Previous Security Bulletins
Microsoft Security Bulletin summary for March 2006
Critical
Microsoft Security Bulletin MS06-012
Vulnerabilities in Microsoft Office Could Allow Remote Code Execution
Update Number: 905413
Severity Rating: Critical
Affected Software:
· Microsoft Office 2000 Service Pack 3
· Microsoft Office XP Service Pack 3
· Microsoft Office 2003 Service Pack 1 or Service Pack 2
· Microsoft Works Suites
· Microsoft Office X for Mac
· Microsoft Office 2004 for Mac
This update resolves a newly-discovered, public vulnerability. If a user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS06-012.mspx
Important
Microsoft Security Bulletin MS06-011
Permissive Windows Services DACLs Could Allow Elevation of Privilege
Update Number: 914798
Severity Rating: Important
Affected Software:
· Microsoft Windows XP Service Pack 1
· Microsoft Windows Server 2003
· Microsoft Windows Server 2003 for Itanium-based Systems
Non-Affected Software:
· Microsoft Windows 2000 Service Pack 4
· Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
· Microsoft Windows XP Service Pack 2
· Microsoft Windows XP Professional x64 Edition
· Microsoft Windows Server 2003 with Service Pack 1 for Itanium-based Systems
This update resolves a newly-discovered, publicly-reported vulnerability. A privilege elevation vulnerability exists on Windows XP Service Pack 1 on the identified Windows services, where the permissions are set by default to a level that may allow a low-privileged user to change properties associated with the service. On Windows 2003, permissions on the identified services are set to a level that may allow a user who belongs to the Network Configuration Operators group to change properties associated with the service. Only members of the Network Configuration Operators group on the targeted machine can remotely attack Windows Server 2003, and this group contains no users by default. The vulnerability could allow a user with valid logon credentials to take complete control of the system on Microsoft Windows XP Service Pack 1. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS06-011.mspx
Microsoft Security Bulletin summary for February 2006
Critical
Microsoft Security Bulletin MS06-004
Cumulative Security Update for Internet Explorer
Update Number: 910620
Severity Rating: Critical
Affected Software:
· Microsoft Windows 2000 Service Pack 4
Non-Affected Software:
· Microsoft Windows 2000 Service Pack 4
· Microsoft Windows XP Professional x64 Edition
· Microsoft Windows XP Service Pack 2
· Microsoft Windows Server 2003 Service Pack 1
· Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
· Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
This update resolves a newly-discovered, public vulnerability. If a user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS06-004.mspx
Microsoft Security Bulletin MS06-005
Vulnerability in Microsoft Windows Media Player Could Allow Remote Code Execution
Update Number: 911565
Severity Rating: Critical
Affected Software:
· Windows Media Player for XP on Microsoft Windows XP Service Pack 1
· Windows Media Player 9 on Microsoft Windows XP Service Pack 2
· Windows Media Player 9 on Microsoft Windows Server 2003
· Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
Affected Components:
· Microsoft Windows Media Player 7.1 when installed on Windows 2000 Service Pack 4
· Microsoft Windows Media Player 9 when installed on Windows 2000 Service Pack 4 or Windows XP Service Pack 1
· Microsoft Windows Media Player 10 when installed on Windows XP Service Pack 1 or Windows XP Service Pack 2
Non-Affected Software:
· Windows Media Player 6.4 on all Microsoft Windows operating systems
· Windows Media Player 10 on Microsoft Windows Server 2003 Service Pack 1
· Microsoft Windows XP Professional x64 Edition
· Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
· Microsoft Windows Server 2003 x64 Edition
This update resolves a newly-discovered, privately-reported vulnerability. A remote code execution vulnerability exists in Windows Media Player because of the way that it handles processing bitmap files. An attacker could exploit the vulnerability by constructing a malicious bitmap file (.bmp) that could potentially allow remote code execution if a user visited a malicious Web site or viewed a malicious e-mail message. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS06-005.mspx
Important
Microsoft Security Bulletin MS06-006
Vulnerability in Windows Media Player Plug-in with Non-Microsoft Internet Browsers Could Allow Remote Code Execution
Update Number: 911564
Severity Rating: Important
Affected Software:
· Microsoft Windows 2000 Service Pack 4
· Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
· Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
· Microsoft Windows XP Professional x64 Edition
· Microsoft Windows Server 2003 x64 Edition
Non-Affected Software:
· Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
· Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
This update resolves a newly-discovered, privately-reported vulnerability. A remote code execution vulnerability exists in the Windows Media Player plug-in for non-Microsoft Internet browsers because of the way the Windows Media Player plug-in handles a malformed EMBED element. An attacker could exploit the vulnerability by constructing a malicious EMBED element that could potentially allow remote code execution if a user visited a malicious Web site. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. We recommend that users apply the update immediately. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS06-006.mspx
Microsoft Security Bulletin MS06-007
Vulnerability in TCP/IP Could Allow Denial of Service
Update Number: 913446
Severity Rating: Important
Affected Software:
· Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
· Microsoft Windows XP Professional x64 Edition
· Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
· Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
· Microsoft Windows Server 2003 x64 Edition
Non-Affected Software:
· Microsoft Windows 2000 Service Pack 4
· Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
This update resolves a newly-discovered, privately-reported vulnerability. A denial of service vulnerability exists that could allow an attacker to send a specially crafted IGMP packet to an affected system. An attacker could cause the affected system to stop responding. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS06-007.mspx
Microsoft Security Bulletin MS06-008
Vulnerability in Web Client Service Could Allow Remote Code Execution
Update Number: 911927
Severity Rating: Important
Affected Software:
· Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
· Microsoft Windows XP Professional x64 Edition
· Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
· Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
· Microsoft Windows Server 2003 x64 Edition
Non-Affected Software:
· Microsoft Windows 2000 Service Pack 4
· Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
This update resolves a newly-discovered, privately-reported vulnerability. A remote code execution vulnerability exists in the way that Windows processes Web Client requests that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS06-008.mspx
Microsoft Security Bulletin MS06-009
Vulnerability in the Korean Input Method Editor Could Allow Elevation of Privilege
Update Number: 901190
Severity Rating: Important
Affected Software:
· Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
· Microsoft Windows XP Professional x64 Edition
· Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
· Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
· Microsoft Windows Server 2003 x64 Edition
Affected Components:
· Microsoft Office 2003 Service Pack 1 and Service Pack 2
· Microsoft Office 2003 Multilingual User Interface Packs
· Microsoft Office Visio 2003 Multilingual User Interface Packs
· Microsoft Office Project 2003 Multilingual User Interface Packs
· Microsoft Office OneNote 2003
· Microsoft Office Project 2003
Non-Affected Software:
· Microsoft Windows 2000 Service Pack 4
· Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
· Microsoft Office XP Service Pack 3
· Microsoft Office 2000 Service Pack 3
This update resolves a newly-discovered, privately-reported vulnerability. A privilege elevation vulnerability exists in the Windows and Office Korean Input Method Editor (IME). This vulnerability could allow a malicious user to take complete control of an affected system. For an attack to be successful, an attacker must be able to log on interactively to the affected system. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS06-009.mspx
Microsoft Security Bulletin MS06-010
Vulnerability in PowerPoint 2000 Could Allow Information Disclosure
Update Number: 889167
Severity Rating: Important
Affected Software:
· Microsoft Office 2000 Service Pack 3 - PowerPoint 2000
Non-Affected Software:
· Microsoft Office XP Service Pack 3 - PowerPoint 2002
· Microsoft Office 2003 Service Pack 1 or Service Pack 2 - PowerPoint 2003
This update resolves a newly-discovered, privately-reported vulnerability. An attacker who successfully exploited this vulnerability could remotely attempt to access objects in the Temporary Internet Files Folder (TIFF) explicitly by name. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce useful information that could be used to try to further compromise the affected system. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS06-010.mspx
Microsoft Security Bulletin summary for January 2006
Critical
Microsoft Security Bulletin MS06-001
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution
Update Number: 912919
Severity Rating: Critical
Affected Software:
· Microsoft Windows 2000 Service Pack 4
· Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
· Microsoft Windows XP Professional x64 Edition
· Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
· Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
· Microsoft Windows Server 2003 x64 Edition
· Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
This update resolves a newly-discovered, publicly reported vulnerability. A remote code execution vulnerability exists in the Graphics Rendering Engine because of the way that it handles Windows Metafile (WMF) images. An attacker could exploit the vulnerability by constructing a specially crafted WMF image that could potentially allow remote code execution if a user visited a malicious Web site or opened a specially crafted attachment in e-mail. If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full privileges. Users whose accounts are configured to have fewer privileges on the system could be less impacted than users who operate with administrative privileges. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS06-001.mspx
Microsoft Security Bulletin MS06-002
Vulnerability in Embedded Web Fonts Could Allow Remote Code Execution
Update Number: 908519
Severity Rating: Critical
Affected Software:
· Microsoft Windows 2000 Service Pack 4
· Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
· Microsoft Windows XP Professional x64 Edition
· Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
· Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
· Microsoft Windows Server 2003 x64 Edition
· Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
This update resolves a newly-discovered, privately-reported vulnerability. A remote code execution vulnerability exists in Windows because of the way that it handles malformed embedded Web fonts. An attacker could exploit the vulnerability by constructing a malicious embedded Web font that could potentially allow remote code execution if a user visited a malicious Web site or viewed a specially crafted e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system; install programs; view, change, or delete data; or create new accounts that have full privileges. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS06-002.mspx
Microsoft Security Bulletin MS06-003
Vulnerability in TNEF Decoding in Microsoft Outlook and Microsoft Exchange Could Allow Remote Code Execution
Update Number: 902412
Severity Rating: Critical
Affected Software:
· Microsoft Office 2003 Service Pack 1 and Service Pack 2
· Microsoft Office 2000 Service Pack 3
· Microsoft Office XP Service Pack 3
· Microsoft Outlook
· Microsoft Office 2003 Multilingual User Interface Packs
· Microsoft Office 2003 Language Interface Packs
· Microsoft Exchange Server
Non-Affected Software:
· Microsoft Exchange Server 2003 Service Pack 1 and Service Pack 2
· Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
This update resolves a newly-discovered, privately-reported vulnerability that could allow an attacker to run arbitrary code on the system. On vulnerable versions of Outlook, Office Language Interface Packs, Office MultiLanguage Packs or Office Multilingual User Interface Packs, if a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of the client workstation. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
On vulnerable versions of Exchange, an attacker who successfully exploited this vulnerability could take complete control of an affected system. This vulnerability could be exploited automatically without user interaction. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. While remote code execution is possible, an attack would most likely result in a denial of service condition. We recommend that customers apply the security update as soon as possible. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS06-003.mspx
Microsoft Security Bulletin summary for December 2005
Critical
Microsoft Security Bulletin MS05-054
Cumulative Security Update for Internet Explorer
Update Number: 905915
Severity Rating: Critical
Affected Software:
· Microsoft Windows 2000 Service Pack 4
· Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
· Microsoft Windows XP Professional x64 Edition
· Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
· Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
· Microsoft Windows Server 2003 x64 Edition
Affected Components:
· Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4
· Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4 or on Microsoft Windows XP Service Pack 1
· Internet Explorer 6 for Microsoft Windows XP Service Pack 2
· Internet Explorer 6 for Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
· Internet Explorer 6 for Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
· Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition
· Internet Explorer 6 for Microsoft Windows XP Professional x64 Edition
· Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Millennium Edition
· Internet Explorer 6 Service Pack 1 on Microsoft Windows 98, on Microsoft Windows 98 SE, or on Microsoft Windows Millennium Edition
This update resolves several newly-discovered, publicly and privately reported vulnerabilities. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS05-054.mspx
Important
Microsoft Security Bulletin MS05-055
Vulnerability in Windows Kernel Could Allow Elevation of Privilege
Update Number: 908523
Severity Rating: Important
Affected Software:
· Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
· Microsoft Windows XP Professional x64 Edition
· Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
· Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
· Microsoft Windows Server 2003 x64 Edition
· Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
This update resolves a newly-discovered, privately-reported vulnerability. A privilege elevation vulnerability exists in the way that asynchronous procedure calls are processed within the kernel. This vulnerability could allow a logged-on user to take complete control of the system. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS05-055.mspx
Microsoft Security Bulletin summary for November 2005
Critical
Microsoft Security Bulletin MS05-053
Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution
Update Number: 896424
Severity Rating: Critical
Affected Software:
· Microsoft Windows 2000 Service Pack 4
· Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
· Microsoft Windows XP Professional x64 Edition
· Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
· Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
· Microsoft Windows Server 2003 x64 Edition
Non-Affected Software:
· Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
This update resolves several newly-discovered, privately reported and public vulnerabilities. A denial of service vulnerability exists in the rendering of Enhanced Metafile (EMF) image format that could allow any program that renders EMF images to be vulnerable to attack. An attacker who successfully exploited this vulnerability could cause the affected programs to stop responding. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx
Microsoft Security Bulletin summary for October 2005
Critical
Microsoft Security Bulletin MS05-050
Vulnerability in DirectShow Could Allow Remote Code Execution
Update Number: 904706
Severity Rating: Critical
Affected Software:
· Microsoft DirectX 7.0 on Microsoft Windows 2000 with Service Pack 4
· Microsoft DirectX 8.1 on Microsoft Windows XP Service Pack 1 and Microsoft DirectX 9.0c on Microsoft Windows XP with Service Pack 2
· Microsoft DirectX 9.0c on Microsoft Windows XP Professional x64 Edition
This update resolves a newly-discovered, privately-reported vulnerability. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS05-050.mspx
Microsoft Security Bulletin MS05-051
Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution
Update Number: 902400
Severity Rating: Critical
Affected Software:
· Microsoft Windows 2000 Service Pack 4
· Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
· Microsoft Windows XP Professional x64 Edition
· Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
· Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
· Microsoft Windows Server 2003 x64 Edition
Non-Affected Software:
· Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
This update resolves a newly-discovered, privately-reported vulnerability. An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS05-051.mspx
Microsoft Security Bulletin MS05-052
Cumulative Security Update for Internet Explorer
Update Number: 896688
Severity Rating: Critical
Affected Software:
· Microsoft Windows 2000 Service Pack 4
· Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
· Microsoft Windows XP Professional x64 Edition
· Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
· Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
· Microsoft Windows Server 2003 x64 Edition
· Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
This update resolves a newly-discovered public vulnerability and other privately-reported variations of the same vulnerability. The Microsoft DDS Library Shape Control (Msdds.dll) and other COM objects could, when instantiated in Internet Explorer, allow an attacker to take complete control of an affected system. Because these COM objects were not designed to be instantiated in Internet Explorer, this update sets the kill bit for the affected Class Identifiers (CLSID) in these COM objects. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS05-052.mspx
Important
Microsoft Security Bulletin MS05-046
Vulnerability in the Client Service for NetWare Could Allow Remote Code Execution
Update Number: 899589
Severity Rating: Important
Affected Software:
· Microsoft Windows 2000 Service Pack 4
· Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
· Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
Non-Affected Software:
· Microsoft Windows XP Professional x64 Edition
· Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
· Microsoft Windows Server 2003 x64 Edition
· Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
This update resolves a newly-discovered, privately-reported vulnerability. A remote code execution vulnerability exists in the Client Service for NetWare (CSNW). By default, CSNW is not installed on any affected operating system version. Only customers who manually installed CSNW could be vulnerable to this issue. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS05-046.mspx
Microsoft Security Bulletin MS05-047
Vulnerability in Plug and Play Could Allow Remote Code Execution and Local Elevation of Privilege
Update Number: 905749
Severity Rating: Important
Affected Software:
· Microsoft Windows 2000 Service Pack 4
· Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
Non-Affected Software:
· Microsoft Windows XP Professional x64 Edition
· Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
· Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
· Microsoft Windows Server 2003 x64 Edition
· Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
This update resolves a newly-discovered, privately-reported vulnerability. A remote code execution vulnerability exists in Plug and Play (PnP) that could allow an authenticated attacker who successfully exploited this vulnerability to take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS05-047.mspx
Microsoft Security Bulletin MS05-048
Vulnerability in the Microsoft Collaboration Data Objects Could Allow Remote Code Execution
Update Number: 907245
Severity Rating: Important
Affected Software:
· Microsoft Windows 2000 Service Pack 4
· Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
· Microsoft Windows XP Professional x64 Edition
· Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
· Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
· Microsoft Windows Server 2003 x64 Edition
· Microsoft Exchange 2000 Server Service Pack 3 with the Exchange 2000 Post-Service Pack 3
Non-Affected Software:
· Microsoft Exchange Server 2003
· Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
This update resolves a newly-discovered, privately-reported vulnerability that could allow an attacker to run arbitrary code on the system. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS05-048.mspx
Microsoft Security Bulletin MS05-049
Vulnerabilities in Windows Shell Could Allow Remote Code Execution
Update Number: 900725
Severity Rating: Important
Affected Software:
· Microsoft Windows 2000 Service Pack 4
· Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
· Microsoft Windows XP Professional x64 Edition
· Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
· Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
· Microsoft Windows Server 2003 x64 Edition
Non-Affected Software:
· Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
This update resolves a newly-discovered, privately-reported vulnerability. This vulnerability could allow a malicious user to take complete control of an affected system. For an attack to be successful, an attacker must be able to interactively log on to the affected system. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS05-049.mspx
|
|
Moderate
|
|
Microsoft Security Bulletin MS05-044
Vulnerability in the Windows FTP Client Could Allow File Transfer Location Tampering
Update Number: 905495
Severity Rating: Moderate
Affected Software:
· Microsoft Windows XP Service Pack 1
· Microsoft Windows Server 2003
· Microsoft Windows Server 2003 for Itanium-based Systems
Non-Affected Software:
· Microsoft Windows 2000 Service Pack 4
· Microsoft Windows XP Professional x64 Edition
· Microsoft Windows XP Service Pack 2
· Microsoft Windows Server 2003 Service Pack 1
· Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
· Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
This update resolves a newly-discovered, public vulnerability. A vulnerability exists in the Windows FTP client because of the way it validates file names. This vulnerability could allow an attacker to tamper with the file transfer location on the client during an FTP file transfer session. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS05-044.mspx
Microsoft Security Bulletin MS05-045
Vulnerability in Network Connection Manager Could Allow Denial of Service
Update Number: 905414
Severity Rating: Moderate
Affected Software:
· Microsoft Windows 2000 Service Pack 4
· Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
· Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
Non-Affected Software:
· Microsoft Windows XP Professional x64 Edition
· Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
· Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
This update resolves a newly-discovered, public vulnerability. An attacker who successfully exploited this vulnerability could cause the component responsible for managing network and remote access connections to stop responding. If the affected component is stopped due to an attack, it will automatically restart when new requests are received. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS05-045.mspx
|
Microsoft Security Bulletin summary for August 2005
|
Critical
|
|
Microsoft Security Bulletin MS05-038
Cumulative Security Update for Internet Explorer
Update Number: 896727
Severity Rating: Critical
Affected Software:
· Microsoft Windows XP Service Pack 1
· Microsoft Windows Server 2003
· Microsoft Windows Server 2003 for Itanium-based Systems
Affected Components:
· Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4
· Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4 or on Microsoft Windows XP Service Pack 1
· Internet Explorer 6 for Microsoft Windows XP Service Pack 2
· Internet Explorer 6 for Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
· Internet Explorer 6 for Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
· Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition
· Internet Explorer 6 for Microsoft Windows XP Professional x64 Edition
· Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Millennium Edition
· Internet Explorer 6 Service Pack 1 on Microsoft Windows 98, on Microsoft Windows 98 SE, or on Microsoft Windows Millennium Edition
This update resolves a newly-discovered, public vulnerability. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS05-038.mspx
Microsoft Security Bulletin MS05-039
Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege
Update Number: 899588
Severity Rating: Critical
Affected Software:
· Microsoft Windows 2000 Service Pack 4
· Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
· Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
· Microsoft Windows XP Professional x64 Edition
· Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Non-Affected Software:
· Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
This update resolves a newly-discovered, privately-reported vulnerability. A remote code execution vulnerability exists in Plug and Play (PnP) that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx
|
|
Important
|
|
Microsoft Security Bulletin MS05-040
Vulnerability in Telephony Service Could Allow Remote Code Execution
Update Number: 893756
Severity Rating: Important
Affected Software:
· Microsoft Windows 2000 Service Pack 4
· Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
· Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
· Microsoft Windows XP Professional x64 Edition
· Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
· Microsoft Windows Server 2003 x64 Edition
· Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
This update resolves a newly-discovered, privately-reported vulnerability. A vulnerability exists in the Telephony Application Programming Interface (TAPI) service that could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS05-040.mspx
|
|
Moderate
|
|
Microsoft Security Bulletin MS05-041
Vulnerability in Remote Desktop Protocol Could Allow Denial of Service
Update Number: 899591
Severity Rating: Moderate
Affected Software:
· Microsoft Windows 2000 Service Pack 4
· Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
· Microsoft Windows XP Professional x64 Edition
· Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
· Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
· Microsoft Windows Server 2003 x64 Edition
Non-Affected Software:
· Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
· Microsoft Windows Professional 2000 Server Service Pack
This update resolves a newly-discovered, privately-reported vulnerability. A vulnerability in the Remote Desktop Protocol (RDP) exists that could allow an attacker to cause a system to stop responding. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS05-041.mspx
Microsoft Security Bulletin MS05-042
Vulnerabilities in Kerberos Could Allow Denial of Service, Information Disclosure, and Spoofing
Update Number: 899587
Severity Rating: Moderate
Affected Software:
· Microsoft Windows 2000 Service Pack 4
· Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
· Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
· Microsoft Windows XP Professional x64 Edition
· Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
· Microsoft Windows Server 2003 x64 Edition
Non-Affected Software:
· Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
This update resolves two newly-discovered vulnerabilities, a privately reported vulnerability and a publicly reported vulnerability. An attacker who successfully exploited the most severe of these vulnerabilities could cause the service responsible for authenticating users in an Active Directory domain to stop responding. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS05-042.mspx
Microsoft Security Bulletin MS05-043
Vulnerability in Print Spooler Service Could Allow Remote Code Execution
Update Number: 896423
Severity Rating: Critical
Affected Software:
· Microsoft Windows 2000 Service Pack 4
· Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
· Microsoft Windows XP Professional x64 Edition
Non-Affected Software:
· Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
· Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
· Microsoft Windows Server 2003 x64 Edition
· Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
This update resolves a newly-discovered, privately-reported vulnerability. This vulnerability could allow a malicious user to take complete control of an affected system. For an attack to be successful, an attacker must be able to interactively log on to the affected system. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS05-043.mspx
|
Microsoft Security Bulletin summary for July 2005
|
Critical
|
|
Microsoft Security Bulletin MS05-035
Vulnerability in Microsoft Word Could Allow Remote Code Execution
Update Number: 903672
Severity Rating: Critical
Affected Software:
· Microsoft Office 2000 Software Service Pack 3
· Word 2000
· Microsoft Office XP Software Service Pack 3
· Word 2002
· Microsoft Works Suite 2000
· Microsoft Works Suite 2001
· Microsoft Works Suite 2002
· Microsoft Works Suite 2003
· Microsoft Works Suite 2004
Non-Affected Software:
· Microsoft Office 2003 Word
· Microsoft Office Word 2003 Viewer
This update resolves a newly-discovered, privately-reported vulnerability. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. We recommend that users apply the update immediately. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS05-035.mspx
Microsoft Security Bulletin MS05-036
Vulnerability in Microsoft Color Management Module Could Allow Remote Code Execution
Update Number: 901214
Severity Rating: Critical
Affected Software:
· Microsoft Windows 2000 Service Pack 4
· Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
· Microsoft Windows XP Professional x64 Edition
· Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
· Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
· Microsoft Windows Server 2003 x64 Edition
· Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
This update resolves a newly-discovered, privately-reported vulnerability. A remote code execution vulnerability exists in the Microsoft Color Management Module because of the way that it handles ICC profile format tag validation. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. We recommend that users apply the update immediately. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS05-036.mspx
Microsoft Security Bulletin MS05-037
Vulnerability in JView Profiler Could Allow Remote Code Execution
Update Number: 903235
Severity Rating: Critical
Affected Software:
· Microsoft Windows 2000 Service Pack 4
· Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
· Microsoft Windows XP Professional x64 Edition
· Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
· Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
· Microsoft Windows Server 2003 x64 Edition
· Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
Affected Components:
· JView Profiler
· Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4
· Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, or on Microsoft Windows XP Service Pack 1
· Internet Explorer 6 for Microsoft Windows XP Service Pack 2
· Internet Explorer 6 for Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
· Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
· Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition
· Internet Explorer 6 for Microsoft Windows XP Professional x64 Edition
· Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Millennium Edition
· Internet Explorer 6 Service Pack 1 on Microsoft Windows 98, on Microsoft Windows 98 SE or on Microsoft Windows Millennium Edition
This update resolves a newly-discovered, public vulnerability. A COM object, the JView Profiler (Javaprxy.dll), when instantiated in Internet Explorer, contains a remote code execution vulnerability that could allow an attacker to take complete control of an affected system. Since the JView Profiler COM object was not designed to be accessed through Internet Explorer, this update sets the kill bit for the JView Profiler (Javaprxy.dll) COM object. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. We recommend that users apply the update immediately. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS05-037.mspx
|
Microsoft Security Bulletin summary for June 2005
|
Critical
|
|
Microsoft Security Bulletin MS05-025
Cumulative Security Update for Internet Explorer
Update Number: 883939
Severity Rating: Critical
Affected Software:
· Microsoft Windows 2000 Service Pack 3
· Microsoft Windows 2000 Service Pack 4
· Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE) and Microsoft Windows Millennium Edition (Me)
· Microsoft Windows XP Service Pack 1
· Microsoft Windows XP Service Pack 2
· Microsoft Windows XP 64-Bit Edition Service Pack 1
· Microsoft Windows XP 64-Bit Edition Version 2003
· Microsoft Windows Server 2003
· Microsoft Windows Server 2003 for Itanium-based Systems
· Microsoft Windows Server 2003 Service Pack 1
· Microsoft Windows Server 2003 with Service Pack 1 for Itanium-based Systems
· Microsoft Windows Server 2003 64-Bit Edition
· Microsoft Windows XP Professional 64-Bit Edition
Affected Components:
· Internet Explorer 5.01 Service Pack 3 on Microsoft Windows 2000 Service Pack 3
· Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4
· Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 3, on Microsoft Windows 2000 Service Pack 4, or on Microsoft Windows XP Service Pack 1
· Internet Explorer 6 for Microsoft Windows XP Service Pack 2
· Internet Explorer 6 Service Pack 1 for Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
· Internet Explorer 6 for Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
· Internet Explorer 6 for Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium), Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
· Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition, and Microsoft Windows XP Professional x64 Edition
· Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Millennium Edition
· Internet Explorer 6 Service Pack 1 on Microsoft Windows 98, on Microsoft Windows 98 SE, or on Microsoft Windows Millennium Edition
This update resolves two newly-discovered, publicly and privately reported vulnerabilities. If a user is logged on with administrative user rights, an attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. We recommend that customers apply the update immediately. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS05-025.mspx
Microsoft Security Bulletin MS05-026
Vulnerability in HTML Help Could Allow Remote Code Execution
Update Number: 896358
Severity Rating: Critical
Affected Software:
· Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4
· Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
· Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
· Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
· Microsoft Windows XP Professional x64 Edition
· Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
· Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
· Microsoft Windows Server 2003 x64 Edition
· Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
This update resolves a newly-discovered, privately-reported vulnerability. A vulnerability exists in HTML Help that could allow remote code execution on an affected system. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. We recommend that customers apply the update immediately. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS05-026.mspx
Microsoft Security Bulletin MS05-027
Vulnerability in SMB Could Allow Remote Code Execution
Update Number: 896422
Severity Rating: Critical
Affected Software:
· Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4
· Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
· Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
· Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
· Microsoft Windows XP Professional x64 Edition
· Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
· Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
· Microsoft Windows Server 2003 x64 Edition
Non-Affected Software:
· Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
This update resolves a newly-discovered, privately-reported vulnerability. A remote code execution vulnerability exists in Server Message Block (SMB) that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We recommend that customers apply the update immediately. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS05-027.mspx
|
|
Important
|
|
Microsoft Security Bulletin MS05-028
Vulnerability in Web Client Service May Allow Remote Code Execution
Update Number: 896426
Severity Rating: Important
Affected Software:
· Microsoft Windows XP Service Pack 1
· Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
· Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
· Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
· Microsoft Windows Server 2003 for Itanium-based Systems
Non-Affected Software:
· Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4
· Microsoft Windows XP Service Pack 2
· Microsoft Windows XP Professional x64 Edition
· Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
· Microsoft Windows Server 2003 x64 Edition
· Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
This update resolves a newly-discovered, privately-reported vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We recommend that customers apply the update at the earliest opportunity. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS05-028.mspx
Microsoft Security Bulletin MS05-029
Vulnerability in Outlook Web Access for Exchange Server 5.5 Could Allow Cross-Site Scripting Attacks
Update Number: 895179
Severity Rating: Important
Affected Software:
· Microsoft Exchange Server 5.5 Service Pack 4
Non-Affected Software:
· Microsoft Exchange 2000 Server Service Pack 3 with the Exchange 2000 Post-Service Pack 3 Update Rollup of August 2004
· Microsoft Exchange Server 2003
· Microsoft Exchange Server 2003 Service Pack 1
This update resolves a newly-discovered, privately-reported vulnerability. A cross-site scripting and spoofing vulnerability exists in Outlook Web Access for Exchange Server 5.5 that could allow an attacker to convince a user to run a malicious script. An attacker who successfully exploited the vulnerability could perform cross-site scripting attacks. We recommend that customers apply the update at the earliest opportunity. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS05-029.mspx
Microsoft Security Bulletin MS05-030
Cumulative Security Update for Outlook Express
Update Number: 897715
Severity Rating: Important
Affected Software:
· Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4
· Microsoft Windows XP Service Pack 1
· Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
· Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
· Microsoft Windows Server 2003 for Itanium-based Systems
· Microsoft Windows Server 2003
· Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
Affected Components:
· Outlook Express 5.5 Service Pack 2 on Microsoft Windows 2000 Service Pack 3 and on Microsoft Windows 2000 Service Pack 4
· Outlook Express 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 3, on Microsoft Windows 2000 Service Pack 4, or on Microsoft Windows XP Service Pack 1
· Outlook Express 6 Service Pack 1 for Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
· Outlook Express 6 for Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
· Outlook Express 6 for Microsoft Windows Server 2003 for Itanium-based Systems
· Outlook Express 6 for Microsoft Windows Server 2003
Non-Affected Software:
· Microsoft Windows Server 2003 Service Pack 1
· Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
· Microsoft Windows Server 2003 x64 Edition
· Microsoft Windows XP Professional x64 Edition
· Microsoft Windows XP Service Pack 2
This update resolves a newly-discovered, privately-reported vulnerability. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. We recommend that customers apply the update at the earliest opportunity. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS05-030.mspx
Microsoft Security Bulletin MS05-031
Vulnerability in Microsoft Windows Interactive Training Could Allow Remote Code Execution
Update Number: 898458
Severity Rating: Important
Affected Software:
· Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4
· Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
· Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
· Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
· Microsoft Windows XP Professional x64 Edition
· Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
· Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
· Microsoft Windows Server 2003 x64 Edition
· Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
This update resolves a newly-discovered, privately-reported vulnerability. The Step-by-Step Interactive Training has a remote code execution vulnerability that could allow an attacker to take complete control of an affected system. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. However, user interaction is required to exploit this vulnerability. We recommend that customers apply the update at the earliest opportunity. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS05-031.mspx
|
|
Moderate
|
|
Microsoft Security Bulletin MS05-032
Vulnerability in Microsoft Agent Could Allow Spoofing
Update Number: 890046
Severity Rating: Moderate
Affected Software:
· Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4
· Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
· Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
· Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
· Microsoft Windows XP Professional x64 Edition
· Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
· Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
· Microsoft Windows Server 2003 x64 Edition
· Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
This update resolves a newly-discovered, privately-reported vulnerability. This vulnerability could enable an attacker to spoof trusted Internet content. We recommend that users apply the update at the earliest opportunity. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS05-032.mspx
Microsoft Security Bulletin MS05-033
Vulnerability in Telnet Client Could Allow Information Disclosure
Update Number: 896428
Severity Rating: Moderate
Affected Software:
· Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
· Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
· Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
· Microsoft Windows XP Professional x64 Edition
· Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
· Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
· Microsoft Windows Server 2003 x64 Edition
· Microsoft Windows Services for UNIX 3.5 when running on Windows 2000
· Microsoft Windows Services for UNIX 3.0 when running on Windows 2000
· Microsoft Windows Services for UNIX 2.2 when running on Windows 2000
· Microsoft Windows Services for UNIX 2.1 when running on Windows 2000
· Microsoft Windows Services for UNIX 2.0 when running on Windows 2000
Non-Affected Software:
· Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4
· Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
This update resolves a newly-discovered, privately-reported vulnerability. An attacker who successfully exploited this information disclosure vulnerability could remotely read the session variables for users who have open connections to a malicious telnet server. We recommend that users apply the update at the earliest opportunity. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS05-033.mspx
Microsoft Security Bulletin MS05-034
Cumulative Security Update for ISA Server 2000
Update Number: 899753
Severity Rating: Moderate
Affected Software:
· Microsoft Internet Security and Acceleration (ISA) Server 2000 Service Pack 2
· Microsoft Small Business Server 2000
· Microsoft Small Business Server 2003 Premium Edition
Non-Affected Software:
· Microsoft Internet Security and Acceleration (ISA) Server 2004 Standard Edition
· Microsoft Internet Security and Acceleration (ISA) Server 2004 Enterprise Edition
This update resolves a newly-discovered, privately-reported vulnerability. Vulnerabilities exist in Microsoft ISA Server 2000 that could allow circumvention of a packet filter and enable an attacker to retrieve unpredictable information from an ISA Server's cache or from a system behind the ISA server. We recommend that users apply the update at the earliest opportunity. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS05-034.mspx
|
Microsoft Security Bulletin summary for May 2005
|
Important
|
|
Microsoft Security Bulletin MS05-024
Vulnerability in Web View Could Allow Remote Code Execution
Update Number: 894320
Severity Rating: Important
Affected Software:
· Microsoft Windows 2000 Service Pack 3
· Microsoft Windows 2000 Service Pack 4
· Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE) and Microsoft Windows Millennium Edition (Me)
Non-Affected Software:
· Microsoft Windows XP Service Pack 1
· Microsoft Windows XP Service Pack 2
· Microsoft Windows XP 64-Bit Edition Service Pack 1
· Microsoft Windows XP 64-Bit Edition Version 2003
· Microsoft Windows Server 2003
· Microsoft Windows Server 2003 for Itanium-based Systems
· Microsoft Windows Server 2003 Service Pack 1
· Microsoft Windows Server 2003 with Service Pack 1 for Itanium-based Systems
· Microsoft Windows Server 2003 64-Bit Edition
· Microsoft Windows XP Professional 64-Bit Edition
This update resolves a newly-discovered, public vulnerability. A remote code execution vulnerability exists in the way that Web View in Windows Explorer handles certain HTML characters in preview fields. By persuading a user to preview a malicious file, an attacker could execute arbitrary code in the context of the logged on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. However, user interaction is required to exploit this vulnerability. We recommend that users apply the update at the earliest opportunity. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS05-024.mspx
|
Microsoft Security Bulletin summary for April 2005
|
Critical
|
|
Microsoft Security Bulletin MS05-019
Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service
Update Number: 893066
Severity Rating: Critical
Affected Software:
· Microsoft Windows 2000 Service Pack 3
· Microsoft Windows 2000 Service Pack 4
· Microsoft Windows XP Service Pack 1
· Microsoft Windows XP Service Pack 2
· Microsoft Windows XP 64-Bit Edition Service Pack 1
· Microsoft Windows XP 64-Bit Edition Version 2003
· Microsoft Windows Server 2003
· Microsoft Windows Server 2003 for Itanium-based Systems
· Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE) and Microsoft Windows Millennium Edition (Me)
Non-Affected Software:
· Microsoft Windows Server 2003 Service Pack 1
· Microsoft Windows Server 2003 with Service Pack 1 for Itanium-based Systems
· Microsoft Windows Server 2003 64-Bit Edition
· Microsoft Windows XP Professional 64-Bit Edition
This update resolves several newly-discovered, privately-reported and public vulnerabilities. An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. However, an attacker who successfully exploited the most severe of these vulnerabilities would most likely cause the affected system to stop responding. We recommend that customers apply the update immediately. More information for this update can be found at:
http://www.microsoft.com/technet/security/bulletin/MS05-019.mspx
Microsoft Security Bulletin MS05-020
Cumulative Security Update for Internet Explorer
Update Number: 890923
Severity Rating: Critical
Affected Software:
· Microsoft Windows 2000 Service Pack 3
· Microsoft Windows 2000 Service Pack 4
· Microsoft Windows XP Service Pack 1
· Microsoft Windows XP Service Pack 2
· Microsoft Windows XP 64-Bit Edition Service Pack 1
· Microsoft Windows XP 64-Bit Edition Version 2003
· Microsoft Windows Server 2003
· Microsoft Windows Server 2003 for Itanium-based Systems
· Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE) and Microsoft Windows Millennium Edition (Me)
Non-Affected Software:
· Microsoft Windows Server 2003 Service Pack 1
· Microsoft Windows Server 2003 with Service Pack 1 for Itanium-based Systems
· Microsoft Windows Server 2003 64-Bit Edition
· Microsoft Windows XP Professional 64-Bit Edition
This update resolves several newly-discovered, privately reported vulnerabilities. If a user is logged on with administrative user rights, an attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. We recommend that customers apply the update immediately. More information for this update can be found at:
http://www.microsoft.com/technet/security/Bulletin/MS05-020.mspx
Microsoft Security Bulletin MS05-021
Vulnerability in Exchange Server Could Allow Remote Code Execution
Update Number: 894549
Severity Rating: Critical
Affected Software:
· Microsoft Exchange 2000 Server Service Pack 3
· Microsoft Exchange Server 2003
· Microsoft Exchange Server 2003 Service Pack 1
Non-Affected Software:
· Microsoft Exchange Server 5.5 Service Pack 4
· Microsoft Exchange Server 5.0 Service Pack 2
This update resolves a newly-discovered, privately-reported vulnerability in Microsoft Exchange Server that could allow an attacker to run arbitrary code on the system. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We recommend that customers apply the update immediately. More information for this update can be found at:
http://www.microsoft.com/technet/security/Bulletin/MS05-021.mspx
Microsoft Security Bulletin MS05-022
Vulnerability in MSN Messenger Could Lead to Remote Code Execution
Update Number: 896597
Severity Rating: Critical
Affected Software:
· MSN Messenger 6.2
Non-Affected Software:
· MSN Messenger 7.0
This update resolves a newly-discovered, privately-reported vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We recommend that customers apply the update immediately. More information for this update can be found at:
http://www.microsoft.com/technet/security/Bulletin/MS05-022.mspx
Microsoft Security Bulletin MS05-023
Vulnerabilities in Microsoft Word May Lead to Remote Code Execution
Update Number: 890169
Severity Rating: Critical
Affected Software:
· Microsoft Word 2000
· Microsoft Works Suite 2001
· Microsoft Word 2002
· Microsoft Works Suite 2002
· Microsoft Works Suite 2003
· Microsoft Works Suite 2004
· Microsoft Office Word 2003
This update resolves two newly-discovered vulnerabilities in Microsoft Word that could allow an attacker to run arbitrary code on a user's system. If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges. We recommend that customers apply the update immediately. More information for this update can be found at:
http://www.microsoft.com/technet/security/Bulletin/MS05-023.mspx
|
|
Important
|
|
Microsoft Security Bulletin MS05-016
Vulnerability in Windows Shell that Could Allow Remote Code Execution
Update Number: 893086
Severity Rating: Important
Affected Software:
· Microsoft Windows 2000 Service Pack 3
· Microsoft Windows 2000 Service Pack 4
· Microsoft Windows XP Service Pack 1
· Microsoft Windows XP Service Pack 2
· Microsoft Windows XP 64-Bit Edition Service Pack 1
· Microsoft Windows XP 64-Bit Edition Version 2003
· Microsoft Windows Server 2003
· Microsoft Windows Server 2003 for Itanium-based Systems
· Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE) and Microsoft Windows Millennium Edition (Me)
Non-Affected Software:
· Microsoft Windows Server 2003 Service Pack 1
· Microsoft Windows Server 2003 with Service Pack 1 for Itanium-based Systems
· Microsoft Windows Server 2003 64-Bit Edition
· Microsoft Windows XP Professional 64-Bit Edition
This update resolves a newly-discovered, privately-reported vulnerability. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. We recommend that customers apply the update at the earliest opportunity. More information for this update can be found at:
http://www.microsoft.com/technet/security/Bulletin/MS05-016.mspx
Microsoft Security Bulletin MS05-017
Vulnerability in Message Queuing Could Allow Code Execution
Update Number: 892944
Severity Rating: Important
Affected Software:
· Microsoft Windows 2000 Service Pack 3
· Microsoft Windows 2000 Service Pack 4
· Microsoft Windows XP Service Pack 1
· Microsoft Windows XP 64-Bit Edition Service Pack 1
· Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE)
Non-Affected Software:
· Microsoft Windows XP Service Pack 2
· Microsoft Windows XP 64-Bit Edition Version 2003
· Microsoft Windows Server 2003
· Microsoft Windows Server 2003 Service Pack 1
· Microsoft Windows Server 2003 for Itanium-based Systems
· Microsoft Windows Millennium Edition (Me)
This update resolves a newly-discovered, privately-reported vulnerability. A remote code execution vulnerability exists in the Message Queuing component. By default, the Message Queuing component is not installed on any affected operating system version. Only customers who manually installed the Message Queuing component could be vulnerable to this issue. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We recommend that customers apply the update at the earliest opportunity. More information for this update can be found at:
http://www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
Microsoft Security Bulletin MS05-018
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege and Denial of Service
Update Number: 890859
Severity Rating: Important
Affected Software:
· Microsoft Windows 2000 Service Pack 3
· Microsoft Windows 2000 Service Pack 4
· Microsoft Windows XP Service Pack 1
· Microsoft Windows XP Service Pack 2
· Microsoft Windows XP 64-Bit Edition Service Pack 1
· Microsoft Windows XP 64-Bit Edition Version 2003
· Microsoft Windows Server 2003
· Microsoft Windows Server 2003 for Itanium-based Systems
· Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE) and Microsoft Windows Millennium Edition (Me)
Non-Affected Software:
· Microsoft Windows Server 2003 Service Pack 1
· Microsoft Windows Server 2003 with Service Pack 1 for Itanium-based Systems
· Microsoft Windows Server 2003 64-Bit Edition
· Microsoft Windows XP Professional 64-Bit Edition
This update resolves several newly-discovered, privately-reported vulnerabilities. An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We recommend that customers apply the update at the earliest opportunity. More information for this update can be found at:
http://www.microsoft.com/technet/security/Bulletin/MS05-018.mspx
|
Microsoft Security Bulletin summary for February 2005
|