MS Security Bulletins - Vol. 6


socalgal
02-16-2000, 06:47 PM
Continued from MS Security Bulletins - Vol. 5 (http://www.sysopt.com/forum/Forum1/HTML/003113.html)

==========================================

The following is a Security Bulletin from the Microsoft Product Security
Notification Service.

Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************

Microsoft Security Bulletin (MS00-009)
--------------------------------------

Patch Available for "Image Source Redirect" Vulnerability
Originally Posted: February 16, 2000

Summary
=======
Microsoft has released a patch that eliminates a security vulnerability
in Microsoft® Internet Explorer. The vulnerability could allow a
malicious web site operator to read - but not add, change or delete -
certain types of files on the computer of a visiting user.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/fq00-009.asp

Issue
=====
When a web server navigates a window from one domain into another one,
the IE security model checks the server's permissions on the new page.
However, it is possible for a web server to open a browser window to a
client-local file, then navigate the window to a page that is in the
web site's domain in such a way that the data in the client-local file
is accessible to the new window. The data would only be accessible to
the new window for a very brief period, but the result is that it
could be possible for a malicious web site operator to view files on
the computer of a visiting user. The web site operator would need to
know (or guess) the name and location of the file, and could only view
file types that can be opened in a browser window.

Affected Software Versions
==========================
Microsoft Internet Explorer 4.0 and 4.01.
Microsoft Internet Explorer 5 and 5.01.

Patch Availability
==================

http://windowsupdate.microsoft.com
http://www.microsoft.com/windows/ie/security/patch5.asp

NOTE: Microsoft produces security patches for Internet Explorer 4.01
SP2 and higher. In the event that this package is applied to Internet
Explorer 4.01 SP1, the package states that a fix is not needed. This
message is incorrect, as the vulnerability does exist on Internet
Explorer 4.01 SP1 or any earlier release. If you are using Internet
Explorer 4.01 SP1 or any earlier release, please upgrade to the latest
version of Internet Explorer to resolve this issue.

NOTE: Additional security patches are available at the Microsoft Download
Center.

More Information
================
Please see the following references for more information related to this
issue.
- Microsoft Security Bulletin MS00-009: Frequently Asked Questions.
- Microsoft Knowledge Base (KB) article. A link will be posted to
http://www.microsoft.com/technet/Security/Bulletin/ms00-009.asp
as soon as the article is available.
- Microsoft Security Advisor web site,
http://www.microsoft.com/security/default.asp

Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at http://support.microsoft.com/support/contact/default.asp

Revisions
=========
February 16, 2000: Bulletin Created.



[This message has been edited by socalgal (edited 02-16-2000).]

socalgal
02-18-2000, 07:12 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.

Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************

Microsoft Security Bulletin (MS00-010)
--------------------------------------

Patch Available for "Site Wizard Input Validation" Vulnerability
Originally Posted: February 18, 2000

Summary
=======
Microsoft has released a patch that eliminates a security vulnerability
in web applications associated with Microsoft® Site Server 3.0, Commerce
Edition. These applications are provided as samples and generated by
wizards, but do not follow security best practices. If deployed on a
web site, they could allow inappropriate access to a database on the
site. Frequently asked questions regarding this vulnerability and the
patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-010.asp.

Issue
=====
Two sample web sites provided as part of Site Server 3.0, Commerce
Edition do not follow security best practices; the code generated by
one of the wizards is affected by the same problem. The code requests
an identification number as one of the inputs, but does not validate
it before using it in a database query. As a result, a malicious user
could, instead of entering an appropriate input, provide SQL commands.
If this were done, the SQL commands would be executed as part of the
query, and could be used to create, modify, delete or read data in the
database.

The vulnerability only affects sites that have either deployed the code
at issue here, or have used the code as a model for developing custom code.
Customers who have deployed the code should apply the patch to ensure that
security best practices are followed. Customers who have used the code as a
guide in developing their own should refer to the Knowledge Base article
referenced below for specific code changes.

Affected Software Versions
==========================
Microsoft Site Server 3.0, Commerce Edition

Patch Availability
==================
http://www.microsoft.com/downloads/Release.asp?ReleaseID=18767

NOTE: Additional security patches are available at the Microsoft Download
Center

More Information
================
Please see the following references for more information related to this
issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-010,
http://www.microsoft.com/technet/security/bulletin/fq00-010.asp
- Microsoft TechNet Security Web site,
http://www.microsoft.com/technet/security/default.asp

Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at http://support.microsoft.com/support/contact/default.asp

Acknowledgments
===============
Microsoft thanks Nick Southwell
of Creative Online Media for reporting this problem to us and working
with us to protect customers.

Revisions
=========
February 18, 2000: Bulletin Created.
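
The flaw described in MS00-010 above (an identification number used in a database query without validation), shown beside a hardened form. This is an added example, not part of the original post and not Microsoft's sample or patch code; the table, column and function names and the sample inputs are assumptions, and SQLite stands in for the site's database.

```python
import sqlite3


class InvalidIdentifier(ValueError):
    """Raised when a supplied identifier is not a plain decimal number."""


def make_db():
    # Constructed sample catalogue; table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, listed INTEGER);
        INSERT INTO products VALUES
            (1, 'mug', 1), (2, 'poster', 1), (3, 'unreleased', 0);
        """
    )
    return db


def lookup_unvalidated(db, raw_id):
    # Flawed pattern from the bulletin: the input becomes part of the query
    # text, so anything in it is parsed as SQL.
    query = "SELECT id, name FROM products WHERE listed = 1 AND id = " + raw_id
    return db.execute(query).fetchall()


def parse_identifier(raw, max_digits=9):
    # Validate first: accept only a short run of ASCII digits.
    # isascii() keeps out non-ASCII digit characters that isdigit() accepts.
    if not isinstance(raw, str):
        raise InvalidIdentifier("identifier must be text")
    text = raw.strip()
    if not text or len(text) > max_digits:
        raise InvalidIdentifier("identifier is empty or too long")
    if not (text.isascii() and text.isdigit()):
        raise InvalidIdentifier("identifier is not a decimal number")
    return int(text)


def lookup_validated(db, raw_id):
    # Hardened form: validated value, passed as a bound parameter so it is
    # never parsed as SQL even if validation were later loosened.
    product_id = parse_identifier(raw_id)
    query = "SELECT id, name FROM products WHERE listed = 1 AND id = ?"
    return db.execute(query, (product_id,)).fetchall()


def demo():
    db = make_db()
    crafted = "2 OR 1=1"  # constructed input that is SQL, not a number
    results = {
        "unvalidated_normal": lookup_unvalidated(db, "2"),
        "unvalidated_crafted": lookup_unvalidated(db, crafted),
        "validated_normal": lookup_validated(db, "2"),
    }
    try:
        lookup_validated(db, crafted)
        results["validated_crafted"] = "accepted"
    except InvalidIdentifier as exc:
        results["validated_crafted"] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```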

pickel
02-18-2000, 07:24 PM
MORE BANDAIDS!!!

Avoid the patch, use Netscape Messenger

[This message has been edited by pickel (edited 02-22-2000).]

tkray
02-18-2000, 08:02 PM
Well, it beats letting people pick at your scabs, to follow your metaphor.

socalgal
02-19-2000, 10:37 AM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.

Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************

Microsoft Security Bulletin (MS00-011)
--------------------------------------

Patch Available for "VM File Reading" Vulnerability
Originally Posted: February 18, 2000

Summary
=======
Microsoft has released a patch that eliminates a security vulnerability
in the Microsoft® virtual machine (Microsoft VM). The vulnerability
could enable a malicious web site operator to read files from the
computer of a person who visited his site or read web content from
inside an intranet if the malicious site is visited by a computer from
within that intranet. In both cases the malicious applet would have to
know the exact name and location of the files. Frequently asked
questions regarding this vulnerability and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-011.asp

Issue
=====
The Microsoft VM is a virtual machine for the Win32® operating
environment. It runs atop Microsoft Windows® 95, 98 or Windows NT®.
It ships as part of each operating system, and also as part of
Microsoft Internet Explorer.

The version of the Microsoft VM that ships with Microsoft Internet
Explorer 4.x and Internet Explorer 5.x contains a security
vulnerability that could allow a Java applet to operate outside the
bounds set by the sandbox. A malicious user could write a Java applet
that could read - but not change, delete or add - files from the
computer of a person who visited his site or read web content from
inside an intranet if the malicious site is visited by a computer
from within that intranet. The malicious user would need to know the
exact path and filename of the files he wished to read.

Affected Software Versions
==========================
Versions of the Microsoft VM are identified by build numbers, which can
be determined using the JVIEW tool, as discussed in the FAQ. The
following builds of the Microsoft VM are affected:

- All builds in the 2000 series.
- All builds in the 3100 series.
- All builds in the 3200 series.

Note: The Microsoft VM ships as part of several products. However, the
primary ship vehicle is Internet Explorer.

Patch Availability
==================
New versions of the Microsoft VM that include a fix for the
vulnerability can be downloaded from the following locations:

- 2000 series builds: http://www.microsoft.com/java/vm/dl_vmsp2.htm
- 3100 series builds: http://www.microsoft.com/java/vm/dl_vm32.htm
- 3200 series builds: http://www.microsoft.com/java/vm/dl_vm40.htm

Note: 2000 series builds are shipped as part of Internet Explorer 4.x; 3100
series builds are shipped as part of Internet Explorer 5; 3200 series builds
are shipped as part of Internet Explorer 5.01.
Note: Additional security patches are available at the Microsoft Download
Center

More Information
================
Please see the following references for more information related to this
issue.

- Frequently Asked Questions: Microsoft Security Bulletin MS00-011,
http://www.microsoft.com/technet/security/bulletins/ms00-011.asp
- Microsoft Security Advisor web site,
http://www.microsoft.com/security/default.asp

Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at http://support.microsoft.com/support/contact/default.asp

Acknowledgments
===============
Microsoft thanks Hideo Nakamura of NEC in Tokyo, Japan for reporting the VM
File Reading vulnerability to us and working with us to protect customers.

Revisions
=========
February 18, 2000: Bulletin Created.

socalgal
02-22-2000, 07:08 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.

Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************

Microsoft Security Bulletin (MS00-012)
--------------------------------------

Patch Available for "Remote Agent Permissions" Vulnerability
Originally Posted: February 22, 2000

Summary
=======
Microsoft has released a patch that eliminates a security vulnerability
in an installation routine associated with Microsoft® Systems
Management Server (SMS). If particular features have been enabled, the
vulnerability could allow a user to gain elevated privileges on the
local machine.

Frequently asked questions regarding this vulnerability and the patch
can be found at http://www.microsoft.com/technet/security/bulletin/fq00-012.asp

Issue
=====
If the SMS 2.0 Remote Control feature has been installed and enabled on
a machine, the folder in which the remote agent resides has its
permissions set to Everyone Full Control by default. If a malicious
user replaced the client code with code of his or her choosing, it
would run automatically in a system context the next time he or she
rebooted the machine and logged on. The vulnerability exists only if
the Remote Control feature has been enabled - no other SMS features
are affected by it.

Affected Software Versions
==========================

Microsoft Systems Management Server 2.0

Patch Availability
==================

For X86: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=18498
For Alpha: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=18499

Note: Additional security patches are available at the Microsoft Download
Center.

More Information
================
Please see the following references for more information related to this
issue.

- Frequently Asked Questions: Microsoft Security Bulletin MS00-012.
http://www.microsoft.com/technet/security/bulletin/fq00-012.asp
- Microsoft TechNet Security web site.
http://www.microsoft.com/technet/security/default.asp

Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at http://support.microsoft.com/support/contact/default.asp

Revisions
=========
February 22, 2000: Bulletin Created.

socalgal
02-23-2000, 08:45 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.

Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************

Microsoft Security Bulletin (MS00-013)
--------------------------------------

Patch Available for "Misordered Windows Media Services Handshake"
Vulnerability
Originally Posted: February 23, 2000

Summary
=======
Microsoft has released a patch that eliminates a security vulnerability in
Microsoft(r) Windows Media Services. The vulnerability could allow denial
of service attacks against a streaming media server.

Frequently asked questions regarding this vulnerability and the patch can be
found at http://www.microsoft.com/technet/security/bulletin/fq00-013.asp

Issue
=====
The handshake sequence between a Windows Media server and a Windows Media
Player is asynchronous, because certain resource requests are dependent on
the successful completion of previous ones. If the client-side handshake
packets are sent in a particular misordered sequence, with certain timing
constraints, the server will attempt to use a resource before it has been
initialized and will fail catastrophically, causing the Windows Media
Unicast Service to crash.

The Windows Media Unicast Service can be put back into normal operating
condition by restarting the service, but any sessions that were in effect
at the time of the crash would need to be restarted.

Affected Software Versions
==========================
- Microsoft Windows Media Services 4.0 and 4.1

NOTE: Windows NT Server 4.0 customers should upgrade their Windows Media
Services installation to Windows Media Services 4.1 before applying the
patch. Windows Media Services 4.1 can be downloaded for free from http://www.microsoft.com/windows/windowsmedia/. Windows 2000 Server
includes Windows Media Services 4.1, so the patch can be applied directly
to this configuration.

Patch Availability
==================
- Windows NT Server 4.0:
http://download.microsoft.com/download/winmediatech40/Update/4954/NT4/EN-US/WMSU4954_NT4.EXE
- Windows 2000 Server:
http://download.microsoft.com/download/winmediatech40/Update/4954/NT5/EN-US/WMSU4954_Win2000.EXE

NOTE: Additional security patches are available at the Microsoft Download
Center

More Information
================
Please see the following references for more information related to this
issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-013,
http://www.microsoft.com/technet/security/bulletin/fq00-013.asp
- Microsoft Knowledge Base (KB) article Q253943,
Misordered Windows Media Services Handshake Vulnerability,
http://www.microsoft.com/technet/support/kb.asp?ID=253943
- Microsoft TechNet Security Web site,
http://www.microsoft.com/technet/security/default.asp

Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at http://support.microsoft.com/support/contact/default.asp

Acknowledgments
===============
Microsoft thanks Kit Knox for reporting this issue to us and working with us
to protect customers.

Revisions
=========
- February 23, 2000: Bulletin Created.

socalgal
03-07-2000, 04:28 AM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.

Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************

Microsoft Security Bulletin (MS00-015)
--------------------------------------

Patch Available for "Clip Art Buffer Overrun" Vulnerability
Originally Posted: March 06, 2000

Summary
=======
Microsoft has released a patch that eliminates a security vulnerability in
the Microsoft® Clip Art Gallery. The vulnerability could allow a malicious
party to cause hostile code to execute on the computer of a user of the
Clip Art Gallery.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/fq00-015.asp

Issue
=====
The Microsoft Clip Art Gallery software is used to allow users to retrieve
and use clip art in their documents. One of the features of the Clip Art
Gallery allows the user to download additional clips from the Microsoft
Clip Gallery Live web site, and then install that clip art on their
computer. To do this, Clip Art Gallery and Clip Gallery Live use a file
format called the CIL format to contain the newly downloaded clips. Under
certain circumstances, a very long field embedded in a clip art CIL file
could cause a buffer overrun in the Clip Art Gallery software. The buffer
overrun could cause the software to crash or, under certain circumstances,
could cause the execution of hostile code on the computer where the Clip
Art Gallery software was executing.

The risk from this vulnerability results from the facts that any web site
can host a CIL file and that clip art will normally be processed
without prompting the user for confirmation as would be the case with an
executable file format.

Affected Software Versions
==========================
The Clip Art Gallery software ships with the following products:
- Microsoft Office 2000
- Microsoft Works 2000
- Microsoft PictureIt 2000
- Microsoft HP 2000
- Microsoft Publisher99
- Microsoft PhotoDraw 2000 Version 1

Patch Availability
==================
- http://cgl.microsoft.com/clipgallerylive/pss/bufovrun.htm

NOTE: Additional security patches are available at the Microsoft Download
Center

More Information
================
Please see the following references for more information related to this
issue.
- Microsoft Security Bulletin MS00-015: Frequently Asked Questions
http://www.microsoft.com/technet/security/bulletin/fq00-015.asp
- Microsoft TechNet Security web site
http://www.microsoft.com/technet/security/default.asp

Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support
is available at http://support.microsoft.com/support/contact/default.asp

Acknowledgments
===============
Microsoft thanks Dildog of the @Stake, Inc. L0pht Research Labs for
reporting this issue to us and working with us to protect customers.

Revisions
=========
- March 06, 2000: Bulletin Created.

socalgal
03-09-2000, 06:29 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.

Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************

Microsoft Security Bulletin (MS00-014)
--------------------------------------

Patch Available for "SQL Query Abuse" Vulnerability
Originally Posted: March 08, 2000

Summary
=======
Microsoft has released a patch that eliminates a security vulnerability in
Microsoft® SQL Server 7.0 and Microsoft Data Engine (MSDE) 1.0. The
vulnerability could allow the remote author of a malicious SQL query to
take unauthorized actions on a SQL Server or MSDE database or on the
underlying system that was hosting the SQL Server or MSDE database.

Frequently asked questions regarding this vulnerability and the patch can
be found at http://www.microsoft.com/technet/security/bulletin/fq00-014.asp

Issue
=====
Microsoft SQL Server 7.0 and MSDE 1.0 perform incomplete argument validation
on certain classes of remotely submitted SQL statements. If a user is able
to submit a particular form of a SQL Select statement to SQL Server or MSDE,
it is possible to take actions on the SQL data base or, if the SQL Server or
MSDE is operating in an account with elevated privileges on the underlying
system, on the underlying operating system itself.

In order to exploit this vulnerability, a user would have to have the right
to submit queries to the SQL Server or MSDE via ODBC, OLE DB, or DB-Library
and be logged on using SQL Server Security. The user would not require any
special privileges beyond the right to submit SQL queries.

Affected Software Versions
==========================

Microsoft SQL Server Version 7.0 and Microsoft Data Engine (MSDE) 1.0.

Patch Availability
==================
- http://www.microsoft.com/downloads/release.asp?ReleaseID=19132

Note: Additional security patches are available at the Microsoft Download
Center

More Information
================
Please see the following references for more information related to this
issue.

- Frequently Asked Questions: Microsoft Security Bulletin MS00-014,
http://www.microsoft.com/technet/security/bulletin/fq00-014.asp
- As soon as more information on this topic is available, it will be
posted at
http://www.microsoft.com/technet/security/bulletin/ms00-014.asp
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp

Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at http://support.microsoft.com/support/contact/default.asp

Acknowledgments
===============
Microsoft thanks Sven Hammesfahr http://www.itrain.de for reporting the
SQL Query Abuse vulnerability to us and working with us to protect
customers.

Revisions
=========
- March 08, 2000: Bulletin Created.

socalgal
03-09-2000, 06:32 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.

Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************

Microsoft Security Bulletin (MS00-008)
--------------------------------------

Patch Available for "Registry Permissions" Vulnerability

Originally Posted: March 09, 2000

Summary
=======
Microsoft has released a tool that installs tighter permissions on three
sets of registry values in Microsoft(r) Windows NT 4.0. The default
permissions could allow a malicious user to gain additional privileges on a
machine that they can interactively log onto.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/fq00-008.asp

Issue
=====
This vulnerability involves three sets of registry keys whose default
permissions are too permissive. These permissions could allow a malicious
user who could interactively log onto a target machine to:
- Cause code to run in a local system context.
- Cause code to run the next time another user logged onto the
same machine.
- Disable the security protection for a previously-reported vulnerability.

These three key sets are not related to each other except by the fact that
their permissions should be tightened. A tool is available that will reset
all of the affected keys to the correct default value.

Affected Software Versions
==========================
- Microsoft Windows NT 4.0 Workstation
- Microsoft Windows NT 4.0 Server
- Microsoft Windows NT 4.0 Server, Enterprise Edition
- Microsoft Windows NT 4.0 Server, Terminal Server Edition

NOTE: Windows 2000 is not affected by this vulnerability.

Patch Availability
==================
- Intel: http://www.microsoft.com/downloads/release.asp?ReleaseID=19172
- Alpha: http://www.microsoft.com/downloads/release.asp?ReleaseID=19173

More Information
================
Please see the following references for more information related to this
issue.
- Microsoft Security Bulletin MS00-008: Frequently Asked Questions,
http://www.microsoft.com/technet/security/bulletin/fq00-008.asp
- Microsoft Security Bulletin MS99-025,
Unauthorized Access to IIS Servers through ODBC Data Access with RDS,
http://www.microsoft.com/security/bulletins/ms99-025.asp
- Microsoft Knowledge Base (KB) article Q103861,
INFO: Choosing the Debugger That the System Will Spawn,
http://www.microsoft.com/technet/support/kb.asp?ID=103861
- Microsoft Knowledge Base (KB) article Q185590,
Guide To Windows NT 4.0 Profiles and Policies (Part 5 of 6),
http://www.microsoft.com/technet/support/kb.asp?ID=185590
- Microsoft Knowledge Base (KB) article Q184375,
Security Implications of RDS 1.5, IIS 3.0 or 4.0, and ODBC,
http://www.microsoft.com/technet/support/kb.asp?ID=184375
- Microsoft Knowledge Base (KB) article Q184375,
HOWTO: Regulate Network Access to the Windows NT Registry,
http://www.microsoft.com/technet/support/kb.asp?ID=155363
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp

Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at http://support.microsoft.com/support/contact/default.asp

Revisions
=========
- March 09, 2000: Bulletin Created.

socalgal
03-16-2000, 07:39 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.

Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************

Microsoft Security Bulletin (MS00-017)
--------------------------------------

Patch Available for "DOS Device in Path Name" Vulnerability

Originally Posted: March 16, 2000

Summary
=======
Microsoft has released a patch that eliminates a security vulnerability in
Microsoft(r) Windows(r) 95, Windows 98, and Windows 98 Second Edition. The
vulnerability could cause a user's system to crash, if they attempted to
access a file or folder whose path contained certain reserved words.

Frequently asked questions regarding this vulnerability can be found
at http://www.microsoft.com/technet/security/bulletin/fq00-017.asp

Issue
=====
DOS device names are reserved words, and cannot be used as folder or file
names. When parsing a reference to a file or folder, Windows correctly
checks for the case in which a single DOS device name is used in the path,
and treats it as invalid. However, it does not check for the case in which
the path includes multiple DOS device names. When Windows attempts to
interpret the device name as a file resource, it performs an illegal
resource access that usually results in a crash.

Because it is not possible to create files or folders that contain DOS
device names, it would be unusual for a user to try to access one under
normal circumstances. The chief threat posed by this vulnerability is that a
malicious user could attempt to entice a user to attempt such an access. For
instance, if a web site operator hosted a hyperlink that referenced such a
path, clicking the link would result in the user's machine crashing.
Likewise, a web page or HTML mail that specified a local file as the source
of rendering information could cause the user's machine to crash when it was
displayed. If this happened, the machine could be put back into normal
service by restarting it.

Affected Software Versions
==========================
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98 Second Edition

Patch Availability
==================
- Windows 95:
http://www.microsoft.com/downloads/release.asp?releaseID=19491
- Windows 98 and Windows 98 Second Edition:
http://www.microsoft.com/downloads/release.asp?ReleaseID=19389

NOTE: Additional security patches are available at the Microsoft Download
Center

NOTE: The patch will be available shortly at the WindowsUpdate site. When
this happens, we will modify the bulletin to provide additional information.


More Information
================
Please see the following references for more information related to this
issue.
- Microsoft Security Bulletin MS00-017: Frequently Asked Questions,
http://www.microsoft.com/technet/security/bulletin/fq00-017.asp
- Microsoft Knowledge Base article Q256015 discusses this issue and will
be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp

Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at http://support.microsoft.com/support/contact/default.asp

Revisions
=========
- March 16, 2000: Bulletin Created.


Last updated March 16, 2000

(c) 2000 Microsoft Corporation. All rights reserved. Terms of use
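
A filter-side check for the condition MS00-017 above describes: local-file references in HTML whose path contains DOS device names. This is an added example, not part of the original post or of Microsoft's patch; the device-name list is the standard DOS reserved set (the bulletin only says "certain reserved words"), and the function names and the sample HTML are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Standard reserved DOS device names (assumption: not listed in the bulletin).
DOS_DEVICES = frozenset(
    ["CON", "PRN", "AUX", "NUL", "CLOCK$"]
    + ["COM%d" % i for i in range(1, 10)]
    + ["LPT%d" % i for i in range(1, 10)]
)


def device_components(path):
    """Return the path components that resolve to a DOS device name."""
    hits = []
    for part in re.split(r"[\\/]+", path):
        # A device name keeps its meaning with an extension ("NUL.txt"),
        # trailing spaces or a trailing colon, in any letter case.
        stem = part.split(".", 1)[0].rstrip(" :").upper()
        if stem in DOS_DEVICES:
            hits.append(part)
    return hits


def local_path_of(ref):
    """Return the local path a reference points at, or None if it is remote."""
    ref = ref.strip()
    if re.match(r"^[A-Za-z]:[\\/]", ref) or ref.startswith("\\\\"):
        return ref
    try:
        parts = urlsplit(ref)
    except ValueError:
        return None
    if parts.scheme.lower() == "file":
        # Decode percent-escapes so encoded names are seen by the check.
        return unquote(parts.netloc + parts.path)
    return None


class _RefCollector(HTMLParser):
    """Collects attribute values that make a client load a resource."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "background") and value:
                self.refs.append(value)


def scan_html(html):
    """Return (reference, device components, verdict) for flagged local refs."""
    collector = _RefCollector()
    collector.feed(html)
    findings = []
    for ref in collector.refs:
        path = local_path_of(ref)
        if path is None:
            continue
        hits = device_components(path)
        if not hits:
            continue
        # One device name is the case Windows already rejects; several in one
        # path is the case the bulletin says unpatched systems mishandle.
        verdict = "multi-device" if len(hits) > 1 else "single-device"
        findings.append((ref, hits, verdict))
    return findings


# Constructed sample message body.
SAMPLE_HTML = r"""
<html><body background="C:\nul\lpt1.bmp">
<a href="http://example.com/con/aux/index.html">remote, not a local path</a>
<img src="file:///C:/windows/console.gif">
<img src="file:///C:/aux/readme.txt">
<a href="file:///C:/%63on/%41UX.old/x.htm">percent-encoded</a>
</body></html>
"""

if __name__ == "__main__":
    for ref, hits, verdict in scan_html(SAMPLE_HTML):
        print(verdict, ref, hits)
```

A mail or proxy filter would strip or quarantine content with a "multi-device" finding on networks that still contain unpatched Windows 95/98 clients.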

socalgal
03-17-2000, 10:25 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.

Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************

Microsoft Security Bulletin (MS00-016)
--------------------------------------

Patch Available for "Malformed Media License Request" Vulnerability

Originally Posted: March 17, 2000

Summary
=======
Microsoft has released a patch that eliminates a denial of service
vulnerability in Microsoft(r) Windows Media(tm) License Manager. The
vulnerability could allow a malicious user to temporarily prevent the
license server from issuing further licenses to customers for
protected digital content (music and video).

Frequently asked questions regarding this vulnerability can be found
at http://www.microsoft.com/technet/security/bulletin/fq00-016.asp

Issue
=====
Windows Media License Manager is part of Windows Media Rights Manager,
a component of Windows Media Technologies that enables content
providers to distribute copyrighted digital media in encrypted form.
When Windows Media Player opens protected digital media, it contacts
the provider's server, presents the user's license request
information, and obtains a license that allows it to play the media.
However, a specially-malformed license request can cause License
Manager to halt, thereby preventing legitimate subscribers from
obtaining a license for the same or other content hosted at this site.


The vulnerability does not in any way compromise the protection
provided by the encryption or prevent offline playing of content that
the user has already licensed. The server can be put back into normal
operation by restarting the License Manager.

Affected Software Versions
==========================
- Microsoft Windows Media Technologies 4.1 and 4.0.

Patch Availability
==================
- http://www.microsoft.com/Downloads/Release.asp?ReleaseID=19171

NOTE: Additional security patches are available at the Microsoft
Download Center

More Information
================
Please see the following references for more information related to
this issue.
- Microsoft Security Bulletin MS00-016: Frequently Asked Questions,
http://www.microsoft.com/technet/security/bulletin/fq00-016.asp
- Microsoft Knowledge Base (KB) article Q257200,
Windows Media Server Rights Manager May Stop Serving Licenses,
http://www.microsoft.com/technet/support/kb.asp?ID=257200
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp

Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at http://support.microsoft.com/support/contact/default.asp

Acknowledgments
===============
Microsoft thanks Ranjiv Sharma for reporting this issue to us and
working with us to protect customers.

Revisions
=========
- March 17, 2000: Bulletin Created.

(c) 2000 Microsoft Corporation. All rights reserved. Terms of use.

socalgal
03-20-2000, 06:02 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************

Microsoft Security Bulletin (MS00-018)
----------------------------------------

Patch Available for "Chunked Encoding Post" Vulnerability

Originally Posted: March 20, 2000

Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Internet Information Server 4.0. The
vulnerability could allow a malicious user to consume all resources on
a web server and prevent it from servicing other users.

Frequently asked questions regarding this vulnerability can be found
at http://www.microsoft.com/technet/security/bulletin/fq00-018.asp

Issue
=====
IIS 4.0 supports chunked encoding transfers, but does not limit the
size of the buffer that can be reserved. This would allow a malicious
user to request an extremely large buffer for a POST or PUT operation,
but never actually send data, thereby blocking memory on the server
that had been allocated to the session. If sufficient memory on the
server were blocked in this fashion, it could prevent the server from
performing useful work. There is no capability through this attack to
create, modify or delete data on the server, nor is there any
capability to usurp administrative control of the server. If the
malicious user closed his session, the memory would be released and
the server's operation would return to normal. Otherwise, the machine
could be put back into normal service by stopping and restarting the
service.

Affected Software Versions
==========================
- Microsoft Internet Information Server 4.0

Patch Availability
==================
- X86:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=19761
- Alpha:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=19762

NOTE: Additional security patches are available at the Microsoft
Download Center

More Information
================
Please see the following references for more information related to
this issue.
- Microsoft Security Bulletin MS00-018: Frequently Asked Questions,
http://www.microsoft.com/technet/Security/Bulletin/ms00-018.asp
- Microsoft Knowledge Base (KB) article Q252693,
Chunked Encoding Request with No Data Causes IIS Memory Leak,
http://www.microsoft.com/technet/support/kb.asp?ID=252693.
- RFC 2616,
Hypertext Transfer Protocol - HTTP 1.1,
http://www.ietf.org/rfc/rfc2616.txt.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp

Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at http://support.microsoft.com/support/contact/default.asp

Acknowledgments
===============
Microsoft thanks Petteri Stenius for reporting this issue to us and
working with us to protect customers.

Revisions
=========
- March 20, 2000: Bulletin Created.
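
The MS00-018 issue above comes down to a server reserving memory on the strength of a declared chunk size alone. As an added illustration (not part of the bulletin and not Microsoft's code), here is a chunked-body decoder that refuses oversized declarations and grows its buffer only as payload bytes arrive; the class name, limits and sample bytes are assumptions, and idle-connection timeouts are left to the caller.

```python
import re

MAX_CHUNK = 64 * 1024      # assumed per-chunk ceiling
MAX_BODY = 1024 * 1024     # assumed per-request ceiling
SIZE_RE = re.compile(rb"[0-9A-Fa-f]{1,8}")

class ChunkLimitError(Exception):
    """Declared size exceeds what this server is willing to accept."""

class ChunkedDecoder:
    def __init__(self, max_chunk=MAX_CHUNK, max_body=MAX_BODY):
        self.max_chunk, self.max_body = max_chunk, max_body
        self.pending = b""        # received but not yet parsed
        self.body = bytearray()   # grows only as payload bytes arrive
        self.remaining = None     # payload bytes owed for the current chunk
        self.done = False

    def feed(self, data):
        """Consume bytes read from the socket; True once the last chunk is seen."""
        self.pending += data
        while not self.done:
            if self.remaining is None:             # expect "<hex>[;ext]\r\n"
                line, sep, rest = self.pending.partition(b"\r\n")
                if not sep:
                    if len(self.pending) > 256:
                        raise ValueError("chunk-size line too long")
                    return False
                token = line.split(b";", 1)[0].strip()
                if not SIZE_RE.fullmatch(token):
                    raise ValueError("malformed chunk size")
                size = int(token, 16)
                # Reject on the declaration alone, before any memory is committed.
                if size > self.max_chunk or len(self.body) + size > self.max_body:
                    raise ChunkLimitError(f"declared chunk of {size} bytes refused")
                self.pending = rest
                if size == 0:                      # last chunk; trailers not parsed here
                    self.done = True
                    break
                self.remaining = size
            take = self.pending[:self.remaining]
            self.body += take
            self.pending = self.pending[len(take):]
            self.remaining -= len(take)
            if self.remaining or len(self.pending) < 2:
                return False                       # wait for more bytes
            if self.pending[:2] != b"\r\n":
                raise ValueError("missing CRLF after chunk data")
            self.pending, self.remaining = self.pending[2:], None
        return True
```
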

socalgal
03-27-2000, 08:45 PM
***This is not a Security Bulletin, per se, but it should be. Thanks to BBA for forwarding me this info.***

=====================================

http://cgl.microsoft.com/clipgallerylive/pss/bufovrun.htm

Microsoft Clip Gallery PSS
Downloads

Microsoft Clip Gallery Buffer Overrun Vulnerability Patch

-----------------------------------------

This patch is intended for users of the following Microsoft products: Office 2000, Home Publishing 2000, Works 2000, Picture It! 2000, and PhotoDraw™ 2000 Version 1.

The Media Store team at Microsoft developed a patch for Clip Gallery which prevents customers from encountering a possible buffer overrun. The buffer overrun could cause Clip Gallery to crash, or allow the execution of arbitrary code on a user's computer. Arbitrary code embedded by a malicious user within a file downloaded by Clip Gallery to a user's computer could be harmful, damaging information stored on the computer.

Background

One of the features of Microsoft Clip Gallery is that it allows users to download additional clip art from Microsoft Clip Gallery Live and the websites of our associated partners. This functionality includes the automatic installation of the downloaded clip art on their computers. Clip Gallery and Clip Gallery Live use a special file format for downloading these clips, called the .CIL format. Under certain circumstances, a very long field embedded in a clip art .CIL file could cause a buffer overrun in the Clip Gallery software. When the buffer overrun occurs, the software could crash or could cause the execution of arbitrary code on a user's computer.

The primary danger in this vulnerability is that the buffer overrun would occur when a user opens an attachment that includes a maliciously formed clip art file, or downloads a .CIL file from a malicious user's Web page.

For example, a user finds a Web site, which contains groups of clip art - saved in the .CIL format - for Office 2000, Works 2000, Picture It! 2000, Home Publisher 2000, or PhotoDraw™ 2000 Version 1. The user believes these are legitimate download pages. The user then downloads one of these .CIL files to use in Picture It! 2000. The instructions on the page tell the user to double-click the file to open Clip Art. However, the person who made the Web site has embedded malicious code that deletes data on the user's hard disk. To make the malicious code execute, the person also includes a very long field in the .CIL file. When the user double-clicks the file to open it into Clip Gallery, Clip Gallery has a buffer overrun, and then the malicious code executes.

Since Clip Gallery does not prompt you for confirmation, this vulnerability will still affect you even if you follow safe computing practices such as using virus detection software.

Instructions

1. Click the self-extracting file shown below (CILUPDT.EXE).
2. When prompted, save the file to your hard drive.
3. Double-click the downloaded file on your hard disk to run the program and update Clip Art Gallery.

Support for the tool can be obtained through the support offering for your product listed in the product's Help file.


--------------------------------------

CILUPDT.EXE (96 KB)

© 2000 Microsoft Corporation. All rights reserved. Terms of Use.


=====================

Next bulletin will be linked to a new thread.

socalgal
03-30-2000, 05:08 PM
Continued here MS Security Bulletins - Vol. 7 (http://www.sysopt.com/forum/Forum1/HTML/005292.html)