoft Windows 98
* Microsoft Windows 98 Second Edition
* Microsoft Windows Millennium Edition
* Microsoft Windows Server 2003
* Microsoft Windows Server 2003 64-Bit Edition
* Microsoft Windows XP 64-Bit Edition Service Pack 1
* Microsoft Windows XP 64-Bit Edition Version 2003
* Microsoft Windows XP Service Pack 1
Malware exploiting this vulnerability: HLP_HEAPINTX.A
This security update from Microsoft resolves a newly-discovered vulnerability in the HTML Help ActiveX control in Windows, which could allow information disclosure or remote code execution on an affected system.
This vulnerability exists in HTML Help ActiveX control that could allow information disclosure or remote code execution on an affected system. An attacker exploits this vulnerability by constructing a malicious Web page that could potentially allow remote code execution if a user visited that page.
If a user is logged on with administrative privileges, an attacker who successfully exploits this vulnerability gains the same privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full privileges. Users whose accounts are configured to have fewer privileges on the system could be less impacted than users who operate with administrative privileges.
Trend Micro currently detects code that exploits this vulnerability as HLP_HEAPINTX.A.
(MS05-002) Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code Execution (891711)
Affected programs and services:
* Microsoft Windows 2000 Server Service Pack 3
* Microsoft Windows 2000 Server Service Pack 4
* Microsoft Windows NT Server 4.0 Service Pack 6a
* Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
* Microsoft Windows Server 2003
* Microsoft Windows Server 2003 64-Bit Edition
* Microsoft Windows XP 64-Bit Edition Version 2003
* Microsoft Windows XP 64-Bit Edition Version 2003 Service Pack 1
* Microsoft Windows XP Service Pack 1
Malware exploiting this vulnerability: unknown
This security update from Microsoft explains the following discovered vulnerabilities:
* Cursor and Icon Format Handling Vulnerability
A remote code execution vulnerability exists in the way that cursor, animated cursor, and icon formats are handled. An attacker could try to exploit the vulnerability by constructing a malicious cursor or icon file that could allow remote code execution if a user visits a malicious Web site or views a malicious e-mail message. An attacker who successfully exploits this vulnerability could take complete control of an affected system.
In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that exploits this vulnerability. An attacker could also attempt to compromise a Web site to have it serve up a Web page with malicious content attempting to exploit this vulnerability. An attacker would have no way to force users to visit a Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site or a site compromised by the attacker.
* Windows Kernel Vulnerability
A denial of service vulnerability exists in the way that cursor, animated cursor, and icon formats are handled. An attacker could try to exploit the vulnerability by constructing a malicious cursor or icon file that could potentially cause the operating system to become unresponsive. The operating system would have to be restarted to restore functionality.
In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker could also attempt to compromise a Web site to have it serve up a Web page with malicious content attempting to exploit this vulnerability. An attacker would have no way to force users to visit a Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site or a site compromised by the attacker.
An attacker who successfully exploits this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Trend Micro currently detects code that exploits this vulnerability as the following:
* TROJ_LOADIMG.A
* EXPL_IMG_ANI.GEN
(MS05-003) Vulnerability in the Indexing Service Could Allow Remote Code Execution (871250)
Affected programs and services:
* Microsoft Windows 2000 Service Pack 3
* Microsoft Windows 2000 Service Pack 4
* Microsoft Windows Server 2003
* Microsoft Windows Server 2003 64-Bit Edition
* Microsoft Windows XP 64-Bit Edition Service Pack 1
* Microsoft Windows XP 64-Bit Edition Version 2003
* Microsoft Windows XP Service Pack 1
Malware exploiting this vulnerability: unknown
This remote code execution vulnerability exists in the way the Indexing Service handles query validation. An attacker could exploit the vulnerability by constructing a malicious query that could potentially allow remote code execution on an affected system.
An attacker who successfully exploits this vulnerability could take complete control of an affected system. While remote code execution is possible, an attack would most likely result in a denial of service condition.
(MS05-004) ASP.NET Path Validation Vulnerability (887219)
Affected programs and services:
* Microsoft .NET Framework 1.0
* Microsoft .NET Framework 1.1
Malware exploiting this vulnerability: unknown
A canonicalization vulnerability exists in ASP.NET, which could allow a malicious user to access secure and protected files. The security mechanisms of an ASP.NET Web site can be bypassed to allow the malicious user unauthorized access.
(MS05-007) Vulnerability in Windows Could Allow Information Disclosure (888302)
Affected programs and services:
* Microsoft Windows XP Service Pack 1
* Microsoft Windows XP Service Pack 2
* Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
Malware exploiting this vulnerability: unknown
The security descriptor for NetSessionEnum could allow an anonymous user to list all the currently logged-on users on a share. This would enable the attacker to determine the list of users who have access to the share, thereby obtaining half of the information needed to gain access to the shares themselves.
Windows XP SP1 and SP2 allow remote attackers to obtain sensitive information (users who are accessing resources) via an anonymous login using a named pipe that is not properly authenticated, a.k.a. the "Named Pipe Vulnerability".
An attacker who successfully exploits this vulnerability can remotely read the user names for users who have an open connection to an available shared resource. Malware programs, especially worms, can utilize this vulnerability by getting the list of legitimate users of the share and attacking its password using dictionary or brute force attacks. Obtaining the list of legitimate users of the shared resource would lessen the attack time of the malware to compromise the system.
(MS05-008) Vulnerability in Windows Shell Could Allow Remote Code Execution (890047)
Affected programs and services:
* Microsoft Windows 2000 Service Pack 3
* Microsoft Windows 2000 Service Pack 4
* Microsoft Windows 98
* Microsoft Windows 98 Second Edition
* Microsoft Windows Millennium Edition
* Microsoft Windows Server 2003
* Microsoft Windows Server 2003 for Itanium-based Systems
* Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
* Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
Malware exploiting this vulnerability: unknown
This is a privilege escalation vulnerability. Normally, Web pages are opened in the restricted Internet Zone. Exploitation of this vulnerability would allow zone elevation from Internet to Intranet Zone. This could be leveraged by an attacker to drop files on the system in locations chosen by the attacker.
In a Web-based attack scenario, an attacker would have to host a Web site specifically created to exploit this vulnerability. The attacker would then have to persuade a user to visit the site, typically by persuading users to click on a link that redirects them to the malicious site. This vulnerability would allow an attacker to drop files on the user's system in specified locations. The attack proper only occurs when the dropped files are executed by logging off and on the system, restarting the system, or by unintentionally executing the dropped file.
(MS05-009) Vulnerability in PNG Processing Could Allow Remote Code Execution (890261)
Affected programs and services:
* Microsoft MSN Messenger 6.0
* Microsoft MSN Messenger 6.1
* Microsoft Windows 95
* Microsoft Windows 98
* Microsoft Windows 98 Second Edition
* Microsoft Windows Millennium Edition
* Microsoft Windows Media Player 9 Series
* Microsoft Windows Messenger version 5.0
* Microsoft Windows Messenger version 4.7.0.2009
* Microsoft Windows Messenger version 4.7.0.3000
Malware exploiting this vulnerability: unknown
This advisory discusses the vulnerability found in the processing of .PNG files. A specially crafted PNG file with excessive width and height values causes remote code execution.
(MS05-011) Vulnerability in Server Message Block Could Allow Remote Code Execution (885250)
Affected programs and services:
* Microsoft Windows 2000 Service Pack 3
* Microsoft Windows 2000 Service Pack 4
* Microsoft Windows Server 2003
* Microsoft Windows XP Service Pack 1
* Microsoft Windows XP Service Pack 2
* Microsoft Windows Server 2003 for Itanium-based Systems
* Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
* Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
Malware exploiting this vulnerability: unknown
The Server Message Block (SMB) implementation for Windows 2000, XP, and Server 2003 does not properly validate certain SMB packets, which allows remote attackers to execute arbitrary code using certain broadcast packets, a.k.a. the "Server Message Block Vulnerability."
An attacker who successfully exploits this vulnerability could gain complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
(MS05-012) Vulnerability in OLE and COM Could Allow Remote Code Execution (873333)
Affected programs and services:
* Microsoft Exchange 2000 Server Service Pack 3
* Microsoft Exchange Server 2003
* Microsoft Exchange Server 5.0 Service Pack 2
* Microsoft Exchange Server 5.5 Service Pack 4
* Microsoft Office XP
* Microsoft Office XP Service Pack 2
* Microsoft Windows 2000 Service Pack 3
* Microsoft Windows 2000 Service Pack 4
* Microsoft Windows 98
* Microsoft Windows 98 Second Edition
* Microsoft Windows Millennium Edition
* Microsoft Windows Server 2003
* Microsoft Windows XP Service Pack 1
* Microsoft Windows XP Service Pack 2
* Microsoft Exchange Server 2003 Service Pack 1
* Microsoft Windows Server 2003 for Itanium-based Systems
* Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
* Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
* Microsoft Office XP Service Pack 3
* Microsoft Office 2003 Service Pack 1
* Microsoft Office 2003
Malware exploiting this vulnerability: unknown
This advisory discusses the following vulnerabilities affecting Windows:
* COM Structured Storage Vulnerability. This privilege elevation vulnerability exists in the way that the affected operating systems and programs access memory when they process COM structured storage files. This vulnerability could allow a currently logged-on user to take complete control of the system.
* Input Validation Vulnerability. This remote code execution vulnerability exists in OLE because of the way that it handles input validation. An attacker could exploit the vulnerability by constructing a malicious document that could potentially allow remote code execution.
An attacker who successfully exploits these vulnerabilities could take complete control of an affected system. However, user interaction is required to exploit this vulnerability on Windows 2000, Windows XP, and Windows Server 2003.
(MS05-013) Vulnerability in the DHTML Editing Component ActiveX Control Could Allow Remote Code Execution (891781)
Affected programs and services:
* Microsoft Windows 2000 Server Service Pack 3
* Microsoft Windows 2000 Server Service Pack 4
* Microsoft Windows Server 2003
* Microsoft Windows XP Service Pack 1
* Microsoft Windows XP Service Pack 2
* Microsoft Windows Server 2003 for Itanium-based Systems
* Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
* Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
Malware exploiting this vulnerability: unknown
This security advisory explains the vulnerability that exists in the DHTML Editing Component ActiveX Control.
DHTML Editing Control is an ActiveX control that provides a user the ability to perform text and HTML editing functions. Combined with certain script commands, the DHTML Editing Control can open the content of a Web page in any domain, regardless of the domain of the host page.
A cross-domain violation vulnerability exists in DHTML Editing Control, allowing a Web site to access information in another domain or zone. Once successfully exploited, it could allow information disclosure or remote code execution on an affected system. An attacker may then be able to execute arbitrary scripts in the Local Machine Zone, or read or modify data in other domains.
A typical scenario of exploiting this vulnerability could be any one of the following:
* An attacker creates a malicious Web page and using social engineering, persuades a user to visit this page. When the user visits the page, the attacker would be able to access information from other Web sites, local files on the system, or cause script to run in the security context of the Local Machine zone.
* Malware creates a specially crafted e-mail message that contains a link to the malicious Web page. When the user clicks on the link, the attacker would be able to access information from other Web sites, local files on the system, or cause script to run in the security context of the Local Machine zone.
(MS05-014) Cumulative Security Update for Internet Explorer (867282)
Affected programs and services:
* Microsoft Internet Explorer 5.01 Service Pack 3
* Microsoft Internet Explorer 5.01 Service Pack 4
* Microsoft Internet Explorer 5.5 Service Pack 2
* Microsoft Internet Explorer 6.0 (Microsoft Windows Server 2003)
* Microsoft Internet Explorer 6.0 Service Pack 1
* Microsoft Windows 2000 Server Service Pack 3
* Microsoft Windows 2000 Server Service Pack 4
* Microsoft Windows 98
* Microsoft Windows 98 Second Edition
* Microsoft Windows Millennium Edition
* Microsoft Windows Server 2003
* Microsoft Windows XP Service Pack 1
* Microsoft Windows XP Service Pack 2
* Microsoft Windows Server 2003 for Itanium-based Systems
* Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
* Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
* Microsoft Internet Explorer 6.0 (Microsoft Windows XP 64-Bit Edition Version 2003)
* Microsoft Internet Explorer 6.0 (Microsoft Windows Server 2003 64-Bit Edition)
* Microsoft Internet Explorer 6.0 (Microsoft Windows XP 64-Bit Edition Service Pack 1)
Malware exploiting this vulnerability: unknown
This security advisory replaces the update that is included with Microsoft Security Bulletins MS04-038 and MS04-040. This also includes several hotfixes since the release of Microsoft Security Bulletins MS04-004 or MS04-025.
This update resolves the following vulnerabilities affecting Internet Explorer:
* Drag-and-Drop Vulnerability
A privilege elevation vulnerability exists in Internet Explorer because of the way that Internet Explorer handles drag-and-drop events. An attacker could exploit the vulnerability by constructing a malicious Web page. This malicious Web page could potentially allow an attacker to save a file on the user's system if a user visited a malicious Web site or viewed a malicious e-mail message.
* URL Decoding Zone Spoofing Vulnerability
A remote code execution vulnerability exists in Internet Explorer because of the way that it handles certain encoded URLs. An attacker could exploit the vulnerability by constructing a malicious URL. This malicious URL could potentially allow remote code execution if a user visited a malicious Web site or viewed a malicious e-mail message. The URL could be made to look like a link to another Web site in an attempt to trick a user into clicking it.
* DHTML Method Heap Memory Corruption Vulnerability
A remote code execution vulnerability exists in Internet Explorer because of the way that it handles certain DHTML methods. An attacker could exploit the vulnerability by constructing a malicious Web page. This malicious Web page could potentially allow remote code execution if a user visited a malicious Web site or viewed a malicious e-mail message.
* Channel Definition Format (CDF) Cross Domain Vulnerability
A cross-domain vulnerability exists in Internet Explorer that could allow information disclosure or remote code execution on an affected system. An attacker could exploit the vulnerability by constructing a malicious Web page. The malicious Web page could potentially allow remote code execution if viewed by a user.
An attacker who successfully exploits these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
(MS05-015) Vulnerability in Hyperlink Object Library Could Allow Remote Code Execution (888113)
Affected programs and services:
* Microsoft Windows 2000 Service Pack 3
* Microsoft Windows 2000 Service Pack 4
* Microsoft Windows 98
* Microsoft Windows 98 Second Edition
* Microsoft Windows Millennium Edition
* Microsoft Windows Server 2003
* Microsoft Windows XP Service Pack 1
* Microsoft Windows XP Service Pack 2
* Microsoft Windows Server 2003 for Itanium-based Systems
* Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
* Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
Malware exploiting this vulnerability: unknown
A remote code execution vulnerability exists in the Hyperlink Object Library. This problem exists because of an unchecked buffer while handling hyperlinks. An attacker could exploit the vulnerability by constructing a malicious hyperlink, which could potentially lead to remote code execution if a user clicks a malicious link within a Web site or email message.
An attacker who successfully exploits this vulnerability could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. User interaction is required to exploit this vulnerability.
Mitigating factors:
* In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker could also attempt to compromise a Web site to have it display a Web page with malicious content. An attacker would have no way to force users to click on the malicious link. After they click the link, they would be prompted to perform several actions. An attack could only occur after they performed these actions.
* An attacker who successfully exploits this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
* The vulnerability could not be exploited automatically through email. For an attack to be successful, a user must click on a link within an email message.
* Customers running Microsoft ISA 2004 as their corporate Web proxy are at less risk from this vulnerability, as ISA 2004 rejects the URL in question by default when handling proxy client requests. This ISA configuration requires an HTTP Filter Signature in order to effectively mitigate this vulnerability. For information on HTTP Filtering in ISA 2004, visit the Microsoft TechNet Web site.
(MS05-016) Vulnerability in Windows Shell that Could Allow Remote Code Execution (893086)
Affected programs and services:
* Microsoft Windows 2000 Service Pack 3
* Microsoft Windows 2000 Service Pack 4
* Microsoft Windows 98
* Microsoft Windows 98 Second Edition
* Microsoft Windows Millennium Edition
* Microsoft Windows Server 2003
* Microsoft Windows XP Service Pack 1
* Microsoft Windows XP Service Pack 2
* Microsoft Windows Server 2003 for Itanium-based Systems
* Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
* Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
Malware exploiting this vulnerability: unknown
This security advisory explains the newly-discovered vulnerability in the way Windows handles a file's associated application extension.
A file with an unknown or unregistered extension can be manipulated so that the operating system will open the file and execute the code in the said file.
Once exploited, this vulnerability allows a malicious user or malware to take control over the affected system. However, the level of control available to the malicious user or malware is limited to the access rights of the exploited user. If a user has administrator rights, then successful exploitation will allow the malicious user or malware complete control over the system.
The malicious user or malware can execute code on the system, giving them the ability to install or run programs and view or edit data. Thus, this vulnerability can be used by malware programs for replication purposes.
This vulnerability can be exploited by a remote malicious attacker or malware using any of the following attack scenarios:
* Web-based attack scenario. An attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site. After they click the link, they would be prompted to perform several actions. An attack could only occur after they performed these actions.
* Email attack scenario. A user must open an attachment that is sent in an e-mail message for an attack to be successful through email.
An attacker or malware that successfully exploits this vulnerability could gain the same privileges as the user. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.
However, the vulnerability would generally be exploited through unregistered file name extension types. Systems that block unknown file name extension types or only allow known valid file name extension types would be at a reduced risk from this vulnerability.
(MS05-018) Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege and Denial of Service (890859)
Affected programs and services: Microsoft Windows 2000 Service Pack 3
Microsoft Windows 2000 Service Pack 4
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Millennium Edition
Microsoft Windows Server 2003
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
Malware exploiting this vulnerability: unknown
This security advisory explains the four newly discovered vulnerabilities in Windows. Once exploited, they could allow a currently logged on user to take complete control over the affected system.
The malicious user can execute code on the system, giving him the ability to install or run programs, and view or edit data with full privileges. However, these vulnerabilities require a user with valid login credentials before they can be exploited.
The following are the four newly-discovered vulnerabilities:
* Font Vulnerability. An unchecked buffer in the processing of malicious fonts exists in affected operating systems.
* Windows Kernel Vulnerability. The vulnerable process used to validate certain access requests exists on affected operating system versions.
* Object Management Vulnerability. An unchecked buffer exists in affected operating systems. When exploited by a logged-on user, it can cause the system to stop responding and automatically restart. A remote user or a remotely-deployed malware could not exploit this vulnerability.
* CSRSS Vulnerability. The process used by the Client Server Runtime System (CSRSS) to validate certain messages contains a vulnerability.
Once exploited, these vulnerabilities can lead to elevation of privileges in the system. They can allow a logged-on user to take full control of the system. The user has to be logged into the system and run a specially-designed application to exploit these vulnerabilities. A remote user or a remotely-deployed malware could not exploit them.
(MS05-019) Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service (893066)
Affected programs and services: Microsoft Windows 2000 Server Service Pack 4
Microsoft Windows 2000 Service Pack 3
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Tablet PC Edition
Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Professional SP4
Microsoft Windows XP Home Edition SP1
Microsoft Windows XP Home Edition SP2
Microsoft Windows XP Media Center Edition 2002
Microsoft Windows XP Media Center Edition 2005
Microsoft Windows XP Professional SP1
Microsoft Windows XP Service Pack 1a
Microsoft Windows XP Professional SP2
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Datacenter Edition (Itanium)
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Enterprise Edition for Itanium-based Systems
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Malware exploiting this vulnerability: unknown
* IP Validation Vulnerability - CAN-2005-0048
A remote code execution vulnerability exists that could allow an attacker to send a specially crafted IP message to an affected system. An attacker who successfully exploited this vulnerability could cause the affected system to remotely execute code.
However, attempts to exploit this vulnerability would most likely result in a denial of service.
--
A malformed or specially crafted TCP packet with a malformed IP option can cause a denial of service on a target machine. This malformed packet can also cause a heap-based overflow that could lead to remote code execution.
Once this vulnerability is exploited, the execution of a remote code could allow a malicious user or a malware to take complete control of the affected system if an affected user is currently logged on with administrative privileges.
The malicious user or a malware can execute code on the system giving them the capability to install or run programs and view or edit data with full privileges. Thus, this vulnerability can conceivably be used by a malware for replication purposes.
* Spoofed Connection Request Vulnerability - CAN-2005-0688
A denial of service vulnerability exists that could allow an attacker to send a specially crafted TCP/IP message to an affected system. An attacker who successfully exploited this vulnerability could cause the affected system to stop responding.
--
Malware authors or malware applications can take advantage of this vulnerability by attacking target hosts with a specially crafted TCP message to create a Denial of Service. Trojan applications may use this DoS attack against Web sites or hosts.
* ICMP Connection Reset Vulnerability - CAN-2004-0790
A denial of service vulnerability exists that could allow an attacker to send a specially crafted Internet Control Message Protocol (ICMP) message to an affected system. An attacker who successfully exploited this vulnerability could cause the affected system to reset existing TCP connections.
* ICMP Path MTU Vulnerability - CAN-2004-1060
A denial of service vulnerability exists that could allow an attacker to send a specially crafted Internet Control Message Protocol (ICMP) message to an affected system that could cause network performance to degrade and potentially stop the affected system from responding to requests.
--
ICMP, as used in the Internet architecture, performs fault-isolation functions between hosts and routers. If there's a problem forwarding a packet, the host and router will try to negotiate: the router sends an ICMP error message to the host. A host may also generate an ICMP error message if there's an error processing a datagram.
Malware authors or malware applications can take advantage of this vulnerability by attacking target hosts with a specially crafted ICMP message that triggers the fault-recovery policy of ICMP, thus creating a Denial of Service. Trojan applications may use this DoS attack against Web sites or hosts.
* TCP Connection Reset Vulnerability - CAN-2004-0230
A denial of service vulnerability exists that could allow an attacker to send a specially crafted TCP message to an affected system. An attacker who successfully exploited this vulnerability could cause the affected system to reset existing TCP connections.
--
Repeatedly sending TCP RST packets with guessed sequence numbers for a connection may cause a DoS. Malware authors or malware applications can send spoofed TCP RST or SYN segments to abort a TCP connection on the server and make the connection accept spurious segments.
Malware authors or malware applications can take advantage of this vulnerability by attacking target hosts with specially crafted TCP RST packets to create a Denial of Service.
(MS05-020) Cumulative Security Update for Internet Explorer (890923)
Affected programs and services: Microsoft Windows 2000 Server Service Pack 3
Microsoft Windows 2000 Server Service Pack 4
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Millennium Edition
Microsoft Windows Server 2003
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
Malware exploiting this vulnerability: HTML_BINDSHELL.A
This security advisory is a cumulative update on three vulnerabilities in Internet Explorer.
DHTML Object Memory Corruption Vulnerability
This remote code execution vulnerability exists in Internet Explorer because of the way it handles certain DHTML objects. An attacker could exploit this vulnerability by constructing a malicious Web page. This malicious Web page could then allow remote code execution if a user visited the malicious Web site. An attacker who successfully exploits this vulnerability could take complete control of an affected system.
This vulnerability can be exploited by a malware or a malicious user by the following scenarios:
* Web-based attack scenario: An attacker hosts a Web site that contains a Web page used to exploit this vulnerability. This malicious Web site then entices the user to click on a link to the attacker's Web site. After a successful connection, the user is then prompted to perform several actions.
* E-mail attack scenario: A user opens an attachment that is sent in an email message. The user may also click on a link in the email message.
URL Parsing Memory Corruption Vulnerability
This remote code execution vulnerability exists in Internet Explorer because of the way it handles certain URLs. An attacker exploits this vulnerability by constructing a malicious Web page. This malicious Web page could then potentially allow remote code execution if a user visited this malicious Web site. An attacker who successfully exploits this vulnerability could take complete control of an affected system.
This vulnerability can be exploited by a malware or a malicious user by the following scenarios:
* Web-based attack scenario: An attacker hosts a Web site that contains a Web page used to exploit this vulnerability. This malicious Web site then entices a user to click on a link to the attacker's Web site. After a successful connection, the user is then prompted to perform several actions.
* Email attack scenario: This vulnerability is not exploited automatically through email. For an attack to be successful, a user must click a malicious link that is sent in an email message.
Content Advisor Memory Corruption Vulnerability
This remote code execution vulnerability exists in Internet Explorer because of the way it handles Content Advisor files. An attacker could exploit this vulnerability by constructing a specially crafted Content Advisor file. This malicious Content Advisor file could then potentially allow remote code execution if a user visited a malicious Web site, viewed a malicious email message, or accepted the installation of the file. An attacker who successfully exploits this vulnerability could take complete control of an affected system. However, significant user interaction is required to exploit this vulnerability.
This vulnerability can be exploited by a malware or a malicious user by the following scenarios:
* Web-based attack scenario: An attacker hosts a Web site that contains a Web page used to exploit this vulnerability. The attacker also tries to compromise a Web site and have it display malicious content. This malicious Web site then entices a user to click on a link to the attacker's Web site. The user has to click through a series of Content Advisor setup windows for an attack to be successful.
* Email attack scenario: This vulnerability could not be exploited automatically through email. For an attack to be successful, a user must open an attachment that is sent in an email message and then click through a series of Content Advisor setup windows.
An attacker who successfully exploited these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
(MS05-025) Cumulative Security Update for Internet Explorer (883939)
Affected programs and services: Microsoft Windows 2000 Server Service Pack 3
Microsoft Windows 2000 Server Service Pack 4
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Millennium Edition
Microsoft Windows Server 2003
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Malware exploiting this vulnerability: unknown
This security bulletin resolves vulnerabilities affecting Internet Explorer 5.1, 5.5, and 6. It replaces MS05-020, and is also a cumulative update.
It addresses the following vulnerabilities:
* PNG Image Rendering Memory Corruption Vulnerability
A flaw exists in the way Internet Explorer handles PNG images. An attacker can create a specially crafted PNG file which allows for remote code execution.
Once exploited, this remote code execution vulnerability could allow a malicious user or a malware to take complete control of the affected system if the affected user is currently logged on with administrative privileges.
The malicious user or a malware can execute code on the system, giving them the ability to install or run programs and view or edit data with full privileges. Thus, this vulnerability can conceivably be used by a malware for replication purposes.
This vulnerability can be exploited by a remote malicious attacker or a malware by:
o Web-based attack scenario:
An attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.
o E-mail attack scenario:
An attacker can send an HTML-formatted email which displays the malicious image.
A malware or an attacker who successfully exploits this vulnerability could gain the same privileges as the user. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.
* XML Redirect Information Disclosure Vulnerability
A flaw exists in the way Internet Explorer handles certain requests for XML content.
Once exploited, this vulnerability could allow an attacker to view XML data on systems other than that of the malicious Web site.
This vulnerability can be exploited by a remote malicious attacker or a malware by:
o Web-based attack scenario:
An attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.
o E-mail attack scenario:
An attacker can send an email containing a link to the malicious Web site.
Since this is an information disclosure vulnerability, it is most likely that hackers, rather than malware, will use this exploit; as such, it cannot be used directly for replication. However, a malware may still use this vulnerability for the following reasons:
o to attempt to gather email addresses from the XML files
o to collect all the accessed XML files and send them to the malware author
This security advisory contains the following updates as well:
* Updates the Pop-up blocker of Internet Explorer
* Changes the parsing of certain image file formats by Internet Explorer
* Addresses an issue in DigWebX ActiveX control
(MS05-026) Vulnerability in HTML Help Could Allow Remote Code Execution (896358)
Affected programs and services: Microsoft Windows 2000 Service Pack 3
Microsoft Windows 2000 Service Pack 4
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Millennium Edition
Microsoft Windows Server 2003
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Malware exploiting this vulnerability: unknown
This security advisory resolves the newly-discovered vulnerability in Microsoft HTML Help. HTML Help is the standard help system for the Windows platform. Authors can use it to create online Help files for a software application or content for a multimedia title or a Web site.
HTML Help can be exploited because it does not completely validate input data. A specially crafted Compiled Windows Help (CHM) file can cause a heap overflow, which can be exploited in order to execute arbitrary code.
The malicious CHM file can be opened via Internet Explorer using the "ms-its" protocol. This method of opening a CHM file no longer requires user interaction, and could lead to the automatic execution of the malicious CHM file and the accompanying exploit code. The "ms-its" protocol is part of the InfoTech protocol, which is implemented by ITSS.DLL, the Microsoft InfoTech Storage System Library. However, a certain malware cannot propagate on its own merely by exploiting this vulnerability. It still needs a user to visit a malicious CHM file in a specified location using Internet Explorer and the "ms-its" protocol.
Once exploited, this remote code execution vulnerability could allow a malicious user or a malware to take complete control of the affected system if the affected user is currently logged on with administrative privileges.
The malicious user or a malware can execute code on the system giving them the ability to install or run programs and view or edit data with full privileges. Thus, this vulnerability can conceivably be used for replication purposes.
This vulnerability can be exploited by a remote malicious attacker or a malware via any of the following scenarios:
* Web-based attack scenario: An attacker hosts a Web site that contains a page that is used to exploit this vulnerability. He/she attempts to compromise a Web site to have it deliver a Web page with malicious content. Since there is no way to force users to visit a Web site, an attacker would have to persuade target users to visit the site, typically by getting them to click a link that takes them to the attacker's site or to a compromised site.
* Email attack scenario: By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML email messages in the Restricted Sites zone. Additionally, Outlook 98 and Outlook 2000 open HTML email in the same zone if the Outlook Email Security Update has been installed. Outlook Express 5.5 Service Pack 2 opens HTML email messages in the same zone if Microsoft Security Bulletin MS04-018 has been installed. The Restricted Sites zone helps reduce attacks that could try to exploit this vulnerability.
The risk of attack from the HTML email vector can be significantly reduced if all of the following conditions are met:
* Apply the update that is included with Microsoft Security Bulletin MS03-040 or a later Cumulative Security Update for Internet Explorer.
* Use Internet Explorer 6 or a later version.
* Use the Microsoft Outlook E-mail Security Update, use Microsoft Outlook Express 6 or a later version, or use Microsoft Outlook 2000 Service Pack 2 or a later version in its default configuration.
However, on a system that does not satisfy the above conditions, an email in HTML format containing code to exploit this vulnerability will be automatically processed and executed.
(MS05-027) Vulnerability in Server Message Block Could Allow Remote Code Execution (896422)
Affected programs and services: Microsoft Windows 2000 Service Pack 3
Microsoft Windows 2000 Service Pack 4
Microsoft Windows Server 2003
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Malware exploiting this vulnerability: unknown
A remote code execution vulnerability exists in Microsoft's implementation of the Server Message Block (SMB) protocol, which could allow an attacker to execute arbitrary code and take complete control over a target system.
This vulnerability could be exploited over the Internet. An attacker would have to transmit a specially crafted SMB packet to a target system to exploit it. However, an unsuccessful attempt to exploit the vulnerability would most likely lead only to a denial of service.
A firewall blocking unsolicited SMB traffic could help mitigate the risk involved.
(MS05-028) Vulnerability in Web Client Service Could Allow Remote Code Execution (896426)
Affected programs and services: Microsoft Windows Server 2003
Microsoft Windows XP Service Pack 1
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
Malware exploiting this vulnerability: unknown
The Web Client service enables Win32 applications to access documents over the Internet, allowing them to create, read, and write files on Internet file servers via the WebDAV protocol.
A remote code execution vulnerability exists in the Web Client service, which could allow attackers to execute arbitrary code and gain complete control over the affected system. In order to exploit this vulnerability, the attacker must have valid logon credentials. Anonymous users cannot exploit this vulnerability. However, if the Guest account is enabled, then it could be exploited by any user.
An attacker would have to first authenticate to an affected system. The attacker would then send a series of specially-crafted packets over the network to the vulnerable system. These packets would cause the target system to execute code.
(MS05-030) Cumulative Security Update in Outlook Express (897715)
Affected programs and services: Microsoft Windows 2000 Service Pack 3
Microsoft Windows 2000 Service Pack 4
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Millennium Edition
Microsoft Windows Server 2003
Microsoft Windows XP 64-Bit Edition Service Pack 1
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
Microsoft Outlook Express 6.0 Service Pack 1 (Microsoft Windows 2000 Service Pack 3)
Microsoft Outlook Express 6.0 Service Pack 1 (Microsoft Windows 2000 Service Pack 4)
Microsoft Outlook Express 6.0 Service Pack 1 (Microsoft Windows XP Service Pack 1)
Microsoft Outlook Express 5.5 Service Pack 2 (Microsoft Windows 2000 Service Pack 3)
Microsoft Outlook Express 6.0 Service Pack 1 (Microsoft Windows XP 64-Bit Edition Service Pack 1 -- Itanium)
Microsoft Outlook Express 6.0 (Microsoft Windows XP 64-Bit Edition Service Pack 1 -- Itanium)
Microsoft Outlook Express 6.0 (Microsoft Windows Server 2003 for Itanium-based Systems)
Microsoft Outlook Express 6.0 (Microsoft Windows Server 2003)
Microsoft Outlook Express 5.5 Service Pack 2 (Microsoft Windows 2000 Service Pack 4)
Malware exploiting this vulnerability: unknown
A remote code execution vulnerability exists in Outlook Express when it is used as a newsgroup reader. An attacker could exploit this vulnerability by constructing a malicious newsgroup server that could potentially allow remote code execution if a user queried the server for news.
This vulnerability gives malware or malicious users control of the affected system with the privileges of the current user. The vulnerability is caused by an unchecked buffer in the decoding of Network News Transfer Protocol (NNTP) responses.
This vulnerability can be exploited by a malware or a malicious user by the following scenarios:
* Server-based attack scenario: An attacker creates a malicious NNTP server. Since the attacker cannot establish the connection remotely, users are enticed to visit the server, typically by clicking a link. The user is then prompted to perform several actions.
* Email attack scenario: A user clicks on a link to the malicious NNTP server that is sent in an email message.
(MS05-032) Vulnerability in Microsoft Agent Could Allow Spoofing (890046)
Affected programs and services: Microsoft Windows 2000 Server Service Pack 3
Microsoft Windows 2000 Server Service Pack 4
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Millennium Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 64-Bit Edition
Microsoft Windows XP 64-Bit Edition
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Malware exploiting this vulnerability: unknown
This security advisory addresses the discovered vulnerability in Microsoft Agent. Microsoft Agent is a software technology that is used to enhance the user interface of applications and Web pages through the use of animated characters. These characters can move freely within the computer display, speak aloud, display text onscreen, and even listen for voice commands.
This software can be spoofed, since security prompts can be disguised as legitimate Microsoft Agent characters. Thus, this could convince the user to allow the installation of a malware. However, a certain malware cannot propagate on its own merely by exploiting this vulnerability; it still needs a user to interact with Microsoft Agent and the spoofed security prompts in order to install itself or another file on the system.
The malware can spoof trusted Internet content. Upon convincing the user, it executes code on the system, giving it the ability to install or run programs. An attacker who successfully exploits this vulnerability gains the same user rights as the currently logged-on user. Thus, this vulnerability can conceivably be used by a malware for replication purposes.
This vulnerability can be exploited by a remote malicious attacker or a malware by:
* Web-based attack scenario: An attacker hosts a Web site that contains a Web page used to exploit this vulnerability. An attacker has no way to force users to visit a malicious Web site. Instead, an attacker persuades them to visit the Web site, typically by getting them to click a link that takes them to a trap. After they click the link, they would be prompted to perform an action. An attack could only occur after they performed these actions.
(MS05-033) Vulnerability in Telnet Client Could Allow Information Disclosure (896428)
Affected programs and services: Microsoft Windows Server 2003
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Microsoft Windows Services for UNIX 3.5 on Windows 2000
Microsoft Windows Services for UNIX 3.0 on Windows 2000
Microsoft Windows Services for UNIX 2.2 on Windows 2000
Malware exploiting this vulnerability: unknown
This security advisory explains a vulnerability in the Microsoft Telnet client that could allow an attacker to gain sensitive information about the victim's system.
A remote user or malware can exploit this vulnerability via any of the following scenarios:
* Server-based attack scenario: An attacker would have to create a malicious server and have a user connect to it. The attacker has no way of forcing users to connect to the malicious server. Instead, the attacker needs to persuade the users to connect via Telnet to the server by getting them to click a link. Once connected, the attacker can then send a specially crafted Telnet command to exploit this vulnerability.
* Email attack scenario: A user must click a link to a malicious server in an email message for an attack to be successful through email. Once connected, the attacker can then send a specially-crafted Telnet command to exploit this vulnerability.
An attacker who successfully exploits this vulnerability could read the session variables of users who have open connections to a malicious Telnet server.
(MS05-036) Vulnerability in Microsoft Color Management Module Could Allow Remote Code Execution (901214)
Affected programs and services: Microsoft Windows 2000 Service Pack 4
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Millennium Edition
Microsoft Windows Server 2003
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Malware exploiting this vulnerability: unknown
This vulnerability could allow a remote attacker to execute arbitrary code on the affected system via a malicious image file in a Web site or email message. This vulnerability exists because of the way the Microsoft Color Management Module handles ICC profile format tag validation. ICC profile data can be embedded in various image and document formats, including, but not limited to, JPEG, GIF, and TIFF formats.
A successful exploit of this vulnerability could result in the execution of code. This code could allow a potential attacker to take complete control of the affected system. Users with administration rights are more susceptible to the risks caused by this vulnerability.
(MS05-037) Vulnerability in JView Profiler Could Allow Remote Code Execution (903235)
Affected programs and services: Microsoft Internet Explorer 5.5 Service Pack 2
Microsoft Windows 2000 Service Pack 4
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Server 2003
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Internet Explorer 5.01 Service Pack 4 (Microsoft Windows 2000 Service Pack 3)
Microsoft Internet Explorer 6 Service Pack 1 (Microsoft Windows 2000 Service Pack 4)
Microsoft Internet Explorer 6 Service Pack 1 (Microsoft Windows 98)
Microsoft Internet Explorer 6 Service Pack 1 (Microsoft Windows 98 SE)
Microsoft Internet Explorer 6 Service Pack 1 (Microsoft Windows Millennium Edition)
Microsoft Internet Explorer 6 for Microsoft Windows XP Service Pack 2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Microsoft Internet Explorer 6.0 (Microsoft Windows Server 2003 x64 Edition)
Microsoft Internet Explorer 6.0 (Microsoft Windows XP Professional x64 Edition)
Microsoft Internet Explorer 6.0 (Microsoft Windows Server 2003 for Itanium-based Systems)
Microsoft Internet Explorer 6.0 (Microsoft Windows Server 2003 with SP1 for Itanium-based Systems)
Microsoft Internet Explorer 6.0 (Microsoft Windows Server 2003 Service Pack 1)
Malware exploiting this vulnerability: JS_EXPLOIT.F
This security advisory explains a vulnerability in the JView Profiler that could allow an attacker to execute commands remotely on the affected system. A COM object, the JView Profiler (Javaprxy.dll), contains a remote code execution vulnerability that could allow an attacker to take complete control of an affected system.
Web-based attack scenario:
An attacker hosts a Web site that exploits this vulnerability. The attacker would then have to persuade target users to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.
It could also be possible to display malicious Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.
If the affected user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
An attacker who successfully exploits this vulnerability could take complete control of an affected system.
(MS05-038) Cumulative Security Update for Internet Explorer (896727)
Affected programs and services: Microsoft Windows 2000 Service Pack 4
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Millennium Edition
Microsoft Windows Server 2003
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Malware exploiting this vulnerability: unknown
A COM Object Instantiation Memory Corruption vulnerability exists in the way Internet Explorer (IE) instantiates COM objects that are intended to be used. When certain COM objects are instantiated as ActiveX controls, a buffer overflow occurs in IE.
An attacker can construct a malicious Web page to exploit the said vulnerability, which potentially allows remote code execution when a user visits the malicious Web page. The same is possible when an e-mail message contains a hyperlink pointing to the malicious Web site. A remote attacker can then execute arbitrary code in the context of the currently logged-in user.
Since this allows remote code execution, malware can use it for replication purposes.
A Web Folder Behaviors Cross-Domain vulnerability exists in IE that could allow remote code execution or information disclosure on an affected system.
A malicious Web page can be constructed to potentially allow remote code execution when viewed by a user. A successful exploit relies on social engineering to persuade users to click a link that points to the malicious Web page.
The remote attacker can execute arbitrary code in the context of the currently logged-in user, and can run or install programs when the affected user is logged on with administrative privileges.
A JPEG Image Rendering Memory Corruption vulnerability exists in the way Internet Explorer handles JPEG images. An attacker can create a specially crafted JPEG file that allows remote code execution if a user visits a malicious Web site or views a malicious e-mail.
This specially crafted file can be attached to e-mail messages or incorporated into malicious Web sites.
Once exploited, this remote code execution vulnerability could allow an attacker to take complete control of the affected system when the affected user is logged on with administrative privileges.
(MS05-039) Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege (899588)
Affected programs and services: Microsoft Windows 2000 Service Pack 4
Microsoft Windows Server 2003
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Malware exploiting this vulnerability: unknown
This security advisory resolves an issue on Plug and Play (PnP) that allows an attacker to gain control of a target system.
PnP allows the operating system to detect new hardware when you install it on a system. If, for instance, a new mouse is installed, PnP allows Windows to detect it and then loads the drivers needed for the new mouse to be used.
This vulnerability can be exploited either remotely or locally via local privilege escalation, with a few mitigating factors:
* On Windows XP Service Pack 2 and Windows Server 2003, an attacker must have valid logon credentials and be able to log on locally to the system it wants to affect. Anonymous users or users who have standard accounts cannot exploit this vulnerability remotely; however, access to the affected system is available remotely to those with administrative rights.
* On Windows XP Service Pack 1, an attacker must have valid logon credentials to try to exploit this vulnerability. Anonymous users cannot exploit it remotely; however, access to the affected system is available remotely to users who have standard user accounts.
A malicious user or malware can execute code on the system once this vulnerability is exploited, giving them the ability to install or run programs and view or edit data with full privileges. Thus, this vulnerability can conceivably be used by a malware for replication purposes.
This vulnerability can be exploited in the following scenarios:
* Internet or Network-based attack scenario:
o Anonymous users of Windows 2000 and by authenticated users of Windows XP Service Pack 1 can remotely exploit this vulnerability. On Windows XP Service Pack 2 and Windows Server 2003, an attacker must be able to log on to the specific system that it targets. An anonymous attacker cannot load and run a program remotely by using this vulnerability.
* Local-machine attack scenario:
o The user will have to log on locally with the proper credentials and run a specially-crafted application in order to exploit this vulnerability.
(MS05-040) Vulnerability in Telephony Service Could Allow Remote Code Execution (893756)
Affected programs and services: Microsoft Windows 2000 Service Pack 4
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Millennium Edition
Microsoft Windows Server 2003
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Malware exploiting this vulnerability: unknown
This security advisory resolves the newly discovered vulnerability in the telephony service. The said service provides support for the Telephony Application Programming Interface (TAPI). TAPI integrates telecommunications with the operating system. TAPI supports both traditional and IP telephony to provide voice, data, and video communication. Supported hardware includes sound and video cards, modems, ISDN lines, ATM networks, and cameras. By using this hardware, a user can communicate over direct connections to local computers, telephone lines, LANs, WANs, and the Internet.
The telephony service is exploited because it does not perform a check on the length of the message before passing it to the allocated buffer. A specially-crafted message can cause a buffer overflow in the telephony service. This overflow can be exploited in order to execute arbitrary code.
Once exploited, this remote code execution vulnerability could allow a malicious user or a malware to take complete control of the affected system.
The malicious user or a malware can execute code on the system giving them the ability to install or run programs and view or edit data with full privileges. Thus, this vulnerability can conceivably be used by a malware for replication purposes.
This vulnerability can be exploited by a remote malicious attacker or a malware by:
* Internet-based attack scenario:
o In an Internet-based attack scenario, the target computer needs to enable the telephony service. The attacker/malware could try to remotely exploit the vulnerability by creating a specially crafted message and sending the message to an affected system. However, not all systems are equally vulnerable on all counts. The following is an enumeration of the affected systems and their corresponding weakness with respect to this vulnerability:
+ Remote code execution is possible if you have manually enabled the telephony server feature. The telephony server feature is only available on Windows 2000 Server and Windows Server 2003.
+ On Windows Server 2003 the Telephony service is restricted to authenticated user accounts, even when enabled as a telephony server. Anonymous attacks are not possible on Windows Server 2003.
+ On Windows 2000 Server and Windows Server 2003 based systems that have not manually configured the telephony server feature, this is a local elevation of privilege vulnerability. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
+ On Windows 2000 Professional and Windows XP, this is a local elevation of privilege vulnerability. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
+ By default, the Telephony service is not running on Windows XP and Windows Server 2003. However, the TAPI client will start the Telephony service without user interaction when required. Unless the Telephony service has been set to Disabled by an administrator, a non-privileged user account can start this service. Systems that have disabled the Telephony service would not be vulnerable to this issue.
+ Windows 98, Windows 98 Second Edition, and Windows ME contain the affected component but are not critically affected by the vulnerability.
(MS05-041) Remote Desktop Protocol Vulnerability Could Allow Denial of Service (899591)
Affected programs and services: Microsoft Windows 2000 Server Service Pack 4
Microsoft Windows Server 2003
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Malware exploiting this vulnerability: unknown
There is an existing denial of service (DoS) vulnerability discovered in the Remote Desktop Protocol (RDP). This vulnerability allows an attacker to send a specially crafted RDP packet that causes the affected system to stop responding. The said vulnerability exists in the file RDPWD.SYS and the available patch updates this affected file.
This vulnerability could only be leveraged to cause a DoS attack to affected servers. It therefore cannot be used to take control of target systems or as a means for propagation.
(MS05-042) Vulnerabilities in Kerberos Could Allow Denial of Service, Information Disclosure, and Spoofing (899587)
Affected programs and services: Microsoft Windows 2000 Service Pack 4
Microsoft Windows Server 2003
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Malware exploiting this vulnerability: unknown
This security bulletin resolves the following vulnerabilities found in Microsoft Windows:
* CAN-2005-1981 - Kerberos Vulnerability is a denial of service vulnerability that allows an attacker to send a specially crafted message to a Windows domain controller, which makes the service that is responsible for authenticating users in an Active Directory domain to stop responding.
o Kerberos is a default authentication protocol used by Windows 2000 and later operating system (OS) versions.
o A denial of service attack takes place when the affected system displays a warning message that it would automatically restart after 60 seconds. During this countdown, local authentication at the console of the affected system and user domain authentication with the affected system would not be possible. Once the 60-second countdown expires, the system automatically restarts.
o A malware cannot use this vulnerability to propagate, though it can be part of its payload.
* CAN-2005-1982 - PKINIT Vulnerability is an information disclosure and spoofing vulnerability.
o PKINIT is the Internet Engineering Task Force (IETF) Internet Draft for Public Key Cryptography for Initial Authentication in Kerberos. Windows 2000 and later OS versions use draft 9 of this IETF Internet Draft. Windows uses PKINIT when a smart card is used for interactive logon.
o This vulnerability allows an attacker to tamper with certain information that is sent from a domain controller and potentially access sensitive client network communication. Affected users are fooled into thinking that they are accessing a trusted server when in reality they are accessing a malicious server. To exploit this vulnerability, attackers would first have to insert themselves into the middle of the authentication session between a client and a domain controller.
o Since this is an information disclosure and spoofing vulnerability, a malware cannot use this for propagation purposes (no remote-code execution is involved).
(MS05-043) Vulnerability in Print Spooler Service Could Allow Remote Code Execution (896423)
Affected programs and services: Microsoft Windows 2000 Service Pack 4
Microsoft Windows Server 2003
Microsoft Windows Server 2003 for Itanium-based Systems
Windows XP Service Pack 2
Windows 2000 Service Pack 4
Windows XP Service Pack 1
Malware exploiting this vulnerability: unknown
This security advisory resolves the newly discovered vulnerability in the print spooler. The print spooler service is the file SPOOLSV.EXE, which is installed as a service. It is launched upon operating system (OS) startup and is terminated when the OS shuts down. This service manages the printing process, which includes such tasks as retrieving the location of the correct printer driver, loading that driver, spooling high-level function calls into a print job, and scheduling print jobs. When the tasks for a particular print job are complete, the service passes the job to the print router.
The print spooler service is exploited because it does not check the length of a message before passing it to the allocated buffer. A specially crafted message can cause a buffer overflow in the print spooler service. This overflow can be exploited in order to execute arbitrary code.
Once exploited, this remote code execution vulnerability could allow a malicious user or a malware to take complete control of the affected system. However, attempts to exploit this vulnerability would most likely result in a denial of service condition.
The malicious user or a malware can execute code on the system giving them the ability to install or run programs and view or edit data with full privileges. Thus, this vulnerability can conceivably be used by a malware for replication purposes.
This vulnerability can be exploited by a remote malicious attacker or a malware by:
* Internet/Network-based attack scenario:
In a network-based attack scenario, the target computer needs to have a shared printer. Then, the attacker/malware can send a specially-crafted message to the target computer. The attacker/malware could try to remotely exploit the vulnerability by creating a specially crafted message and sending the message to an affected system. The message could then cause the affected system to execute code on operating system versions and configurations that were vulnerable to remote attack vectors. By default, Windows 2000 and Windows XP Service Pack 1 are vulnerable remotely. A remote attack vector cannot be created on Windows XP SP2 or on Windows Server 2003 unless a user who has appropriate permission shares a printer or tries to connect to a shared printer.
* Local machine attack scenario:
The user will have to log on locally with the proper credentials and run a specially-crafted application in order to exploit this vulnerability.
(MS05-044) Vulnerability in the Windows FTP Client Could Allow File Transfer Location Tampering (905495)
Affected programs and services: Microsoft Windows Server 2003
Microsoft Windows XP Service Pack 1
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Internet Explorer 6 Service Pack 1 (Microsoft Windows 2000 Service Pack 4)
Malware exploiting this vulnerability: unknown
This security advisory resolves the newly discovered vulnerability in the Windows FTP client. Windows FTP clients are programs that are used to access an FTP server from a desktop computer.
The Windows FTP client is exploited because it fails to properly validate file names received from FTP servers. A malicious user could then host a file that has a specially crafted file name on an FTP server, which bypasses the file name validation that the FTP client provides.
Once exploited, this vulnerability could allow a malicious user to save files to specific locations on an affected system. This could eventually lead to other attacks. For example, a malicious user could save a malicious executable in a startup folder, which would cause the said file to execute automatically on the next system restart.
This exploit requires a mapped valid location on the user's computer. It is also necessary to trick the target user into downloading the file from the malicious FTP server.
(MS05-045) Vulnerability in Network Connection Manager Could Allow Denial of Service (905414)
Affected programs and services: Microsoft Windows 2000 Server Service Pack 4
Microsoft Windows Server 2003
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows Server 2003 Service Pack 1
Malware exploiting this vulnerability: unknown
This security advisory resolves the newly discovered vulnerability in Network Connection Manager. The Network Connection Manager is an operating system component that provides a means of controlling a system's network connections, such as those seen in the Network and Dial-Up Connections folder. When a user makes a new network connection, such as through the dial-up networking wizard, the Network Connection Manager processes the request to make the connection.
The Network Connection Manager is exploited because of an unchecked buffer in the program. The Network Connection Manager can be exploited by sending a specially crafted request to it.
If the affected component is stopped due to an attack, it will automatically restart when new requests are received.
(MS05-047) Vulnerability in Plug and Play Could Allow Remote Code Execution and Local Elevation of Privilege (905749)
Affected programs and services: Microsoft Windows 2000 Service Pack 4
Microsoft Windows NT Server 4.0 Terminal Server Edition
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows NT
Malware exploiting this vulnerability: unknown
This security advisory resolves an issue in Plug-And-Play (PnP) that could allow an authenticated malicious user to gain control of a target system. PnP allows an operating system to detect new hardware when it is installed on a system.
On Windows XP Service Pack 2, a malicious user must have valid logon credentials and be able to log on locally to the target machine to exploit this vulnerability. The vulnerability cannot be exploited remotely by anonymous users or by users who do not have administrator rights. The affected component, however, is available remotely to users with administrative rights.
The same factors apply on systems running Windows 2000 and Windows XP Service Pack 1; however, the affected component is available remotely to users who have standard user accounts. In certain configurations, anonymous users can be authenticated as Guest accounts.
(Note: If the security updates provided by Microsoft Security Bulletin MS05-039 have not been installed on Windows 2000, this issue could be exploited remotely by anonymous users. If the said security updates have already been installed, this issue is restricted to authenticated users on Windows 2000. On Windows XP Service Pack 1, this issue is restricted to authenticated users, even without the security updates provided by MS05-039.)
The malicious user or a malware can execute code on the system giving them the ability to install or run programs and view or edit data with full privileges. Thus, this vulnerability can conceivably be used by a malware for replication purposes.
This vulnerability can be exploited by a malicious user or a malware in the following scenarios:
* Internet/Network-based attack scenario - Authenticated users on Windows 2000 and on Windows XP Service Pack 1 can remotely exploit this vulnerability; an anonymous malicious user cannot load and run a program remotely by using it. Authenticated users on Windows XP Service Pack 2 can remotely exploit this vulnerability; neither an anonymous malicious user nor users with standard user accounts can load and run a program remotely by using it.
* Local-machine attack scenario - The user will have to logon locally with the proper credentials and run a specially-crafted application in order to exploit this vulnerability.
(MS05-048) Vulnerability in the Microsoft Collaboration Data Objects Could Allow Remote Code Execution (907245)
Affected programs and services:
* Microsoft Exchange 2000 Server Service Pack 3
* Microsoft Windows 2000 Service Pack 4
* Microsoft Windows Server 2003
* Microsoft Windows Server 2003 64-Bit Edition
* Microsoft Windows XP Service Pack 1
* Microsoft Windows XP Service Pack 2
* Microsoft Windows Server 2003 for Itanium-based Systems
* Microsoft Windows XP Professional x64 Edition
* Microsoft Windows Server 2003 Service Pack 1
* Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
* Microsoft Windows Server 2003 x64 Edition
Malware exploiting this vulnerability: unknown
This vulnerability exists in an unchecked buffer in the following .DLL files of Collaboration Data Objects (CDO), and is reached when third-party software calls functions exported by the said .DLL files:
* cdosys.dll
* cdoex.dll
CDOs are components designed to make it easier for a user to write programs that can create or change email messages.
A remote malicious user can exploit this vulnerability either by sending a specially-crafted message or by executing a specially-crafted application, in order to execute code on an affected system. This enables the remote user to install or run programs and view or edit files with full privileges.
This vulnerability can also be used by malware to propagate across networks.
(MS05-049) Vulnerabilities in Windows Shell Could Allow Remote Code Execution (900725)
Affected programs and services:
* Microsoft Windows Server 2003
* Microsoft Windows XP Service Pack 1
* Microsoft Windows XP Service Pack 2
* Microsoft Windows Server 2003 for Itanium-based Systems
* Microsoft Windows 2000 Server SP4
* Microsoft Windows XP Professional x64 Edition
* Microsoft Windows Server 2003 Service Pack 1
* Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
* Microsoft Windows Server 2003 x64 Edition
Malware exploiting this vulnerability: unknown
This security advisory resolves Windows Shell vulnerabilities that allow remote code execution on target systems and also cause elevation of privilege.
The level of control that a remote malicious user can gain depends on the access rights of the affected user currently logged on to the target system. If, for example, the affected user currently logged on has administrative rights, the remote malicious user can gain full control of the affected system and can even create new accounts with full user rights. The damage is less if the currently logged-on user has fewer rights.
Shell Vulnerability - CAN-2005-2122
The remote malicious user can execute code on the target system with the same access rights as the logged-on user if the said remote user convinces the affected user to open a specially-crafted .LNK file.
A .LNK file points to another file. Such files are often known as shortcut files and can contain properties that are passed to the program they point to.
Workstations and terminal servers are at risk from this vulnerability, since a malicious user can place a specially-crafted .LNK file on the target system and persuade an administrator to open the said file.
This vulnerability is mitigated by the following factors:
* This will only be successful in a web-based scenario if the affected user chooses to click a link to a remote malicious user's Web site and agrees to perform an action.
* This will only be successful in an email-based scenario if the affected user chooses to open the attachment of an email message.
* The user must have valid login credentials and be able to log on to the target machine to exploit this vulnerability locally. The vulnerability cannot be exploited remotely or by anonymous users.
Shell Vulnerability - CAN-2005-2118
This vulnerability is similar to CAN-2005-2122, discussed above, but it can be exploited successfully just by persuading the affected user to view the properties of the specially-crafted .LNK file.
The above-mentioned scenarios and mitigating factors apply to this vulnerability as well.
Web View Script Injection Vulnerability - CAN-2005-2117
This is a remote code execution vulnerability and at the same time an elevation of privilege vulnerability, on Windows 2000 Professional and Windows 2000 Server only.
Web View is one of the two formats that Windows Explorer provides to view file and folder information. This feature allows a user to preview a file or folder in a thumbnail view before opening it. It also displays information about the file or folder, such as the title and the author.
The vulnerability exists in the way that Web View in Windows Explorer handles certain HTML characters in preview fields. Instead of just displaying the contents of the preview fields, the said contents are executed, which is what makes exploitation of the vulnerability possible.
On Windows 2000 Professional and Server, successful exploitation can lead to elevation of privilege on local and remote computers, provided that the action is initiated by a user with administrator rights or other higher privileges.
When used by malware or a remote malicious user, this vulnerability allows code execution and can give full control of the affected system.
(MS05-050) Vulnerability in DirectShow Could Allow Remote Code Execution (904706)
Affected programs and services:
* Microsoft DirectX 8.1 (Microsoft Windows Server 2003)
* Microsoft DirectX 7.0 (Microsoft Windows 2000 Service Pack 4)
* Microsoft DirectX 8.1 (Microsoft Windows XP Service Pack 1)
* Microsoft DirectX 8.1 (Microsoft Windows XP Service Pack 2)
* Microsoft DirectX 8.1 (Microsoft Windows XP Professional x64 Edition)
* Microsoft DirectX 8.1 (Microsoft Windows Server 2003 Service Pack 1)
* Microsoft DirectX 8.1 (Microsoft Windows Server 2003 for Itanium-based Systems)
* Microsoft DirectX 8.1 (Microsoft Windows Server 2003 with SP1 for Itanium-based Systems)
* Microsoft DirectX 8.1 (Microsoft Windows Server 2003 x64 Edition)
Malware exploiting this vulnerability: unknown
This security advisory resolves the newly disclosed vulnerability in DirectShow. Microsoft DirectShow can be used for streaming media on Windows operating systems. DVD players, video editing applications, AVI to ASF converters, MP3 players, and digital video capture applications can be made using DirectShow. It can be used for high-quality capture and playback of multimedia streams because it automatically detects and uses video and audio acceleration hardware when it is available. It also supports systems without acceleration hardware. It is integrated with other DirectX technologies.
DirectShow can be exploited because of an unchecked buffer. Memory at an arbitrary address can be modified when a specially-crafted .AVI file is played. This becomes possible due to the lack of validation, resulting in the execution of code supplied by a remote malicious user in the .AVI file.
Once exploited, the malicious code is executed with the same rights and privileges as the user who attempted to open the movie file. Complete control can be given to malware or the remote user if the affected user is logged in with administrator privileges.
The malware or remote user can execute code on the system giving them the ability to install or run programs, view, modify or delete data; or create new user accounts with full user rights.
This vulnerability can be exploited by a remote malicious attacker or malware through the following scenarios:
* Internet/Network-based attack scenario - In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to try to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site. It could also be possible to display malicious Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.
* Local-machine attack scenario - The user will have to log on locally with the proper credentials and open a specially-crafted AVI file in order to exploit this vulnerability.
(MS05-051) Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution (902400)
Affected programs and services:
* Microsoft Windows 2000 Service Pack 4
* Microsoft Windows Server 2003
* Microsoft Windows XP Service Pack 1
* Microsoft Windows XP Service Pack 2
* Microsoft Windows Server 2003 for Itanium-based Systems
* Microsoft Windows XP Professional x64 Edition
* Microsoft Windows Server 2003 Service Pack 1
* Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
* Microsoft Windows Server 2003 x64 Edition
Malware exploiting this vulnerability: unknown
This update resolves several newly-discovered, privately-reported vulnerabilities.
Microsoft released a single update to support these vulnerabilities because the modifications that are required to address these issues are located in related files.
MSDTC Vulnerability
Microsoft Distributed Transaction Coordinator (MSDTC) is a distributed transaction facility for Microsoft Windows platforms, which uses proven transaction processing technology. It is robust despite system failures, process failures, and communication failures; it exploits loosely coupled systems to provide scalable performance; and it is easy to install, configure, and manage.
MSDTC can be exploited because it does not check the length of a message before passing it to the allocated buffer. A specially-crafted message can cause a buffer overflow in the MS DTC OLE Transactions interface proxy (MSDTCPRX.DLL). The said overflow can be exploited in order to execute arbitrary code.
Once exploited, this vulnerability could allow a malicious user or malware to execute arbitrary code or gain higher privileges on a system. This can enable the malicious user to take complete control of the affected system.
The malicious user or a malware can execute code on the system, giving the said user or the malware the ability to install or run programs, and view or edit data with full privileges. Thus, this vulnerability can conceivably be used by a malware for replication purposes.
This vulnerability can be exploited by a remote malicious user or a malware by the following scenarios:
* Internet/Network-based attack scenario:
The attacker/malware can send a specially-crafted message to the target machine to exploit this vulnerability. The message could then cause the affected system to execute code, on operating system versions and configurations that are vulnerable to remote attack vectors. By default, Windows 2000 systems are primarily at risk from this vulnerability. On Windows XP Service Pack 1 and Windows Server 2003, an attacker must have valid logon credentials to exploit this vulnerability unless the system has been configured in a way that allows remote anonymous attacks. On Windows Server 2003, if an administrator has enabled support for Network DTC Access, the system could be vulnerable to remote code execution attacks by anonymous users.
* Local-machine attack scenario:
An attacker can run a specially crafted application that could exploit the vulnerability and gain complete control over the affected system.
COM+ Vulnerability
COM+ is the next step in the evolution of the Microsoft Component Object Model and Microsoft Transaction Server (MTS). COM+ handles resource management tasks, such as thread allocation and security. It automatically makes applications more scalable by providing thread pooling, object pooling, and just-in-time object activation. COM+ also helps protect the integrity of data by providing transaction support even if a transaction spans multiple databases over a network.
COM+ is vulnerable due to the way it creates and uses internal memory structures. A specially crafted message can be used to exploit this vulnerability and execute arbitrary code.
Once exploited, this vulnerability could allow a malicious user or a malware to execute arbitrary code or gain higher privileges on the system. The said routine can enable the malicious user to take complete control of the affected system.
The malicious user or a malware can execute code on the system, giving them the ability to install or run programs, and view or edit data with full privileges. Thus, this vulnerability can conceivably be used by a malware for replication purposes.
This vulnerability can be exploited by a remote malicious user or a malware by the following scenarios:
* Internet/Network-based attack scenario:
The attacker/malware can send a specially crafted message to the target machine to exploit this vulnerability. The message could then cause the affected system to execute code on operating system versions and configurations that are vulnerable to remote attack vectors. By default, Windows 2000 and Windows XP Service Pack 1 systems are primarily at risk from this vulnerability. The vulnerability could not be exploited remotely on Windows XP Service Pack 2, Windows Server 2003, and Windows Server 2003 Service Pack 1.
* Local-machine attack scenario:
The attacker can log on locally and run a specially crafted application to gain administrative privileges to that system.
TIP Vulnerability
Transaction Internet Protocol (TIP) is a feature provided by MSDTC. TIP transactions implicitly assume a two-pipe architecture. In this architecture, messages that describe the work flow travel on one pipe, the application-to-application pipe, and messages that control the transaction flow travel on another pipe, the transaction manager-to-transaction manager pipe. MS DTC selects TIP when an application program or resource manager explicitly uses the TIP COM interfaces. MS DTC also uses TIP when TIP is the only communication protocol that is common to both platforms. TIP is typically used when MS DTC is used in conjunction with transaction managers from other companies.
MSDTC is vulnerable due to the way it validates TIP requests. A specially crafted message can be used to exploit this vulnerability and cause denial of service on Microsoft Distributed Transaction Coordinator (MSDTC).
This vulnerability can be exploited by a remote malicious user or a malware by the following scenarios:
* Internet/Network-based attack scenario:
The attacker/malware can send a specially-crafted message to the target machine to exploit this vulnerability. The message could then cause the Microsoft Distributed Transaction Coordinator (MSDTC) on the affected system to stop responding. By default, Windows 2000-based versions of the Microsoft Distributed Transaction Coordinator are primarily at risk from this vulnerability because TIP is enabled by default. If TIP is manually enabled on other operating system versions, they would be equally vulnerable to this issue.
Distributed TIP Vulnerability
This vulnerability is just an extension of the TIP Vulnerability. In this case, the specially crafted message could also be transferred through the affected system to another TIP server and cause that system's MSDTC to stop responding.
(MS05-052) Cumulative Security Update for Internet Explorer (896688)
Affected programs and services:
* Microsoft Windows 2000 Service Pack 4
* Microsoft Windows 98
* Microsoft Windows 98 Second Edition
* Microsoft Windows Millennium Edition
* Microsoft Windows Server 2003
* Microsoft Windows XP Service Pack 1
* Microsoft Windows XP Service Pack 2
* Microsoft Windows Server 2003 for Itanium-based Systems
* Microsoft Windows XP Professional x64 Edition
* Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
* Microsoft Windows Server 2003 x64 Edition
Malware exploiting this vulnerability: unknown
A remote code execution vulnerability exists in the way Internet Explorer instantiates COM objects that are not intended to be instantiated in Internet Explorer. A remote malicious user can exploit this vulnerability by constructing a malicious Web page that allows remote code execution if a user visits the Web site where it is located. The remote user, who successfully exploits this vulnerability, can take complete control of an affected system.
Complete control is given to the malware or remote user if an affected user is logged in with administrator privileges. The malware or remote user can then execute code on the system giving them the ability to install or run programs; view, modify or delete data; or create new user accounts with full user rights.
This vulnerability can be exploited by a remote malicious user or a malware through the following scenarios:
* Internet/Network-based attack scenario - In a Web-based attack scenario, a remote user hosts a Web site that contains a Web page that can be used to try to exploit this vulnerability. The said remote user tries to get affected users to visit the Web site by getting them to click a link that takes them to the remote user's site.
* Local-machine attack scenario - The user logs on locally with the proper credentials and runs a specially-crafted AVI file in order to exploit this vulnerability.
(MS05-053) Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (896424)
Affected programs and services:
* Microsoft Windows 2000 Service Pack 4
* Microsoft Windows Server 2003
* Microsoft Windows XP Service Pack 1
* Microsoft Windows XP Service Pack 2
* Microsoft Windows Server 2003 for Itanium-based Systems
* Microsoft Windows XP Professional x64 Edition
* Microsoft Windows Server 2003 Service Pack 1
* Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
* Microsoft Windows Server 2003 x64 Edition
Malware exploiting this vulnerability: unknown
This security advisory resolves three vulnerabilities. Microsoft released a single update to support these vulnerabilities because the modifications that are required to address the said issues are located in related files.
Graphics Rendering Engine
Graphics Rendering Engine refers to the file GDI32.DLL, which contains functions for the Windows Graphical Device Interface (GDI). GDI assists Windows in creating simple two-dimensional objects. It is also responsible for processing the Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats.
The Graphics Rendering Engine is exploited because it does not perform a check on the buffer when rendering WMF and EMF image formats. A specially-crafted WMF or EMF image can cause a buffer overflow. This overflow can then be exploited in order to execute arbitrary code.
Once exploited, this vulnerability could allow a malicious user or a malware to execute arbitrary code or gain higher privileges on a system. This enables the said malicious user/malware to take complete control of the affected system, giving them the ability to install or run programs and view or edit data with full privileges. Thus, this vulnerability can conceivably be used by a malware for replication purposes.
This vulnerability can be exploited by a remote malicious attacker or a malware through the following ways:
* Internet-based attack scenario - A remote user could host a malicious Web site that is designed to exploit this vulnerability through Internet Explorer and then persuade an unsuspecting user to view the Web site.
* Email attack scenario - A remote user could create an HTML e-mail message that has a specially-crafted image attached. The specially-crafted image could be designed to exploit this vulnerability through Microsoft Outlook or through Outlook Express 6. The said remote user could persuade an unsuspecting user to view the HTML e-mail message.
* MS Office Document - A remote user could embed a specially crafted image in an Office document and then persuade an unsuspecting user to view the document.
* Network attack scenario - A remote user could add a specially crafted image to the local file system or onto a network share and then persuade the user to preview the folder.
* Local-machine attack scenario - If a remote user is able to log on locally, s/he could then run a specially-designed program that could exploit the vulnerability, and thereby gain complete control over the affected system.
Windows Metafile Vulnerability
A Windows Metafile (WMF) image is a 16-bit metafile format that can contain both vector information and bitmap information. It is optimized for the Windows operating system. It is vulnerable because it does not validate the length of the message before passing it to the allocated buffer. A specially-crafted WMF image can thus be used to exploit this vulnerability and execute arbitrary code.
Once exploited, this vulnerability could allow a malicious user or a malware to execute arbitrary code or gain higher privileges in the system. This can enable the malicious user to take complete control of the affected system, giving them the ability to install or run programs and view or edit data with full privileges. Thus, this vulnerability can conceivably be used by a malware for replication purposes.
This vulnerability can be exploited by a remote malicious attacker or a malware using the same scenarios as the ones described in the Graphics Rendering Engine section above.
Enhanced Metafile Vulnerability
An Enhanced Metafile (EMF) image is a 32-bit format that can contain both vector information and bitmap information. This format is an improvement over the Windows Metafile Format and contains extended features. It is vulnerable because it does not validate the length of the message before passing it to the allocated buffer. A specially-crafted EMF image can be used to exploit this vulnerability and execute arbitrary code.
This vulnerability can be exploited by a remote malicious attacker or a malware using the same scenarios as the ones described in the Graphics Rendering Engine section above.
(MS05-054) Cumulative Security Update for Internet Explorer (905915)
Affected programs and services:
* Microsoft Windows 2000 Service Pack 4
* Microsoft Windows 98
* Microsoft Windows 98 Second Edition
* Microsoft Windows Millennium Edition
* Microsoft Windows Server 2003
* Microsoft Windows XP Service Pack 1
* Microsoft Windows XP Service Pack 2
* Microsoft Windows Server 2003 for Itanium-based Systems
* Microsoft Windows XP Professional x64 Edition
* Microsoft Windows Server 2003 Service Pack 1
* Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
* Microsoft Windows Server 2003 x64 Edition
Malware exploiting this vulnerability: unknown
This security advisory resolves four vulnerabilities. It replaces the MS05-052 security update. Microsoft released a single update to support these vulnerabilities because the modifications that are required to address these issues are located in related files.
File Download Dialog Box Manipulation Vulnerability
File Download Dialog Box pertains to the dialog boxes opened when a file is downloaded from the Web using the Internet Explorer browser.
The File Download Dialog Box can be manipulated through the use of social engineering. This interaction could be in the form of certain keystrokes that a user makes when visiting a Web page. A custom dialog box may also be positioned in front of a file download dialog box to make this more convincing. A user may also be persuaded to double-click an element of a Web page. An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow remote code execution if a user visited the malicious Web site.
Once exploited, this vulnerability could allow a malicious Web site to execute arbitrary code or gain higher privileges in the system. This can enable the malicious user to take complete control of the affected system.
The malicious Web site can execute code on the system, giving the attacker the ability to install or run programs and view or edit data with full privileges. Thus, this vulnerability can conceivably be used by malware for replication purposes. However, significant user interaction is required to exploit this vulnerability.
This vulnerability can be exploited by a remote malicious attacker or a malware by:
* Internet/Network-based attack scenario:
The attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site. For an attack to be successful, a user would then have to interact with the Web site.
* Email attack scenario:
An attacker could send a specially-crafted HTML-formatted email. However, by default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML e-mail messages in the Restricted sites zone. Additionally, Outlook 98, and Outlook 2000 open HTML e-mail messages in the Restricted sites zone if the Outlook E-mail Security Update has been installed. Outlook Express 5.5 Service Pack 2 opens HTML e-mail messages in the Restricted sites zone if Microsoft Security Bulletin MS04-018 has been installed.
HTTPS Proxy Vulnerability
HTTPS is a protocol that helps secure HTTP communications. In Internet Explorer, when you visit a Web site and a yellow lock icon appears in the lower-right corner of the browser window, the current session is protected by HTTPS. Basic authentication, on the other hand, means that credentials are sent to the proxy server in clear text or encoded using Base64 encoding. Base64 encoding is not an encryption technique and is considered equivalent to clear text.
Also, a proxy server is a server configured to act on behalf of assigned clients. When a client application makes a request for an object on the Internet, a proxy server on the private network responds by translating the request and passing it to the Internet. When a computer on the Internet responds, the proxy server passes that response back to the client application on the computer that made the request.
An information disclosure vulnerability exists in the way Internet Explorer behaves in certain situations where an HTTPS proxy server requires clients to use Basic authentication. This vulnerability could allow an attacker to read Web addresses in clear text sent from Internet Explorer to a proxy server despite the connection being an HTTPS connection.
Using a common packet sniffer, an attacker could analyze network traffic between a client system and a proxy server that requires Basic authentication and that also handles HTTPS connections.
This vulnerability can be exploited by a remote malicious attacker or a malware by:
* Network-based attack scenario:
The attacker can use a common sniffer in order to analyze network traffic and retrieve information sent to the proxy server. However, this vulnerability only manifests itself if a client system is configured to use an authenticating proxy server that requires Basic authentication for HTTPS communications. Also, the attacker must be on the same network as the user. An attacker would have no way of targeting this at a specific user. The information disclosure can happen only when a user uses an authenticating proxy server for HTTPS communications.
COM Object Instantiation Memory Corruption Vulnerability
COM stands for Component Object Model, and is a technology that enables software to be built in the form of reusable components. A component typically performs a single task, and the advantage of using COM is that developers can make use of pre-written components rather than developing custom ones themselves. This makes software development faster and easier. Software components that use COM are typically referred to as COM objects.
This vulnerability exists because, when Internet Explorer tries to instantiate certain COM objects as ActiveX controls, the COM objects may corrupt the system state in such a way that an attacker could execute arbitrary code.
An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow remote code execution if a user visited the malicious Web site. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
This vulnerability can be exploited by a remote malicious attacker or a malware by:
* Internet/Network-based attack scenario:
In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.
* Email attack scenario:
An attacker could send a specially-crafted HTML-formatted email. However, by default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML e-mail messages in the Restricted sites zone. Additionally, Outlook 98, and Outlook 2000 open HTML e-mail messages in the Restricted sites zone if the Outlook E-mail Security Update has been installed. Outlook Express 5.5 Service Pack 2 opens HTML e-mail messages in the Restricted sites zone if Microsoft Security Bulletin MS04-018 has been installed.
Mismatched Document Object Model Objects Memory Corruption Vulnerability
When Internet Explorer handles mismatched Document Object Model objects it may corrupt system memory in such a way that an attacker could execute arbitrary code.
For example, when Internet Explorer displays a Web page that contains an onLoad event that points to a Window object, system memory may be corrupted in such a way that an attacker could execute arbitrary code.
An attacker could host a malicious Web site that is designed to exploit this vulnerability through Internet Explorer and then persuade a user to view the Web site.
Internet/Network-based attack scenario:
In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.
(MS06-001) Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919)
Affected programs and services: Microsoft Windows 2000 Service Pack 4
Microsoft Windows Server 2003
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Malware exploiting this vulnerability: TROJ_NASCENE.GEN
Graphics Rendering Engine Vulnerability
The Graphics Rendering Engine has a vulnerability that could allow remote code execution because of the way it handles Windows Metafile (WMF) images. If a user visits a malicious web site that has a specially crafted WMF image embedded or opens an e-mail with the malicious WMF image as an attachment, this WMF image may allow remote code execution. A successful exploitation of this vulnerability can give an attacker complete control over an affected system.
Windows Metafile Vulnerability
A Windows Metafile (WMF) image is a 16-bit metafile format that can contain vector information as well as bitmap information. It is optimized for the Windows operating system.
An attacker could exploit this vulnerability by creating a specially crafted metafile image and embedding it in a Web site. An attacker can also exploit this vulnerability by attaching the metafile image to an email message. These routines work when the user is persuaded into visiting the aforementioned Web site or opening the attached image. Upon opening the attachment or visiting the Web site, the attacker could cause malicious code to run in the security context of the locally logged-on user. Specially crafted Web content can also be displayed through banner advertisements or other methods of delivering Web content to affected systems.
Another means of exploiting this vulnerability is by embedding a specially crafted Windows Metafile (WMF) image within files such as Word documents and convincing a user to open the said document.
(MS06-002) Vulnerability in Embedded Web Fonts Could Allow Remote Code Execution (908519)
Affected programs and services: Microsoft Windows 2000 Service Pack 4
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Millennium Edition
Microsoft Windows Server 2003
Microsoft Windows XP 64-Bit Edition
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Malware exploiting this vulnerability: unknown
This security advisory resolves a privately reported vulnerability in embedded web fonts.
The Embedded Web Font vulnerability exists in Windows because of the way it handles malformed embedded Web fonts. Font embedding is a technology built into Microsoft Internet Explorer versions 4 and higher. This allows the fonts used in a specific document to travel with that document, ensuring that what the users see is the exact format the designer intended for them to see. The vulnerability allows remote execution of arbitrary code.
An attacker could exploit this vulnerability by creating or hosting malicious Web sites and then convincing the user to visit the Web site, usually by getting them to click a link provided in an HTML email. Moreover, an attacker could also compromise a Web site and have it display malicious content, or deliver specially crafted Web content through the use of banner advertisements.
An attacker who successfully exploited this vulnerability could take full control of the affected system and is capable of installing programs, viewing, changing, or deleting data, or creating new accounts with full user rights, if the current user is logged on with administrator privileges. User accounts with lesser privileges are affected with lesser impact.
More information regarding this vulnerability can be found on the following Microsoft Web page:
Microsoft Security Bulletin MS06-002
(MS06-005) Vulnerability in Windows Media Player Could Allow Remote Code Execution (911565)
Affected programs and services: Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Millennium Edition
Windows Media Player for XP (Microsoft Windows XP Service Pack 1)
Windows Media Player 9 (Microsoft Windows XP Service Pack 2)
Windows Media Player 9 (Microsoft Windows Server 2003)
Microsoft Windows Media Player 7.1 (Windows 2000 Service Pack 4)
Microsoft Windows Media Player 9 (Windows 2000 Service Pack 4)
Microsoft Windows Media Player 9 (Windows XP Service Pack 1)
Microsoft Windows Media Player 10 (Windows XP Service Pack 1)
Microsoft Windows Media Player 10 (Windows XP Service Pack 2)
Malware exploiting this vulnerability: unknown
This security advisory resolves the vulnerability in Windows Media Player on Windows XP and Server 2003.
The Windows Media Player vulnerability exists because of the way it processes .BMP files.
An attacker or a malware program could exploit this vulnerability to execute arbitrary code with the privileges of the currently logged-on user. Once exploited, the attacker may take full control of the affected computer.
This vulnerability can be exploited by a remote attacker or a malware program by:
Internet/Network-based attack scenario:
An attacker could host a malicious Web site. The attacker would have to convince and persuade users to visit the Web site, usually by getting them to click on a link that leads users to the malicious Web site. The attacker may also display malicious Web content using banner advertisements.
Email-based scenario:
An attacker could send a specially-crafted .BMP file to the user. The attacker would have to persuade the user to open the said malicious file using Windows Media Player.
(MS06-006) Vulnerability in Windows Media Player Plug-in with Non-Microsoft Internet Browsers Could Allow Remote Code Execution (911564)
Affected programs and services: Microsoft Windows 2000 Service Pack 4
Microsoft Windows Server 2003
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 x64 Edition
Malware exploiting this vulnerability: unknown
The Windows Media Player plug-in allows users to stream media through a non-Microsoft Internet browser.
A remote code execution vulnerability exists in the said plug-in because of the way it handles a malformed EMBED element. The vulnerability may be exploited when an attacker creates a malicious EMBED element that may potentially allow remote code execution once a user visits a malicious Web site. Successfully exploiting this vulnerability enables an attacker to have complete control of an affected system.
Sample Web-based scenario:
An attacker hosts a Web site that contains a page with an EMBED element that it uses to exploit this vulnerability. Since there is no way of forcing users to visit a malicious Web site, an attacker persuades them into visiting the Web site, typically, by getting them to click on a link that takes them to the attacker's site. It could also be possible to display malicious Web content by using banner advertisements or by other methods to deliver Web content to affected systems.
(MS06-007) Vulnerability in TCP/IP Could Allow Denial of Service (913446)
Affected programs and services: Microsoft Windows Server 2003
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Malware exploiting this vulnerability: unknown
This update resolves a vulnerability that allows denial of service.
IGMP is a TCP/IP standard defined in RFC 1112 "Internet Group Management Protocol (IGMP)." It defines address and host extensions for how IP hosts support multicasting, and the Internet Group Management Protocol (IGMP) version 1. RFC 2236, "Internet Group Management Protocol (IGMP), version 2" defines IGMP version 2. The two versions provide a protocol to exchange and update information about host membership in specific multicast groups. Windows Server 2003 supports IGMP version 3, which is defined in the Internet Draft "Internet Group Management Protocol, version 3." In IGMP version 3, hosts can specify interest in receiving multicast traffic from specified sources or from all but a specific set of sources.
The vulnerability exists because the affected messages are not ignored in certain cases, which allows an attacker to send a malformed packet that may cause the affected system to stop responding. An attacker could exploit this vulnerability by sending a specially crafted IGMP packet to an affected system, causing the target system to stop responding.
(MS06-008) Vulnerability in Web Client Service Could Allow Remote Code Execution (911927)
Affected programs and services: Microsoft Windows Server 2003
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Malware exploiting this vulnerability: unknown
The Web Client service allows applications to access documents on the Internet. Web Client extends the networking capability of Windows by allowing standard Win32 applications to create, read, and write files on Internet file servers by using the WebDAV protocol. The WebDAV protocol is a file-access protocol that is described in XML and travels over the Hypertext Transfer Protocol (HTTP). By using standard HTTP, WebDAV runs over the existing Internet infrastructure.
The Web Client service is vulnerable due to the way it validates the length of a message before it passes the message to the allocated buffer. To exploit the said vulnerability, an attacker must have valid logon credentials since the vulnerability could not be exploited by anonymous users. Even though the Web Client service is used to support the WebDAV protocol over the Internet, an authenticated attacker must perform the steps that are required to attempt to exploit this issue.
Once exploited, the attacker takes complete control of an affected system and is capable of the following:
* Install programs
* View, change, or delete files
* Create new accounts with full user rights
(MS06-011) Permissive Windows Services DACLs Could Allow Elevation of Privilege (914798)
Affected programs and services: Microsoft Windows Server 2003
Microsoft Windows XP Service Pack 1
Microsoft Windows Server 2003 for Itanium-based Systems
Malware exploiting this vulnerability: unknown
This security advisory resolves a newly-discovered vulnerability.
A discretionary access control list (DACL) identifies the trustees that are allowed or denied access to a secured object.
An escalation of privilege vulnerability exists on Windows XP Service Pack 1 on the identified Windows services where the permissions are set by default to a level that allows a low-privileged user to change properties associated with the service. On Windows Server 2003, permissions on the identified services are set to a level that allows a user that belongs to the network configuration operators group to change properties associated with the service.
Only members of the Network Configuration Operators group on the targeted computer can remotely attack Windows Server 2003, and this group contains no users by default. The vulnerability could allow a user with valid logon credentials to take complete control of the system on Windows XP Service Pack 1.
An attacker who successfully exploits this vulnerability can take complete control of an affected computer. An attacker can do any of the following:
* Install programs
* View, change, or delete data
* Create new accounts with full user rights
However, an attacker must have valid logon credentials to exploit this vulnerability. This vulnerability cannot be exploited by anonymous users.
(MS06-013) Cumulative Security Update for Internet Explorer (912812)
Affected programs and services: Microsoft Internet Explorer 6.0 (Microsoft Windows Server 2003)
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Millennium Edition
Microsoft Windows Server 2003
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows 2000 Advanced Server SP4
Microsoft Internet Explorer 6 Service Pack 1 (Microsoft Windows 98)
Microsoft Internet Explorer 6 Service Pack 1 (Microsoft Windows 98 Second Edition)
Microsoft Internet Explorer 6 Service Pack 1 (Microsoft Windows Millennium Edition)
Microsoft Internet Explorer 6 (Microsoft Windows Server 2003)
Microsoft Internet Explorer 6 (Windows Server 2003 for Itanium-based Systems)
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Microsoft Internet Explorer 6.0 (Microsoft Windows Server 2003 x64 Edition)
Microsoft Internet Explorer 6.0 (Microsoft Windows Server 2003 for Itanium-based Systems)
Microsoft Internet Explorer 6.0 (Microsoft Windows Server 2003 with SP1 for Itanium-based Systems)
Microsoft Internet Explorer 6.0 (Microsoft Windows Server 2003 Service Pack 1)
Microsoft Internet Explorer 6 (Microsoft Windows XP Service Pack 2)
Microsoft Internet Explorer 6 (Microsoft Windows Server 2003 Service Pack 1)
Microsoft Internet Explorer 6 (Microsoft Windows XP Professional x64 Edition)
Internet Explorer 5.01 Service Pack 4 (Microsoft Windows 2000 Service Pack 4)
Malware exploiting this vulnerability: unknown
This security advisory resolves ten vulnerabilities. Microsoft released a single update to support these vulnerabilities because the modifications that are required to address these issues are located in related files.
• DHTML Method Call Memory Corruption Vulnerability
This vulnerability exists when Internet Explorer (IE) displays a Web page containing HTML object method calls, specifically the createTextRange() method: an unexpected call to an HTML object using this method can corrupt system memory and thus allow arbitrary code execution.
A remote malicious attacker or a malware can exploit this vulnerability under a circumstance described below:
Internet/Network-based attack scenario
In a Web-based attack scenario, an attacker has to host a Web site that contains a Web page that is used to exploit this vulnerability. Since the attacker has no way of forcing users into visiting a malicious Web site, the attacker has to persuade the target user to click a link that takes the user to the attacker's Web site.
An attacker who successfully exploits this vulnerability could gain the same user rights as the affected user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• Multiple Event Handler Memory Corruption Vulnerability
Remote code execution vulnerability exists in the way Internet Explorer (IE) handles multiple event handlers in an HTML element. An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow remote code execution if a user visits the malicious Web site. Once successfully exploited, an attacker could take complete control of an affected system.
A remote malicious attacker or a malware can exploit this vulnerability under a circumstance described below:
Internet/Network-based attack scenario
In a Web-based attack scenario, an attacker has to host a Web site that contains a Web page that is used to exploit this vulnerability. Since the attacker has no way of forcing users into visiting a malicious Web site, the attacker has to persuade the target user to click a link that takes the user to the attacker's Web site.
An attacker who successfully exploits this vulnerability could gain the same user rights as the affected user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• HTA Execution Vulnerability
Remote code execution vulnerability exists in Internet Explorer (IE). An HTML Application (HTA) can be initiated in a way that bypasses the security control within Internet Explorer. This allows an HTA to execute without Internet Explorer displaying the normal security dialog box. An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow remote code execution if a user visits the malicious Web site. Once successfully exploited, an attacker could take complete control of an affected system.
A remote malicious attacker or a malware can exploit this vulnerability under a circumstance described below:
Internet/Network-based attack scenario
In a Web-based attack scenario, an attacker has to host a Web site that contains a Web page that is used to exploit this vulnerability. Since the attacker has no way of forcing users into visiting a malicious Web site, the attacker has to persuade the target user to click a link that takes the user to the attacker's Web site.
An attacker who successfully exploits this vulnerability could gain the same user rights as the affected user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• HTML Parsing Vulnerability
Remote code execution vulnerability exists in the way Internet Explorer (IE) handles specially crafted and invalid HTML. An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow remote code execution if a user visits the malicious Web site. Once successfully exploited, an attacker could take complete control of an affected system.
A remote malicious attacker or a malware can exploit this vulnerability under a circumstance described below:
Internet/Network-based attack scenario
In a Web-based attack scenario, an attacker has to host a Web site that contains a Web page that is used to exploit this vulnerability. Since the attacker has no way of forcing users into visiting a malicious Web site, the attacker has to persuade the target user to click a link that takes the user to the attacker's Web site.
An attacker who successfully exploits this vulnerability could gain the same user rights as the affected user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
This vulnerability does not affect Internet Explorer 6 Service Pack 1 on Windows XP Service Pack 1, Windows 2000 Service Pack 4, Windows 98, Windows 98 Second Edition (SE), or Windows Millennium Edition (ME).
• COM Object Instantiation Memory Corruption Vulnerability
Remote code execution vulnerability exists in the way Internet Explorer (IE) instantiates COM objects that are not intended to be instantiated in Internet Explorer. An attacker could exploit the vulnerability by constructing a malicious Web page that could allow remote code execution if a user visits the malicious Web site. Once successfully exploited, an attacker could take complete control of an affected system.
A remote malicious attacker or a malware can exploit this vulnerability under a circumstance described below:
Internet/Network-based attack scenario
Customers who have installed the security update included with Microsoft Security Bulletin MS05-052 or a later security bulletin for Internet Explorer are not at risk from attacks originating from the Internet zone.
In a Web-based attack scenario, an attacker has to host a Web site that contains a Web page that is used to exploit this vulnerability. Since the attacker has no way of forcing users into visiting a malicious Web site, the attacker has to persuade the target user to click a link that takes the user to the attacker's Web site.
An attacker who successfully exploits this vulnerability could gain the same user rights as the affected user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• HTML Tag Memory Corruption Vulnerability
Remote code execution vulnerability exists in the way Internet Explorer (IE) handles HTML elements that contain a specially crafted tag. An attacker could exploit the vulnerability by constructing a malicious Web page that could allow remote code execution if a user visits the malicious Web site. Once successfully exploited, an attacker could take complete control of an affected system.
A remote malicious attacker or a malware can exploit this vulnerability under a circumstance described below:
Internet/Network-based attack scenario
In a Web-based attack scenario, an attacker has to host a Web site that contains a Web page that is used to exploit this vulnerability. Since the attacker has no way of forcing users into visiting a malicious Web site, the attacker has to persuade the target user to click a link that takes the user to the attacker's Web site.
An attacker who successfully exploits this vulnerability could gain the same user rights as the affected user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
This vulnerability does not affect Internet Explorer 5.01 Service Pack 4 on Windows 2000 Service Pack 4.
• Double-Byte Character Parsing Memory Corruption Vulnerability
Remote code execution vulnerability exists in the way Internet Explorer (IE) handles double-byte characters in specially crafted URLs. An attacker could exploit the vulnerability by constructing a malicious Web page that could allow remote code execution if a user visits the malicious Web site. Once successfully exploited, an attacker could take complete control of an affected system.
A remote malicious attacker or a malware can exploit this vulnerability under a circumstance described below:
Internet/Network-based attack scenario
In a Web-based attack scenario, an attacker has to host a Web site that contains a Web page that is used to exploit this vulnerability. Since the attacker has no way of forcing users into visiting a malicious Web site, the attacker has to persuade the target user to click a link that takes the user to the attacker's Web site.
An attacker who successfully exploits this vulnerability could gain the same user rights as the affected user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
This vulnerability only affects systems that use double-byte character sets (DBCS). Affected systems are Windows language versions that use a double-byte character set language; examples of such languages are Chinese, Japanese, and Korean. Customers using other language versions of Windows might also be affected if the language for non-Unicode programs is set to a double-byte character set language.
• Script Execution Vulnerability
A vulnerability exists in Internet Explorer (IE) in the way it returns IOleClientSite information when an embedded object is dynamically created. An attacker could exploit the vulnerability by constructing a malicious Web page with a dynamically created object. This object needs to make use of the returned IOleClientSite information to make a security-related decision. Once a user visits the malicious Web site, remote code execution or information disclosure could take place, thus allowing the attacker to take complete control of an affected system.
A remote malicious attacker or a malware can exploit this vulnerability under a circumstance described below:
Internet/Network-based attack scenario
In a Web-based attack scenario, an attacker has to host a Web site that contains a Web page that is used to exploit this vulnerability. Since the attacker has no way of forcing users into visiting a malicious Web site, the attacker has to persuade the target user to click a link that takes the user to the attacker's Web site.
An attacker who successfully exploits this vulnerability could gain the same user rights as the affected user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
The Restricted sites zone helps reduce attacks that try to exploit this vulnerability by preventing Active Scripting from being used when reading HTML email messages. However, if a user clicks a link in an email message, they could still be vulnerable to this issue through the Web-based attack scenario.
• Cross-Domain Information Disclosure Vulnerability
An information disclosure vulnerability exists in Internet Explorer (IE) because of the way it handles navigation methods. Once a user visits the malicious Web site or views a specially crafted email message, remote code execution or information disclosure could take place. Successfully exploiting this vulnerability allows an attacker to read cookies or other data from another Internet Explorer domain. However, user interaction is required to exploit this vulnerability.
A remote attacker or malware can exploit this vulnerability under the circumstances described below:
Internet/Network-based attack scenario
In a Web-based attack scenario, an attacker has to host a Web site that contains a Web page that is used to exploit this vulnerability. Since the attacker has no way of forcing users into visiting a malicious Web site, the attacker has to persuade the target user to click a link that takes the user to the attacker's Web site.
An attacker who successfully exploits this vulnerability could read cookies or other data from a system other than that of the attacker's Web site.
The Restricted sites zone helps reduce attacks that try to exploit this vulnerability by preventing Active Scripting from being used when reading HTML email messages. However, if a user clicks a link in an e-mail message, they could still be vulnerable to this issue through the Web-based attack scenario.
• Address Bar Spoofing Vulnerability
A spoofing vulnerability exists in Internet Explorer that could allow an attacker to display spoofed content in a browser window. The address bar and other parts of the trust user interface are navigated away from the attacker's Web site, but the content of the window still contains the attacker's Web page.
A remote attacker or malware can exploit this vulnerability under the circumstances described below:
Internet/Network-based attack scenario
In a Web-based attack scenario, an attacker has to host a Web site that contains a Web page that is used to exploit this vulnerability. Since the attacker has no way of forcing users into visiting a malicious Web site, the attacker has to persuade the target user to click a link that takes the user to the attacker's Web site.
Interacting with the Web page, for instance, by clicking on it, causes the content to refresh and display the Web site identified by the address bar.
(MS06-014) Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution (911562)
Affected programs and services:
* Microsoft Windows 98
* Microsoft Windows 98 Second Edition
* Microsoft Windows Millennium Edition
* Microsoft Windows Server 2003
* Microsoft Windows XP Service Pack 1
* Microsoft Windows XP Service Pack 2
* Microsoft Windows Server 2003 for Itanium-based Systems
* Microsoft Windows XP Professional x64 Edition
* Microsoft Windows Server 2003 Service Pack 1
* Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
* Microsoft Windows Server 2003 x64 Edition
Malware exploiting this vulnerability: unknown
Microsoft Data Access Components (MDAC) is a collection of Dynamic Link Libraries and associated component resources that support a number of different APIs including Open Database Connectivity (ODBC), OLE DB, Microsoft® ActiveX® Data Objects (ADO), and Microsoft Remote Data Service (RDS). It provides applications with a means to access data from various data storage sources, focusing on access to Microsoft SQL Server. A large number of applications depend on MDAC-contained components for proper operation.
One of MDAC's supported APIs, RDS, is actually a feature of ADO. It moves data from a server to a client application or to a Web page. It also helps manipulate the data on the client and returns updates to the server in a single round trip.
A remote code execution vulnerability exists in RDS, in the Dataspace ActiveX control that is provided as part of ADO and distributed in MDAC. A remote user who successfully exploits this vulnerability can take complete control of an affected system. If a user is logged on with administrative user rights, the remote user can then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system can be less affected.
Furthermore, this vulnerability can conceivably be used by malware for replication purposes.
In a Web-based scenario, a remote user or malware uses social engineering techniques, such as displaying banner advertisements, to get an affected user to visit a malicious Web site that contains the specially crafted file that triggers exploitation of this vulnerability.
In an email-based scenario, the remote user or malware sends an email message containing a link to a user of a system that is running the affected software. Clicking this link takes the user to a malicious Web site designed to exploit this vulnerability.
(Note: Which software is affected by this vulnerability depends on which version of MDAC is installed on a particular system.)
(MS06-015) Vulnerability in Windows Explorer Could Allow Remote Code Execution (908531)
Affected programs and services:
* Microsoft Windows 2000 Service Pack 4
* Microsoft Windows 98
* Microsoft Windows 98 Second Edition
* Microsoft Windows Millennium Edition
* Microsoft Windows Server 2003
* Microsoft Windows XP Service Pack 1
* Microsoft Windows XP Service Pack 2
* Microsoft Windows Server 2003 for Itanium-based Systems
* Microsoft Windows XP Professional x64 Edition
* Microsoft Windows Server 2003 Service Pack 1
* Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
* Microsoft Windows Server 2003 x64 Edition
Malware exploiting this vulnerability: unknown
Windows Explorer, which provides a Graphical User Interface (GUI) for accessing file systems, is the default shell used by modern Microsoft Windows.
A remote code execution vulnerability exists in Windows Explorer because of the way it handles COM objects. It can be exploited through a Web-based scenario by a remote malicious user or malware, who tries to get an affected user to click on a link that leads to a malicious Web site. Upon reaching this specially crafted Web site, the user is prompted to perform several actions needed to connect to a certain file server. This file server, in turn, can cause Windows Explorer to fail in a way that allows code execution. Thus, a remote user or malware that successfully exploits this vulnerability can take complete control of an affected system.
It should be noted that this vulnerability cannot be exploited automatically via e-mail. For an attack to be successful, the affected user must open an attachment or click on a link within an e-mail message.
(MS06-016) Cumulative Security Update for Outlook Express (911567)
Affected programs and services:
* Microsoft Windows 2000 Service Pack 4
* Microsoft Windows 98
* Microsoft Windows 98 Second Edition
* Microsoft Windows Millennium Edition
* Microsoft Windows XP Service Pack 1
* Microsoft Windows XP Service Pack 2
* Microsoft Windows Server 2003 for Itanium-based Systems
* Microsoft Windows XP Professional x64 Edition
* Microsoft Windows Server 2003 Service Pack 1
* Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
* Microsoft Windows Server 2003 x64 Edition
Malware exploiting this vulnerability: unknown
Windows provides an address book for storing contact information. The Windows Address Book (WAB) is an application and service that enables users to keep track of people. The WAB has a local database and user interface for finding and editing information about people and it can query network directory servers using Lightweight Directory Access Protocol (LDAP).
An unchecked buffer in the WAB functionality within Outlook Express can allow remote code execution. A malicious user or malware creates a specially crafted .WAB file and persuades a user to open it, causing an error in Outlook Express that allows execution of remote code. If the affected user is logged on with administrative user rights, a remote user who successfully exploits this vulnerability can take complete control of the affected system and can then install programs; view, change, or delete data; or create new accounts with full user rights.
In a Web-based scenario, a remote user or malware tries different social engineering techniques to get an affected user to visit a malicious Web site that contains the specially-crafted .WAB file that jumpstarts the successful exploitation of this vulnerability.
In an email-based scenario, the remote user or malware sends out the created .WAB file to the affected user as an attachment. The email message's details try to get the user to open the attached file.
(MS06-018) Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow Denial of Service (913580)
Affected programs and services:
* Microsoft Windows 2000 Server Service Pack 4
* Microsoft Windows Server 2003
* Microsoft Windows XP Service Pack 1
* Microsoft Windows XP Service Pack 2
* Microsoft Windows Server 2003 for Itanium-based Systems
Malware exploiting this vulnerability: unknown
The Microsoft Distributed Transaction Coordinator (MSDTC) is a distributed transaction facility for Microsoft Windows platforms. The DTC has several benefits, namely:
* Enable software development using distributed software components
* Simplify application development
* Provide a consistent transaction model
* Reduce the cost of enterprise computing
A malicious user exploits this vulnerability by sending a specially crafted network message to an affected system. If the attempt succeeds, the message causes the affected system to stop responding. The vulnerability is caused by an unchecked buffer in the MSDTC service.
This vulnerability can also be exploited over the Internet. Windows 2000 systems are at risk because the MSDTC service is enabled by default on that platform. Windows XP with SP1 and Windows Server 2003 are also at risk if MSDTC is enabled.
(MS06-021) Cumulative Security Update for Internet Explorer (916281)
Affected programs and services:
* Microsoft Windows 98
* Microsoft Windows 98 Second Edition
* Microsoft Windows Millennium Edition
* Microsoft Windows Server 2003
* Microsoft Windows XP Service Pack 1
* Microsoft Windows XP Service Pack 2
* Microsoft Windows Server 2003 for Itanium-based Systems
* Microsoft Windows 2000 Server SP4
* Microsoft Internet Explorer 6 Service Pack 1 (Microsoft Windows 2000 Service Pack 4)
* Microsoft Internet Explorer 6 Service Pack 1 (Microsoft Windows XP Service Pack 1)
* Microsoft Internet Explorer 6 Service Pack 1 (Microsoft Windows 98)
* Microsoft Internet Explorer 6 Service Pack 1 (Microsoft Windows 98 Second Edition)
* Microsoft Internet Explorer 6 Service Pack 1 (Microsoft Windows Millennium Edition)
* Microsoft Internet Explorer 6 (Microsoft Windows Server 2003)
* Microsoft Internet Explorer 6 (Microsoft Windows Server 2003 x64 Edition)
* Microsoft Internet Explorer 6 for Microsoft Windows XP Service Pack 2
* Microsoft Windows XP Professional x64 Edition
* Microsoft Windows Server 2003 Service Pack 1
* Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
* Microsoft Windows Server 2003 x64 Edition
* Microsoft Internet Explorer 6.0 (Microsoft Windows Server 2003 for Itanium-based Systems)
* Internet Explorer 6.0 SP1
* Microsoft Internet Explorer 6 (Microsoft Windows Server 2003 Service Pack 1)
* Microsoft Internet Explorer 6 (Microsoft Windows Server 2003 with SP1 for Itanium-based Systems)
* Microsoft Internet Explorer 6 (Microsoft Windows XP Professional x64 Edition)
* Internet Explorer 5.01 Service Pack 4 (Microsoft Windows 2000 Service Pack 4)
Malware exploiting this vulnerability: unknown
This security advisory resolves several vulnerabilities. Microsoft released a single update to address these vulnerabilities because the modifications required to fix these issues are located in related files.
• Exception Handling Memory Corruption Vulnerability
Robust code anticipates and handles exceptions. Exceptions occur when a program executes abnormally because of conditions outside the program's control. Certain operations, including object creation and file input/output, are subject to failures that go beyond ordinary errors. Out-of-memory conditions, for example, can occur even when the program is running correctly. For more information about exception handling, see the following product documentation:
* Exception handling in Visual C++
* Exception handling in Visual Basic
* Exception handling in the .NET Framework
IE is exploitable because it allows objects to register exception handlers that may not properly handle certain conditions. Unsafe exception handling can cause memory corruption resulting in remote code execution.
Successful exploitation of this vulnerability could allow a malicious user or malware to execute arbitrary code or gain higher privileges on the system. This can enable the malicious user to take complete control of the affected system.
The malicious user or malware can then execute code on the system, with the ability to install or run programs and view or edit data with full privileges. Thus, this vulnerability can conceivably be used by malware for replication purposes.
A remote attacker or malware can exploit this vulnerability under the circumstances described below:
Web-based attack scenario
An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through IE and then entice a user to view it. Specially crafted Web sites can also include Web sites that accept or host user-provided content or advertisements, and compromised Web sites. These Web sites could contain specially crafted content that could exploit this vulnerability. The attacker cannot force users into visiting these Web sites. Instead, an attacker needs to persuade users to visit the Web site, typically by getting them to click a link in an email message or in an Instant Messenger request that takes users to the attacker's Web site. The attacker may also deliver specially crafted Web content to affected systems by using banner advertisements or other methods.
Email attack scenario
Vulnerable machines cannot be automatically exploited through email or while viewing email messages in the preview pane while using Outlook Express. Affected users need to click a link that points to a specially crafted Web site, or open an attachment that exploits the vulnerability.
• HTML Decoding Memory Corruption Vulnerability
UTF-8 is the byte-oriented encoding form of Unicode. More information regarding the said encoding can be found in the following Web site:
http://www.unicode.org/faq/utf_bom.html#UTF8
IE is vulnerable because of the way it parses code for decoding UTF-8 characters. A specially crafted file can be used to corrupt system memory and execute arbitrary code.
Successful exploitation of this vulnerability could allow a malicious user or malware to execute arbitrary code or gain higher privileges on the system. This can enable the malicious user to take complete control of the affected system.
The malicious user or malware can then execute code on the system, with the ability to install or run programs and view or edit data with full privileges. Thus, this vulnerability can conceivably be used by malware for replication purposes.
A remote attacker or malware can exploit this vulnerability under the circumstances described below:
Web-based attack scenario
An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through IE and then entice a user to view it. Specially crafted Web sites can also include Web sites that accept or host user-provided content or advertisements, and compromised Web sites. These Web sites could contain specially crafted content that could exploit this vulnerability. The attacker cannot force users into visiting these Web sites. Instead, an attacker needs to persuade users to visit the Web site, typically by getting them to click a link in an email message or in an Instant Messenger request that takes users to the attacker's Web site. The attacker may also deliver specially crafted Web content to affected systems by using banner advertisements or other methods.
Email attack scenario
A specially crafted email message in HTML may exploit this vulnerability.
• ActiveX Control Memory Corruption Vulnerability
DXImageTransform.Microsoft.Light is an ActiveX control that handles the light filter properties of an object. This property is responsible for the effect of a light from the content of the object. By setting the properties of the Light filter, you can control the virtual position of the light source. You also can control the X and Y coordinates of the light's focus, as well as the light's type (point or cone), color, and intensity.
IE is vulnerable because it does not perform parameter validation on the data that is passed to the DXImageTransform.Microsoft.Light ActiveX control. Unexpected data can cause IE to fail in a way that could allow code execution.
Successful exploitation of this vulnerability could allow a malicious user or malware to execute arbitrary code or gain higher privileges on the system. This can enable the malicious user to take complete control of the affected system.
The malicious user or malware can then execute code on the system, with the ability to install or run programs and view or edit data with full privileges. Thus, this vulnerability can conceivably be used by malware for replication purposes.
A remote attacker or malware can exploit this vulnerability under the circumstances described below:
Web-based attack scenario
An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through IE and then entice a user to view it. Specially crafted Web sites can also include Web sites that accept or host user-provided content or advertisements, and compromised Web sites. These Web sites could contain specially crafted content that could exploit this vulnerability. The attacker cannot force users into visiting these Web sites. Instead, an attacker needs to persuade users to visit the Web site, typically by getting them to click a link in an email message or in an Instant Messenger request that takes users to the attacker's Web site. The attacker may also deliver specially crafted Web content to affected systems by using banner advertisements or other methods.
• COM Object Instantiation Memory Corruption Vulnerability
The Component Object Model (COM) provides a standard way for applications (.EXE files) or libraries (.DLL files) to make their functionality available to any COM-compliant application or script. COM makes it possible for non-programmers to write scripts for managing Windows operating systems. COM provides a mechanism for translating script code into commands that can be acted on by the operating system. More information regarding COM can be found at the following Web site:
http://www.microsoft.com/technet/scr....mspx?mfr=true.
IE is vulnerable because when it attempts to instantiate certain COM objects as ActiveX Controls, the COM objects may corrupt the system state in such a way that an attacker could execute arbitrary code.
Successful exploitation of this vulnerability could allow a malicious user or malware to execute arbitrary code or gain higher privileges on the system. This can enable the malicious user to take complete control of the affected system.
The malicious user or malware can then execute code on the system, with the ability to install or run programs and view or edit data with full privileges. Thus, this vulnerability can conceivably be used by malware for replication purposes.
A remote attacker or malware can exploit this vulnerability under the circumstances described below:
Web-based attack scenario
An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through IE and then entice a user to view it. Specially crafted Web sites can also include Web sites that accept or host user-provided content or advertisements, and compromised Web sites. These Web sites could contain specially crafted content that could exploit this vulnerability. The attacker cannot force users into visiting these Web sites. Instead, an attacker needs to persuade users to visit the Web site, typically by getting them to click a link in an email message or in an Instant Messenger request that takes users to the attacker's Web site. The attacker may also deliver specially crafted Web content to affected systems by using banner advertisements or other methods.
Email attack scenario
A specially crafted email message in HTML may exploit this vulnerability.
• COM CSS Cross-Domain Information Disclosure Vulnerability
IE Security Zones are part of a system that divides online content into categories or zones, based on the trustworthiness of the content. Specific Web domains can be assigned to a zone, depending on how much trust is put in the content of each domain. The zone then restricts the capabilities of the Web content, based on the zone's policy. By default, most Internet domains are treated as part of the Internet zone. By default, the policy of the Internet zone prevents scripts and other active code from accessing resources on the local system.
An information disclosure vulnerability exists in IE because it incorrectly interprets a specially crafted document as a Cascading Style Sheet (CSS). An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially lead to information disclosure if a user visited a specially crafted Web site or clicked a link in a specially crafted email message.
Successful exploitation of this vulnerability could allow a malicious user to read data from another security zone or domain in IE.
The malicious user or malware can execute code on the system, with the ability to install or run programs and view or edit data with full privileges. Thus, this vulnerability can conceivably be used by malware for replication purposes.
A remote attacker or malware can exploit this vulnerability under the circumstances described below:
Web-based attack scenario
An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through IE and then entice a user to view it. Specially crafted Web sites can also include Web sites that accept or host user-provided content or advertisements, and compromised Web sites. These Web sites could contain specially crafted content that could exploit this vulnerability. The attacker cannot force users into visiting these Web sites. Instead, an attacker needs to persuade users to visit the Web site, typically by getting them to click a link in an email message or in an Instant Messenger request that takes users to the attacker's Web site. The attacker may also deliver specially crafted Web content to affected systems by using banner advertisements or other methods.
Email attack scenario
A specially crafted email message in HTML may exploit this vulnerability.
• Address Bar Spoofing Vulnerabilities
The address bar and other parts of the trust User Interface (UI) can be persisted from a trusted Web site that displays a modal browser window while the content of the browser window is navigated to the attacker's Web site.
An attacker can use the vulnerability to create a Web page that displays a spoofed URL in the Address bar while pointing to a different Web site. An attacker may use this vulnerability to create a specially crafted page that persists the address bar and other parts of the trust UI from a legitimate site. A user could then enter information believing it is going to the legitimate Web site when in fact the data is sent to the attacker's site.
A remote attacker or malware can exploit this vulnerability under the circumstances described below:
Web-based attack scenario
An attacker hosts a Web site containing malicious Web pages. An attacker cannot force users to visit the said Web site. Instead, an attacker needs to persuade them to visit the Web site by getting them to click a link pointing to the attacker's Web site.
• MHT Memory Corruption Vulnerability
A specially crafted Web page can, when saved as a multipart HTML (.MHT) file, cause memory corruption.
An attacker who successfully exploits this vulnerability could gain the same user rights as the affected user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
The malicious user or malware can execute code on the system, with the ability to install or run programs and view or edit data with full privileges. However, significant user interaction is required.
A remote attacker or malware can exploit this vulnerability under the circumstances described below:
Web-based attack scenario
An attacker hosts a specially crafted Web page that is designed to exploit this vulnerability through IE and then persuades a user to save the Web page as a multipart HTML (.MHT) file. Specially crafted Web sites can also include Web sites that accept or host user-provided content or advertisements, and compromised Web sites. These Web sites could contain specially crafted content that could exploit this vulnerability. It is possible to deliver specially crafted Web content to affected systems by using banner advertisements or other methods.
Email attack scenario
A specially crafted email message in HTML may exploit this vulnerability.
(MS06-022) Vulnerability in ART Image Rendering Could Allow Remote Code Execution (918439)
Affected programs and services:
* Microsoft Windows 98
* Microsoft Windows 98 Second Edition
* Microsoft Windows Millennium Edition
* Microsoft Windows Server 2003
* Microsoft Windows XP Service Pack 1
* Microsoft Windows XP Service Pack 2
* Microsoft Windows Server 2003 for Itanium-based Systems
* Microsoft Windows XP Professional x64 Edition
* Microsoft Windows Server 2003 Service Pack 1
* Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
* Microsoft Windows Server 2003 x64 Edition
Malware exploiting this vulnerability: unknown
ART is an image file format used by the America Online (AOL) client software. The technology was developed by Johnson-Grace in 1991 and has been used by AOL since 1994. AOL purchased the Johnson-Grace company to obtain full rights to the technology.
Internet Explorer can render ART files via jgdw400.dll, the JG ART DLL. More information is available at the following Web site:
http://en.wikipedia.org/wiki/ART_image_file_format
The JG ART DLL is exploitable because it does not validate the length of the message before passing it to the allocated buffer. A specially crafted ART file can cause a heap overflow when the file is rendered by Internet Explorer within an IMG tag. This vulnerability can be exploited to execute arbitrary code.
Once successfully exploited, this vulnerability could allow a malicious user or malware to execute arbitrary code with the privileges of the currently logged-on user. This enables the malicious user to install or run programs and view or edit data with full privileges. Thus, this vulnerability can be used by malware for replication purposes.
The malicious user or malware can exploit this vulnerability under the following scenarios:
* Web-based attack scenario
The attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, Web sites that are compromised as well as Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability.
In all cases, however, the attacker has no way of forcing users to visit these Web sites. Instead, the attacker has to persuade users to visit them, typically by getting them to click a link in an email or instant message. As a result, the browser of the affected user is redirected to the attacker's Web site.
* Email attack scenario
The attacker can send an email message rendered in HTML to invoke a specially-crafted ART file to exploit this vulnerability.
(MS06-023) Vulnerability in Microsoft JScript Could Allow Remote Code Execution (917344)
Affected programs and services:
* Microsoft Windows 2000 Service Pack 4
* Microsoft Windows 98
* Microsoft Windows 98 Second Edition
* Microsoft Windows Millennium Edition
* Microsoft Windows Server 2003
* Microsoft Windows XP Service Pack 1
* Microsoft Windows XP Service Pack 2
* Microsoft Windows Server 2003 for Itanium-based Systems
* Microsoft Windows XP Professional x64 Edition
* Microsoft Windows Server 2003 Service Pack 1
* Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
* Microsoft Windows Server 2003 x64 Edition
Malware exploiting this vulnerability: unknown
JScript is the Microsoft implementation of ECMA 262 language specification (ECMAScript Edition 3). It is an interpreted, object-based scripting language. More information on JScript is available in the following Web site:
http://msdn.microsoft.com/library/de...scriptinga.asp
JScript is exploitable because it may release objects early, causing memory corruption. A specially crafted script can trigger this corruption, and the vulnerability can be exploited to execute arbitrary code.
Once successfully exploited, this vulnerability could allow a malicious user or malware to execute arbitrary code with the privileges of the currently logged-on user. This enables the malicious user to install or run programs and view or edit data with the full privileges of that account. Thus, this vulnerability can also be used by other malware for replication.
The malicious user or malware can exploit this vulnerability under the following scenarios:
* Web-based attack scenario
The attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, Web sites that are compromised, as well as Web sites that accept or host user-provided content or advertisements, could contain specially crafted JScript that exploits this vulnerability.
In all cases, however, the attacker has no way of forcing users to visit these Web sites. Instead, the attacker has to persuade users to visit them, typically by getting them to click a link in an email or instant message that redirects the browser of the affected user to the attacker's Web site.
It is also possible to display specially crafted Web content by using banner advertisements or other methods in delivering Web content to affected systems.
* Email attack scenario
The attacker can send an email message rendered in HTML which exploits this vulnerability.
(MS06-025) Vulnerability in Routing and Remote Access Could Allow Remote Execution (911280)
Affected programs and services: Microsoft Windows 2000 Service Pack 4
Microsoft Windows Server 2003
Microsoft Windows Server 2003 64-Bit Edition
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional SP2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Malware exploiting this vulnerability: unknown
This Microsoft security bulletin resolves the following issues in Routing and Remote Access service:
* RRAS Memory Corruption Vulnerability (CVE-2006-2370)
* RASMAN Registry Corruption Vulnerability (CVE-2006-2371)
Both vulnerabilities are caused by an unchecked buffer in the Routing and Remote Access service. Once exploited, either vulnerability could allow a malicious user or malware to execute arbitrary code with the privileges of the currently logged-on user, which could enable the malicious user to take complete control of the affected computer.
On Windows XP Service Pack 2 and Windows Server 2003, an attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. On those systems the vulnerabilities cannot be exploited remotely by anonymous users or by users with standard user accounts; however, the affected component is reachable remotely by users who have administrative permissions.
These vulnerabilities can be exploited by a malicious attacker or malware in this scenario:
* Internet/Network-based attack scenario:
On Windows 2000 and Windows XP Service Pack 1, authenticated users can exploit these vulnerabilities remotely. An anonymous attacker cannot load and run a program remotely by using them.
On Windows XP Service Pack 2 and Windows Server 2003, only users who can authenticate remotely with administrative permissions can reach the affected component; anonymous attackers and users with standard user accounts cannot load and run a program remotely by using these vulnerabilities.
(MS06-030) Vulnerability in Server Message Block Could Allow Elevation of Privilege (914389)
Affected programs and services: Microsoft Windows 2000 Server Service Pack 4
Microsoft Windows Server 2003
Microsoft Windows XP 64-Bit Edition
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Malware exploiting this vulnerability: unknown
This security bulletin resolves newly discovered vulnerabilities in Server Message Block (SMB), which could allow an attacker to escalate privileges and take control over an affected system.
SMB Driver Elevation of Privilege Vulnerability
There is an elevation of privilege vulnerability in SMB that could allow an attacker to take complete control over an affected system.
This vulnerability exists because the SMB driver MRXSMB.SYS uses unbuffered I/O for its IOCTLs, so pointers supplied from user mode are handed directly to kernel-mode code. An IOCTL is a mechanism commonly used to communicate between user space and kernel space.
SMB Invalid Handle Vulnerability
There is a denial of service vulnerability in SMB that could allow an attacker to cause an affected system to stop responding.
In this case, the SMB driver MRXSMB.SYS contains a function that takes a handle as a parameter and subsequently closes it. A user-mode process can pass in the handle of the driver itself, which causes a kernel-mode deadlock on that thread; the process cannot terminate and the system may not be able to shut down properly.
Both vulnerabilities require an attacker to have valid logon credentials and to be able to log on locally in order to exploit them.
(MS06-032) Vulnerability in TCP/IP Could Allow Remote Code Execution (917953)
Affected programs and services: Microsoft Windows 2000 Service Pack 4
Microsoft Windows Server 2003
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Malware exploiting this vulnerability: unknown
This security advisory refers to a vulnerability in the TCP/IP protocol driver that allows remote code execution using a specially crafted ICMP packet that carries a strict or loose source route option.
An attacker who successfully exploited this vulnerability could take complete control of an affected system, gaining the ability to view, change or delete data and to create accounts with full user rights.
Below are the mitigating factors for this vulnerability:
* It is recommended that systems expose a minimal number of ports while connected to the Internet.
* On Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1, IP source routing is disabled by default. On other platforms it can be disabled by setting the DisableIPSourceRouting registry value (under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters) to 2, which drops all incoming source-routed packets.
* On every affected platform, the Routing and Remote Access service is disabled by default. Enabling it manually makes the system more susceptible to this vulnerability.
* Attempts to exploit this vulnerability are most likely to result in a denial of service (DoS) condition, although remote code execution is possible.
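As an added illustration of what the source-routing mitigation above is filtering (example code written for this page, not Trend Micro's or Microsoft's), the following Python walks the option list of a raw IPv4 header and flags ICMP packets that carry a loose (LSRR) or strict (SSRR) source route option, which is the shape of packet the bulletin describes. The option type codes are the standard RFC 791 values; the sample packets, their addresses and the zeroed header checksum are constructed for the demonstration.

```python
import struct

# IPv4 option type codes from RFC 791 (standard values, not taken from the page)
IPOPT_EOL = 0      # end of option list
IPOPT_NOP = 1      # no-operation (padding)
IPOPT_LSRR = 131   # loose source and record route
IPOPT_SSRR = 137   # strict source and record route
IPPROTO_ICMP = 1


def parse_ipv4_options(packet: bytes):
    """Return (protocol, [(option_type, option_data), ...]) for a raw IPv4 packet.

    Only the header is inspected; IHL says how many option bytes follow the fixed
    20-byte header. Inconsistent IHL or option lengths raise ValueError so the
    walker never reads past the header on a crafted packet.
    """
    if len(packet) < 20:
        raise ValueError("too short for an IPv4 header")
    version, ihl_words = packet[0] >> 4, packet[0] & 0x0F
    if version != 4:
        raise ValueError("not an IPv4 packet")
    ihl = ihl_words * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("IHL is inconsistent with packet length")
    proto = packet[9]
    options = []
    i = 20
    while i < ihl:
        opt_type = packet[i]
        if opt_type == IPOPT_EOL:
            break
        if opt_type == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError("truncated option header")
        opt_len = packet[i + 1]
        if opt_len < 2 or i + opt_len > ihl:
            raise ValueError("bad option length")
        options.append((opt_type, bytes(packet[i + 2:i + opt_len])))
        i += opt_len
    return proto, options


def source_route_hops(option_data: bytes):
    """Decode an LSRR/SSRR option body: a 1-byte pointer followed by 4-byte hop addresses."""
    pointer = option_data[0]
    addrs = option_data[1:]
    hops = [".".join(str(b) for b in addrs[k:k + 4]) for k in range(0, len(addrs) // 4 * 4, 4)]
    return pointer, hops


def is_source_routed_icmp(packet: bytes) -> bool:
    """True when an ICMP packet carries a loose or strict source route option."""
    proto, options = parse_ipv4_options(packet)
    if proto != IPPROTO_ICMP:
        return False
    return any(t in (IPOPT_LSRR, IPOPT_SSRR) for t, _ in options)


def build_ipv4(src: str, dst: str, proto: int, options: bytes, payload: bytes) -> bytes:
    """Build a sample packet (header checksum left 0; this is test data, never sent)."""
    def ip_bytes(ip: str) -> bytes:
        return bytes(int(x) for x in ip.split("."))
    while len(options) % 4:                      # pad the option list to a 32-bit boundary
        options += bytes([IPOPT_EOL])
    ihl_words = 5 + len(options) // 4
    total_len = ihl_words * 4 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total_len, 0x1234, 0,
                         64, proto, 0, ip_bytes(src), ip_bytes(dst))
    return header + options + payload


# Constructed samples: an ICMP echo request with and without an LSRR option.
ICMP_ECHO = bytes([8, 0, 0, 0, 0, 1, 0, 1])
LSRR_OPTION = bytes([IPOPT_LSRR, 11, 4, 10, 0, 0, 1, 10, 0, 0, 2])   # pointer=4, two hops
SAMPLE_SOURCE_ROUTED = build_ipv4("198.51.100.7", "192.0.2.10", IPPROTO_ICMP, LSRR_OPTION, ICMP_ECHO)
SAMPLE_PLAIN = build_ipv4("198.51.100.7", "192.0.2.10", IPPROTO_ICMP, b"", ICMP_ECHO)

if __name__ == "__main__":
    for label, pkt in (("source-routed", SAMPLE_SOURCE_ROUTED), ("plain", SAMPLE_PLAIN)):
        print(label, "->", "DROP" if is_source_routed_icmp(pkt) else "pass")
```

Setting DisableIPSourceRouting to 2 makes the stack discard incoming source-routed packets, which is why the bulletin lists it as a mitigation; the checker above is the same decision made in user space, suitable for a sensor or an offline pcap review. The length checks are not cosmetic: an IHL or option length that runs past the header is exactly what a malformed packet would carry.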
(MS06-035) Vulnerability in Server Service Could Allow Remote Code Execution (917159)
Affected programs and services: Microsoft Windows 2000 Service Pack 4
Microsoft Windows Server 2003
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Malware exploiting this vulnerability: unknown
MailSlot Heap Overflow Vulnerability (CVE-2006-1314)
Mailslots are temporary mechanisms that are utilized by applications and processes to facilitate unidirectional data transfer.
This security advisory resolves a remote code execution vulnerability in the Server driver. It is caused by an unchecked buffer in the Server service, and any anonymous user who can deliver a specially crafted network packet to the affected system can exploit it. A successful attacker can take complete control of an affected system, although an attempt may instead cause a denial of service through an unexpected restart of the affected system.
This vulnerability can also be exploited over the Internet. Firewall best practices, such as blocking the SMB ports at the perimeter, can protect users against these types of attacks.
The security update for this vulnerability modifies how the Server driver validates the length of a message before it passes the message to the allocated buffer.
SMB Information Disclosure Vulnerability (CVE-2006-1315)
SMB (Server Message Block) is the protocol Windows uses to share files, printers and serial ports, and to communicate between computers.
The security update addresses an information disclosure vulnerability in SMB. Successful exploitation could allow an attacker to remotely read information held in SMB buffers. This vulnerability does not directly allow the attacker to execute code remotely or elevate privileges, but the disclosed data can be used to compromise the system further. The attacker would send a specially crafted message to the affected system in order to retrieve the contents of SMB buffers. This vulnerability can also be exploited over the Internet.
The vulnerability is addressed by initializing the buffer prior to responding to a client request.
(MS06-036) Vulnerability in DHCP Client Service Could Allow Remote Code Execution (914388)
Affected programs and services: Microsoft Windows 2000 Service Pack 4
Microsoft Windows Server 2003
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Malware exploiting this vulnerability: unknown
This vulnerability affects the Dynamic Host Configuration Protocol (DHCP), which is an IP standard designed to reduce the complexity of administering network addresses.
To exploit this vulnerability, an attacker on the same network segment sends a malformed DHCP message to an affected client. Successful exploitation allows remote code execution and gives the remote attacker complete control over the exploited system. This vulnerability is caused by an unchecked buffer in the DHCP Client service.
(MS06-040) Vulnerability in Server Service Could Allow Remote Code Execution
Affected programs and services: Microsoft Windows 2000 Service Pack 4
Microsoft Windows Server 2003
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Malware exploiting this vulnerability: unknown
The Server Service provides RPC support, file print support, and named pipe sharing over the network. It allows the sharing of local resources so that other users on the network can access them. It also allows named pipe communication between applications running on other computers and your computer, which is used for RPC.
There is a remote code execution vulnerability in Server Service that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system.
This vulnerability can be exploited by sending a specially crafted message to an affected system, which can result in code execution. Workstations and servers are both affected; however, Windows 2000 systems are primarily at risk because of this vulnerability's unique characteristics and affected code path.
(MS06-041) Vulnerability in DNS Resolution Could Allow Remote Code Execution (920683)
Affected programs and services: Microsoft Windows 2000 Service Pack 4
Microsoft Windows Server 2003
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Malware exploiting this vulnerability: unknown
The update resolves several newly discovered vulnerabilities. A malicious user who successfully exploits these vulnerabilities could very well take complete control over an affected system by installing programs or viewing, changing, or deleting data. It is also possible to create new accounts with full user rights.
Winsock Hostname Vulnerability - CVE-2006-3440
There is a remote code execution vulnerability in Winsock that could allow a malicious user to take complete control of the affected system. For an attack to succeed, the malicious user would have to persuade the user to open a file or visit a Web site that is specially crafted to call the affected Winsock API.
Windows Sockets 2 (Winsock) enables programmers to create advanced Internet and other network-capable applications to transmit application data independent of the network protocol being used.
With Winsock, programmers are provided access to advanced Microsoft Windows networking capabilities such as multicast and Quality of Service (QOS).
DNS Client Buffer Overrun Vulnerability - CVE-2006-3441
There is a remote code execution vulnerability in the DNS Client service that could allow a malicious user to take complete control of the affected system.
For an attack to be successful, the malicious user would either have to be on a subnet between the host and the DNS server or force the target host to make a DNS request to receive a specially crafted record response from an attacking server.
One way to help protect the system from exploit attempts is to block the following DNS record types at network gateways:
* ATMA
* HINFO
* ISDN
* TXT
* X25
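To make the gateway filter above concrete, here is an added Python example (written for this page, not part of the Trend Micro or Microsoft text) that parses a DNS response, walks every resource record and reports which of the five listed record types are present. The type codes are the standard DNS values (HINFO 13, TXT 16, X25 19, ISDN 20, ATMA 34); the sample response for example.test is constructed inline. Because the vulnerable code path is in the client that parses the response, dropping these types before they reach the resolver is the point of the mitigation.

```python
import struct

# Record types the bulletin suggests blocking, keyed by their standard DNS type codes
# (the codes are standard values; the mapping is added here, not taken from the page).
BLOCKED_RR_TYPES = {13: "HINFO", 16: "TXT", 19: "X25", 20: "ISDN", 34: "ATMA"}


def read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) domain name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if off + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            if end is None:
                end = off + 2                          # the caller resumes after the pointer
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_records(msg: bytes):
    """Return [(owner, rtype, rdata)] for every answer, authority and additional record."""
    if len(msg) < 12:
        raise ValueError("too short for a DNS header")
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qdcount):                           # skip the question section
        _, off = read_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    records = []
    for _ in range(ancount + nscount + arcount):
        owner, off = read_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated resource record header")
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlen > len(msg):
            raise ValueError("RDLENGTH runs past end of message")
        records.append((owner, rtype, msg[off:off + rdlen]))
        off += rdlen
    return records


def blocked_types_in(msg: bytes):
    """Names of the blocked record types found in a response; an empty list means let it through."""
    return sorted({BLOCKED_RR_TYPES[t] for _, t, _ in parse_records(msg) if t in BLOCKED_RR_TYPES})


def build_sample_response(include_txt: bool) -> bytes:
    """Constructed response for example.test: an A record, optionally preceded by a TXT record."""
    owner_ptr = b"\xc0\x0c"                            # pointer to the question name at offset 12
    answers = [owner_ptr + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])]
    if include_txt:
        txt = bytes([5]) + b"hello"                    # one character-string of length 5
        answers.insert(0, owner_ptr + struct.pack("!HHIH", 16, 1, 60, len(txt)) + txt)
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    question = b"\x07example\x04test\x00" + struct.pack("!HH", 1, 1)
    return header + question + b"".join(answers)


if __name__ == "__main__":
    for with_txt in (True, False):
        hit = blocked_types_in(build_sample_response(with_txt))
        print("DROP" if hit else "pass", hit)
```

The parser bounds-checks every name, pointer and RDLENGTH against the message length, which is the discipline the vulnerable DNS client lacked; a gateway filter built on it fails closed on malformed responses instead of trusting the length fields.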
(MS06-042) Cumulative Security Update for Internet Explorer (918899)
Affected programs and services: Microsoft Internet Explorer 6.0 (Microsoft Windows Server 2003)
Microsoft Internet Explorer 6.0 (Microsoft Windows Server 2003 64-Bit Edition)
Microsoft Internet Explorer 6 Service Pack 1 (Microsoft Windows 2000 Service Pack 4)
Microsoft Internet Explorer 6 Service Pack 1 (Microsoft Windows XP Service Pack 1)
Microsoft Internet Explorer 6 (Microsoft Windows Server 2003 x64 Edition)
Microsoft Internet Explorer 6.0 (Microsoft Windows Server 2003 Service Pack 1)
Microsoft Internet Explorer 6 (Microsoft Windows XP Service Pack 2)
Microsoft Internet Explorer 6 (Microsoft Windows Server 2003 with SP1 for Itanium-based Systems)
Microsoft Internet Explorer 6 (Microsoft Windows XP Professional x64 Edition)
Internet Explorer 5.01 Service Pack 4 (Microsoft Windows 2000 Service Pack 4)
Malware exploiting this vulnerability: unknown
This update resolves several newly discovered, publicly and privately reported vulnerabilities. Each of the vulnerabilities is documented in its own section of this bulletin.
If a user is logged on with administrative user rights, a malicious user who successfully exploited the most severe of these vulnerabilities, could take complete control of an affected system. A malicious user could then install programs; view, change, or delete data; or create new accounts with full user rights.
Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
Redirect Cross-Domain Information Disclosure Vulnerability
This security advisory addresses an information disclosure vulnerability that exists in Internet Explorer (IE) due to the incorrect interpretation of the location of a Web page after a redirect to a Web page that uses gzip encoding or some other compression type supported by IE.
A malicious user who successfully exploited this vulnerability could read data from another security zone or domain in IE.
A malicious user could host a specially crafted Web site that is designed to exploit this vulnerability through IE and then persuade a user to view the Web site. This can also include Web sites that accept user-provided content or advertisements, host user-provided content or advertisements, and compromised Web sites. These Web sites could contain specially crafted content that could exploit this vulnerability.
In all cases, however, a malicious user would have no way to force users to visit these Web sites. Instead, a malicious user would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger request that takes users to the attacker's Web site.
It is possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.
Moreover, this vulnerability requires a user to be logged on and visiting a Web site for any malicious action to occur. Therefore, any systems where IE is used frequently, such as workstations or terminal servers, are at the highest risk.
HTML Layout and Positioning Memory Corruption Vulnerability
This security advisory addresses a remote code execution vulnerability that exists in the way IE interprets specially crafted HTML with certain layout positioning combinations. When IE handles the said combinations, it may corrupt system memory in such a way that a malicious user could execute arbitrary code.
A malicious user could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if an unsuspecting user viewed the Web page. On successful exploitation, this vulnerability could take complete control of an affected system.
However, this vulnerability requires that a user is logged on and is reading HTML e-mail messages or is visiting a Web site for any malicious action to occur.
CSS Memory Corruption Vulnerability
This security advisory addresses a remote code execution vulnerability that exists in the way IE handles chained Cascading Style Sheets (CSS). When IE attempts to import such style sheets, system memory can be corrupted in a way that could allow arbitrary code to be executed remotely.
A malicious user could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user viewed the Web page.
A malicious user who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights. In the worst case, a malicious user could then install programs; view, change, or delete data; or create new accounts with full user rights.
HTML Rendering Memory Corruption Vulnerability
This security advisory addresses a remote code execution vulnerability that exists in the way IE interprets HTML with certain layout combinations. This is due to a race condition that exists within IE where an object pointer can be freed and later referenced.
A malicious user could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user visited the specially crafted Web site.
A malicious user who successfully exploited this vulnerability could take complete control of an affected system.
COM Object Instantiation Memory Corruption Vulnerability
This security advisory addresses a remote code execution vulnerability that exists in the way IE instantiates COM objects that are not intended to be instantiated in IE. The bug is caused by a potentially exploitable issue in an ActiveX component that surfaces when IE attempts to instantiate certain COM objects as ActiveX controls. The COM objects may corrupt the system state in such a way that a malicious user could execute arbitrary code. The ActiveX component affected by this vulnerability is the DANIM.DLL file.
A malicious user could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user viewed the Web page. Once successful, the malicious user could take complete control of an affected system.
However, this vulnerability requires that a user is logged on and visits a Web site for any malicious action to occur. Therefore, any systems where IE is used frequently, such as workstations or terminal servers, are at the highest risk from this vulnerability.
Source Element Cross-Domain Vulnerability
This security advisory addresses a remote code execution and information disclosure vulnerability that exists in IE in the way that a redirect is handled. IE incorrectly interprets the origin of script and allows this script to run in a domain or IE zone other than where it originates from. This is actually due to IE's cross-domain scripting flaw that could allow for information disclosure if a user viewed the specially crafted Web page.
A malicious user could exploit the vulnerability by registering a mouse handler that receives click and double click events from within an IFRAME. With this event comes the object on which the event was fired. This object can be manipulated using standard DHTML/DOM scripting.
On Windows XP Service Pack 1 and Windows 2000 Service Pack 4, a malicious user who successfully exploited this vulnerability could execute code in the context of the user.
On Windows XP Service Pack 2, the malicious user could read data from another security zone or domain in IE.
A malicious user could only exploit this vulnerability on Windows Server 2003 to read data from another security zone or domain in IE if the Internet Explorer Enhanced Security Configuration has been disabled.
Window Location Information Disclosure Vulnerability
This security advisory addresses an information disclosure vulnerability that exists in IE where script can be persisted across navigations and used to gain access to the location of a Window in another domain or IE zone. This is mainly due to the flaw that exists in the mshtml.dll file that allows a popup to persist through navigations and access the location of the parent window.
A malicious user could exploit the vulnerability by constructing a specially crafted Web page that could allow for information disclosure if a user viewed the Web page.
Once successful, the malicious user could gain access to the location of a Web page in another domain or IE zone. After a user visits a Web site containing the exploit the attacker can see the location of subsequent Web pages visited in the same IE session.
FTP Server Command Injection Vulnerability
This security advisory addresses an elevation of privilege vulnerability that exists in the way IE handles specially crafted FTP links that contain line feeds. IE passes the line feeds on to the server, which may then interpret the substrings between the line feeds as additional commands.
IE can be tricked into sending mail through its FTP client without any user action other than loading a page. This is similar to the issue addressed in MS06-021; in this variation it is SMTP commands that are injected. Because an FTP URL contains a port number field, the injected commands can be directed to any reachable port on a server, not just the FTP and SMTP ports.
A malicious user could exploit the vulnerability by constructing a specially crafted Web page that could allow the attacker to issue FTP server commands if a user clicked on an FTP link.
Once successful, the malicious user could issue FTP server commands to FTP servers as the user. The malicious user would be limited to what the user could do on the FTP server and would need to know the location of that server. In addition, user interaction is required to exploit this vulnerability.
However, this vulnerability requires that a user click on an FTP link for any malicious action to occur. Therefore, any systems where HTML e-mail messages are read or where IE is used frequently, such as workstations or terminal servers, are at the highest risk from this vulnerability.
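The following added Python example (not from the page or from Microsoft) shows the mechanism behind the FTP command injection described above: a percent-encoded CR/LF in the user part of an ftp:// URL is decoded by the client and written onto the control connection as separate lines, and the URL's port field lets the attacker aim the connection at an SMTP port instead of 21. The link, host names and the "guest@" anonymous password are constructed for the demonstration; ftp_login_dialogue is a stand-in for a client's login step, shown in a permissive and a hardened form.

```python
from urllib.parse import urlsplit, unquote

CRLF = "\r\n"


def ftp_login_dialogue(url: str, hardened: bool) -> str:
    """Return the text an FTP client would write for the login step of this URL.

    The permissive path (hardened=False) percent-decodes the user info and pastes
    it straight into USER/PASS lines, which is what turns line feeds in the URL
    into extra commands. The hardened path refuses control characters in the
    decoded fields and refuses to talk to anything but the FTP control port.
    """
    parts = urlsplit(url)
    if parts.scheme != "ftp":
        raise ValueError("not an ftp:// URL")
    user = unquote(parts.username or "anonymous")
    password = unquote(parts.password or "guest@")   # assumed anonymous password for the example
    if hardened:
        for field in (user, password):
            if any(ch in field for ch in "\r\n\0"):
                raise ValueError("control character in FTP user info")
        if parts.port not in (None, 21):
            raise ValueError("refusing FTP to non-FTP port %d" % parts.port)
    return "USER " + user + CRLF + "PASS " + password + CRLF


def commands_seen_by_server(wire: str):
    """Split the client's output the way a line-oriented server (FTP or SMTP) reads it."""
    return [line for line in wire.replace("\r\n", "\n").split("\n") if line]


def is_safe_ftp_link(url: str) -> bool:
    """Policy check a client could apply before following a link: True only if the hardened path accepts it."""
    try:
        ftp_login_dialogue(url, hardened=True)
        return True
    except ValueError:
        return False


# Constructed link: the user name carries %0D%0A, and the port field points at SMTP (25).
INJECTED_LINK = "ftp://victim%0D%0AHELO%20evil.example.test@mail.example.test:25/"
CLEAN_LINK = "ftp://ftp.example.test/pub/"

if __name__ == "__main__":
    print(commands_seen_by_server(ftp_login_dialogue(INJECTED_LINK, hardened=False)))
    print("injected link allowed:", is_safe_ftp_link(INJECTED_LINK))
    print("clean link allowed:", is_safe_ftp_link(CLEAN_LINK))
```

Run permissively, the injected link produces three lines on the wire, and the middle one (HELO ...) is a perfectly valid SMTP command to the server on port 25; the USER and PASS lines around it are simply rejected as unknown commands. The hardened path rejects the link twice over, once for the control characters and once for the port, which is the defence a client should apply regardless of which server protocol the attacker is targeting.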
(MS06-045) Vulnerability in Windows Explorer Could Allow Remote Code Execution
Affected programs and services: Microsoft Windows 2000 Service Pack 4
Microsoft Windows Server 2003
Microsoft Windows XP 64-Bit Edition
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Malware exploiting this vulnerability: unknown
A remote code execution vulnerability exists in Windows Explorer because of the way that Windows Explorer handles Drag and Drop events. An attacker could exploit this vulnerability by constructing a malicious Web page that could allow the attacker to save a file on the target user's system, by enticing the user to visit the malicious Web site or to view a malicious email message containing HTML code. User interaction is required to exploit this vulnerability.
An attacker who successfully exploited this vulnerability gains the same rights as that of the local user. If the local user has administrative user rights, the attacker could take complete control of an affected system. Users with lesser user rights are less affected.
(MS06-046) Vulnerability in HTML Help Could Allow Remote Code Execution (922616)
Affected programs and services: Microsoft Windows 2000 Service Pack 4
Microsoft Windows Server 2003
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Malware exploiting this vulnerability: unknown
On vulnerable versions of Microsoft Windows, if a certain user is logged on a system with administrative rights, the malicious user who is able to successfully exploit this vulnerability could take complete control of the client workstation.
The malicious user could then install programs or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who work with administrative user rights.
There exists a vulnerability in the HTML Help ActiveX control that could allow remote code execution on an affected system. The malicious user could exploit the vulnerability by creating a malicious Web site that could possibly allow remote code execution if a user visited that particular page. A successful exploit of this vulnerability could allow complete control of the affected system.
In a Web-based attack scenario, a malicious user would have to host a Web site designed to exploit this vulnerability. The malicious user would have no way to force users to visit a Web site. Instead, the malicious user would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to a site that has been compromised by the malicious user.
The risk of attack from the HTML e-mail vector can be reduced if a user meets all the following conditions:
* Install the update that is included with Microsoft Security Bulletin MS03-040 or a later Cumulative Security Update for Internet Explorer.
* Use Microsoft Outlook 2000 with the Microsoft Outlook E-mail Security Update installed.
* Use Microsoft Outlook Express 6 or later or Microsoft Outlook 2000 Service Pack 2 or later in their default configuration.
By default, Internet Explorer on Windows Server 2003 runs in a restricted mode.
(MS06-050) Vulnerabilities in Microsoft Windows Hyperlink Object Library Could Allow Remote Code Execution (920670)
Affected programs and services: Microsoft Windows 2000 Service Pack 4
Microsoft Windows Server 2003
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Malware exploiting this vulnerability: unknown
This update resolves two newly discovered vulnerabilities. If a user is logged on with administrative user rights, a malicious user who successfully exploited this vulnerability could take complete control of an affected system by installing programs; viewing, changing, or deleting data; or creating new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. User interaction is required for a malicious user to exploit these vulnerabilities.
Hyperlink Object Buffer Overflow Vulnerability
This security advisory addresses a remote code execution vulnerability that exists in the Hyperlink Object Library. The Hyperlink Object Library is a collection of application programming interfaces. These interfaces provide functionality to software developers for handling hyperlinks.
This problem exists because of an unchecked buffer in the code that is used for handling hyperlinks. A malicious user could exploit the vulnerability by constructing a malicious hyperlink, which could potentially lead to remote code execution if a user clicks a malicious link within an Office file or e-mail message. A malicious user who successfully exploited this vulnerability could take complete control of the affected system. User interaction is required to exploit this vulnerability.
If a user were logged on with administrative user rights, a malicious user who successfully exploited this vulnerability could take complete control of an affected system. A malicious user could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
A malicious user who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
However, the vulnerability could not be exploited automatically through e-mail. For an attack to be successful, a malicious user must persuade an unsuspecting user to click a link in an e-mail message or open an Office file and click a link within that file.
Hyperlink Object Function Vulnerability
This security advisory addresses a remote code execution vulnerability that exists in the Hyperlink Object Library. This problem exists when the Hyperlink Object Library uses a file containing a malformed function while handling hyperlinks.
A malicious user could exploit the vulnerability by constructing a malicious hyperlink, which could potentially lead to remote code execution if a user clicks a malicious link within an Office file or e-mail message. A malicious user who successfully exploited this vulnerability could take complete control of the affected system.
However, user interaction is required to exploit this vulnerability.
(MS06-051) Vulnerability in Windows Kernel Could Result in Remote Code Execution
Affected programs and services: Microsoft Windows 2000 Service Pack 4
Microsoft Windows Server 2003
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Malware exploiting this vulnerability: unknown
User Profile Elevation of Privilege Vulnerability
This security advisory addresses a privilege elevation vulnerability in the way that Windows 2000 starts applications. This vulnerability could allow a logged on user to take complete control of the system due to a race condition that exists within the WINLOGON system process that allows local Elevation of Privilege from an unprivileged user to system context.
WINLOGON is the process that manages security-related user interactions in Windows. It handles logon and logoff requests, locking or unlocking the machine, changing the password, and other requests.
To exploit this vulnerability, an attacker would first have to log on to the target system. An attacker could then place a specially crafted .DLL file within their User Profile folder and then restart the computer. After the restart and subsequent re-logon by the attacker, the malicious .DLL file would execute code that could exploit the vulnerability and allow the attacker to gain complete control over the affected system.
On Windows 2000, WINLOGON does not prohibit the use of an invalid path. If a specially crafted DLL is placed in the user directory, it is possible for WINLOGON to execute the code of the malicious .DLL file instead of the code of the legitimate .DLL file located in %Windows%\system32 resulting in an elevation of the user's privileges.
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
The attacker who successfully exploited this vulnerability could take complete control of an affected system. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
However, an attacker must be able to log on locally to the target system and run a program to successfully exploit the vulnerability.
Unhandled Exception Vulnerability
This security advisory addresses the remote code execution vulnerability in the way that exception handling is managed on multiple applications that are resident in memory. Windows allows programs to register a single unhandled exception filter (UEF). Typically, DLLs that register a UEF treat the process like a stack. In essence, the old handle is returned to them by the API and is stored and replaced with their new handler. When the DLL is unloaded, it replaces the old handler during cleanup.
This works properly until the DLL load and unload order for a process changes. As soon as a malicious user can break the stack paradigm, pointers to invalid memory can become the UEF pointer due to a well-meaning DLL restoring the UEF of an unloaded DLL. This allows code execution if the attacker can spray the heap.
The attacker who successfully exploited this vulnerability could take complete control of an affected system. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
However, an attacker must be able to log on locally to the target system and run a program to successfully exploit the vulnerability.
(MS06-052) Vulnerability in Pragmatic General Multicast (PGM) Could Allow Remote Code Execution (919007)
Affected programs and services: Windows XP Service Pack 1 with the MSMQ service installed
Windows XP Service Pack 2 with the MSMQ service installed
Malware exploiting this vulnerability: unknown
Pragmatic General Multicast
According to Microsoft, Pragmatic General Multicast (PGM) is a reliable and scalable multicast protocol that enables receivers to detect loss, request retransmission of lost data, or notify an application of unrecoverable loss. It transfers the responsibility of ensuring that all data is received, from the sender to the receiver, thus absolving the sender of any reception responsibility. PGM is appropriate for applications that require duplicate-free multicast data delivery from multiple sources to multiple receivers. It does not support acknowledged delivery, nor does it guarantee ordering of packets from multiple senders.
Microsoft Message Queuing Service
Microsoft Message Queuing Service (MSMQ) enables applications running at different times to communicate across networks and systems that may be temporarily offline.
There is a remote code execution vulnerability that could allow an attacker to send a specially crafted multicast message to an affected system and execute code on the affected system. The MSMQ service, which is the Windows service needed to allow PGM communications, is not installed by default. This vulnerability can be exploited by an attacker by sending a specially crafted message that uses MSMQ to communicate with a vulnerable system. An invalid memory access in the PGM protocol implementation causes this vulnerability in Windows XP. However, Windows XP x64 Edition systems are not affected because they share their implementation of MSMQ with Windows Server 2003 x64 Edition.
(MS06-053) Vulnerability in Indexing Service Could Allow Cross-Site Scripting (920685)
Affected programs and services: Microsoft Windows 2000 Service Pack 4
Microsoft Windows Server 2003
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Malware exploiting this vulnerability: unknown
This update resolves a newly discovered, privately reported vulnerability. This vulnerability allows remote malicious users to gain unauthorized access to sensitive user information. This vulnerability does not allow the remote users to execute code to elevate their rights directly, but it is possible to produce useful information that could be used to further compromise the affected system.
There is an information disclosure vulnerability in the Indexing Service because of the way that it handles query validation. This vulnerability allows remote malicious users to run a client-side script. The said script could disclose information, spoof content, or take any other action that the users may take on the affected Web site.
Remote malicious users who successfully exploit this vulnerability could run a malicious script. Once the said script is run, it runs in the security context of the user. The script can basically do anything on an affected computer that the Web site is authorized to do. The said actions may include monitoring Web sessions and forwarding information to a third party, running code on the system, and reading or writing cookies.
In a Web-based attack scenario, remote malicious users host a Web site that contains a Web page that is used to exploit this vulnerability. Compromised Web sites and Web sites that accept or host user-provided content or advertisements may contain specially crafted content that exploits this vulnerability. In all cases, however, remote malicious users have no way to force affected users to visit these Web sites. Instead, remote users have to persuade affected users to visit the Web site, typically by getting them to click a link in an email message or an Instant Messenger message that takes affected users to the Web sites of the remote users.
(MS06-055) Vulnerability in Vector Markup Language Could Allow Remote Code Execution (925486)
Affected programs and services: Microsoft Windows Server 2003
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Malware exploiting this vulnerability: HTML_VMLFILL.C, HTML_VIMALOV.B, HTML_VMLFILL.B, EXPL_EXECOD.A
Vector Markup Language (VML) Vulnerability
This overrun vulnerability allows remote code execution. Once successfully exploited, an attacker takes complete control of an affected system. It does this by creating a specially crafted Web page or email (in HTML format) that allows remote code execution when a user visits a Web site or views an email message.
An exploited system may allow an attacker to perform malicious activities, such as data manipulation and user-account creation. It is important to note that users who were granted fewer rights may be less affected than those with administrative rights.
This vulnerability exists due to an unchecked buffer in the VML implementation in Microsoft Windows.
VML is an exchange, editing, and delivery format based on XML, a simple yet flexible text-based language that complements HTML. Exploiting VML can both be done in a Web-based scenario and an email-based scenario:
* In a Web-based scenario, an attacker creates and hosts a specially crafted Web page that may exploit this vulnerability due to its content. This Web page may also be hosted in other Web sites, such as sites that accept or host contents supplied by the user and advertisements. An attacker then persuades the user to visit the Web site by getting them to click on a link from an email message or an instant messenger message. Clicking the link directs them to the attacker's Web site.
* In an email-based scenario, an attacker creates a specially crafted email that contains a link that redirects the user to the attacker's Web site. Opening an attached file in the specially crafted email may also trigger this action. It is important to note that users reading email messages in plain text format are less likely to be affected by this vulnerability when using Microsoft Outlook or Outlook Express.
The update removes the vulnerability by modifying the way that Windows validates the length of data before storing it in the allocated buffer.
(MS06-057) Vulnerability in Windows Explorer Could Allow Remote Execution (923191)
Affected programs and services: Microsoft Windows 2000 Service Pack 4
Microsoft Windows Server 2003
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Malware exploiting this vulnerability: EXPL_SSLICE.GEN
A vulnerability exists in Windows Shell in the way it validates input parameters when called by the WebViewFolderIcon ActiveX (Web View) control that if successfully exploited, could allow remote code execution.
A remote malicious user may design a specially-crafted Web site or a specially-crafted email message that contains code that exploits this vulnerability.
Once exploited, the remote malicious user may gain the same user rights as the logged on user. Thus, users whose accounts are configured with fewer rights could be less affected than users with administrative rights.
On Windows Server 2003 systems, Internet Explorer runs in a restricted mode known as Enhanced Security Configuration. The said mode reduces the effects of this vulnerability.
(MS06-061) Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (924191)
Affected programs and services: Microsoft Windows 2000 Service Pack 4
Microsoft Windows Server 2003
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Office 2003 Service Pack 1
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Office 2003 Service Pack 2
Microsoft XML Parser 2.6
Microsoft XML Core Services 3.0
Microsoft XML Core Services 5.0 Service Pack 1
Microsoft XML Core Services 4.0
Microsoft XML Core Services 6.0
Malware exploiting this vulnerability: unknown
This update addresses vulnerabilities in several versions of Microsoft XML Parser and Microsoft XML Core Services. The following vulnerabilities, when successfully exploited, could allow remote code execution and information disclosure:
* A vulnerability exists in the way XML Core Services interprets an HTTP server-side redirect. The XMLHTTP ActiveX control's flawed interpretation of an HTTP server-side redirect may lead to information disclosure. A remote malicious user may also be able to read information from another security zone or domain in Internet Explorer.
* A vulnerability in the Extensible Stylesheet Language Transformations (XSLT) control processing could lead to remote code execution.
To exploit the said vulnerabilities, a remote user may design a Web site that contains code used to exploit this vulnerability. Once exploited, the remote malicious user gains control of the system. Users who have fewer rights are less affected than users with administrative rights.
On Windows Server 2003 systems, Internet Explorer runs in a restricted mode known as Enhanced Security Configuration. The said mode reduces the effects of the vulnerability in XML Core Services.
(MS06-063) Vulnerability in Server Service Could Allow Denial of Service (923414)
Affected programs and services: Microsoft Windows 2000 Service Pack 4
Microsoft Windows Server 2003
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Malware exploiting this vulnerability: unknown
This update addresses the following vulnerabilities in Server Service that could cause denial of service and remote code execution:
* The first vulnerability exists in the way the Server Service handles an uninitialized buffer in certain network messages. A remote malicious user may send a specially-crafted network message to exploit this vulnerability. Once successfully exploited, the remote malicious user may cause the vulnerable system to stop responding.
* The second vulnerability exists in the way the Server Service handles certain network messages. It is caused by the service's attempt to dereference an invalid pointer. A remote malicious user may send a specially-crafted network message to exploit this vulnerability. Once successfully exploited, the remote malicious user could gain control of the vulnerable system. However, to be able to exploit this vulnerability, the remote malicious user must have valid logon credentials and be able to log on to the network where the target system is located. Moreover, anonymous users may not be able to exploit this vulnerability.
This update resolves the said vulnerabilities by fixing the uninitialized buffer and modifying the way Server Service removes reference to an invalid pointer.
(MS06-064) Vulnerabilities in TCP/IP IPv6 Could Allow Denial of Service (922819)
Affected programs and services: Microsoft Windows Server 2003
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Malware exploiting this vulnerability: unknown
This update addresses several vulnerabilities in several versions of TCP/IP networking protocols. The following vulnerabilities, when successfully exploited, could allow denial of service:
* A vulnerability exists in the IPv6 implementation of the Internet Control Message Protocol (ICMP). Specially-crafted ICMP packets that should be dropped instead of being parsed may cause reset of an existing connection.
* A vulnerability exists in the IPv6 implementation of Transmission Control Protocol (TCP). Specially-crafted TCP packets that should be dropped instead of being parsed may cause reset of an existing connection.
* A vulnerability exists in the IPv6 implementation of TCP/IP. This vulnerability occurs when a TCP packet with a spoofed source Internet Protocol (IP) address and port number identical to the destination IP address and port is received.
To successfully exploit the said vulnerabilities, a remote malicious user would have to belong to the same IPv6 network.
A remote malicious user that successfully exploits the said vulnerabilities may cause the vulnerable system to drop existing TCP connections. It may also cause the vulnerable system to stop responding.
(MS06-065) Vulnerability in Windows Object Packager Could Allow Remote Code Execution (924496)
Affected programs and services: Microsoft Windows Server 2003
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Malware exploiting this vulnerability: unknown
A vulnerability in the Windows Object Packager exists due to the way it handles file extensions. Object Packager is a tool that creates a package that may be inserted into a file.
In a Web-based attack scenario, a remote malicious user may host a Web site that contains exploit code. Once exploited, the remote malicious user may take complete control of the vulnerable system. However, user interaction is required to successfully exploit this vulnerability.
Thanks a lot!!