********************************************************************
Title: Microsoft Security Bulletin Re-Release, December 2004
Issued: December 14, 2004
********************************************************************

Summary
=======
The following bulletin has undergone a major revision increment. Please see the bulletin for more details.

* MS04-028

Bulletin Information:
=====================

* MS04-028

  - http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx
  - Reason for revision: Bulletin updated to advise on the availability of additional security updates. Standalone security updates for The Microsoft .NET Framework version 1.0 Service Pack 2 and The Microsoft .NET Framework version 1.1 are now available. Security updates for Microsoft Visual FoxPro 8.0 and the Microsoft Visual FoxPro 8.0 runtime are also now available. Bulletin updated to reflect the release of Windows Messenger 5.1 that contains an updated version of the affected file. The MS04-028 Enterprise Update Scanning Tool has been updated to detect and deploy the additional security updates.
  - Originally posted: September 14, 2004
  - Updated: December 14, 2004
  - Bulletin Severity Rating: Critical
  - Version: 3.0

Support:
========
Technical support is available from Microsoft Product Support Services at 1-866-PC SAFETY (1-866-727-2338). There is no charge for support calls associated with security updates. International customers can get support from their local Microsoft subsidiaries. Phone numbers for international support can be found at: http://support.microsoft.com/common/international.aspx

Additional Resources:
=====================
* Microsoft has created a free monthly e-mail newsletter containing valuable information to help you protect your network. This newsletter provides practical security tips, topical security guidance, useful resources and links, pointers to helpful community resources, and a forum for you to provide feedback and ask security-related questions. You can sign up for the newsletter at:

* Microsoft has created a free e-mail notification service that serves as a supplement to the Security Notification Service (this e-mail). It provides timely notification of any minor changes or revisions to previously released Microsoft Security Bulletins. This new service provides notifications that are written for IT professionals and contain technical information about the revisions to security bulletins. Visit http://www.microsoft.com to subscribe to this service:

  - Click on Subscribe at the top of the page.
  - This will direct you via Passport to the Subscription center.
  - Under Newsletter Subscriptions you can sign up for the "Microsoft Security Notification Service: Comprehensive Version".

* Protect your PC: Microsoft has provided information on how you can help protect your PC at the following locations:

  http://www.microsoft.com/security/protect/

If you receive an e-mail that claims to be distributing a Microsoft security update, it is a hoax that may be distributing a virus. Microsoft does not distribute security updates via e-mail. You can learn more about Microsoft's software distribution policies here:

********************************************************************
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
********************************************************************

********************************************************************
Title: Microsoft Security Bulletin Summary for December 2004
Issued: December 14, 2004
Version Number: 2.0
Bulletin: http://go.microsoft.com/fwlink/?LinkId=38912
********************************************************************

Summary:
========
This advisory contains information about all security updates released this month. It is broken down by security bulletin severity.

MS04-040 - Cumulative Security Update for Internet Explorer (889293)

- Affected Software:
  - Windows NT Server 4.0 Service Pack 6a
  - Windows NT Server 4.0 Terminal Server Edition Service Pack 6
  - Windows 2000 Service Pack 3
  - Windows 2000 Service Pack 4
  - Windows XP and Windows XP Service Pack 1
  - Windows XP 64-Bit Edition Service Pack 1

- Review the FAQ section of bulletin MS04-040 for information about these operating systems:
  - Microsoft Windows 98
  - Microsoft Windows 98 Second Edition (SE)
  - Microsoft Windows Millennium Edition (ME)

- Impact: Remote Code Execution
- Version Number: 1.0

Note: This bulletin (MS04-040) was released on December 1, 2004.

Important Security Bulletins
============================

MS04-041 - Vulnerability in WordPad Could Allow Code Execution (885836)

- Affected Software:
  - Windows NT Server 4.0 Service Pack 6a
  - Windows NT Server 4.0 Terminal Server Edition Service Pack 6
  - Windows 2000 Service Pack 3
  - Windows 2000 Service Pack 4
  - Windows XP Service Pack 1
  - Windows XP Service Pack 2
  - Windows XP 64-Bit Edition Service Pack 1
  - Windows XP 64-Bit Edition Version 2003
  - Windows Server 2003
  - Windows Server 2003 64-Bit Edition

- Impact: Remote Code Execution
- Version Number: 1.0

MS04-042 - Vulnerability in DHCP Could Allow Remote Code Execution and Denial of Service (885249)

- Affected Software:
  - Windows NT Server 4.0 Service Pack 6a
  - Windows NT Server 4.0 Terminal Server Edition Service Pack 6

- Impact: Remote Code Execution
- Version Number: 1.0

MS04-043 - Vulnerability in HyperTerminal Could Allow Code Execution (873339)

- Affected Software:
  - Windows NT Server 4.0 Service Pack 6a
  - Windows NT Server 4.0 Terminal Server Edition Service Pack 6
  - Windows 2000 Service Pack 3
  - Windows 2000 Service Pack 4
  - Windows XP Service Pack 1
  - Windows XP Service Pack 2
  - Windows XP 64-Bit Edition Service Pack 1
  - Windows XP 64-Bit Edition Version 2003
  - Windows Server 2003
  - Windows Server 2003 64-Bit Edition

- Impact: Remote Code Execution
- Version Number: 1.0

MS04-044 - Vulnerabilities in Windows Kernel and LSASS Could Allow Elevation of Privilege (885835)

- Affected Software:
  - Windows NT Server 4.0 Service Pack 6a
  - Windows NT Server 4.0 Terminal Server Edition Service Pack 6
  - Windows 2000 Service Pack 3
  - Windows 2000 Service Pack 4
  - Windows XP Service Pack 1
  - Windows XP Service Pack 2
  - Windows XP 64-Bit Edition Service Pack 1
  - Windows XP 64-Bit Edition Version 2003
  - Windows Server 2003
  - Windows Server 2003 64-Bit Edition

- Impact: Elevation of Privilege
- Version Number: 1.0

MS04-045 - Vulnerability in WINS Could Allow Remote Code Execution (870736)

- Affected Software:
  - Windows NT Server 4.0 Service Pack 6a
  - Windows NT Server 4.0 Terminal Server Edition Service Pack 6
  - Windows 2000 Service Pack 3
  - Windows 2000 Service Pack 4
  - Windows Server 2003
  - Windows Server 2003 64-Bit Edition

- Impact: Remote Code Execution
- Version Number: 1.0

Update Availability:
===================
Updates are available to address these issues. For additional information, including Technical Details, Workarounds, answers to Frequently Asked Questions, and Update Deployment Information please read the Microsoft Security Bulletin Summary for this month at: http://go.microsoft.com/fwlink/?LinkId=38912
* Join Microsoft's webcast for a live discussion of the technical details of these security bulletins and steps you can take to protect your environment. Details about the live webcast can be found at:

Acknowledgments:
================
Microsoft thanks the following for working with us to protect customers:
* Greg Jones of KPMG UK (http://www.kpmg.co.uk/) for reporting an issue described in MS04-041.
* Lord Yup working with iDefense (http://www.idefense.com/) for reporting an issue described in MS04-041.
* Kostya Kortchinsky (kostya.kortchinsky@renater.fr) from CERT RENATER for reporting the issues described in MS04-042.
* Brett Moore of Security-Assessment.com (http://www.security-assessment.com/) for reporting an issue described in MS04-043.
* Cesar Cerrudo of Application Security Inc. (http://www.appsecinc.com/) for reporting the issues described in MS04-044.
* Kostya Kortchinsky (kostya.kortchinsky@renater.fr) from CERT RENATER for reporting the issues described in MS04-045.

MS04-040 - Cumulative Security Update for Internet Explorer (889293)

- Affected Software:
  - Windows NT Server 4.0 Service Pack 6a
  - Windows NT Server 4.0 Terminal Server Edition Service Pack 6
  - Windows 2000 Service Pack 3
  - Windows 2000 Service Pack 4
  - Windows XP and Windows XP Service Pack 1
  - Windows XP 64-Bit Edition Service Pack 1

- Review the FAQ section of bulletin MS04-040 for information about these operating systems:
  - Microsoft Windows 98
  - Microsoft Windows 98 Second Edition (SE)
  - Microsoft Windows Millennium Edition (ME)

- Impact: Remote Code Execution
- Version Number: 1.0

Update Availability:
===================
An update is available to address these issues. For additional information, including Technical Details, Workarounds, answers to Frequently Asked Questions, and Update Deployment Information please read the Microsoft Security Bulletin Summary for this month at: http://go.microsoft.com/fwlink/?LinkId=38912

********************************************************************
Title: Microsoft Security Bulletin Re-Releases, November 2004
Issued: November 16, 2004
********************************************************************

Summary
=======
The following bulletins have undergone a major revision increment. Please see the appropriate bulletin for more details.

* MS04-039

Bulletin Information:
=====================

* MS04-039

  - http://www.microsoft.com/technet/security/bulletin/MS04-039.mspx
  - Reason for re-release: Bulletin updated to reflect the release of updated ISA Server 2000 security updates for all languages. These issues affected customers using ISA Server 2000 Service Pack 1 or using Windows 2000 Service Pack 3. The Security Update Replacement section has also been revised.
  - Originally posted: November 9, 2004
  - Updated: November 16, 2004
  - Bulletin Severity Rating: Important
  - Version: 3.0

********************************************************************
Title: Microsoft Security Bulletin Re-Releases, November 2004
Issued: November 10, 2004
********************************************************************

Summary
=======
The following bulletins have undergone a major revision increment. Please see the appropriate bulletin for more details.

* MS04-039

Bulletin Information:
=====================

* MS04-039

  - http://www.microsoft.com/technet/security/bulletin/MS04-039.mspx
  - Reason for re-release: Bulletin updated to reflect the release of an updated ISA Server 2000 security update for the German language only. This issue does not affect any other language version of this security update. The Security Update Replacement section has also been revised.
  - Originally posted: November 9, 2004
  - Updated: November 9, 2004
  - Bulletin Severity Rating: Important
  - Version: 2.0

********************************************************************
Title: Microsoft Security Bulletin Summary for November 2004
Issued: November 9, 2004
Version Number: 1.0
Bulletin: http://go.microsoft.com/fwlink/?LinkId=37221
********************************************************************

Summary:
========
This advisory contains information about all security updates released this month. It is broken down by security bulletin severity.

Important Security Bulletins
===========================

MS04-039 - Vulnerability in ISA Server 2000 and Proxy Server 2.0 Could Allow Internet Content Spoofing (888258)

- Affected Software:
  - Microsoft Proxy Server 2.0 Service Pack 1
  - Microsoft Internet Security and Acceleration Server 2000 Service Pack 1 and Microsoft Internet Security and Acceleration Server 2000 Service Pack 2
  - Microsoft Small Business Server 2000 (which includes Microsoft Internet Security and Acceleration Server 2000)
  - Microsoft Small Business Server 2003 Premium Edition (which includes Microsoft Internet Security and Acceleration Server 2000)

- Impact: Spoofing
- Version Number: 1.0

Update Availability:
===================
An update is available to address these issues. For additional information, including Technical Details, Workarounds, answers to Frequently Asked Questions, and Update Deployment Information please read the Microsoft Security Bulletin Summary for this month at: http://go.microsoft.com/fwlink/?LinkId=36672
* Join Microsoft's webcast for a live discussion of the technical details of these security bulletins and steps you can take to protect your environment. Details about the live webcast can be found at: www.microsoft.com/technet/security/bulletin/summary.mspx
The on-demand version of the webcast will be available 24 hours after the live webcast at: www.microsoft.com/technet/security/bulletin/summary.mspx

Acknowledgments:
================
Microsoft thanks the following for working with us to protect customers:

* Martijn de Vries (martijnv@infosupport.com) of Info Support for discovering and Thomas de Klerk (thomask@infosupport.com) of Info Support for reporting an issue described in MS04-039.

MS04-028 - Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)

- Affected Software:

  - Windows XP and Windows XP Service Pack 1
  - Windows XP 64-Bit Edition Service Pack 1
  - Windows XP 64-Bit Edition Version 2003
  - Windows Server 2003
  - Windows Server 2003 64-Bit Edition

  - Office 2003
  - Office XP Service Pack 3
  - Visio 2003 (All versions)
  - Visio 2002 Service Pack 2 (All versions)
  - Project 2003 (All versions)
  - Project 2002 Service Pack 1 (All versions)

- Review bulletin MS04-028 for information about these affected operating systems and applications:

  - Windows NT Workstation 4.0 Service Pack 6a
  - Windows NT Server 4.0 Service Pack 6a
  - Windows NT Server 4.0 Terminal Server Edition Service Pack 6
  - Windows 2000 Service Pack 2
  - Windows 2000 Service Pack 3
  - Windows 2000 Service Pack 4

  - The Microsoft .NET Framework, version 1.0
  - The Microsoft .NET Framework, version 1.1
  - Internet Explorer 6 Service Pack 1

  - Picture It! 2002 (All versions)
  - Greetings 2002
  - Picture It! version 7.0 (All versions)
  - Digital Image Pro version 7.0
  - Picture It! version 9 (All versions, including Picture It! Library)
  - Digital Image Pro version 9
  - Digital Image Suite version 9
  - Producer for Microsoft Office PowerPoint (All versions)

  - Visual Studio 2003 .NET
  - Visual Basic .NET Standard 2003
  - Visual C# .NET Standard 2003
  - Visual C++ .NET Standard 2003
  - Visual J# .NET Standard 2003
  - Visual Studio 2002 .NET
  - Visual Basic .NET Standard 2002
  - Visual C# .NET Standard 2002
  - Visual C++ .NET Standard 2002
  - The Microsoft .NET Framework, version 1.0 SDK
  - Platform SDK Redistributable: GDI+

- Review the FAQ section of bulletin MS04-028 for information about these operating systems:

  - Microsoft Windows 98
  - Microsoft Windows 98 Second Edition (SE)
  - Microsoft Windows Millennium Edition (ME)

- Impact: Remote Code Execution
- Version Number: 1.0

Important Security Bulletins
============================

MS04-027 - Vulnerability in WordPerfect Converter Could Allow Code Execution (884933)

- Affected Software:
  - Office 2003
  - Office XP Service Pack 3
  - Office 2000 Service Pack 3
  - Works Suite (All versions)

- Impact: Remote Code Execution
- Version Number: 1.0

Update Availability:
===================
An update is available to address these issues. For additional information, including Technical Details, Workarounds, answers to Frequently Asked Questions, and Update Deployment Information please read the Microsoft Security Bulletin Summary for this month at: http://go.microsoft.com/fwlink/?LinkId=34846
Acknowledgments: ================ Microsoft thanks the following for working with us to protect customers:
- Peter Winter-Smith of Next Generation Security Software Ltd. (http://www.nextgenss.com) for reporting the issue described in MS04-027.
- Nick DeBaggis (ndebaggis@verizon.net) for reporting the issue described in MS04-028.
******************************************************************** THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. ********************************************************************
******************************************************************** Title: Microsoft Security Bulletin Re-Releases, August 2004 Issued: August 10, 2004 ********************************************************************
Summary ======= The following bulletins have undergone a major revision increment. Please see the appropriate bulletin for more details.
* MS04-020
Bulletin Information: =====================
* MS04-020
- http://www.microsoft.com/technet/security/bulletin/MS04-020.mspx - Reason for re-release: Updated to reflect an additional affected product - Microsoft INTERIX 2.2. - Originally posted: July 13, 2004 - Updated: August 10, 2004 - Bulletin Severity Rating: Important - Version: 2.0
Additional Resources: =====================
* Protect your PC: Microsoft has provided information on how you can help protect your PC at the following locations:
If you receive an e-mail that claims to be distributing a Microsoft security update, it is a hoax that may be distributing a virus. Microsoft does not distribute security updates via e-mail. You can learn more about Microsoft's software distribution policies here:
********************************************************************
MS04-026 - Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting and Spoofing Attacks (842436)
- Affected Software: - Exchange Server 5.5 Service Pack 4 - Affected Components: - Outlook Web Access
Update Availability: =================== An update is available to address these issues. For additional information, including Technical Details, Workarounds, answers to Frequently Asked Questions, and Update Deployment Information please read the Microsoft Security Bulletin Summary for this month at: http://go.microsoft.com/fwlink/?LinkId=20833
Additional Resources: ===================== * Microsoft has created a free monthly e-mail newsletter containing valuable information to help you protect your network. This newsletter provides practical security tips, topical security guidance, useful resources and links, pointers to helpful community resources, and a forum for you to provide feedback and ask security-related questions. You can sign up for the newsletter at: http://www.microsoft.com/technet/security/secnews/default.mspx
* Join Microsoft's webcast for a live discussion of the technical details of these security bulletins and steps you can take to protect your environment. Details about the live webcast can be found at: http://go.microsoft.com/fwlink/?LinkId=32590
The on-demand version of the webcast will be available 24 hours after the live webcast at:
Acknowledgments: ================ Microsoft thanks the following for working with us to protect customers:
- Amit Klein of Sanctum Inc. (http://www.sanctuminc.com) for reporting the issue described in MS04-026.
********************************************************************
MS04-025 - Cumulative Security Update for Internet Explorer (867801)
- Affected Software: - Windows NT Workstation 4.0 Service Pack 6a - Windows NT Server 4.0 Service Pack 6a - Windows NT Server 4.0 Terminal Server Edition Service Pack 6 - Windows 2000 Service Pack 2 - Windows 2000 Service Pack 3 - Windows 2000 Service Pack 4 - Windows XP and Windows XP Service Pack 1 - Windows XP 64-Bit Edition Service Pack 1 - Windows XP 64-Bit Edition Version 2003 - Windows Server 2003 - Windows Server 2003 64-Bit Edition - Microsoft Windows 98 - Microsoft Windows 98 Second Edition (SE) - Microsoft Windows Millennium Edition (ME)
- Impact: Remote Code Execution - Version Number: 1.0
MS04-022 - Vulnerability in Task Scheduler Could Allow Code Execution (841873)
- Affected Software: - Windows 2000 Service Pack 2 - Windows 2000 Service Pack 3 - Windows 2000 Service Pack 4 - Windows XP and Windows XP Service Pack 1 - Windows XP 64-Bit Edition Service Pack 1
- Affected Components: - Internet Explorer 6 when installed on Windows NT 4.0 SP6a (Workstation, Server, or Terminal Server Edition)
- Impact: Remote Code Execution - Version Number: 1.1
MS04-023 - Vulnerability in HTML Help Could Allow Code Execution (840315)
- Affected Software: - Windows 2000 Service Pack 2 - Windows 2000 Service Pack 3 - Windows 2000 Service Pack 4 - Windows XP and Windows XP Service Pack 1 - Windows XP 64-Bit Edition Service Pack 1 - Windows XP 64-Bit Edition Version 2003 - Windows Server 2003 - Windows Server 2003 64-Bit Edition
- Affected Components: - Internet Explorer 6 when installed on Windows NT 4.0 SP6a (Workstation, Server, or Terminal Server Edition)
- Review the FAQ section of bulletin MS04-023 for information about these operating systems: - Microsoft Windows 98 - Microsoft Windows 98 Second Edition (SE) - Microsoft Windows Millennium Edition (ME)
- Impact: Remote Code Execution - Version Number: 1.0
Important Security Bulletins ============================
MS04-019 - Vulnerability in Utility Manager Could Allow Code Execution (842526)
- Affected Software: - Windows 2000 Service Pack 2 - Windows 2000 Service Pack 3 - Windows 2000 Service Pack 4
- Impact: Remote Code Execution - Version Number: 1.0
MS04-020 - Vulnerability in POSIX Could Allow Code Execution (841872)
- Affected Software: - Windows NT Workstation 4.0 Service Pack 6a - Windows NT Server 4.0 Service Pack 6a - Windows NT Server 4.0 Terminal Server Edition Service Pack 6 - Windows 2000 Service Pack 2 - Windows 2000 Service Pack 3 - Windows 2000 Service Pack 4
- Impact: Remote Code Execution - Version Number: 1.0
MS04-021 - Security Update for IIS 4.0 (841373)
- Affected Software: - Windows NT Workstation 4.0 Service Pack 6a - Windows NT Server 4.0 Service Pack 6a
- Impact: Remote Code Execution - Version Number: 1.1
MS04-024 - Vulnerability in Windows Shell Could Allow Remote Code Execution (839645)
- Affected Software: - Windows NT Workstation 4.0 Service Pack 6a - Windows NT Server 4.0 Service Pack 6a - Windows NT Server 4.0 Terminal Server Edition Service Pack 6 - Windows 2000 Service Pack 2 - Windows 2000 Service Pack 3 - Windows 2000 Service Pack 4 - Windows XP and Windows XP Service Pack 1 - Windows XP 64-Bit Edition Service Pack 1 - Windows XP 64-Bit Edition Version 2003 - Windows Server 2003 - Windows Server 2003 64-Bit Edition
- Review the FAQ section of bulletin MS04-024 for information about these operating systems: - Microsoft Windows 98 - Microsoft Windows 98 Second Edition (SE) - Microsoft Windows Millennium Edition (ME)
- Impact: Remote Code Execution - Version Number: 1.3
MS04-018 - Cumulative Security Update for Outlook Express (823353)
- Affected Software: - Windows NT Workstation 4.0 Service Pack 6a - Windows NT Server 4.0 Service Pack 6a - Windows NT Server 4.0 Terminal Server Edition Service Pack 6 - Windows 2000 Service Pack 2 - Windows 2000 Service Pack 3 - Windows 2000 Service Pack 4 - Windows XP and Windows XP Service Pack 1 - Windows XP 64-Bit Edition Service Pack 1 - Windows XP 64-Bit Edition Version 2003 - Windows Server 2003 - Windows Server 2003 64-Bit Edition
- Review the FAQ section of bulletin MS04-018 for information about these operating systems: - Microsoft Windows 98 - Microsoft Windows 98 Second Edition (SE) - Microsoft Windows Millennium Edition (ME)
- Impact: Denial of Service - Version Number: 1.0
Update Availability: =================== Updates are available to address these issues. For additional information, including Technical Details, Workarounds, answers to Frequently Asked Questions, and Update Deployment Information please read the Microsoft Security Bulletin Summary for this month at: http://go.microsoft.com/fwlink/?LinkId=32567
******************************************************************** Title: Microsoft Security Bulletin Summary for July 2004 Issued: July 13, 2004 Version Number: 1.0 Bulletin: http://go.microsoft.com/fwlink/?LinkId=32567 ********************************************************************
Summary: ======== This advisory contains information about all security updates released this month. It is broken down by security bulletin severity.
MS04-022 - Vulnerability in Task Scheduler Could Allow Code Execution (841873)
- Affected Software: - Windows 2000 Service Pack 2 - Windows 2000 Service Pack 3 - Windows 2000 Service Pack 4 - Windows XP and Windows XP Service Pack 1 - Windows XP 64-Bit Edition Service Pack 1
- Affected Components: - Internet Explorer 6 when installed on Windows NT 4.0 SP6a (Workstation, Server, or Terminal Server Edition)
- Impact: Remote Code Execution - Version Number: 1.0
MS04-023 - Vulnerability in HTML Help Could Allow Code Execution (840315)
- Affected Software: - Windows 2000 Service Pack 2 - Windows 2000 Service Pack 3 - Windows 2000 Service Pack 4 - Windows XP and Windows XP Service Pack 1 - Windows XP 64-Bit Edition Service Pack 1 - Windows XP 64-Bit Edition Version 2003 - Windows Server 2003 - Windows Server 2003 64-Bit Edition
- Affected Components: - Internet Explorer 6 when installed on Windows NT 4.0 SP6a (Workstation, Server, or Terminal Server Edition)
- Review the FAQ section of bulletin MS04-023 for information about these operating systems: - Microsoft Windows 98 - Microsoft Windows 98 Second Edition (SE) - Microsoft Windows Millennium Edition (ME)
- Impact: Remote Code Execution - Version Number: 1.0
Important Security Bulletins ============================
MS04-019 - Vulnerability in Utility Manager Could Allow Code Execution (842526)
- Affected Software: - Windows 2000 Service Pack 2 - Windows 2000 Service Pack 3 - Windows 2000 Service Pack 4
- Impact: Remote Code Execution - Version Number: 1.0
MS04-020 - Vulnerability in POSIX Could Allow Code Execution (841872)
- Affected Software: - Windows NT Workstation 4.0 Service Pack 6a - Windows NT Server 4.0 Service Pack 6a - Windows NT Server 4.0 Terminal Server Edition Service Pack 6 - Windows 2000 Service Pack 2 - Windows 2000 Service Pack 3 - Windows 2000 Service Pack 4
- Impact: Remote Code Execution - Version Number: 1.0
MS04-021 - Security Update for IIS 4.0 (841373)
- Affected Software: - Windows NT Workstation 4.0 Service Pack 6a - Windows NT Server 4.0 Service Pack 6a
- Impact: Remote Code Execution - Version Number: 1.0
MS04-024 - Vulnerability in Windows Shell Could Allow Remote Code Execution (839645)
- Affected Software: - Windows NT Workstation 4.0 Service Pack 6a - Windows NT Server 4.0 Service Pack 6a - Windows NT Server 4.0 Terminal Server Edition Service Pack 6 - Windows 2000 Service Pack 2 - Windows 2000 Service Pack 3 - Windows 2000 Service Pack 4 - Windows XP and Windows XP Service Pack 1 - Windows XP 64-Bit Edition Service Pack 1 - Windows XP 64-Bit Edition Version 2003 - Windows Server 2003 - Windows Server 2003 64-Bit Edition
- Review the FAQ section of bulletin MS04-024 for information about these operating systems: - Microsoft Windows 98 - Microsoft Windows 98 Second Edition (SE) - Microsoft Windows Millennium Edition (ME)
- Impact: Remote Code Execution - Version Number: 1.0
MS04-018 - Cumulative Security Update for Outlook Express (823353)
- Affected Software: - Windows NT Workstation 4.0 Service Pack 6a - Windows NT Server 4.0 Service Pack 6a - Windows NT Server 4.0 Terminal Server Edition Service Pack 6 - Windows 2000 Service Pack 2 - Windows 2000 Service Pack 3 - Windows 2000 Service Pack 4 - Windows XP and Windows XP Service Pack 1 - Windows XP 64-Bit Edition Service Pack 1 - Windows XP 64-Bit Edition Version 2003 - Windows Server 2003 - Windows Server 2003 64-Bit Edition
- Review the FAQ section of bulletin MS04-018 for information about these operating systems: - Microsoft Windows 98 - Microsoft Windows 98 Second Edition (SE) - Microsoft Windows Millennium Edition (ME)
- Impact: Denial of Service - Version Number: 1.0
Update Availability: =================== Updates are available to address these issues. For additional information, including Technical Details, Workarounds, answers to Frequently Asked Questions, and Update Deployment Information please read the Microsoft Security Bulletin Summary for this month at: http://go.microsoft.com/fwlink/?LinkId=32567
Additional Resources: =====================
* Join Microsoft's webcast for a live discussion of the technical details of these security bulletins and steps you can take to protect your environment. Details about the live webcast can be found at: http://go.microsoft.com/fwlink/?LinkId=30865
The on-demand version of the webcast will be available 24 hours after the live webcast at:
You have received this e-mail bulletin because of your subscription to the Microsoft Product Security Notification Service. For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.
Buffer Overflow in ISS Protocol Analysis Module
eEye Digital Security discovered a buffer-overflow vulnerability in the Internet Security Systems (ISS) Protocol Analysis Module component for the BlackICE, Proventia, and RealSecure products. The vulnerability results from insufficient size checks on certain protocol fields in ICQ Instant Messaging (IM) protocol response data and could lead to remote compromise of the vulnerable system. ISS has released an advisory and recommends that affected customers apply the appropriate available patch.
http://secadministrator.com/articles/index.cfm?articleid=42099

Security Alert, March 24, 2004

Buffer Overrun in WS_FTP Pro
John Layman discovered that a buffer-overrun vulnerability in WS_FTP Pro 8.02 and earlier can cause arbitrary code execution on the vulnerable system. If an attacker sends an ASCII mode directory data file that exceeds 260 bytes, and the file isn't terminated by a carriage return/line feed (CRLF), a buffer overrun results. WS_FTP Pro 8.03 isn't vulnerable to the buffer-overrun condition, so users should consider upgrading to version 8.03.
http://secadministrator.com/articles/index.cfm?articleid=42098

Security Alert, March 16, 2004

Denial of Service in Windows Media Services
Qualsys discovered a Denial of Service (DoS) vulnerability in Microsoft Windows Media Services 4.1. Microsoft has released security bulletin MS04-008, "Vulnerability in Windows Media Services Could Allow a Denial of Service (832359)," to address the vulnerability and recommends that affected users apply the appropriate patch listed in the bulletin.
http://secadministrator.com/articles/index.cfm?articleid=42021

Security Alert, March 15, 2004

Information Disclosure in MSN Messenger
qFox and Mephisto discovered a vulnerability in Microsoft MSN Messenger that can result in information disclosure on the vulnerable system. Microsoft has released security bulletin MS04-010, "Vulnerability in MSN Messenger Could Allow Information Disclosure (838512)," to address the vulnerability and recommends that affected users apply the appropriate patch listed in the bulletin.
http://secadministrator.com/articles/index.cfm?articleid=42023