MS Security Bulletins - Vol. 3


socalgal
11-12-1999, 10:00 PM
For previous MS Security Bulletins 30 through 48, see http://www.sysopt.com/forum/Forum1/HTML/001969.html

======================================

The following is a Security Bulletin from the Microsoft Product Security
Notification Service.

Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************

Microsoft Security Bulletin (MS99-049)
--------------------------------------

Patch Available for "File Access URL" Vulnerability
Originally Posted: November 12, 1999

Summary
=======
Microsoft has released a patch that eliminates a vulnerability in
Microsoft Windows 95 or Windows 98. The vulnerability could allow
a malicious web site or e-mail message to cause the Windows
machine to crash, or to run arbitrary code.

Frequently asked questions regarding this vulnerability can be
found at http://www.microsoft.com/security/bulletins/MS99-049faq.asp

Issue
=====
There is a buffer overflow in the Windows 95 and Windows 98
networking software that processes file name strings. If the
networking software were provided with a very long random string
as input, it could crash the machine. If provided with a
specially-malformed argument, it could be used to run arbitrary
code on the machine via a classic buffer overrun attack.

The vulnerability could be exploited remotely in cases where a
file:// URL or a Universal Naming Convention (UNC) string on a
remote web site included a long file name or where a long file
name was included in an e-mail message.

Affected Software Versions
==========================
The buffer overrun is present in the networking software in all
versions of Windows 95 and Windows 98.

Patch Availability
==================
- Windows 95:
http://download.microsoft.com/download/win95/update/245729/w95/en-us/245729us5.exe
- Windows 98:
http://download.microsoft.com/download/win98/update/245729/w98/en-us/245729us8.exe

More Information
================
Please see the following references for more information related to this
issue.

- Microsoft Security Bulletin MS99-049: Frequently Asked Questions,
http://www.microsoft.com/security/bulletins/MS99-049faq.asp
- Microsoft Knowledge Base (KB) article Q245729, Windows 95 and
98 File Access URL Update,
http://support.microsoft.com/support/kb/articles/q245/7/29.asp
(Note: It may take 24 hours from the original posting of this
bulletin for the KB article to be visible.)
- Microsoft Security Advisor web site,
http://www.microsoft.com/security/default.asp

Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at
http://support.microsoft.com/support/contact/default.asp

Acknowledgments
===============
Microsoft acknowledges UNYUN, the Shadow Penguin Security Research
Group of Japan for bringing this issue to our attention.

Revisions
=========
- November 12, 1999: Bulletin Created.

Target
11-13-1999, 12:13 AM
Thanks for providing the heads-up on all the security bulletins Socalgal......you're the best-est

Bleeding Edge
11-13-1999, 01:38 AM
I appreciate your post.

Chainsaw
11-14-1999, 02:27 AM
Thanks SG,
I'm a bit curious why this is not referred to on the Microsoft Windows Update page.
Would this not be classified as one of their "CRITICAL UPDATES"?
...Chainsaw

socalgal
11-14-1999, 10:30 AM
Thanks Target, Bleeding Edge, Chainsaw - actually that's a good question - it seems that MS takes a day or two sometimes before the Security Bulletins reach the Update/Critical Updates site. I don't know why as I wasn't able to find a reason listed looking around their site (unless I missed something).

Anyone can receive these Security Bulletins in their email on the day they are released. For a list of Security Bulletins released since October 1998, and a link to receive same in your email, go to http://www.microsoft.com/security/bulletins/current.asp?ID=4&Parent=1

Chainsaw
11-15-1999, 11:29 PM
SG,
Well, I don't suppose a day or two really makes much difference, but it's nice to be able to keep up to date on these things, just like keeping up to date on the ol' AntiVirus. Thanks again for keepin' us all informed. ...

...chainsaw

[This message has been edited by Chainsaw (edited 11-15-1999).]

socalgal
11-17-1999, 07:19 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.

Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************

On October 22, 1999, Microsoft released Security Bulletin MS99-046,
discussing the availability of a patch that improves the randomness of TCP
Initial Sequence Numbers. However, we recently learned that the patch
contains a regression error, and as a result, we have removed it from our
download site. We are working to correct the error, and will deliver an
updated version of the patch shortly. In the meantime, we wanted to provide
some information on the problem and what customers should do.

The patch is affected by the same error that recently was announced in
Windows NT 4.0 Service Pack 6. (Please see
http://www.microsoft.com/ntserver/nts/downloads/recommended/SP6/allSP6.asp
for more information on Service Pack 6). The effect of the error is to
prevent some applications from connecting to the server via WINSOCK unless
run in an administrative context. The error is not associated with TCP
Initial Sequence Numbers, nor does it pose any security risk. If you are
not experiencing problems with the patch, you can safely leave it in place
until the updated patch is available. If you are experiencing problems,
please see http://www.microsoft.com/security/bulletins/MS99-046faq.asp for
information on how to remove the patch or apply a temporary workaround.

A new version of the patch is nearly complete, and we expect to release it
soon. When it is available, we will update the bulletin and announce the
availability of the patch via the Microsoft Product Security Notification
Service. We are very sorry for any inconvenience caused by the error.
Sincerely,

The Microsoft Product Security Team

socalgal
11-17-1999, 09:51 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.

Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************

Microsoft Security Bulletin (MS99-043)
--------------------------------------

Patch Available for "Javascript Redirect" Vulnerability
Originally Posted: October 18, 1999
Re-released: November 17, 1999

Summary
=======
On October 18, 1999, Microsoft released the original version of this
bulletin, in order to advise customers of a workaround for a vulnerability
in Microsoft(r) Internet Explorer. The vulnerability could allow a
malicious web site operator to read files on the computer of a user who
visited the site, under certain circumstances. Microsoft has completed a
patch that completely eliminates the vulnerability, and has re-released
this bulletin in order to advise customers of its availability.

Frequently asked questions regarding this vulnerability can be found
at http://www.microsoft.com/security/bulletins/MS99-043faq.asp

Issue
=====
Client-local data that is displayed in the browser window can be made
available to the server by using a redirect to a Javascript applet running
in the same window. This in effect bypasses cross-domain security and makes
the data available to the applet, which could then send the data to a
hostile server. This could allow a malicious web site operator to read the
contents of files on visiting users' computers, if he or she knew the name
of the file and the folder in which it resided. The vulnerability would not
allow the malicious user to list the contents of folders, create, modify or
delete files, or to usurp any administrative control over the machine.

Affected Software Versions
==========================
- Microsoft Internet Explorer 4.01 and 5.

Patch Availability
==================
- http://www.microsoft.com/downloads
- http://www.microsoft.com/msdownload/iebuild/jsredir/en/jsredir.htm

NOTE: The IE 4.01 patch requires IE 4.01 SP2 in order to install.
IE 4.01 SP 2 is available at
http://www.microsoft.com/Windows/ie/download/windows.htm

NOTE: The patch will be available shortly via the WindowsUpdate
site. When this happens, we will modify this bulletin to provide
additional information.

More Information
================
Please see the following references for more information related to this
issue.
- Microsoft Security Bulletin MS99-043: Frequently Asked Questions,
http://www.microsoft.com/security/bulletins/MS99-043faq.asp
- Microsoft Knowledge Base (KB) article Q244356,
Update for "Javascript Redirect" Vulnerability in Internet
Explorer 4.01,
http://support.microsoft.com/support/kb/articles/q244/3/56.asp
- Microsoft Knowledge Base (KB) article Q244357,
Update for "Javascript Redirect" Vulnerability in Internet
Explorer 5,
http://support.microsoft.com/support/kb/articles/q244/3/57.asp
- Microsoft Security Advisor web site,
http://www.microsoft.com/security/default.asp

NOTE: It may take 24 hours from the original posting of this
bulletin for the KB articles to be visible.

Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at
http://support.microsoft.com/support/contact/default.asp

Revisions
=========
- October 18, 1999: Bulletin Created.
- November 17, 1999: Bulletin re-released to provide information
on availability of patch.

socalgal
11-29-1999, 09:05 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.

Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************

Microsoft Security Bulletin (MS99-051)
--------------------------------------

Patch Available for "IE Task Scheduler" Vulnerability
Originally Posted: November 29, 1999

Summary
=======
Microsoft has released a version upgrade that eliminates a vulnerability in
Microsoft(r) Internet Explorer 5. A vulnerability in an optional component
could allow a malicious user to gain additional privileges on a Windows NT
machine that allowed him or her to create or change files.

Frequently asked questions regarding this vulnerability can be found at
http://www.microsoft.com/security/bulletins/MS99-051faq.asp

Issue
=====
IE 5 includes an Offline Browsing Pack that is not installed by default. The
Offline Browsing Pack provides a Task Scheduler that replaces the native
Windows NT Schedule Service (the schedule service is also known as the "AT
Service"). A vulnerability in the Task Scheduler poses a privilege elevation
risk and could allow normal users to execute code on the local machine in
System context. (The Windows NT Schedule Service does not have this
vulnerability).

The IE 5 Task Scheduler controls who can create and submit "AT jobs." The
utility that is used to create AT jobs can only be run by an administrator,
and the Task Scheduler will only execute AT jobs that are owned by
administrators. However, if a malicious user had change access to an
existing file owned by an administrator (it would not need to be an AT job),
he or she could modify it to be a valid AT job and place in the appropriate
folder for execution. This would bypass the control mechanism and allow the
job to be executed.

This vulnerability would primarily affect machines that allow normal users
to interactively log onto them. The patch eliminates this vulnerability by
digitally signing all AT jobs at creation time, and verifying the signature
at execution time.

Affected Software Versions
==========================
- Microsoft Internet Explorer 5, when run on a Windows NT 4.0 system

NOTE: The affected components are part of the IE 5 Offline Browsing Pack,
which is not installed by default.

NOTE: Windows NT 4.0 includes a native scheduling service, but it does not
have this vulnerability.

Patch Availability
==================
The vulnerability is eliminated by IE 5.01, which is available at:
- http://www.microsoft.com/msdownload/iebuild/ie501_win32/en/ie501_win32.htm

NOTE: A line break has been inserted into the above URL for readability.

More Information
================
Please see the following references for more information related to this
issue.
- Microsoft Security Bulletin MS99-051: Frequently Asked Questions,
http://www.microsoft.com/security/bulletins/MS99-051faq.asp
- Microsoft Knowledge Base (KB) article Q246972,
IE 5 Task Scheduler Allows Privilege Elevation on Windows NT Systems,
http://support.microsoft.com/support/kb/articles/q245/7/29.asp
(NOTE: It may take 24 hours from the original posting of this bulletin
for this KB article to be visible)
- Microsoft Security Advisor web site,
http://www.microsoft.com/security/default.asp

Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at
http://support.microsoft.com/support/contact/default.asp

Acknowledgments
===============
Microsoft acknowledges Arne Vidstrom and Svante Sennmark for bringing this
issue to our attention.

Revisions
=========
- November 29, 1999: Bulletin Created


[This message has been edited by socalgal (edited 11-29-1999).]
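
Added example (not part of the bulletin or of Microsoft's patch): a small model of the control described in MS99-051, showing why "only run jobs owned by an administrator" fails once a user can change an admin-owned file, and how signing at creation and verifying at execution closes the gap. The names JobFile and Scheduler, the account name, and the use of HMAC-SHA256 as a stand-in for the unspecified signature scheme are all assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

ADMINS = {"Administrator"}  # constructed sample account name


@dataclass
class JobFile:
    owner: str              # file owner as recorded by the file system
    content: bytes          # the job definition
    signature: bytes = b""  # empty for files the scheduler did not create


class Scheduler:
    """Hypothetical scheduler; the key never leaves the service."""

    def __init__(self):
        self._key = os.urandom(32)

    def _mac(self, job):
        # HMAC-SHA256 stands in for the signature the bulletin mentions.
        data = job.owner.encode() + b"\0" + job.content
        return hmac.new(self._key, data, hashlib.sha256).digest()

    def create_job(self, user, content):
        """Creation path: administrators only, job is signed here."""
        if user not in ADMINS:
            raise PermissionError("only administrators may create jobs")
        job = JobFile(owner=user, content=content)
        job.signature = self._mac(job)
        return job

    def may_run_owner_only(self, job):
        """Pre-patch check as described: ownership alone."""
        return job.owner in ADMINS

    def may_run_signed(self, job):
        """Post-patch check: ownership plus signature over the content."""
        return job.owner in ADMINS and hmac.compare_digest(
            job.signature, self._mac(job))


def demo():
    sched = Scheduler()
    legit = sched.create_job("Administrator", b"run backup")

    # An admin-owned file with change access for users: its content is
    # rewritten by a normal user, but the owner field does not change.
    rewritten = JobFile(owner="Administrator", content=b"user-supplied job")

    # A real job whose content is altered after it was signed.
    tampered = JobFile(legit.owner, b"altered job", legit.signature)

    return {
        "legit": (sched.may_run_owner_only(legit),
                  sched.may_run_signed(legit)),
        "rewritten": (sched.may_run_owner_only(rewritten),
                      sched.may_run_signed(rewritten)),
        "tampered": (sched.may_run_owner_only(tampered),
                     sched.may_run_signed(tampered)),
    }


if __name__ == "__main__":
    for name, (owner_only, signed) in demo().items():
        print(f"{name:10s} owner-only={owner_only} signed={signed}")
```

Each tuple is (owner-only check, signed check); the rewritten and tampered files pass the first and fail the second.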

socalgal
11-29-1999, 10:19 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.

Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************

Microsoft Security Bulletin (MS99-052)
--------------------------------------

Patch Available for "Legacy Credential Caching" Vulnerability
Originally Posted: November 29, 1999

Summary
=======
Microsoft has released a patch that eliminates a security vulnerability in
Microsoft(r) Windows(r) 95 and 98 caused by a legacy mechanism for caching
network security credentials. The vulnerability could allow a user's
plaintext network password to be retrieved from the cache.

Frequently asked questions regarding this vulnerability can be found at
http://www.microsoft.com/security/bulletins/MS99-052faq.asp

Issue
=====
Windows for Workgroups(r) provided a RAM-based caching mechanism that cached
the user's plaintext network credentials for use by real-mode command-line
networking utilities. Part of this mechanism was carried forward into the
Windows 95 and 98 designs, even though it is not used by either. A
malicious user could query this mechanism to obtain the network credentials
of the last person to use the machine for network access, as long as they
had physical access to the machine and it had not been rebooted since the
last networking session.

Affected Software Versions
==========================
- Microsoft Windows 95
- Microsoft Windows 98

Patch Availability
==================
- Windows 95:
http://www.microsoft.com/windows95/downloads/contents/WUCritical/password/default.asp
- Windows 98:
http://www.microsoft.com/windows98/downloads/contents/WUCritical/password/default.asp

NOTE: Line breaks have been inserted into the above URLs for readability.

NOTE: Windows 98 Second Edition is not affected by this vulnerability.

More Information
================
Please see the following references for more information related to this
issue.
- Microsoft Security Bulletin MS99-052: Frequently Asked Questions,
http://www.microsoft.com/security/bulletins/MS99-052faq.asp
- Microsoft Knowledge Base (KB) article Q168115,
Windows Security Update Prevents Reading Domain Password,
http://support.microsoft.com/support/kb/articles/q168/1/15.asp
(Note: It may take 24 hours from the original posting of this bulletin
for this KB article to be visible.)
- Microsoft Security Advisor web site,
http://www.microsoft.com/security/default.asp

Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at
http://support.microsoft.com/support/contact/default.asp

Revisions
=========
- November 29, 1999: Bulletin Created.



[This message has been edited by socalgal (edited 11-29-1999).]

socalgal
11-30-1999, 08:17 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.

Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************

Yesterday, we released Microsoft Security Bulletin MS99-052, discussing the
"Legacy Credential Caching" vulnerability in Windows 95 and 98. The
bulletin provided URLs from which to download the patch. However, due to a
human error, the patch that was loaded onto the download site was not the
correct patch. Instead, a copy of the previously-released patch for the
"File Access URL" vulnerability propagated to the URLs. (For more
information on the "File Access URL" vulnerability, see
http://www.microsoft.com/Security/Bulletins/ms99-049.asp ). We have updated
the bulletin, at http://www.microsoft.com/Security/Bulletins/ms99-052.asp ,
and ensured that the correct URL information is now provided there.

We have no reports of any customers suffering ill effects from installing
the "File Access URL" patch. (In fact, there's no reason not to install it,
as it was designed for Windows 95 and 98 and is a recommended patch).
However, we suggest that customers who installed it visit the updated
bulletin and ensure that they also install the "Legacy Credential Caching"
patch as well.

We are very sorry for any inconvenience caused by this error, and would like
to thank the customers who alerted us to the problem.
Sincerely,

The Microsoft Security Response Team

-------------------------------------

**sheesh**

pickel
11-30-1999, 09:38 PM
More bandaids for my computer. At least Win 98 2nd edtn was affected... That's a first

socalgal
12-02-1999, 08:00 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.

Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************

Microsoft Security Bulletin (MS99-054)
--------------------------------------

Patch Available for "WPAD Spoofing" Vulnerability
Originally Posted: December 01, 1999

Summary
=======
Microsoft has released a version upgrade that eliminates a vulnerability in
Microsoft(r) Internet Explorer 5. Under very specific conditions, the
vulnerability could allow a malicious user to provide proxy settings to web
clients in another network.

Frequently asked questions regarding this vulnerability can be found at
http://www.microsoft.com/security/bulletins/MS99-054faq.asp

Issue
=====
The IE 5 Web Proxy Auto-Discovery (WPAD) feature enables web clients to
automatically detect proxy settings without user intervention. The algorithm
used by WPAD prepends the hostname "wpad" to the fully-qualified domain name
and progressively removes subdomains until it either finds a WPAD server
answering the hostname or reaches the third-level domain. For instance, web
clients in the domain a.b.microsoft.com would query wpad.a.b.microsoft.com,
wpad.b.microsoft.com, then wpad.microsoft.com. A vulnerability arises
because in international usage, the third-level domain may not be trusted. A
malicious user could set up a WPAD server and serve proxy configuration
commands of his or her choice.

Affected Software Versions
==========================
- Microsoft Internet Explorer 5

Patch Availability
==================
The vulnerability is eliminated by IE 5.01, which is available at:
- http://www.microsoft.com/windows/ie/download/all.htm?bShowPage
- http://www.microsoft.com/msdownload/iebuild/ie501_win32/en/ie501_win32.htm

A line break has been inserted into the above URL for readability.

More Information
================
Please see the following references for more information related to this
issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS99-054,
http://www.microsoft.com/security/bulletins/ms99-054faq.asp
- Microsoft Knowledge Base (KB) article Q247333,
Web Proxy Auto-Discovery "Spoofing" May Change Proxy Settings,
http://support.microsoft.com/support/kb/articles/q247/7/33.asp
(Note: It may take 24 hours from the original posting of this
bulletin for this KB article to be visible.)
- Web Proxy Auto-Discovery Protocol Internet Draft,
http://ietf.org/internet-drafts/draft-ietf-wrec-wpad-01.txt
- Microsoft Security Advisor web site,
http://www.microsoft.com/security/default.asp

Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at
http://support.microsoft.com/support/contact/default.asp

Acknowledgments
===============
Microsoft acknowledges Tim Adam of Open Software Associates (www.osa.com)
for bringing this issue to our attention.

Revisions
=========
- December 01, 1999: Bulletin Created.
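
Added example (not part of the bulletin): the WPAD name search described in MS99-054, written out so an administrator can list which lookups for a given client domain fall outside the DNS zone the organization controls. The function names and the example.co.jp domains are constructed for illustration.

```python
# Added example: models the WPAD name search as MS99-054 describes it.
# All domain names used as input here are constructed sample values.

def wpad_candidates(client_domain):
    """Host names a client in client_domain would query, in order.

    Per the bulletin: prepend "wpad" to the domain, then drop the
    leftmost subdomain each round until the candidate is a third-level
    name ("wpad" plus two labels).
    """
    labels = [l for l in client_domain.lower().strip(".").split(".") if l]
    names = []
    while len(labels) >= 2:
        names.append("wpad." + ".".join(labels))
        labels = labels[1:]
    return names


def in_zone(name, zone):
    """True if name is the zone itself or a host beneath it."""
    zone = zone.lower().strip(".")
    return name == zone or name.endswith("." + zone)


def out_of_zone_candidates(client_domain, org_zone):
    """Candidates that lie outside the zone the organization controls."""
    return [n for n in wpad_candidates(client_domain)
            if not in_zone(n, org_zone)]


def audit(client_domains, org_zone):
    """Map each client domain to its WPAD lookups outside org_zone."""
    report = {}
    for domain in client_domains:
        exposed = out_of_zone_candidates(domain, org_zone)
        if exposed:
            report[domain] = exposed
    return report


if __name__ == "__main__":
    # The bulletin's own case: every lookup stays inside microsoft.com.
    print(wpad_candidates("a.b.microsoft.com"))
    # Constructed case where the registered domain has three labels, so
    # the last lookup lands on a name the organization does not control.
    print(audit(["sales.example.co.jp", "lab.eng.example.co.jp"],
                "example.co.jp"))
```

Any name in the audit report is answered by whoever controls that parent domain, which is the condition the bulletin describes for international domains.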

socalgal
12-02-1999, 08:11 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.

Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************

Microsoft Security Bulletin (MS99-053)
--------------------------------------

Patch Available for Windows "Multithreaded SSL ISAPI Filter" Vulnerability
Originally Posted: December 02, 1999

Summary
=======
Microsoft has released a patch that eliminates a vulnerability in the SSL
ISAPI filter that ships with Microsoft(r) Internet Information Server and
is used by other Microsoft products. If called by a multi-threaded
application under very specific, and fairly rare, circumstances, a
synchronization error in the filter could allow a single buffer of plaintext
to be transmitted back to the data's owner.

Frequently asked questions regarding this vulnerability can be found at
http://www.microsoft.com/security/bulletins/MS99-053faq.asp

Issue
=====
The SSL ISAPI filter provided as part of IIS supports concurrent use. When
used in this mode, a synchronization problem could induce a race condition
and cause a single buffer of plaintext to be leaked. The conditions under
which this could happen are very rare, and could only occur when a single
user's session was multi-threaded and traffic volumes were extremely high.

The scope of this vulnerability is very limited. The leaked plaintext would
always be sent to its owner, never another user. Also, because the leaked
data would fail its integrity check, the effect of the leak would be to
cause the SSL session to immediately collapse. The condition could not be
induced by a hostile user, and would offer at best a target of opportunity.
Finally, it is worth noting that this vulnerability only affects the SSL
ISAPI filter, not the secure communications capability provided by Windows
NT via Schannel.

Affected Software Versions
==========================
- Microsoft IIS 4.0
- Microsoft Site Server 3.0
- Microsoft Site Server Commerce Edition 3.0

Patch Availability
==================
- x86:
http://www.microsoft.com/downloads/release.asp?ReleaseID=16186
- Alpha:
http://www.microsoft.com/downloads/release.asp?ReleaseID=16187

NOTE: This and other patches are available from the Microsoft
Download Center http://www.microsoft.com/downloads/search.asp?Search=Keyword&Value='security_patch'&OpSysID=1

More Information
================
Please see the following references for more information related to this
issue.
- Microsoft Security Bulletin MS99-053: Frequently Asked Questions,
http://www.microsoft.com/security/bulletins/MS99-053faq.asp
- Microsoft Knowledge Base (KB) article Q244613,
IIS 4.0 SSL ISAPI Filter Can Leak Single Buffer of Plaintext,
http://support.microsoft.com/support/kb/articles/q244/6/13.asp
(Note: It may take 24 hours from the original posting of this
bulletin for this KB article to be visible.)
- Microsoft Security Advisor web site,
http://www.microsoft.com/security/default.asp

Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at
http://support.microsoft.com/support/contact/default.asp

Acknowledgments
===============
Microsoft acknowledges Wall Data for bringing this issue to our attention.

Revisions
=========
- December 02, 1999: Bulletin Created.