Continued from MS Security Bulletins - Vol. 8 (http://sysopt.earthweb.com/forum/Forum1/HTML/006219.html)
=============================================
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
-----BEGIN PGP SIGNED MESSAGE-----
Microsoft Security Bulletin (MS00-049)
- --------------------------------------
Patch Available for "The Office HTML Script" Vulnerability and a
Workaround for "The IE Script" Vulnerability
Originally Posted: July 13, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Office 2000 (Excel and PowerPoint) and
in PowerPoint 97. Microsoft has also documented a workaround that
prevents the use of Microsoft Access to exploit a vulnerability in
Internet Explorer. A patch for the latter vulnerability will be
available soon and we will have an update to this bulletin.
Frequently asked questions regarding this vulnerability and the patch
can be found at http://www.microsoft.com/technet/security/bulletin/fq00-049.asp
Issue
======
Two vulnerabilities have recently been discovered, one affecting
Microsoft Office 2000, and PowerPoint 97, and the other Internet
Explorer 4.01 SP2 and higher. We will refer to these issues as the
"Office script" and "IE script" vulnerabilities. The names refer to
the product where the vulnerability is present, but not necessarily
how the vulnerability is exploited.
The Office HTML Script vulnerability allows malicious script code on
a web page to reference an Excel 2000 or PowerPoint file in such a
way as to cause a remotely hosted file to be saved to a visiting
user's hard drive.
This vulnerability can only be exploited by a reference to an Excel
2000 or PowerPoint file; it cannot be exploited using Excel 97,
Microsoft Word or a Microsoft Access file.
The IE Script vulnerability can allow malicious script code on a web
page to reference a remotely hosted Microsoft Access file. The
Microsoft Access file can in turn cause VBA macro code in the file
to be executed.
Affected Software Versions
==========================
Microsoft Excel 2000
Microsoft PowerPoint 97 and 2000
Microsoft Internet Explorer 5.5, 5.01 SP1, 5.01, 4.01 SP2
Patch Availability
==================
Microsoft Excel 2000 and PowerPoint 2000: http://officeupdate.microsoft.com/2000/downloaddetails/Addinsec.htm
Microsoft PowerPoint 97: http://officeupdate.microsoft.com/downloaddetails/PPt97sec.htm
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-049,
http://www.microsoft.com/technet/security/bulletin/fq00-049.asp
- Microsoft Knowledge Base (KB) articles:
Q268365 (Excel 2000), Q268457 (PowerPoint 2000), Q268477
(PowerPoint 97) discuss "The Office HTML Script" vulnerability.
- The Microsoft Office Update Site,
http://officeupdate.microsoft.com
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Revisions
=========
July 13, 2000: Bulletin Created.
socalgal
07-14-2000, 05:32 PM
-----BEGIN PGP SIGNED MESSAGE-----
Microsoft Security Bulletin (MS00-044)
- --------------------------------------
Patch Available for "Absent Directory Browser Argument" Vulnerability
Originally Posted: July 14, 2000
Summary
=======
Microsoft has released a patch that eliminates two security
vulnerabilities in Microsoft(r) Internet Information Server. In sum,
the vulnerabilities could allow a malicious user to stop the web
server from providing useful service, or to extract certain types of
information from it.
Frequently asked questions regarding this vulnerability and the patch
can be found at http://www.microsoft.com/technet/security/bulletin/fq00-044.asp
Issue
=====
There are two vulnerabilities at issue here:
- The "Absent Directory Browser Argument" vulnerability. An
administrative script installed as part of IIS 3.0 but preserved
on upgrade to IIS 4.0 or IIS 5.0 does not correctly handle the
case where an expected argument is missing. The absence of the
argument causes the script to go into an infinite loop, at which
point the script consumes all CPU resources on the server. In
addition, the permissions on this tool and several related ones,
which were appropriate under IIS 3.0, are inappropriate under
IIS 4.0 and 5.0. This could allow web site visitors to use these
tools, which provide the ability to view the directory structure
on the server.
- A new variant on the "File Fragment Reading via .HTR"
vulnerability. The original version of this vulnerability was
discussed in Microsoft Security Bulletin MS00-031. The new
vulnerability differs only in the specific way that it could be
exploited - like the original version, the effect of the
vulnerability is that fragments of .ASP and other files could
potentially be retrieved from the server. As in the original
version, the mechanics of the new variant make it likely that
the parts of an .ASP file most interesting to a malicious user
would be stripped out.
Microsoft believes that the most appropriate way to eliminate these
vulnerabilities is to remove the script mapping for HTR, as
discussed in the IIS 4.0 Security Checklist. Only customers with
business-critical HTR scripts should retain the functionality and
install the patch.
Affected Software Versions
==========================
- Microsoft Internet Information Server 4.0
- Microsoft Internet Information Server 5.0
Note: The patch should only be installed by customers who have a
business-critical need for the .HTR functionality. Microsoft
recommends that all other customers disable the .HTR functionality
altogether, as discussed in the FAQ.
Note: Customers who choose to install the patch should also
strengthen the permissions on the /scripts/iisadmin folder in each
web site on the server, and ensure that only administrators can
access it.
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-044,
http://www.microsoft.com/technet/security/bulletin/fq00-044.asp
- Microsoft Knowledge Base article Q267559 discusses the "Absent
Directory Browser Argument" and will be available soon.
- Microsoft Knowledge Base article Q267560 discusses the new
variant of the "File Fragment Reading via .HTR" issue and will
be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft thanks the following customers for working with us to
protect customers:
- Peter Grundl for reporting the "Absent Directory Browser Argument"
issue to us
- Zuo Lei for reporting the new variant of the "File Fragment
Reading via .HTR" vulnerability to us.
Revisions
=========
- July 14, 2000: Bulletin Created.
socalgal
07-19-2000, 05:06 AM
-----BEGIN PGP SIGNED MESSAGE-----
Microsoft Security Bulletin (MS00-043)
- --------------------------------------
Patch Available for "Malformed E-mail Header" Vulnerability
Originally posted: July 18, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Outlook(r) and Outlook Express. Under
certain conditions, the vulnerability could allow a malicious user to
cause code of his choice to execute on another user's computer.
Frequently asked questions regarding this vulnerability and the
patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-043.asp
Issue
=====
A component shared by Outlook and Outlook Express contains an
unchecked buffer in the functionality that parses e-mail headers
when downloading mail via either POP3 or IMAP4. By sending an e-mail
that overruns the buffer, a malicious user could cause either of two
effects to occur when the mail was downloaded from the server by an
affected e-mail client:
- If the affected field were filled with random data, the
e-mail could be made to crash.
- If the affected field were filled with carefully-crafted
data, the e-mail client could be made to run code of the
malicious user's choice.
Customers who have installed Internet Explorer 5.01 Service Pack 1,
and customers who have installed Internet Explorer 5.5 on any system
other than Windows 2000, would not be affected by this vulnerability.
Likewise, Outlook users who have configured Outlook to use only MAPI
services would not be affected, regardless of what version of
Internet Explorer they have installed.
Affected Software Versions
==========================
- Microsoft Outlook Express 4.0
- Microsoft Outlook Express 4.01
- Microsoft Outlook Express 5.0
- Microsoft Outlook Express 5.01
- Microsoft Outlook 97
- Microsoft Outlook 98
- Microsoft Outlook 2000
Patch Availability
==================
The vulnerability can be eliminated by a default installation of
either of the following upgrades:
- Internet Explorer 5.01 Service Pack 1,
http://www.microsoft.com/Windows/ie/download/ie501sp1.htm
- Internet Explorer 5.5 on any system except Windows 2000,
http://www.microsoft.com/windows/ie/download/ie55.htm
Note: A non-default installation of IE 5.01 SP1 or IE 5.5 also will
eliminate this vulnerability, as long as an installation method is
chosen that installs upgraded Outlook Express components.
Note: When installed on a Windows 2000 machine, IE 5.5 does not
install upgraded Outlook Express components, and therefore does not
eliminate the vulnerability. However, Windows 2000 Service Pack 1
will install IE 5.5 and upgrade the Outlook Express components at
the same time.
Note: Patches will be available shortly that will eliminate the
vulnerability without requiring a full version upgrade. When they
are available, we will update this bulletin and re-release it.
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-043,
http://www.microsoft.com/technet/security/bulletin/fq00-043.asp
- Microsoft Knowledge Base article Q267884 discusses this issue
and will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft thanks USSR Labs (www.ussrback.com) for reporting this
issue to us and working with us to protect customers.
Revisions
=========
- July 18, 2000: Bulletin Created.
Amarok
07-19-2000, 03:17 PM
Thanks Socalgal..... here is the CNN article I just read on the same issue as the last bulliten.
http://www.cnn.com/2000/TECH/computing/07/19/email.hackers.ap/index.html
socalgal
07-20-2000, 07:14 PM
Thanks for that link, Amarok!
=================================
-----BEGIN PGP SIGNED MESSAGE-----
Microsoft Security Bulletin (MS00-043)
- --------------------------------------
Patch Available for "Malformed E-mail Header" Vulnerability
Originally posted: July 18, 2000
Updated: July 20, 2000
Summary
=======
On July 18, 2000, Microsoft released the original version of this
bulletin, to advise customers of the issue and recommend that they
install either of the two service packs that will eliminate the
vulnerability. On July 20, 2000, the bulletin was updated to announce
the availability of patches that eliminate the vulnerability.
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Outlook(r) and Outlook Express. Under
certain conditions, the vulnerability could allow a malicious user to
cause code of his choice to execute on another user's computer.
The patch eliminates this vulnerability as well as those discussed in
Microsoft Security Bulletins MS00-045 and MS00-046. Customers who
already have taken the corrective action discussed in either of these
bulletins do not need to take any additional action.
Frequently asked questions regarding this vulnerability and
the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-043.asp
Issue
=====
A component shared by Outlook and Outlook Express, Inetcomm.dll,
contains an unchecked buffer in the functionality that parses e-mail
headers when downloading mail via either POP3 or IMAP4. By sending an
e-mail that overruns the buffer, a malicious user could cause either
of two effects to occur when the mail was downloaded from the server
by an affected e-mail client:
- If the affected field were filled with random data, the
e-mail could be made to crash.
- If the affected field were filled with carefully-crafted data,
the e-mail client could be made to run code of the malicious
user's choice.
The vulnerability affects all Outlook Express users and all Outlook
users whose mail clients are configured to use either POP3 or IMAP4.
Outlook users who have configured Outlook to use only MAPI services
are unlikely to be affected by the vulnerability. Despite this,
Microsoft recommends that such customers apply one of the corrective
steps discussed in the Patch Availability section, primarily because
the patch protects against other vulnerabilities that affect all
Outlook users, regardless of the mail protocol they use.
A version of Inetcomm.dll that is not affected by the vulnerability
ships as part of Outlook Express 5.5, and customers who have
installed it do not need to take any additional action. Outlook
Express 5.5 is available as part of Internet Explorer 5.01 Service
Pack 1, and, except when installed on Windows 2000, Internet Explorer
5.5. Customers who do not wish to upgrade to Outlook Express 5.5
should install the patch provided below.
Affected Software Versions
==========================
- Microsoft Outlook Express 4.0
- Microsoft Outlook Express 4.01
- Microsoft Outlook Express 5.0
- Microsoft Outlook Express 5.01
- Microsoft Outlook 97
- Microsoft Outlook 98
- Microsoft Outlook 2000
Patch Availability
==================
This vulnerability can be eliminated by taking any of the following
actions:
- Installing the patch available at
http://www.microsoft.com/windows/ie/download/critical/patch9.htm
- Performing a default installation of Internet Explorer 5.01
Service Pack 1,
http://www.microsoft.com/Windows/ie/download/ie501sp1.htm.
- Performing a default installation of Internet Explorer 5.5
http://www.microsoft.com/windows/ie/download/ie55.htm
on any system except Windows 2000.
Note: The patch requires IE 4.01 SP2
http://www.microsoft.com/windows/ie/download/ie401sp2.htm or
IE 5.01 http://www.microsoft.com/windows/ie/download/ie501.htm
to install. Customers who install this patch on versions other
than these may receive a message reading "This update does not
need to be installed on this system". This message is incorrect.
More information is available in KB article Q267884
Note: In addition to eliminating the vulnerability at issue
here, the steps above also eliminate all vulnerabilities
discussed in Microsoft Security Bulletins MS00-045
http://www.microsoft.com/technet/security/bulletin/MS00-045.asp
and MS00-046
http://www.microsoft.com/technet/security/bulletin/MS00-046.asp
Customers who already have taken the corrective action discussed
in either of these bulletins do not need to take any additional
action.
Note: Additional security patches are available at the Microsoft
Download Center http://www.microsoft.com/downloads
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-043,
http://www.microsoft.com/technet/security/bulletin/fq00-043.asp
- Microsoft Knowledge Base article Q267884 discusses this issue
and will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at http://support.microsoft.com/support/contact/default.asp
Revisions
=========
- July 18, 2000: Bulletin Created.
- July 20, 2000: Bulletin updated to announce availability of a
patch that does not require a full version upgrade of
Internet Explorer.
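Added example, not part of the bulletin or of socalgal's post: the MS00-043 issue is an unchecked buffer in the code that parses e-mail headers while downloading mail over POP3 or IMAP4. The C below shows the general pattern in miniature: a header-value copy into a fixed-size buffer with no length check, beside a hardened version that takes the buffer size, measures the value first and rejects an over-long line. The buffer size `HDR_MAX`, the function names and the sample header lines are all constructed for this example; the real Inetcomm.dll limit and code are not given in the bulletin.

```c
#include <stdio.h>
#include <string.h>

/* Fixed header-value buffer size. The real limit inside Inetcomm.dll is not
 * stated in the bulletin; this value is a constructed example. */
#define HDR_MAX 64

/* The unchecked pattern the bulletin describes: the header value is copied
 * into a fixed-size buffer with no length check, so a value longer than
 * HDR_MAX overruns it (undefined behaviour). Kept only for contrast. */
void parse_header_unchecked(const char *line, char out[HDR_MAX])
{
    const char *colon = strchr(line, ':');
    if (colon == NULL)
        return;
    strcpy(out, colon + 1);   /* no bound on the copy */
}

/* Hardened form: the caller passes the real buffer size, the value length is
 * checked before any copy, and an over-long or malformed line is rejected.
 * Returns 0 on success, -1 on rejection; out is unchanged on -1. */
int parse_header_checked(const char *line, char *out, size_t outlen)
{
    const char *colon = strchr(line, ':');
    if (colon == NULL || outlen == 0)
        return -1;
    const char *value = colon + 1;
    while (*value == ' ' || *value == '\t')     /* skip leading whitespace */
        value++;
    size_t vlen = strcspn(value, "\r\n");        /* value ends at CRLF */
    if (vlen >= outlen)                          /* must leave room for NUL */
        return -1;
    memcpy(out, value, vlen);
    out[vlen] = '\0';
    return 0;
}

/* Constructed samples: an ordinary header line, and one whose value is far
 * longer than the buffer, as a hostile mail server could send. */
int demo_normal_header(void)
{
    char out[HDR_MAX];
    int rc = parse_header_checked("Subject: quarterly report\r\n", out, sizeof out);
    return rc == 0 && strcmp(out, "quarterly report") == 0;   /* 1 */
}

int demo_overlong_header(void)
{
    char line[400];
    char out[HDR_MAX];
    memcpy(line, "Subject: ", 9);
    memset(line + 9, 'A', 300);                  /* 300-byte value */
    memcpy(line + 309, "\r\n", 3);               /* CRLF plus NUL */
    return parse_header_checked(line, out, sizeof out);   /* -1: rejected */
}

int main(void)
{
    printf("normal header parsed: %d\n", demo_normal_header());
    printf("over-long header result: %d\n", demo_overlong_header());
    return 0;
}
```

The point of the hardened version is that the size check happens before any byte is written and that the caller, not the parser, owns the buffer size; a client that rejects the message (rather than silently truncating) also avoids the second failure mode in the bulletin, where a deliberately shaped value survives the copy.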
socalgal
07-20-2000, 08:03 PM
-----BEGIN PGP SIGNED MESSAGE-----
Microsoft Security Bulletin (MS00-046)
- --------------------------------------
Patch Available for "Cache Bypass" Vulnerability
Originally Posted: July 20, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Outlook(r) and Outlook Express. The
vulnerability could allow a malicious user to send an HTML mail that,
when opened, could read, but not add, change or delete, files on the
recipient's computer. If coupled with other vulnerabilities, it could
potentially be used in more advanced attacks as well.
The patch eliminates this vulnerability as well as those discussed in
Microsoft Security Bulletins MS00-043 and MS00-045. Customers who
already have taken the corrective action discussed in either of these
bulletins do not need to take any additional action.
Frequently asked questions regarding this vulnerability and
the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-046.asp
Issue
=====
By design, an HTML mail that creates a file on the recipient's
computer should only be able to create it in the so-called cache.
Files in the cache, when opened, do so in the Internet Zone. However,
this vulnerability would allow an HTML mail to bypass the cache
mechanism and create a file in a known location on the recipient's
disk. If an HTML mail created an HTML file outside the cache, it
would run in the Local Computer Zone when opened. This could allow it
to open a file on the user's computer and send it to a malicious user's
web site. The vulnerability also could be used as a way of placing an
executable file on the user's machine, which the malicious user would
then seek to launch via some other means.
The vulnerability would not enable the malicious user to add, change
or delete files on the user's computer. Only files that can be opened
in a browser window, such as .txt, .jpg or .htm files, could be read
via this vulnerability, and the malicious user would need to know or
guess the full path and file name of every file he wished to read.
The vulnerability resides in a component that is shared by Outlook
and Outlook Express, and as a result the vulnerability affects both
products. A version of the component that is not affected by the
vulnerability ships as part of Outlook Express 5.5, and customers who
have installed it do not need to take any additional action. Outlook
Express 5.5 is available as part of Internet Explorer 5.01 Service
Pack 1, and, except when installed on Windows 2000, Internet Explorer
5.5.
Affected Software Versions
==========================
- Microsoft Outlook Express 4.0
- Microsoft Outlook Express 4.01
- Microsoft Outlook Express 5.0
- Microsoft Outlook Express 5.01
- Microsoft Outlook 97
- Microsoft Outlook 98
- Microsoft Outlook 2000
Patch Availability
==================
This vulnerability can be eliminated by taking any of the following
actions:
- Installing the patch available at
http://www.microsoft.com/windows/ie/download/critical/patch9.htm
- Performing a default installation of Internet Explorer 5.01
Service Pack 1,
http://www.microsoft.com/Windows/ie/download/ie501sp1.htm.
- Performing a default installation of Internet Explorer 5.5
(http://www.microsoft.com/windows/ie/download/ie55.htm)
on any system except Windows 2000.
Note: The patch requires IE 4.01 SP2
(http://www.microsoft.com/windows/ie/download/ie401sp2.htm) or
IE 5.01 (http://www.microsoft.com/windows/ie/download/ie501.htm)
to install. Customers who install this patch on versions other
than these may receive a message reading "This update does not
need to be installed on this system". This message is incorrect.
More information is available in KB article Q247638.
Note: In addition to eliminating the vulnerability at issue
here, the steps above also eliminate all vulnerabilities
discussed in Microsoft Security Bulletins MS00-043
(http://www.microsoft.com/technet/security/bulletin/MS00-043.asp)
and MS00-045
(http://www.microsoft.com/technet/security/bulletin/MS00-045.asp).
Customers who already have taken the corrective action discussed
in either of these bulletins do not need to take any additional
action.
Note: Additional security patches are available at the Microsoft
Download Center http://www.microsoft.com/downloads
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-046,
http://www.microsoft.com/technet/security/bulletin/fq00-046.asp
- Microsoft Knowledge Base article Q247638 discusses this
vulnerability and will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting
Microsoft Technical Support is available at http://support.microsoft.com/support/contact/default.asp
Revisions
=========
- July 20, 2000: Bulletin Created.
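Added example, not part of the bulletin or of socalgal's post: MS00-046 rests on the rule that an HTML mail may only create files inside the cache, because files there open in the Internet Zone while files elsewhere open in the Local Computer Zone. The C below shows the check a mail client needs before writing: normalize the requested path lexically (collapsing ".", "..", and doubled separators) and confirm it lies strictly under the cache root. The cache location, file names and function names are constructed; the example assumes POSIX-style "/" paths so it runs anywhere, whereas a Windows implementation would canonicalize drive letters and backslashes through the OS.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 512

/* Lexically normalize an absolute '/'-separated path: collapse repeated
 * slashes and ".", resolve "..", never climbing above the root. Writes the
 * result to out; returns 0, or -1 if the input is relative or too long. */
int normalize_path(const char *in, char *out, size_t outlen)
{
    if (in[0] != '/' || outlen < 2)
        return -1;
    size_t o = 1;               /* out[0..o) is the normalized path so far */
    out[0] = '/';
    const char *p = in;
    while (*p != '\0') {
        while (*p == '/')       /* skip one or more separators */
            p++;
        if (*p == '\0')
            break;
        const char *start = p;
        while (*p != '\0' && *p != '/')
            p++;
        size_t len = (size_t)(p - start);
        if (len == 1 && start[0] == '.')
            continue;           /* "." adds nothing */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            while (o > 1 && out[o - 1] != '/')   /* drop last component */
                o--;
            if (o > 1)
                o--;            /* and its separator, unless at root */
            continue;
        }
        if (o + 1 + len + 1 > outlen)
            return -1;
        if (o > 1)
            out[o++] = '/';
        memcpy(out + o, start, len);
        o += len;
    }
    out[o] = '\0';
    return 0;
}

/* Return 1 if `target` resolves to a location strictly inside `cache_root`,
 * 0 otherwise. Both are normalized first so that "..", "." and doubled
 * slashes cannot escape the cache, and a sibling directory whose name merely
 * starts with the root's name ("/cache2" vs "/cache") is not accepted. */
int inside_cache(const char *cache_root, const char *target)
{
    char root[PATH_BUF], tgt[PATH_BUF];
    if (normalize_path(cache_root, root, sizeof root) != 0)
        return 0;
    if (normalize_path(target, tgt, sizeof tgt) != 0)
        return 0;
    size_t rl = strlen(root);
    if (strncmp(tgt, root, rl) != 0)
        return 0;
    if (rl == 1)                /* root is "/": any absolute path is inside */
        return tgt[1] != '\0';
    return tgt[rl] == '/';      /* must continue with a separator */
}

/* Constructed cache location and candidate paths for the demo. */
static const char *CACHE = "/home/user/cache";

int demo_traversal_rejected(void)      /* ".." climbs out of the cache */
{
    return inside_cache(CACHE, "/home/user/cache/../Documents/notes.htm");
}

int demo_sibling_rejected(void)        /* prefix match is not containment */
{
    return inside_cache(CACHE, "/home/user/cache2/page.htm");
}

int demo_cached_file_accepted(void)    /* messy but genuinely inside */
{
    return inside_cache(CACHE, "/home/user/cache//mail/./page.htm");
}

int main(void)
{
    printf("traversal: %d  sibling: %d  cached: %d\n",
           demo_traversal_rejected(), demo_sibling_rejected(),
           demo_cached_file_accepted());
    return 0;
}
```

A check of this shape is the difference the bulletin describes: a write that lands inside the cache stays in the Internet Zone when opened, while one that lands outside it would open in the Local Computer Zone.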
socalgal
07-20-2000, 08:06 PM
-----BEGIN PGP SIGNED MESSAGE-----
Microsoft Security Bulletin (MS00-045)
- --------------------------------------
Patch Available for "Persistent Mail-Browser Link" Vulnerability
Originally Posted: July 20, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability affecting Microsoft(r) Outlook Express. The
vulnerability could allow a malicious user to send an email that
would "read over the shoulder" of the recipient as he previews
subsequent emails in Outlook Express.
A patch is available that eliminates this vulnerability as well as
those discussed in Microsoft Security Bulletins MS00-043 and
MS00-046. Customers who already have taken the corrective action
discussed in either of these bulletins do not need to take any
additional action.
Frequently asked questions regarding this vulnerability and the
patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-045.asp
Issue
=====
By design, HTML mail can contain script, and among the actions such a
script can take is to open a browser window that links back to the
Outlook Express windows. Also by design, script in the browser window
could read the HTML mail that is displayed in Outlook Express.
However, a vulnerability results because the link could be made
persistent. This could allow the browser window to retrieve the text
of mails subsequently displayed in the preview pane, and relay it to
the malicious user.
There are several significant restrictions on this vulnerability:
- Only the recipient could open the HTML mail that established
the link.
- The attack would only persist until the user either closed
the browser window that the HTML mail opened, or closed
Outlook Express.
- The malicious user could only read mails that were displayed
in the preview pane. If the preview pane feature were
disabled, he could not read mails under any conditions.
The vulnerability is eliminated in Outlook Express 5.5, and customers
who have installed it do not need to take any additional action.
Outlook Express 5.5 is available as part of Internet Explorer 5.01
Service Pack 1, and, except when installed on Windows 2000, Internet
Explorer 5.5. A patch is available for customers who prefer not to
upgrade to Outlook Express 5.5.
Affected Software Versions
==========================
- Microsoft Outlook Express 4.0
- Microsoft Outlook Express 4.01
- Microsoft Outlook Express 5.0
- Microsoft Outlook Express 5.01
Patch Availability
==================
This vulnerability can be eliminated by taking any of the following
actions:
- Installing the patch available at
http://www.microsoft.com/windows/ie/download/critical/patch9.htm
- Performing a default installation of Internet Explorer 5.01
Service Pack 1,
http://www.microsoft.com/Windows/ie/download/ie501sp1.htm
- Performing a default installation of Internet Explorer 5.5
http://www.microsoft.com/windows/ie/download/ie55.htm
on any system except Windows 2000.
Note: The patch requires IE 4.01 SP2
http://www.microsoft.com/windows/ie/download/ie401sp2.htm or
IE 5.01 http://www.microsoft.com/windows/ie/download/ie501.htm
to install. Customers who install this patch on versions other
than these may receive a message reading "This update does not
need to be installed on this system". This message is incorrect.
More information is available in KB article Q261255.
Note: In addition to eliminating the vulnerability at issue
here, the steps above also eliminate all vulnerabilities
discussed in Microsoft Security Bulletins MS00-043
http://www.microsoft.com/technet/security/bulletin/MS00-043.asp
and MS00-046
http://www.microsoft.com/technet/security/bulletin/MS00-046.asp
Customers who already have taken the corrective action discussed
in either of these bulletins do not need to take any additional
action.
Note: Additional security patches are available at the Microsoft
Download Center http://www.microsoft.com/downloads
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-045,
http://www.microsoft.com/technet/security/bulletin/fq00-045.asp
- Microsoft Knowledge Base article Q261255 discusses this
vulnerability and will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at http://support.microsoft.com/support/contact/default.asp
Revisions
=========
- June 20, 2000: Bulletin Created.
socalgal
07-24-2000, 07:14 PM
-----BEGIN PGP SIGNED MESSAGE-----
Microsoft Security Bulletin (MS00-050)
- --------------------------------------
Patch Available for "Telnet Server Flooding" Vulnerability
Originally Posted: July 24, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in the Telnet Server that ships as part of Microsoft(r)
Windows 2000. The vulnerability could allow a malicious user to
prevent an affected machine from providing Telnet services.
Frequently asked questions regarding this vulnerability and the patch
can be found at http://www.microsoft.com/technet/security/bulletin/fq00-050.asp
Issue
======
A remote denial of service vulnerability has been discovered in the
Telnet Server that ships with Microsoft Windows 2000. The denial of
service can occur when a malicious client sends a particular
malformed string to the server.
Although the Telnet service is provided as part of Windows 2000
products, the service is not enabled by default, and customers who
have not enabled it would not be at risk. Even in affected systems,
the effect of the vulnerability is limited to Telnet itself - there
is no capability to cause other services to fail, or to cause Windows
2000 to fail.
Telnet services could be restored after an attack by restarting the
Telnet Server.
Affected Software Versions
==========================
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
Patch Availability
==================
- Microsoft Windows 2000 All Versions:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=22753
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-050,
http://www.microsoft.com/technet/security/bulletin/fq00-050.asp
- Microsoft Knowledge Base (KB) article, Q267843 discusses this
issue.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Revisions
=========
- July 24, 2000: Bulletin Created.
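Added example, not part of the bulletin or of socalgal's post: MS00-050 is a denial of service triggered by a malformed string sent to the Windows 2000 Telnet Server. The bulletin does not say what the string is, so the C below does not reproduce the flaw; it shows the general defensive shape of a Telnet option-negotiation scanner (IAC sequences per RFC 854/855): every loop iteration advances or exits, no index reaches past the buffer, a sequence truncated by the end of the buffer is left for the next read, and a subnegotiation that never terminates is rejected once it exceeds a size limit instead of being searched for forever. The `MAX_SB_BYTES` limit, the struct and function names, and the sample byte strings are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Telnet command bytes (RFC 854/855). */
enum { TN_SE = 240, TN_SB = 250, TN_WILL = 251, TN_WONT = 252,
       TN_DO = 253, TN_DONT = 254, TN_IAC = 255 };

/* Bound on an unterminated subnegotiation before it is treated as hostile
 * rather than merely incomplete. Constructed value for the example. */
#define MAX_SB_BYTES 64

typedef struct {
    size_t consumed;     /* bytes fully processed; < len means "need more" */
    size_t data_bytes;   /* plain data bytes delivered to the session */
    int negotiations;    /* complete WILL/WONT/DO/DONT option requests */
    int malformed;       /* sequences rejected as malformed */
} telnet_scan;

/* Scan one buffer received from a client. Every path through the loop
 * either advances i or leaves it, so the scan terminates for any input,
 * and no read goes past len. */
telnet_scan telnet_scan_buffer(const uint8_t *buf, size_t len)
{
    telnet_scan r = {0, 0, 0, 0};
    size_t i = 0;
    while (i < len) {
        if (buf[i] != TN_IAC) {             /* ordinary data byte */
            r.data_bytes++;
            i++;
            continue;
        }
        if (i + 1 >= len)                   /* lone IAC at end: wait for more */
            break;
        uint8_t cmd = buf[i + 1];
        if (cmd == TN_IAC) {                /* IAC IAC: escaped 0xFF data byte */
            r.data_bytes++;
            i += 2;
            continue;
        }
        if (cmd >= TN_WILL && cmd <= TN_DONT) {
            if (i + 2 >= len)               /* option byte not yet received */
                break;
            r.negotiations++;
            i += 3;
            continue;
        }
        if (cmd == TN_SB) {                 /* IAC SB ... IAC SE */
            size_t j = i + 2;
            int terminated = 0;
            while (j + 1 < len) {           /* bounded search for IAC SE */
                if (buf[j] == TN_IAC && buf[j + 1] == TN_SE) {
                    terminated = 1;
                    break;
                }
                j++;
            }
            if (terminated) {
                i = j + 2;
                continue;
            }
            if (len - i > MAX_SB_BYTES) {   /* too long to be legitimate */
                r.malformed++;
                i = len;                    /* discard the rest of the buffer */
            }
            break;                          /* otherwise wait for more bytes */
        }
        i += 2;                             /* any other two-byte command */
    }
    r.consumed = i;
    return r;
}

/* Constructed inputs exercising the three edge cases. */
int demo_truncated_negotiation(void)   /* IAC WILL with no option byte */
{
    const uint8_t in[] = { 'o', 'k', TN_IAC, TN_WILL };
    telnet_scan r = telnet_scan_buffer(in, sizeof in);
    return r.consumed == 2 && r.data_bytes == 2 && r.negotiations == 0;
}

int demo_complete_subnegotiation(void) /* IAC SB 24 'x' IAC SE, then IAC DO 1 */
{
    const uint8_t in[] = { TN_IAC, TN_SB, 24, 'x', TN_IAC, TN_SE, TN_IAC, TN_DO, 1 };
    telnet_scan r = telnet_scan_buffer(in, sizeof in);
    return r.consumed == sizeof in && r.negotiations == 1 && r.malformed == 0;
}

int demo_runaway_subnegotiation(void)  /* IAC SB followed by 200 bytes, no SE */
{
    uint8_t in[202];
    in[0] = TN_IAC;
    in[1] = TN_SB;
    memset(in + 2, 'A', 200);
    telnet_scan r = telnet_scan_buffer(in, sizeof in);
    return r.malformed == 1 && r.consumed == sizeof in;
}
```

The two properties worth checking in any such parser are the ones the tests exercise: a truncated sequence is reported as "need more data" rather than read past the buffer, and an unterminated sequence is capped rather than searched indefinitely, so a single client cannot hold the service's thread.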
socalgal
07-26-2000, 07:07 PM
-----BEGIN PGP SIGNED MESSAGE-----
Updated to correct a packaging and regression problem with the
original patch.
Microsoft Security Bulletin (MS00-032)
- --------------------------------------
Patch and Tool Available for "Protected Store Key Length"
Vulnerability
Originally Posted: June 01, 2000
Updated: July 26, 2000
Summary
=======
On June 01, 2000, Microsoft released the original version of this
bulletin. However, an error was subsequently discovered in the patch,
and on July 26, 2000, Microsoft released a corrected version.
Microsoft has released a patch and a tool that eliminate a security
vulnerability in Microsoft(r) Windows(r) 2000. The vulnerability
could make it easier for a malicious user who had complete control
over a Windows 2000 machine to compromise users' sensitive
information.
Frequently asked questions regarding this vulnerability and the patch
can be found at http://www.microsoft.com/technet/security/bulletin/fq00-032.asp
Issue
======
A Protected Store is provided as part of CryptoAPI, in order to
provide secure storage for sensitive information such as private keys
and certificates. By design, the Protected Store should always
encrypt the information using the strongest cryptography available on
the machine. However, the Windows 2000 implementation uses a 40-bit
key to encrypt the Protected Store, even if stronger cryptography is
installed on the machine.
This vulnerability weakens the protection on the Protected Store, but
does not eliminate it. An attacker would need to gain complete
administrative control over the machine that houses the Protected
Store in order to gain access to it, and even then would still need
to mount a brute-force cryptographic attack against it. However,
customers who follow the recommended remediation for this
vulnerability can ensure that such an attack would be significantly
more difficult, if not impossible.
The patch package to eliminate this vulnerability contains a new
version of PSBASE.DLL, the module that provides the Protected Store
functionality, and a tool named Keymigrt.exe. Installing PSBASE.DLL
will ensure that all future additions to the Protected Store are
encrypted using the strongest cryptography available on the machine.
However, the Keymigrt tool also needs to be run, in order to
re-encrypt all items currently in the Protected Store. We recommend
that system administrators place the Keymigrt tool into users' logon
scripts to ensure that the tool is run the next time they log on.
Affected Software Versions
==========================
Windows 2000 Professional
Windows 2000 Server
Windows 2000 Advanced Server
Note: Additional security patches are available at the Microsoft
Download Center.
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-032,
http://www.microsoft.com/technet/security/bulletin/fq00-032.asp
- Microsoft Knowledge Base (KB) article Q260219,
http://www.microsoft.com/technet/support/kb.asp?ID=260219
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at http://support.microsoft.com/support/contact/default.asp
Revisions
=========
- June 01, 2000: Bulletin Created.
- July 26, 2000: Updated to correct a regression and
packaging problem with the original patch.
socalgal
07-27-2000, 07:25 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
-----BEGIN PGP SIGNED MESSAGE-----
Microsoft Security Bulletin (MS00-047)
--------------------------------------
Patch Available for "NetBIOS Name Server Protocol Spoofing"
Vulnerability
Originally Posted: July 27, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in a protocol implemented in Microsoft(r) Windows(r)
systems. It could be used to cause a machine to refuse to respond to
requests for service.
Frequently asked questions regarding this vulnerability and the patch
can be found at http://www.microsoft.com/technet/security/bulletin/fq00-047.asp
Issue
=====
The NetBIOS Name Server (NBNS) protocol, part of the NetBIOS over
TCP/IP (NBT) family of protocols, is implemented in Windows systems
as the Windows Internet Name Service (WINS). By design, NBNS allows
network peers to assist in managing name conflicts. Also by design,
it is an unauthenticated protocol and therefore subject to spoofing.
A malicious user could misuse the Name Conflict and Name Release
mechanisms to cause another machine to conclude that its name was in
conflict. Depending on the scenario, the machine would as a result
either be unable to register a name on the network, or would
relinquish a name it already had registered. The result in either
case would be the same - the machine would not respond to requests
sent to the conflicted name anymore.
If normal security practices have been followed, and port 137 UDP has
been blocked at the firewall, external attacks would not be possible.
A patch is available that changes the behavior of Windows systems in
order to give administrators additional flexibility in managing their
networks. The patch allows administrators to configure a machine to
only accept a name conflict datagram in direct response to a name
registration attempt, and to configure machines to reject all name
release datagrams. This will reduce but not eliminate the threat of
spoofing. Customers needing additional protection may wish to
consider using IPSec in Windows 2000 to authenticate all sessions on
ports 137-139.
Affected Software Versions
==========================
- Microsoft Windows NT 4.0 Workstation
- Microsoft Windows NT 4.0 Server
- Microsoft Windows NT 4.0 Server, Enterprise Edition
- Microsoft Windows NT 4.0 Server, Terminal Server Edition
- Microsoft Windows 2000
Patch Availability
==================
- Windows 2000:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23370
- Windows NT 4.0 Workstation, Server, and Server, Enterprise
Edition: Patch to be released shortly.
- Windows NT 4.0 Server, Terminal Server Edition: Patch to be
released shortly.
Note: Additional security patches are available at the Microsoft
Download Center.
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-047,
http://www.microsoft.com/technet/security/bulletin/fq00-047.asp
- Microsoft Knowledge Base article Q269239 discusses this issue
and will be available soon.
- Protocol Standard for a NetBIOS Service on a TCP/UDP Transport:
Concepts and Methods, RFC 1001.
- Protocol Standard for a NetBIOS Service on a TCP/UDP Transport:
Detailed Specification, RFC 1002.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting
Microsoft Technical Support is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft thanks the following customers for working with us to
protect customers:
COVERT Labs at PGP Security, Inc., for reporting the unsolicited
NetBIOS Name Conflict datagram issue to us.
Sir Dystic of Cult of the Dead Cow for reporting the Name Release
issue to us.
Revisions
=========
- July 27, 2000: Bulletin Created.
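As an added illustration (not part of the bulletin or Microsoft's patch), the following Python monitor parses NBNS datagrams per RFC 1001/1002 and applies the post-patch policy as a detection rule: a Name Release Request for one of this host's names must originate from this host, and a Name Conflict (negative registration response) must match a registration this host actually sent. Host names, addresses and the sample datagrams are constructed.

```python
"""Passive detector for spoofed NBNS Name Release / Name Conflict datagrams.

Added illustration for MS00-047, not Microsoft code. Packet layout follows
RFC 1002 (header flags, first-level name encoding); the host names,
addresses and sample datagrams are constructed.
"""
import struct

OPCODE_REGISTRATION = 0x5
OPCODE_RELEASE = 0x6
RCODE_ACT_ERR = 0x6   # negative registration response: name owned elsewhere
RCODE_CFT_ERR = 0x7   # negative registration response: the Name Conflict Demand
NB_TYPE, IN_CLASS = 0x0020, 0x0001

def encode_name(name, suffix=0x00):
    """RFC 1002 first-level encoding: pad to 15 bytes, append the suffix
    byte, map each nibble to 'A'..'P'; one 32-byte label, no scope."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytearray()
    for b in raw:
        enc += bytes([ord("A") + (b >> 4), ord("A") + (b & 0x0F)])
    return b"\x20" + bytes(enc) + b"\x00"

def decode_name(data, offset):
    """Inverse of encode_name for the label at offset; returns (name, suffix)."""
    if data[offset] != 32 or data[offset + 33] != 0:
        raise ValueError("unsupported NBNS name label")
    enc = data[offset + 1:offset + 33]
    raw = bytes(((enc[i] - 65) << 4) | (enc[i + 1] - 65) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]

def parse_nbns(data):
    """Header fields the rule needs plus the first name (question or answer)."""
    trn_id, flags = struct.unpack("!HH", data[:4])
    name, suffix = decode_name(data, 12)
    return {"trn_id": trn_id, "response": bool(flags & 0x8000),
            "opcode": (flags >> 11) & 0xF, "rcode": flags & 0xF,
            "name": name, "suffix": suffix}

def build_release_request(trn_id, name, addr):
    """NAME RELEASE REQUEST: opcode 6, B (broadcast) flag, one question, one RR."""
    hdr = struct.pack("!HHHHHH", trn_id, (OPCODE_RELEASE << 11) | 0x0010, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", NB_TYPE, IN_CLASS)
    rr = encode_name(name) + struct.pack("!HHIHH4s", NB_TYPE, IN_CLASS, 0, 6, 0, addr)
    return hdr + question + rr

def build_conflict_demand(trn_id, name, addr):
    """NAME CONFLICT DEMAND: registration response, AA set, RCODE CFT_ERR."""
    flags = 0x8000 | (OPCODE_REGISTRATION << 11) | 0x0400 | RCODE_CFT_ERR
    hdr = struct.pack("!HHHHHH", trn_id, flags, 0, 1, 0, 0)
    rr = encode_name(name) + struct.pack("!HHIHH4s", NB_TYPE, IN_CLASS, 0, 6, 0, addr)
    return hdr + rr

class NbnsMonitor:
    """The post-patch policy as a detection rule: a release request for one
    of our names must come from us, and a negative registration response
    must answer a registration we sent (matched on transaction id)."""

    def __init__(self, my_names, my_ip):
        self.my_names = {n.upper() for n in my_names}
        self.my_ip = my_ip
        self.pending = {}   # name -> transaction id of our outstanding registration

    def note_own_registration(self, trn_id, name):
        self.pending[name.upper()] = trn_id

    def inspect(self, src_ip, data):
        """Return alert strings for one inbound datagram; [] if benign."""
        pkt = parse_nbns(data)
        if pkt["name"] not in self.my_names:
            return []
        alerts = []
        if (not pkt["response"] and pkt["opcode"] == OPCODE_RELEASE
                and src_ip != self.my_ip):
            alerts.append("spoofed NAME RELEASE for %s from %s" % (pkt["name"], src_ip))
        if (pkt["response"] and pkt["opcode"] == OPCODE_REGISTRATION
                and pkt["rcode"] in (RCODE_ACT_ERR, RCODE_CFT_ERR)
                and self.pending.get(pkt["name"]) != pkt["trn_id"]):
            alerts.append("unsolicited NAME CONFLICT for %s from %s" % (pkt["name"], src_ip))
        return alerts

if __name__ == "__main__":
    mon = NbnsMonitor(["WORKSTN1"], "10.0.0.5")     # constructed host and address
    rogue = bytes([10, 0, 0, 99])
    print(mon.inspect("10.0.0.99", build_release_request(0x1234, "WORKSTN1", rogue)))
    print(mon.inspect("10.0.0.99", build_conflict_demand(0x0042, "WORKSTN1", rogue)))
```

The same rule applied at a network sensor (watching UDP 137 for the whole segment) complements the firewall block the bulletin recommends, because it catches spoofing that originates inside the perimeter.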
socalgal
07-28-2000, 09:59 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
-----BEGIN PGP SIGNED MESSAGE-----
Microsoft Security Bulletin (MS00-052)
--------------------------------------
Patch Available for "Relative Shell Path" Vulnerability
Originally posted: July 28, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Windows NT(r) 4.0 and Windows(r) 2000.
Under certain conditions, the vulnerability could enable a malicious
user to cause code of his choice to run when another user
subsequently logged onto the same machine.
Frequently asked questions regarding this vulnerability
and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-052.asp
Issue
=====
The registry entry that specifies the Windows Shell executable
(Explorer.exe) provides a relative, rather than absolute, path name.
(As discussed in the FAQ, it does this because of legacy application
compatibility concerns). Because of the circumstances in place at
system startup time, the normal search order would cause any file
named Explorer.exe in the %Systemdrive%\ directory to be loaded in
place of the bona fide version. This could provide an opportunity for
a malicious user to cause code of his choice to run when another user
subsequently logged onto the same machine.
Under normal conditions, the malicious user could only exploit this
vulnerability on machines that he could interactively log onto. As a
result, workstations and terminal servers would be the machines
primarily at risk. If standard security recommendations have been
followed, normal users will not be given permission to interactively
log onto security-critical machines such as domain controllers,
print/file servers, ERP servers, web servers, and so forth.
Affected Software Versions
==========================
- Microsoft Windows NT 4.0 Workstation
- Microsoft Windows NT 4.0 Server
- Microsoft Windows NT 4.0 Server, Enterprise Edition
- Microsoft Windows NT 4.0 Server, Terminal Server Edition
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
Patch Availability
==================
- Microsoft Windows NT 4.0 Workstation, Windows NT 4.0 Server,
and Windows NT 4.0 Server, Enterprise Edition:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23360
- Microsoft Windows NT 4.0 Server, Terminal Server Edition patches
will be available soon.
- Microsoft Windows 2000 Professional, Server, and Advanced Server:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23359
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-052,
http://www.microsoft.com/technet/security/bulletin/fq00-052.asp
- Microsoft Knowledge Base (KB) article Q269049,
http://www.microsoft.com/technet/support/kb.asp?ID=269049
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Revisions
=========
- July 28, 2000: Bulletin Created.
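An added audit check in Python, not Microsoft's patch: it models the start-up search order the bulletin describes (the system-drive root consulted before %SystemRoot%) and flags a relative Shell value or a stray Explorer.exe at the drive root. The directory tree is constructed in a temporary folder; reading the actual registry value is left to the caller.

```python
"""Audit for the relative Shell value described in MS00-052.

Added illustration, not Microsoft's patch. The search order below is a
model of what the bulletin describes; the directory tree is constructed
in a temporary folder so the check runs on any platform.
"""
import os
import shutil
import tempfile

SHELL_NAME = "Explorer.exe"

def resolve_shell(shell_value, search_dirs):
    """File a loader walking search_dirs would pick for a relative shell
    name, or the configured absolute path itself if one is set."""
    if os.path.isabs(shell_value):
        return shell_value if os.path.isfile(shell_value) else None
    for directory in search_dirs:
        candidate = os.path.join(directory, shell_value)
        if os.path.isfile(candidate):
            return candidate
    return None

def audit_shell(shell_value, system_drive, system_root):
    """Findings a defender would act on: a relative Shell value, a stray
    Explorer.exe at the system-drive root, and a resolution that lands
    anywhere other than %SystemRoot%."""
    findings = []
    if not os.path.isabs(shell_value):
        findings.append("Shell value is a relative path: %s" % shell_value)
    stray = os.path.join(system_drive, SHELL_NAME)
    if os.path.isfile(stray):
        findings.append("unexpected %s at system drive root: %s" % (SHELL_NAME, stray))
    # Model of the start-up order: %SystemDrive%\ is searched before %SystemRoot%.
    resolved = resolve_shell(shell_value, [system_drive, system_root])
    if resolved and os.path.normcase(os.path.dirname(resolved)) != os.path.normcase(system_root):
        findings.append("shell would load from outside %%SystemRoot%%: %s" % resolved)
    return findings

def demo():
    """Constructed scenario: a temp dir stands in for %SystemDrive%\\ and a
    WINNT subfolder for %SystemRoot%. Returns the findings for each case."""
    drive = tempfile.mkdtemp()
    root = os.path.join(drive, "WINNT")
    os.makedirs(root)
    open(os.path.join(root, SHELL_NAME), "wb").close()      # the genuine shell
    try:
        results = {"relative_clean": audit_shell(SHELL_NAME, drive, root)}
        open(os.path.join(drive, SHELL_NAME), "wb").close()  # stray copy at the root
        results["relative_stray"] = audit_shell(SHELL_NAME, drive, root)
        results["absolute_stray"] = audit_shell(os.path.join(root, SHELL_NAME), drive, root)
    finally:
        shutil.rmtree(drive)
    return results

if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, findings)
```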
socalgal
08-02-2000, 04:32 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
-----BEGIN PGP SIGNED MESSAGE-----
Microsoft Security Bulletin (MS00-053)
--------------------------------------
Patch Available for "Service Control Manager Named Pipe
Impersonation" Vulnerability
Originally posted: August 02, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Windows 2000(r). The vulnerability
could allow a user logged onto a Windows 2000 machine from the
keyboard to become an administrator on the machine.
Frequently asked questions regarding this vulnerability
and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-053.asp
Issue
=====
The Service Control Manager (services.exe) is an administrative tool
provided in Windows 2000 that allows system services (Server,
Workstation, Alerter, ClipBook, etc.) to be created or modified. The
SCM creates a named pipe for each service as it starts; however,
should a malicious program predict and create the named pipe for a
specific service before the service starts, the program could
impersonate the privileges of the service. This could allow the
malicious program to run in the context of the given service, with
either specific user or LocalSystem privileges.
The primary risk from this vulnerability is that a malicious user
could exploit this vulnerability to gain additional privileges on
the local machine. A malicious user would require the ability to log
onto the target machine interactively and run arbitrary programs in
order to exploit this vulnerability, and as a result, workstations
and terminal servers would be at greatest risk.
Affected Software Versions
==========================
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
Patch Availability
==================
- Windows 2000:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23432
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-053,
http://www.microsoft.com/technet/security/bulletin/fq00-053.asp
- Microsoft Knowledge Base article Q269523 discusses this issue
and will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting
Microsoft Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft thanks the R&D department of Guardent (http://www.guardent.com)
for reporting this issue to us and working with us to protect
customers.
Revisions
=========
- August 02, 2000: Bulletin Created.
socalgal
08-03-2000, 08:13 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
-----BEGIN PGP SIGNED MESSAGE-----
Microsoft Security Bulletin (MS00-054)
--------------------------------------
Patch Available for "Malformed IPX Ping Packet" Vulnerability
Date Published: August 03, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Windows 95, 98 and 98 Second Edition.
The vulnerability could be used to cause an affected system to fail,
and depending on the number of affected machines on a network,
potentially could be used to flood the network with superfluous
data. The affected system component generally is present only if it
has been deliberately installed.
Frequently asked questions regarding this vulnerability and
the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-054.asp
Issue
=====
The Microsoft IPX/SPX protocol implementation (NWLink) supports the
IPX Ping command via the diagnostic port 0x456. Because of a flaw in
the implementation of the protocol in Windows 95, Windows 98 and
Windows 98 Second Edition, NWLink in these systems will respond to
an IPX ping packet even when the source network address has been
purposely modified to a broadcast address. This would give a
malicious user an opportunity to launch an attack by broadcasting a
single ping request - each affected machine that received the ping
would respond to it, potentially resulting in a broadcast storm. In
a large network, this could temporarily swamp the network's
bandwidth. In addition, upon seeing its own response, each affected
machine would attempt to process it, triggering a scenario that
would culminate in the machine's failure. A machine that failed due
to this vulnerability could be put back into service by rebooting.
IPX is not installed by default in Windows 98 and 98 Second Edition,
and is only installed by default in Windows 95 if there is a network
card present in the machine at installation time. Even when IPX is
installed, a malicious user's ability to exploit this vulnerability
would depend on whether he could deliver a Ping packet to an affected
machine. Routers frequently are configured to drop IPX packets, and
if such a router lay between the malicious user and an affected
machine, he could not attack it. Routers on the Internet, as a rule,
do not forward IPX packets, and this would tend to protect intranets
from outside attack, as well as protecting machines connected to the
Internet via dial-up connections. As discussed in the FAQ, the most
likely scenario in which this vulnerability could be exploited would
be one in which a malicious user on an intranet would attack
affected machines on the same intranet, or one in which a malicious
user on the Internet attacked affected machines on his cable modem or
DSL subnet.
Affected Software Versions
==========================
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98 Second Edition
Patch Availability
==================
- Microsoft Windows 95:
http://download.microsoft.com/download/win95/Update/8982/
W95/EN-US/265334US5.EXE
- Microsoft Windows 98 and Windows 98 Second Edition:
http://download.microsoft.com/download/win98/Update/8982/
W98/EN-US/265334USA8.EXE
Note: Line breaks have been inserted into the URLs above for
readability.
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-054,
http://www.microsoft.com/technet/security/bulletin/fq00-054.asp
- Microsoft Knowledge Base article Q265334 discusses this issue and
will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting
Microsoft Technical Support is available at http://support.microsoft.com/support/contact/default.asp
Revisions
=========
- August 03, 2000: Bulletin Created.
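An added Python illustration, not NWLink code, of the source-address check a hardened responder applies on diagnostic socket 0x456: parse the 30-byte IPX header and refuse to answer a ping whose source node is the broadcast address, a null address, or this host itself. Node addresses, the packet type value and the sample capture are constructed.

```python
"""Source-address validation for IPX diagnostic (ping) requests.

Added illustration for MS00-054, not Microsoft's NWLink code. The 30-byte
IPX header layout is the standard one and socket 0x456 comes from the
bulletin; node addresses, the packet type value and the sample capture
are constructed.
"""
import struct

IPX_HEADER = struct.Struct("!HHBB4s6sH4s6sH")   # 30 bytes, network byte order
DIAG_SOCKET = 0x0456
BROADCAST_NODE = b"\xff" * 6
NULL_NODE = b"\x00" * 6

def parse_ipx(data):
    """Split the fixed header; payload length comes from the header field."""
    if len(data) < IPX_HEADER.size:
        raise ValueError("truncated IPX packet")
    (_checksum, length, hops, ptype, dst_net, dst_node, dst_socket,
     src_net, src_node, src_socket) = IPX_HEADER.unpack(data[:IPX_HEADER.size])
    return {"length": length, "hops": hops, "type": ptype,
            "dst_net": dst_net, "dst_node": dst_node, "dst_socket": dst_socket,
            "src_net": src_net, "src_node": src_node, "src_socket": src_socket,
            "payload": data[IPX_HEADER.size:length]}

def build_ipx(src_node, dst_node, dst_socket, src_socket=0x4000,
              net=b"\x00\x00\x00\x01", ptype=4, payload=b""):
    """Constructed datagram; checksum 0xFFFF means 'not used', as on IPX."""
    length = IPX_HEADER.size + len(payload)
    return IPX_HEADER.pack(0xFFFF, length, 0, ptype, net, dst_node, dst_socket,
                           net, src_node, src_socket) + payload

def classify_diag_request(pkt, own_node):
    """What a hardened responder does with a packet on the diagnostic socket.
    The flaw in the bulletin is answering regardless of source: a reply to
    a broadcast source is itself a broadcast that every affected host,
    including the replier, then tries to process."""
    if pkt["dst_socket"] != DIAG_SOCKET:
        return "ignore: not a diagnostic request"
    if pkt["src_node"] == BROADCAST_NODE:
        return "drop: broadcast source node"
    if pkt["src_node"] == NULL_NODE:
        return "drop: null source node"
    if pkt["src_node"] == own_node:
        return "drop: source is this host (loop)"
    return "answer"

def audit(packets, own_node):
    """Run the decision over captured datagrams. Returns (verdicts, storm_risk),
    where storm_risk counts requests a pre-patch host would have answered
    towards a broadcast address."""
    verdicts = [classify_diag_request(parse_ipx(p), own_node) for p in packets]
    storm_risk = sum(v.startswith("drop: broadcast") for v in verdicts)
    return verdicts, storm_risk

if __name__ == "__main__":
    me = bytes.fromhex("00a0c9112233")      # constructed node addresses
    peer = bytes.fromhex("00a0c9445566")
    sample = [
        build_ipx(peer, BROADCAST_NODE, DIAG_SOCKET),            # ordinary ping
        build_ipx(BROADCAST_NODE, BROADCAST_NODE, DIAG_SOCKET),  # malformed source
        build_ipx(me, BROADCAST_NODE, DIAG_SOCKET),              # own reply echoed back
        build_ipx(peer, me, 0x0451),                             # some other socket
    ]
    print(audit(sample, me))
```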
socalgal
08-09-2000, 08:32 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
-----BEGIN PGP SIGNED MESSAGE-----
We are re-releasing this bulletin to notify our customers of an
available patch for the "IE Script" vulnerability described in the
bulletin. We also recommend that all users consider installing the
patch for both issues described here if they are running any of the
affected products.
----------------------------------------
Microsoft Security Bulletin (MS00-049)
--------------------------------------
Patches Available for "Office HTML Script" and "IE Script"
Vulnerabilities
Originally Posted: July 13, 2000
Re-released: August 09, 2000
Summary
=======
On July 13, 2000, Microsoft released the original version of this
bulletin. It provided a patch to eliminate a security vulnerability
in Microsoft(r) Office 2000 and PowerPoint 97, and a workaround to
protect against a vulnerability in Internet Explorer. On August 09,
2000, the bulletin was re-released to announce the availability of a
patch for the vulnerability in Internet Explorer.
The effect of both vulnerabilities is the same -- they could allow a
malicious web site operator to cause code of his choice to run on the
computer of a visiting user.
Frequently asked questions regarding this vulnerability and the patch
can be found at http://www.microsoft.com/technet/security/bulletin/fq00-049.asp
Issue
=====
Two vulnerabilities have recently been discovered, one affecting
Microsoft Office 2000 and PowerPoint 97, and the other affecting
Internet Explorer 4.01 Service Pack 2 and higher. Although they
involve different products, the effect, risk and exploit scenario are
exactly the same. As a result, we have chosen to discuss them in the
same bulletin. The vulnerabilities are:
The "Office Script" vulnerability. This vulnerability could allow
script hosted on a malicious user's web site to save an Excel 2000,
PowerPoint 2000, or PowerPoint 97 file to the computer of a visiting
user. Depending on where and how the file were saved to the user's
computer, it could be made to launch automatically. If this were
done, macro or VBA code could be made to run.
The "IE Script" vulnerability. This vulnerability could allow script
hosted on a malicious user's web site to reference a Microsoft Access
file on the site. In turn, the Access file, when opened, could cause
macro or VBA code to run.
Affected Software Versions
==========================
The Office HTML Script vulnerability affects the following Office
products when used in conjunction with Internet Explorer 4.x or 5.x:
- Microsoft Excel 2000
- Microsoft PowerPoint 2000
- Microsoft PowerPoint 97
The IE Script vulnerability affects Internet Explorer 4.01 SP2 and
higher, when Microsoft Access 97 or Access 2000 is present on the
user machine.
Patch Availability
==================
Office HTML Script vulnerability:
- Microsoft Excel 2000 and PowerPoint 2000:
- http://officeupdate.microsoft.com/2000/downloaddetails/Addinsec.htm
- Microsoft PowerPoint 97:
- http://officeupdate.microsoft.com/downloaddetails/PPt97sec.htm
Note: The patch for the IE Script vulnerability also eliminates a
number of other security vulnerabilities. Please see Microsoft
Security Bulletin MS00-055 for more information.
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-049,
http://www.microsoft.com/technet/security/bulletin/fq00-049.asp
- Microsoft Knowledge Base (KB) articles:
Q268365 (Excel 2000), Q268457 (PowerPoint 2000), and Q268477
(PowerPoint 97) discuss "The Office HTML Script" vulnerability.
- The Microsoft Office Update Site, http://officeupdate.microsoft.com
- Knowledge Base (KB) article Q269368 explaining the "IE Script"
Vulnerability in more detail will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Revisions
=========
- July 13, 2000: Bulletin Created.
- August 09, 2000: Bulletin updated to advise availability of a patch
for the "IE Script" vulnerability.
socalgal
08-09-2000, 08:35 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
-----BEGIN PGP SIGNED MESSAGE-----
Microsoft Security Bulletin (MS00-055)
--------------------------------------
Patch Available for "Scriptlet Rendering" Vulnerability
Originally Posted: August 09, 2000
Summary
=======
Microsoft has released a patch that eliminates two security
vulnerabilities in Microsoft(r) Internet Explorer. The
vulnerabilities could allow a malicious web site operator to read -
but not add, change, or delete - files on the computer of a visiting
user.
As discussed in the Patch Availability section below, this patch also
provides protection against several security vulnerabilities that
have been discussed in previous security bulletins. We have delivered
a comprehensive patch in order to minimize the number of patches
customers need to apply.
Frequently asked questions regarding this vulnerability
and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-055.asp
Issue
=====
There are two vulnerabilities at issue here:
- The "Scriptlet Rendering" vulnerability. The ActiveX
control that is used to invoke scriptlets is essentially
a rendering engine for HTML. However, it will render any
file type, rather than rendering HTML files only. This
opens the door to a scenario in which a malicious web
site operator could provide bogus information consisting
of script, solely for the purpose of introducing it into
an IE system file with a known name, then use the
Scriptlet control to render the file. The net effect
would be to make the script run in the Local Computer
Zone, at which point it could access files on the user's
local file system.
- A new variant of the "Frame Domain Verification"
vulnerability. As discussed in Microsoft Security Bulletin
MS00-033, two functions do not enforce proper separation
of frames in the same window that reside in different
domains. The new variant involves an additional function
with the same flaw. The net effect of the vulnerability
would be to enable a malicious web site operator to open
two frames, one in his domain and another on the user's
local file system, and enable the latter to pass information
to the former.
In order to exploit either vulnerability, a malicious web site
operator would need to know or guess the exact name and path of each
file he wanted to view. Even then, he could only view file types that
can be opened in a browser window - for instance, .txt or .doc files,
but not .exe or .dat files. If the web site were in a Zone in which
Active Scripting were disabled, neither vulnerability could be
exploited.
Affected Software Versions
==========================
- Microsoft Internet Explorer 4.x
- Microsoft Internet Explorer 5.x
Note: In addition to eliminating the two vulnerabilities discussed
above, this patch also protects against several previously-discussed
vulnerabilities. Customers who apply this patch will also be
protected against the vulnerabilities discussed in the following
Security Bulletins:
- Microsoft Security Bulletin MS00-033
- Microsoft Security Bulletin MS00-039
- Microsoft Security Bulletin MS00-049
In addition, for IE 5.5 systems only, this patch also eliminates the
vulnerability discussed in Microsoft Security Bulletin MS00-042.
Note: Customers who install this patch on versions other than IE
5.01, IE 5.01 SP1, or IE 5.5 may receive a message reading "This
update does not need to be installed on this system". This message is
incorrect. More information is available in KB article Q266336.
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-055,
http://www.microsoft.com/technet/security/bulletin/fq00-055.asp
- Microsoft Knowledge Base article Q266336 discusses this issue
and will be available soon.
- Microsoft Security Bulletin MS00-033,
Patch Available for "Frame Domain Verification", "Unauthorized
Cookie Access", and "Malformed Component Attribute"
Vulnerabilities,
http://www.microsoft.com/technet/security/bulletin/ms00-033.asp
- Microsoft Security Bulletin MS00-039,
Patch Available for "SSL Certificate Validation" Vulnerabilities,
http://www.microsoft.com/technet/security/bulletin/ms00-039.asp
- Microsoft Security Bulletin MS00-042,
Patch Available for "Active Setup Download" Vulnerability,
http://www.microsoft.com/technet/security/bulletin/ms00-042.asp
- Microsoft Security Bulletin MS00-049,
Patches Available for "Office HTML" and "IE Script" Security
Vulnerabilities,
http://www.microsoft.com/technet/security/bulletin/ms00-049.asp
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft thanks Juan Carlos Garcia Cuartango of Spain
(http://www.kriptopolis.com) for reporting the "Scriptlet Rendering" issue
to us and working with us to protect customers.
Revisions
=========
- August 09, 2000: Bulletin Created.
socalgal
08-09-2000, 08:37 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
-----BEGIN PGP SIGNED MESSAGE-----
Microsoft Security Bulletin (MS00-056)
--------------------------------------
Patch Available for "Microsoft Office HTML Object Tag" Vulnerability
Originally posted: August 09, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in certain Microsoft(r) Office 2000 products. The
vulnerability could allow a user to construct a HyperText Markup
Language (HTML) file that, when read, would crash a Microsoft Office
2000 application or potentially run arbitrary or malicious code.
Frequently asked questions regarding this vulnerability and
the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-056.asp
Issue
=====
Microsoft Office 2000 applications are capable of reading HTML files
saved as Office documents. A malformed data object tag embedded in
one of these documents could cause the Office application to crash
and allow arbitrary code to be executed.
In order for this behavior to occur, a malicious user would need to
entice a user into opening the malformed Office document. Word 2000
users can protect themselves from opening malformed HTML documents
within Word by disabling "Confirm conversion at Open" from the
Tools-Options-General tab. In addition, Outlook users who have
applied the Outlook Security Update will be prompted before opening
web hosted or mail-borne Office documents.
Affected Software Versions
==========================
- Microsoft Word 2000
- Microsoft Excel 2000
- Microsoft PowerPoint 2000
(These products ship as part of the Office 2000 suite and as
stand-alone products)
Note: Previous versions of these products are not affected by this
vulnerability.
Note: Office 2000 products other than those specifically listed above
are not affected by this vulnerability.
Patch Availability
==================
- Microsoft Word 2000, Excel 2000, PowerPoint 2000:
http://officeupdate.microsoft.com/2000/downloadDetails/Of9data.htm
Note: Office 2000 SR-1 is required before this patch can be applied.
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-056,
http://www.microsoft.com/technet/security/bulletin/fq00-056.asp
- Microsoft Knowledge Base (KB) article Q269880,
http://www.microsoft.com/technet/support/kb.asp?ID=269880
- Microsoft TechNet Security website,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft thanks Jesper M. Johansson for reporting this issue to us
and working with us to protect customers.
Revisions
=========
- August 09, 2000: Bulletin Created.
socalgal
08-10-2000, 05:09 PM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
-----BEGIN PGP SIGNED MESSAGE-----
Microsoft Security Bulletin (MS00-057)
--------------------------------------
Patch Available for "File Permission Canonicalization" Vulnerability
Originally posted: August 10, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Internet Information Server. Under very
restricted conditions, the vulnerability could allow a malicious user
to gain additional permissions to certain types of files hosted on a
web server.
Frequently asked questions regarding this vulnerability and the patch
can be found at http://www.microsoft.com/technet/security/bulletin/fq00-057.asp
Issue
=====
A canonicalization error can, under certain conditions, cause IIS 4.0
or 5.0 to apply incorrect permissions to certain types of files. If
an affected file residing in a folder with restrictive permissions
were requested via a particular type of malformed URL, the
permissions actually used would be those of a folder in the file's
parentage chain, but not those of the folder the file actually
resides in. If the ancestor folder's permissions were more permissive
than those of the correct folder, the malicious user would gain
additional privileges to the affected file.
The vulnerability is subject to several significant restrictions:
- It only affects CGI scripts and file types that are implemented
via ISAPI extensions. It does not affect static web page or
non-web file types such as .exe, .doc or .bat
- It only affects servers that expose a web folder structure that
mirrors the physical folder structure on the server.
- It does not allow arbitrary permissions to be selected, only
permissions present on an ancestor folder
- It provides no way to enumerate the server and locate files that
could be affected by the vulnerability.
Affected Software Versions
==========================
- Microsoft Internet Information Server 4.0
- Microsoft Internet Information Server 5.0
Patch Availability
==================
- Microsoft Internet Information Server 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23667
- Microsoft Internet Information Server 5.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23665
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-057,
http://www.microsoft.com/technet/security/bulletin/fq00-057.asp
- Microsoft Knowledge Base article Q269862 discusses this issue and
will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft thanks Burt Abreu & Søren Skov of VBExplorer.com for
reporting this issue to us and working with us to protect customers.
Revisions
=========
August 10, 2000: Bulletin Created.
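The permission lookup the bulletin describes, modelled as an added Python example (not IIS code and not Microsoft's): a string-keyed ACL table, a naive lookup that uses the raw request path and so falls through to an ancestor folder's entry, and a hardened lookup that decodes and canonicalizes the path before looking up the folder the file actually resides in. The ACL table, folder names, file name and the non-canonical request spellings are all constructed; the actual IIS defect and the malformed URL it involved are not reproduced.

```python
"""Added illustration of a canonicalization error in per-folder permission
lookup. Constructed model of the bug class MS00-057 describes; it is not
IIS's code path and does not reproduce the actual malformed URL."""
import posixpath
from urllib.parse import unquote

# Constructed ACL table: web folder -> permissions granted to the requester.
# The file we care about lives in a folder that forbids reading its source.
ACL = {
    "/": {"read", "execute"},
    "/scripts": {"read", "execute"},
    "/scripts/private": {"execute"},
}


def _ancestors(folder):
    """Yield folder, its parent, ... up to "/" by plain string chopping."""
    while True:
        yield folder
        if folder == "/":
            return
        parent = folder.rpartition("/")[0]
        folder = parent or "/"


def _lookup(folder):
    """Most specific ACL entry on the chain from folder up to the root."""
    for candidate in _ancestors(folder):
        if candidate in ACL:
            return ACL[candidate]
    return set()


def effective_permissions_naive(url_path):
    """Buggy: keys the lookup on the raw request path. A non-canonical
    spelling of the folder never matches its own ACL entry, so the walk
    falls through to an ancestor's entry, which is the failure mode the
    bulletin describes (permissions of a folder in the parentage chain)."""
    folder = url_path.rpartition("/")[0] or "/"
    return _lookup(folder)


def canonical_path(url_path):
    """Decode once, then normalise: collapses "." segments, repeated
    slashes and ".." (which posixpath.normpath drops at the root)."""
    decoded = unquote(url_path)
    # Re-root after stripping leading slashes: posixpath.normpath keeps
    # exactly two leading slashes ("//a" stays "//a"), which would again
    # leave the lookup key different from the ACL entry.
    return posixpath.normpath("/" + decoded.lstrip("/"))


def effective_permissions_fixed(url_path):
    """Hardened: canonicalise first, then look up the folder the file
    actually resides in. Falling back to a parent is now genuine
    inheritance, not a lookup miss."""
    return _lookup(posixpath.dirname(canonical_path(url_path)))


def lookup_disagrees(url_path):
    """Regression check: True when the raw-path and canonical lookups
    would grant different permissions for the same file."""
    return effective_permissions_naive(url_path) != effective_permissions_fixed(url_path)


if __name__ == "__main__":
    for req in ("/scripts/private/report.cgi",   # canonical spelling
                "/scripts//private/report.cgi",  # constructed non-canonical spellings
                "/scripts/./private/report.cgi",
                "//scripts/private/report.cgi"):
        print(f"{req:32} naive={sorted(effective_permissions_naive(req))}"
              f" fixed={sorted(effective_permissions_fixed(req))}")
```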
socalgal
08-10-2000, 07:26 PM
Due to a typographical error, the original version of this Bulletin
stated that Word 2000 users who have not applied this patch could
protect themselves by "disabling" Confirm conversion on Open. This
should have read "enabling". We are re-releasing this Bulletin to
correct this error.
=============================================
Microsoft Security Bulletin (MS00-056)
---------------------------------------
Patch Available for "Microsoft Office HTML Object Tag" Vulnerability
Originally posted: August 09, 2000
Re-released: August 10, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in certain Microsoft (r) Office 2000 products. The
vulnerability could allow a user to construct a HyperText Markup
Language (HTML) file that, when read, would crash a Microsoft Office
2000 application or potentially run arbitrary or malicious code.
Frequently asked questions regarding this vulnerability and the patch
can be found at http://www.microsoft.com/technet/security/bulletin/fq00-056.asp
Issue
=====
Microsoft Office 2000 applications are capable of reading HTML files
saved as Office documents. A malformed data object tag embedded in
one of these documents could cause the Office application to crash
and allow arbitrary code to be executed.
In order for this behavior to occur, a malicious user would need to
entice a user into opening the malformed Office document. Word 2000
users can protect themselves from opening malformed HTML documents
within Word by enabling "Confirm conversion at Open" from the
Tools-Options-General tab. In addition, Outlook users who have
applied the Outlook Security Update will be prompted before opening
web hosted or mail-borne Office documents.
Affected Software Versions
==========================
- Microsoft Word 2000
- Microsoft Excel 2000
- Microsoft PowerPoint 2000
(These products ship as part of the Office 2000 suite and as
stand-alone products)
Note: Previous versions of these products are not affected by this
vulnerability.
Note: Office 2000 products other than those specifically listed above
are not affected by this vulnerability.
Patch Availability
==================
- Microsoft Word 2000, Excel 2000, PowerPoint 2000:
http://officeupdate.microsoft.com/2000/downloadDetails/Of9data.htm
Note: Office 2000 SR-1 is required before this patch can be applied.
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-056,
http://www.microsoft.com/technet/security/bulletin/fq00-056.asp
- Microsoft Knowledge Base (KB) article Q269880
http://www.microsoft.com/technet/support/kb.asp?ID=269880
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft thanks Jesper M. Johansson for reporting this issue to us
and working with us to protect customers.
Revisions
=========
- August 09, 2000: Bulletin Created.
- August 10, 2000: Bulletin updated to change 'disabling'
to 'enabling' in the second paragraph under Issue.
socalgal
08-14-2000, 08:45 PM
Microsoft Security Bulletin (MS00-058)
--------------------------------------
Patch Available for "Specialized Header" Vulnerability
Originally posted: August 14, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in Internet Information Server that ships with
Microsoft(r) Windows 2000. Under certain conditions, the
vulnerability could cause a web server to send the source code of
certain types of web files to a visiting user.
Frequently asked questions regarding this vulnerability and the patch
can be found at http://www.microsoft.com/technet/security/bulletin/fq00-058.asp
Issue
=====
If an IIS server receives a file request that contains a specialized
header as well as one of several particular characters at the end,
the expected ISAPI extension processing may not occur. The result is
that the source code of the file would be sent to the browser.
It is important to note that normal security recommendations militate
strongly against ever including sensitive information in .ASP files
and, if these recommendations have been followed, there would be no
sensitive information to compromise. The specialized header at issue
here cannot be created via a standard Internet browser, so the
request would need to be created by an alternate method.
Affected Software Versions
==========================
- Microsoft Internet Information Server 5.0
Note: This vulnerability is eliminated by installing Windows 2000
Service Pack 1 http://www.microsoft.com/windows2000/downloads/recommended/sp1/
We recommend that customers apply SP1 as the preferred option for
eliminating this vulnerability, as it has been fully regression
tested and includes fixes for additional issues.
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-058,
http://www.microsoft.com/technet/security/bulletin/fq00-058.asp
- Microsoft Knowledge Base article Q256888 discusses this issue
and will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Revisions
=========
August 14, 2000: Bulletin Created.
socalgal
08-21-2000, 10:46 PM
Microsoft Security Bulletin (MS00-059)
--------------------------------------
Patch Available for "Java VM Applet" Vulnerability
Originally posted: August 21, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in the Microsoft(r) virtual machine (Microsoft VM). If
a malicious web site operator were able to coax a user into visiting
his site, the vulnerability could allow him to masquerade as the
user, visit other sites using his identity, and relay the information
back to his site.
Frequently asked questions regarding this vulnerability and the patch
can be found at http://www.microsoft.com/technet/security/bulletin/fq00-059.asp
Issue
=====
The Microsoft VM is a virtual machine for the Win32(r) operating
environment. It runs atop Microsoft Windows(r) 95, 98, or Windows
NT(r), or Windows 2000. It ships as part of each operating system,
and also as part of Microsoft Internet Explorer. The version of the
Microsoft VM that ships with Microsoft Internet Explorer 4.x and
Internet Explorer 5.x contains a security vulnerability that could
allow a Java applet to operate outside the bounds set by the sandbox.
By design, an applet should only be able to communicate with the web
site that hosted it. However, this vulnerability would allow an
applet to bypass this restriction. If a user visited a web site
operated by a malicious user, the site could start an applet that
would be able to establish a connection with another web site and
forward any information from the web session to the malicious user's
site.
The session would be established in the guise of the visiting user,
rather than that of the malicious user. Thus, the vulnerability could
be used to access an intranet site located behind a firewall, access
information in the guise of the user, and relay it to the malicious
user. The only prerequisite is that the malicious user would need to
know or guess the name of the intranet site. Although the applet
would be able to make use of the user's credentials to authenticate
to the site, this vulnerability would not provide a
way to compromise them.
Affected Software Versions
==========================
Versions of the Microsoft VM are identified by build numbers, which
can be determined using the JVIEW tool, as discussed in the FAQ. The
following builds of the Microsoft VM are affected:
- All builds in the 2000 series.
- All builds in the 3100 series.
- All builds in the 3200 series.
- All builds in the 3300 series.
Patch Availability
==================
- All 2000 series Microsoft VM customers:
Install Microsoft VM build 2446
- All 3100 series Microsoft VM customers:
Upgrade to build 3309 and install the 3314 security patch
- 3200 series Microsoft VM customers should do one of the following:
All 3200 builds:
Upgrade to build 3309 and install the 3314 security patch
Builds 3229-3234:
Install the security patch from Bulletin MS00-011 before installing
this new 3314 security patch
Build 3240:
Install the 3314 security patch
- All 3300 series Microsoft VM customers should install the 3314
security patch
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-059,
http://www.microsoft.com/technet/security/bulletin/fq00-059.asp
- Microsoft Knowledge Base (KB) article Q271752 (available soon),
discusses this issue in more detail.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Revisions
=========
August 21, 2000: Bulletin Created.
socalgal
08-22-2000, 06:06 PM
Re-releasing to include the links for the patches to our mailing
list. The links are live on our website, but we have had numerous
inquiries about including them with this mailing. We would highly
recommend that all our customers use http://www.microsoft.com/technet/security/bulletin
as the main source of information for any of our bulletins sent
through this list.
Revision dates have not been changed since the original bulletin on
our security site has not been modified. We only updated the mailing
list version to include the links already referenced on our site.
=============================================
Microsoft Security Bulletin (MS00-059)
--------------------------------------
Patch Available for "Java VM Applet" Vulnerability
Originally posted: August 21, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in the Microsoft(r) virtual machine (Microsoft VM). If
a malicious web site operator were able to coax a user into visiting
his site, the vulnerability could allow him to masquerade as the
user, visit other sites using his identity, and relay the information
back to his site.
Frequently asked questions regarding this vulnerability and the patch
can be found at http://www.microsoft.com/technet/security/bulletin/fq00-059.asp
Issue
=====
The Microsoft VM is a virtual machine for the Win32(r) operating
environment. It runs atop Microsoft Windows(r) 95, 98, or Windows
NT(r), or Windows 2000. It ships as part of each operating system,
and also as part of Microsoft Internet Explorer. The version of the
Microsoft VM that ships with Microsoft Internet Explorer 4.x and
Internet Explorer 5.x contains a security vulnerability that could
allow a Java applet to operate outside the bounds set by the sandbox.
By design, an applet should only be able to communicate with the web
site that hosted it. However, this vulnerability would allow an
applet to bypass this restriction. If a user visited a web site
operated by a malicious user, the site could start an applet that
would be able to establish a connection with another web site and
forward any information from the web session to the malicious user's
site.
The session would be established in the guise of the visiting user,
rather than that of the malicious user. Thus, the vulnerability could
be used to access an intranet site located behind a firewall, access
information in the guise of the user, and relay it to the malicious
user. The only prerequisite is that the malicious user would need to
know or guess the name of the intranet site. Although the applet
would be able to make use of the user's credentials to authenticate
to the site, this vulnerability would not provide a
way to compromise them.
Affected Software Versions
==========================
Versions of the Microsoft VM are identified by build numbers, which
can be determined using the JVIEW tool, as discussed in the FAQ. The
following builds of the Microsoft VM are affected:
- All builds in the 2000 series.
- All builds in the 3100 series.
- All builds in the 3200 series.
- All builds in the 3300 series.
Patch Availability
==================
- All 2000 series Microsoft VM customers:
Install Microsoft VM build 2446
http://www.microsoft.com/java/vm/dl_vmsp2.htm
- All 3100 series Microsoft VM customers:
Upgrade to build 3309:
http://www.microsoft.com/java/vm/dl_vm40.htm
and install the 3314 security patch: http://download.microsoft.com/download/vm/Patch/3314/WIN98Me/EN-US/vmsecfix.exe
Note: Links may be broken above for better readability. Please use
the bulletin on http://www.microsoft.com/technet/security/bulletin/ms00-059.asp
if you have any questions on the appropriate link.
- 3200 series Microsoft VM customers should do one of the following:
All 3200 builds:
Upgrade to build 3309:
http://www.microsoft.com/java/vm/dl_vm40.htm
and install the 3314 security patch http://download.microsoft.com/download/vm/Patch/3314/WIN98Me/EN-US/vmsecfix.exe
Builds 3229-3234:
Install the security patch from Bulletin MS00-011 before installing
this new 3314 security patch
Build 3240:
Install the 3314 security patch
Note: Links may be broken above for better readability. Please use
the bulletin on http://www.microsoft.com/technet/security/bulletin/ms00-059.asp
if you have any questions on the appropriate link.
- All 3300 series Microsoft VM customers should install the 3314
security patch: http://download.microsoft.com/download/vm/Patch/3314/WIN98Me/EN-US/vmsecfix.exe
Note: Links may be broken above for better readability. Please use
the bulletin on http://www.microsoft.com/technet/security/bulletin/ms00-059.asp
if you have any questions on the appropriate link.
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-059,
http://www.microsoft.com/technet/security/bulletin/fq00-059.asp
- Microsoft Knowledge Base (KB) article Q271752 (available soon),
discusses this issue in more detail.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Revisions
=========
August 21, 2000: Bulletin Created.
socalgal
08-25-2000, 05:13 PM
Microsoft Security Bulletin (MS00-060)
--------------------------------------
Patch Available for "IIS Cross-Site Scripting" Vulnerabilities
Originally posted: August 25, 2000
Summary
=======
Microsoft has released a patch that eliminates security
vulnerabilities in Microsoft(r) Internet Information Server. The
vulnerabilities could allow a malicious web site operator to misuse
another web site as a means of attacking users.
Frequently asked questions regarding this vulnerability and
the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-060.asp
Issue
=====
On February 20, 2000, Microsoft and CERT (www.cert.org) published
information on a newly-identified security vulnerability affecting all
web server products. This vulnerability, known as Cross-Site
Scripting (CSS), results when web applications don't properly
validate inputs before using them in dynamic web pages. If a
malicious web site operator were able to lure a user to his site, and
had identified a third-party web site that was vulnerable to CSS, he
could potentially use the vulnerability to "inject" script into a web
page created by the other web site, which would then be delivered to
the user. The net effect would be to cause the malicious user's
script to run on the user's machine using the trust afforded the
other site.
The vulnerability can affect any software that runs on a web server,
accepts user input, and blindly uses it to generate web pages.
Microsoft recommended that all vendors check their products to see if
any are affected by the vulnerability, and initiated a check of its
own products as well. Several features in IIS were found to be
affected - some were found by Microsoft internal teams, and others
were identified by customers - and this patch eliminates all of them.
Affected Software Versions
==========================
- Microsoft Internet Information Server 4.0
- Microsoft Internet Information Server 5.0
Patch Availability
==================
- Internet Information Server 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24000
- Internet Information Server 5.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23999
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-060,
http://www.microsoft.com/technet/security/bulletin/fq00-060.asp
- Information on Cross-Site Scripting Security Vulnerability,
http://www.microsoft.com/technet/security/crssite.asp
- CERT(r) Advisory CA-2000-02: Malicious HTML Tags Embedded in
Client Web Requests,
http://www.cert.org/advisories/CA-2000-02.html
- Microsoft Knowledge Base article Q260347 discusses this issue and
will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Revisions
=========
- August 25, 2000: Bulletin Created.
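The unvalidated-input defect the bulletin describes, as an added Python example that is not IIS code or Microsoft's: a constructed page template that copies a request parameter into an attribute value and into element text, the same page with HTML output encoding applied, and a self-check a site owner can run against a page-generating function to see whether parameter content surfaces as markup. The template, parameter name and probe string are constructed.

```python
"""Added illustration of the input-handling defect MS00-060 describes:
a dynamic page that copies a request parameter into its output. The page
template, parameter and probe are constructed; this is not IIS code."""
import html
from html.parser import HTMLParser

# Constructed template with the parameter used in two HTML contexts:
# inside a quoted attribute value and inside element text.
PAGE = (
    "<html><body>"
    '<form><input name="q" value="{q_attr}"></form>'
    "<p>Results for {q_text}</p>"
    "</body></html>"
)

# Constructed, harmless probe: closes the attribute and adds an element.
PROBE = '"><b>probe</b>'


def render_vulnerable(query):
    """Blindly uses the input to generate the page (the bulletin's wording)."""
    return PAGE.format(q_attr=query, q_text=query)


def render_hardened(query):
    """Encodes the input for HTML output; quote=True also covers the
    attribute context by encoding the double quote that would close it."""
    safe = html.escape(query, quote=True)
    return PAGE.format(q_attr=safe, q_text=safe)


class _TagCollector(HTMLParser):
    """Records every start tag a browser-side parser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def _start_tags(markup):
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def injected_tags(render, probe=PROBE):
    """Defender's self-check for a page-generating function: render the
    probe and report start tags that the empty-input baseline lacks.
    Anything listed came from the parameter, so script injection is
    possible at that point."""
    baseline = set(_start_tags(render("")))
    return sorted(set(_start_tags(render(probe))) - baseline)


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        print(f"{name}: injected tags = {injected_tags(fn)}")
        print("  ", fn(PROBE))
```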
socalgal
08-25-2000, 05:18 PM
Microsoft Security Bulletin (MS00-061)
--------------------------------------
Patch Available for "Money Password" Vulnerability
Originally posted: August 25, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Money. The vulnerability could allow a
malicious user to obtain the password of a Money data file.
Frequently asked questions regarding this vulnerability and the
patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-061.asp
Issue
=====
Microsoft Money provides a password protection feature that prevents
unauthorized access to your Money file. However, due to the way the
password is currently handled, the password may be written in
plaintext under certain conditions.
The vulnerability only affects Money data stored on the user's local
computer - it does not affect the security of Money's online services
in any way. Moreover, a malicious user would need to gain physical
access to an affected file in order to exploit the vulnerability - it
could not be exploited remotely. It's important to note that password
protection in Money is not intended to be a substitute for file-level
access control, and even in the absence of this vulnerability,
customers need to protect such files. Microsoft recommends that
computer users follow best practices when securing their systems,
including ensuring that machines with important data are physically
secure, and not sharing important data files with untrusted or
unknown sources.
Affected Software Versions
==========================
- Microsoft Money 2001
- Microsoft Money 2000
Patch Availability
==================
This patch is available for automatic download using the "Update
Internet Information" feature in Money.
1. On the Tools menu, click Update Internet Information.
2. Follow the instructions on the screen to install the patch.
3. Microsoft recommends users change their password after applying
this fix as a best practice.
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-061,
http://www.microsoft.com/technet/security/bulletin/fq00-061.asp
- Microsoft Knowledge Base article Q272232 discusses this issue and
will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft thanks ken for reporting this issue to us and working with
us to protect customers.
Revisions
=========
- August 25, 2000: Bulletin Created.
socalgal
08-28-2000, 05:35 PM
Microsoft Security Bulletin (MS00-062)
--------------------------------------
Patch Available for "Local Security Policy Corruption" Vulnerability
Originally posted: August 28, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Windows(r) 2000. The vulnerability
could allow a malicious user to disrupt normal operation of an
affected machine, and potentially of an entire network. Customers
who have applied Windows 2000 Service Pack 1 are already protected
against the vulnerability and do not need to take any further
action.
Frequently asked questions regarding this vulnerability and the
patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-062.asp
Issue
=====
This vulnerability could allow a malicious user to corrupt parts of a
Windows 2000 system's local security policy, with the effect of
disrupting domain membership and trust relationship information. If a
workstation or member server were attacked via this vulnerability,
it would effectively remove the machine from the domain; if a domain
controller were attacked, it could no longer process domain logon
requests. Recovering from such an attack would likely require that a
known-working configuration be restored from backup.
It would not be necessary to be an authenticated domain member in
order to mount an attack via this vulnerability. Any user who could
establish a RPC connection with an affected machine and send the
proper command sequence to it could exploit the vulnerability. If
the malicious user were an intranet user, he could likely attack any
machine within the network; if the malicious user were on the
Internet, he could likely attack only machines on the network edge
that allow RPC connections.
The vulnerability was discovered by an internal security team at
Microsoft, and, to the best of our knowledge, it is not known "in
the wild". Nevertheless, because of the serious consequences of the
vulnerability, Microsoft encourages all Windows 2000 users to either
apply the patch or Windows 2000 Service Pack 1 immediately.
Affected Software Versions
==========================
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
Note: Microsoft Windows 2000 Datacenter Server is not affected by
this vulnerability.
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-062,
http://www.microsoft.com/technet/security/bulletin/fq00-062.asp
- Microsoft Knowledge Base article Q269609 discusses this issue
and will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Revisions
=========
- August 28, 2000: Bulletin Created.
socalgal
09-05-2000, 09:01 PM
Microsoft Security Bulletin (MS00-063)
--------------------------------------
Patch Available for "Invalid URL" Vulnerability
Originally posted: September 05, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Internet Information Server (IIS). The
vulnerability could enable a malicious user to prevent an affected
web server from providing useful service.
Frequently asked questions regarding this vulnerability and the patch
can be found at http://www.microsoft.com/technet/security/bulletin/fq00-063.asp
Issue
=====
If an affected web server received a particular type of invalid URL,
it could, under certain conditions, start a chain of events that
would culminate in an invalid memory request that would cause the IIS
service to fail. This would prevent the server from providing web
services.
This vulnerability does not provide the opportunity to compromise any
data on the server or to usurp any administrative privileges on the
server. An affected machine could be put back into service by
restarting the IIS service.
Although the effect of the vulnerability manifests itself through
IIS, the underlying problem actually lies within Windows NT 4.0.
Microsoft engineers worked extensively to identify scenarios for
exploiting the vulnerability directly through Windows NT 4.0, but did
not find any - the only scenarios identified to date involve IIS.
Nevertheless, it is possible that scenarios for exploiting the
vulnerability through Windows NT 4.0 do exist, and as a result, we
recommend that customers using Windows NT 4.0 consider applying the
patch.
Affected Software Versions
==========================
- Microsoft Internet Information Server 4.0
Note: As noted above in "Issue", the root cause of this vulnerability
lies in Windows NT 4.0, and Microsoft recommends that customers
using Windows NT 4.0 consider applying the patch.
Patch Availability
==================
- Microsoft Windows NT 4.0 Workstation, Server and Server,
Enterprise Edition:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24079
- Microsoft Windows NT 4.0 Server, Terminal Server Edition: To be
released shortly
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-063,
http://www.microsoft.com/technet/security/bulletin/fq00-063.asp
- Microsoft Knowledge Base article Q271652 discusses this issue
and will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft thanks Peter Grundl of VIGILANTe http://www.vigilante.com
for reporting this issue to us and working with us to protect
customers.
Revisions
=========
- September 05, 2000: Bulletin Created.
socalgal
09-06-2000, 07:42 PM
Microsoft Security Bulletin (MS00-064)
--------------------------------------
Patch Available for "Unicast Service Race Condition" Vulnerability
Originally posted: September 06, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Windows Media(tm) Services. The
vulnerability could allow a malicious user to prevent an affected
server from providing useful service.
Frequently asked questions regarding this vulnerability and the patch
can be found at http://www.microsoft.com/technet/security/bulletin/fq00-064.asp
Issue
======
If a client sends a particular type of malformed request to a Windows
Media server, it could induce a race condition. Once the server has
been put into such a state, subsequent requests - even ones that
would normally be legitimate - could cause the Windows Media Unicast
Service to fail. If this happened, any ongoing sessions would be
lost, and the server would stop providing unicast streaming media
services.
An affected server could be put back into service by restarting the
Unicast Service. The vulnerability would not cause any data loss, nor
would it enable the malicious user to usurp any administrative
privileges on the machine.
Affected Software Versions
==========================
- Microsoft Windows Media Services 4.0
- Microsoft Windows Media Services 4.1
Patch Availability
==================
- Microsoft Windows Media Services 4.1:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24167
Note: Customers using Windows Media Services 4.0 should upgrade to
Windows Media Services 4.1 and then apply the above patch.
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-064,
http://www.microsoft.com/technet/security/bulletin/fq00-064.asp
- Microsoft Knowledge Base article Q273014 discusses this issue
and will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft thanks Kit Knox of NaviSite (http://www.navisite.com) for
reporting this issue to us and working with us to protect customers.
Revisions
=========
- September 06, 2000: Bulletin Created.
socalgal
09-07-2000, 05:06 AM
Microsoft Security Bulletin (MS00-065)
--------------------------------------
Patch Available for
"Still Image Service Privilege Escalation" Vulnerability
Originally posted: September 6, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Windows 2000. The vulnerability could
allow a user logged onto a Windows 2000 machine from the keyboard to
become an administrator on the machine.
Frequently asked questions regarding this vulnerability and the patch
can be found at http://www.microsoft.com/technet/security/bulletin/fq00-065.asp
Issue
=====
An unchecked buffer exists in the 'Still Image Service' on Windows
2000 hosts. A locally logged-on user can execute malicious code that
will use the still image service to escalate their permissions equal
to that of the Still Image Service, namely, LocalSystem.
The Still Image Service is not installed by default, but is
automatically installed, via plug-n-play, when a user attaches a
still image device (i.e. digital camera, scanner, etc.) to a Windows
2000 host.
Affected Software Versions
==========================
- Microsoft Windows 2000
Patch Availability
==================
- Microsoft Windows 2000:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24200
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-065,
http://www.microsoft.com/technet/security/bulletin/fq00-065.asp
- Microsoft Knowledge Base article Q272736 discusses this issue
and will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft thanks *****g of @Stake Inc. (http://www.atstake.com) for
reporting this issue to us and working with us to protect customers.
Revisions
=========
- September 6, 2000: Bulletin Created.
socalgal
09-11-2000, 05:53 PM
Microsoft Security Bulletin (MS00-066)
======================================
Patch Available for "Malformed RPC Packet" Vulnerability
Originally posted: September 11, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Windows 2000. The vulnerability could
allow a malicious user to cause a Denial of Service on a Windows 2000
computer.
Frequently asked questions regarding this vulnerability and the patch
can be found at http://www.microsoft.com/technet/security/bulletin/fq00-066.asp
Issue
=====
A remote denial of service vulnerability has been discovered in
Microsoft Windows 2000 Server. The denial of service can occur when a
malicious client sends a particular malformed RPC (Remote Procedure
Call) packet to the server, causing the RPC service to fail.
Windows 2000 servers that are directly exposed to the Internet are at
greatest risk from this vulnerability. A server behind a firewall
that blocks ports 135-139 and 445 will not be affected by this
vulnerability from the Internet.
RPC services and the functioning of the server could be restored
after an attack by rebooting the affected computer.
Affected Software Versions
==========================
- Microsoft Windows 2000 All Versions
Note: Microsoft Windows NT 4.0 is not affected by this vulnerability.
Patch Availability
==================
Microsoft Windows 2000:
- http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24229
- This patch will also be included in the next Service Pack for
Windows 2000 -- it can be applied to a computer with or without
Service Pack 1.
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-066,
http://www.microsoft.com/technet/security/bulletin/fq00-066.asp
- Microsoft Knowledge Base article Q272303 discusses this issue and
will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Revisions
=========
- September 11, 2000: Bulletin Created.
socalgal
09-14-2000, 07:22 PM
Microsoft Security Bulletin (MS00-067)
--------------------------------------
Patch Available for "Windows 2000 Telnet Client NTLM Authentication"
Vulnerability
Originally posted: September 14, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in the telnet client that ships with Microsoft(r)
Windows 2000. The vulnerability could, under certain circumstances,
allow a malicious user to obtain cryptographically protected logon
credentials from another user.
Frequently asked questions regarding this vulnerability and the patch
can be found at http://www.microsoft.com/technet/security/bulletin/fq00-067.asp
Issue
=====
Windows 2000 includes a telnet client capable of using NTLM
authentication when connecting to a remote NTLM enabled telnet
server. A vulnerability exists because the client will, by default,
perform NTLM authentication when connecting to the remote telnet
server. This could allow a malicious user to obtain another user's
NTLM authentication credentials without the user's knowledge.
A malicious user could exploit this behavior by creating a
carefully-crafted HTML document that, when opened, could attempt to
initiate a Telnet session to a rogue telnet server - automatically
passing NTLM authentication credentials to the malicious server's
owner. The malicious user could then use an offline brute force
attack to derive the password or, with specialized tools, could
submit a variant of these credentials in an attempt to access
protected resources.
This vulnerability would only provide the malicious user with the
cryptographically protected NTLM authentication credentials of
another user. It would not, by itself, allow a malicious user to gain
control of another user's computer. In order to leverage the NTLM
credentials (or subsequently cracked password), the malicious user
would have to be able to remotely logon to the target system.
However, best practices dictate that remote logon services be blocked
at border devices, and if these practices were followed, they would
prevent an attacker from using the credentials to logon to the target
system. Best practices also strongly recommend that Windows 2000
users logon to their hosts with User level credentials, and if these
practices were followed, they would prevent a malicious user from
obtaining Administrator level NTLM credentials.
Affected Software Versions
==========================
- Microsoft Windows 2000
Patch Availability
==================
- Microsoft Windows 2000:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24319
Note: The above URL may not be accessible.
If this is the case, please download the patch from the following
URL:
http://download.microsoft.com/download/win2000platform/patch/q272743/nt5/en-us/q272743_w2k_sp2_x86_en.exe
Note: This patch may be applied to both Windows 2000 (pre SP1) and
Windows 2000 Service Pack 1 systems.
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-067
http://www.microsoft.com/technet/security/bulletin/fq00-067.asp
- Microsoft Knowledge Base article Q272743 discusses this issue and
will be available soon.
- Microsoft TechNet Security web site
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft thanks *****g of @Stake Inc. (http://www.atstake.com) for
reporting this issue to us and working with us to protect customers.
Revisions
=========
- September 14, 2000: Bulletin Created.
socalgal
09-16-2000, 06:46 AM
Microsoft is re-releasing this Bulletin to update important
information in the Patch Availability section.
----------------------------------------------------------
Microsoft Security Bulletin (MS00-067)
--------------------------------------
Patch Available for "Windows 2000 Telnet Client NTLM Authentication"
Vulnerability
Originally posted: September 14, 2000
Re-Released: September 15, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in the telnet client that ships with Microsoft(r)
Windows 2000. The vulnerability could, under certain circumstances,
allow a malicious user to obtain cryptographically protected logon
credentials from another user.
Frequently asked questions regarding this vulnerability and the patch
can be found at http://www.microsoft.com/technet/security/bulletin/fq00-067.asp
Issue
=====
Windows 2000 includes a telnet client capable of using NTLM
authentication when connecting to a remote NTLM enabled telnet
server. A vulnerability exists because the client will, by default,
perform NTLM authentication when connecting to the remote telnet
server. This could allow a malicious user to obtain another user's
NTLM authentication credentials without the user's knowledge.
A malicious user could exploit this behavior by creating a
carefully-crafted HTML document that, when opened, could attempt to
initiate a Telnet session to a rogue telnet server - automatically
passing NTLM authentication credentials to the malicious server's
owner. The malicious user could then use an offline brute force
attack to derive the password or, with specialized tools, could
submit a variant of these credentials in an attempt to access
protected resources.
This vulnerability would only provide the malicious user with the
cryptographically protected NTLM authentication credentials of
another user. It would not, by itself, allow a malicious user to gain
control of another user's computer. In order to leverage the NTLM
credentials (or subsequently cracked password), the malicious user
would have to be able to remotely logon to the target system.
However, best practices dictate that remote logon services be blocked
at border devices, and if these practices were followed, they would
prevent an attacker from using the credentials to logon to the target
system. Best practices also strongly recommend that Windows 2000
users logon to their hosts with User level credentials, and if these
practices were followed, they would prevent a malicious user from
obtaining Administrator level NTLM credentials.
Affected Software Versions
==========================
- Microsoft Windows 2000
Patch Availability
==================
- Microsoft Windows 2000:
Due to continuing operational issues with the Microsoft.com download
servers, the final patch for this issue was not uploaded to the
download servers. Instead, a beta version of the patch was made
available. This patch has subsequently been removed.
Those who have downloaded and applied the beta patch are protected
from the vulnerability discussed in this Bulletin. The beta patch
will prompt users before passing NTLM credentials to the remote
server and will only present NTLM credentials if approved by the user, as
discussed in the FAQ.
A bug exists in the beta patch wherein the telnet client may crash
while requesting an NTLM authentication session with a non-Windows
2000 NTLM enabled telnet server. At no time will NTLM credentials be
passed to the remote server if the user does not specifically choose
to send the credentials.
The correct version of the patch will be uploaded to the download center
shortly. Users who have installed the beta patch can overwrite that
version with the soon to be released final version.
Users without the beta patch can perform the following workaround
until such time as the final patch can be made available.
To disable NTLM authentication, perform the following steps:
- Type 'telnet' at the command prompt.
- Type 'unset ntlm' and hit Enter.
- Type 'quit' to exit telnet and save your preferences.
To determine what form of authentication you are currently using,
perform the following steps:
- Type 'telnet' at a command prompt.
- Type 'display' at the telnet prompt.
- A value of 'Will Auth (NTLM Authentication)' means telnet will
use NTLM authentication by default.
- A value of 'Not Auth (NTLM Authentication)' means telnet will
not use NTLM authentication.
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-067
http://www.microsoft.com/technet/security/bulletin/fq00-067.asp
- Microsoft Knowledge Base article Q272743 discusses this issue and
will be available soon.
- Microsoft TechNet Security web site
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft thanks *****g of @Stake Inc. (http://www.atstake.com) for
reporting this issue to us and working with us to protect customers.
Revisions
=========
- September 14, 2000: Bulletin Created.
- September 15, 2000: Bulletin Re-Released to update Patch Availability.
socalgal
09-21-2000, 07:59 PM
Microsoft Security Bulletin (MS00-067)
--------------------------------------
Re-release: Patch Available for "Windows 2000 Telnet Client NTLM
Authentication" Vulnerability
Originally posted: September 14, 2000
Re-Released: September 21, 2000
Summary
=======
On September 14, 2000, Microsoft released the original version of
this bulletin, which was revised the following day to advise of a
problem with the patch. On September 21, 2000, a new version of the
patch was released, and the bulletin was updated to advise of its
availability. Microsoft recommends that all customers, including
those who applied the original version of the patch, apply the new
version.
The patch eliminates a security vulnerability in the telnet client
that ships with Microsoft(r) Windows 2000. The vulnerability could,
under certain circumstances, allow a malicious user to obtain
cryptographically protected logon credentials from another user.
Frequently asked questions regarding this vulnerability and
the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-067.asp
Issue
=====
Windows 2000 includes a telnet client capable of using NTLM
authentication when connecting to a remote NTLM enabled telnet
server. A vulnerability exists because the client will, by default,
perform NTLM authentication when connecting to the remote telnet
server. This could allow a malicious user to obtain another user's
NTLM authentication credentials without the user's knowledge.
A malicious user could exploit this behavior by creating a
carefully-crafted HTML document that, when opened, could attempt to
initiate a Telnet session to a rogue telnet server - automatically
passing NTLM authentication credentials to the malicious server's
owner. The malicious user could then use an offline brute force
attack to derive the password or, with specialized tools, could
submit a variant of these credentials in an attempt to access
protected resources.
This vulnerability would only provide the malicious user with the
cryptographically protected NTLM authentication credentials of
another user. It would not, by itself, allow a malicious user to gain
control of another user's computer. In order to leverage the NTLM
credentials (or subsequently cracked password), the malicious user
would have to be able to remotely logon to the target system.
However, best practices dictate that remote logon services be blocked
at border devices, and if these practices were followed, they would
prevent an attacker from using the credentials to logon to the target
system. Best practices also strongly recommend that Windows 2000
users logon to their hosts with User level credentials, and if these
practices were followed, they would prevent a malicious user from
obtaining Administrator level NTLM credentials.
Affected Software Versions
==========================
- Microsoft Windows 2000
Patch Availability
==================
- Microsoft Windows 2000:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24399
Note: Customers who applied the original version of the patch should
consider applying the current version. The original version
eliminated the vulnerability; however, if a malicious user attempted
to exploit the vulnerability, the patch caused the Telnet client to
fail. The current version of the patch eliminates the vulnerability
without interfering with Telnet connections.
Note: This patch will also be included in the next Service Pack for
Windows 2000. It can be applied to computers with or without Service
Pack 1.
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-067,
http://www.microsoft.com/technet/security/bulletin/fq00-067.asp
- Microsoft Knowledge Base (KB) article Q272743,
http://www.microsoft.com/technet/support/kb.asp?ID=272743
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft thanks *****g of @Stake Inc. (www.atstake.com) for
reporting this issue to us and working with us to protect customers.
Revisions
=========
- September 14, 2000: Bulletin Created.
- September 15, 2000: Bulletin re-released to advise of problem with
patch.
- September 21, 2000: Bulletin re-released to advise of availability
of new patch.
socalgal
09-26-2000, 08:00 PM
Microsoft Security Bulletin (MS00-068)
--------------------------------------
Patch Available for "OCX Attachment" Vulnerability
Originally posted: September 26, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Windows Media Player (WMP) 7 but
primarily affects e-mail applications. The net effect of the
vulnerability is that it could enable a malicious user to create an
e-mail that, when closed after being read, could cause the e-mail
application to fail.
Frequently asked questions regarding this vulnerability and the patch
can be found at http://www.microsoft.com/technet/security/bulletin/fq00-068.asp
Issue
=====
OCX controls are containers that can hold multiple ActiveX controls.
A particular OCX control, associated with Windows Media Player, could
be used in a denial of service attack against RTF-enabled e-mail
clients such as Outlook and Outlook Express. If the affected control
were programmatically embedded into an RTF mail and then sent to
another user, the user's mail client would fail when he closed the
mail.
The vulnerability would not cause any lasting effects. The user could
resume normal operation by restarting the mail client and deleting
the affected mail.
Affected Software Versions
==========================
- Microsoft Windows Media Player 7
Patch Availability
==================
- Microsoft Windows Media Player 7
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24421
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-068,
http://www.microsoft.com/technet/security/bulletin/fq00-068.asp
- Microsoft Knowledge Base article Q274303 discusses this issue and
will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft thanks Luciano Martins of USSR Labs (http://www.ussrback.com) for
reporting this issue to us and working with us to protect customers.
Revisions
=========
- September 26, 2000: Bulletin Created.
socalgal
09-30-2000, 08:42 AM
Microsoft Security Bulletin (MS00-069)
--------------------------------------
Patch Available for "Simplified Chinese IME State Recognition"
Vulnerability
Originally posted: September 29, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Windows(r) 2000. The vulnerability
could allow a malicious user to gain complete control over an
affected machine.
Frequently asked questions regarding this vulnerability and the patch
can be found at http://www.microsoft.com/technet/security/bulletin/fq00-069.asp
Issue
=====
Input Method Editors (IMEs) enable character-based languages such as
Chinese to be entered via a standard 101-key keyboard. When an IME is
installed as part of the system setup, it is available by default as
part of the logon screen. In such a case, the IME should recognize
that it is running in the context of the LocalSystem and not in the
context of a user, and restrict certain functions. However, the IME
for Simplified Chinese does not correctly recognize the machine
state, and exposes inappropriate functions as part of the logon
screen. As a result, a malicious user who had access to either a
physical keyboard or a terminal server session on an affected machine
could gain LocalSystem privilege even without logging onto the
machine.
This vulnerability only affects the Simplified Chinese version of
Windows 2000 by default - customers using any other version of
Windows 2000 are not affected. Even if the Simplified Chinese IMEs
were installed after setup as part of a language pack, it would not
be present as part of the logon screen and therefore would not pose a
security threat. The vulnerability allows only the local machine to
be compromised, but does not grant any domain privileges (unless, of
course, the local machine happens to be a domain controller). Because
the vulnerability is exposed as part of the logon screen, it could
only be exploited by a user who had physical access to a keyboard, or
who could start a terminal server session on an affected machine. If
best practices - which strongly recommend against giving normal users
physical access to critical servers, or allowing terminal server
sessions on such servers - have been followed, this vulnerability
would affect only workstations and terminal servers.
Affected Software Versions
==========================
- Microsoft Windows 2000
Note: Only the Simplified Chinese version of Windows 2000 is affected
by default. Customers running any other language version of Windows
2000 only need to take action if they installed a Simplified Chinese
IME during system setup.
Patch Availability
==================
- Microsoft Windows 2000, Simplified Chinese version:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24631
- Microsoft Windows 2000, English version:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24627
Note: This patch can be installed on systems running Windows 2000,
either with or without Service Pack 1. The patch will be incorporated
into Service Pack 2.
Note: Additional security patches are available at the Microsoft
Download Center
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-069,
http://www.microsoft.com/technet/security/bulletin/fq00-069.asp
- Microsoft Knowledge Base article Q270676 discusses this issue and
will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp.
Revisions
=========
- September 29, 2000: Bulletin Created.
socalgal
10-03-2000, 07:26 PM
Microsoft Security Bulletin (MS00-070)
--------------------------------------
Patch Available for Multiple LPC and LPC Ports Vulnerabilities
Originally posted: October 03, 2000
Summary
=======
Microsoft has released a patch that eliminates several security
vulnerabilities in Microsoft(r) Windows NT(r) 4.0 and Windows(r)
2000. The vulnerabilities could allow a range of effects, from denial
of service attacks to, in some cases, privilege elevation.
Frequently asked questions regarding this vulnerability and the
patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-070.asp.
Issue
=====
Several vulnerabilities have been identified in the Windows NT 4.0
and Windows 2000 implementations of LPC and LPC ports:
- The "Invalid LPC Request" vulnerability, which affects only
Windows NT 4.0. By levying an invalid LPC request, it would
be possible to make the affected system fail.
- The "LPC Memory Exhaustion" vulnerability, which affects both
Windows NT 4.0 and Windows 2000. By levying spurious LPC
requests, it could be possible to increase the number of
queued LPC messages to the point where kernel memory would
be depleted.
- The "Predictable LPC Message Identifier" vulnerability,
which affects both Windows NT 4.0 and Windows 2000. Any
process that knows the identifier of an LPC message can
access it; however, the identifiers can be predicted. In the
simplest case, a malicious user could access other processes'
LPC ports and feed them random data as a denial of service
attack. In the worst case, it could be possible under certain
conditions to send bogus requests to a privileged process in
order to gain additional local privileges.
- A new variant of the previously-reported "Spoofed LPC Port
Request" vulnerability. (For more information, please see
http://www.microsoft.com/technet/security/bulletin/ms00-003.asp ).
This vulnerability affects Windows NT 4.0 and Windows 2000,
and could, under a very restricted set of conditions, allow
a malicious user to create a process that would run under
the security context of an already-running process,
potentially including System processes.
Because LPC can only be used on the local machine, none of these
vulnerabilities could be exploited remotely. Instead, a malicious
user could only exploit them on machines that he could log onto
interactively. Typically, workstations and terminal servers would be
chiefly at risk, because, if normal security practices have been
followed, normal users will not be allowed to log onto critical
servers interactively. This also means that, even in the worst case,
the vulnerability would only confer additional local - not domain -
privileges on the malicious user.
Affected Software Versions
==========================
- Microsoft Windows NT 4.0 Workstation
- Microsoft Windows NT 4.0 Server
- Microsoft Windows NT 4.0 Server, Enterprise Edition
- Microsoft Windows NT 4.0 Server, Terminal Server Edition
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server
Patch Availability
==================
- Microsoft Windows NT 4.0 Workstation, Server, and Server,
Enterprise Edition:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24650
- Microsoft Windows NT 4.0 Server, Terminal Server Edition:
To be released shortly
- Microsoft Windows 2000 Professional, Server, Advanced Server,
and Datacenter Server:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24649
Note: The Windows NT 4.0 patch can be installed on systems running
Service Pack 6a, and will be included in Service Pack 7. The Windows
2000 patch can be installed on systems with or without Service Pack
1, and will be included in Service Pack 2.
Note: Additional security patches are available at the Microsoft
Download Center.
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-070,
http://www.microsoft.com/technet/security/bulletin/fq00-070.asp
- Microsoft Knowledge Base article Q266433 discusses this issue
and will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Acknowledgments
===============
Microsoft thanks BindView's Razor Team http://razor.bindview.com
for reporting these issues to us and helping us protect our
customers. The issues involved in these vulnerabilities required
several months of detailed engineering, and BindView worked closely
with us throughout the process. We'd like to thank them for their
ongoing commitment to responsible reporting practices.
Revisions
=========
- October 03, 2000: Bulletin Created.
socalgal
10-06-2000, 05:12 AM
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
-----BEGIN PGP SIGNED MESSAGE-----
Microsoft Security Bulletin (MS00-071)
======================================
Patch Available for "Word Mail Merge" Vulnerability
Originally posted: October 5, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Word 2000 and 97. The vulnerability
could allow a malicious user to run arbitrary code on a victim's
computer without their approval.
Frequently asked questions regarding this vulnerability and the patch
can be found at http://www.microsoft.com/technet/security/bulletin/fq00-071.asp
Issue
=====
If an Access database is specified as a data source via DDE in a Word
mail merge document, macro code can run without the user's approval
when the user opens that document.
If a user could be enticed into opening a specially constructed mail
merge Word document, which was provided either as an e-mail
attachment or as a link hosted on a hostile web site, it would be
possible to cause arbitrary code to run on the user's machine. For
such an attack to succeed, the victim would also need the ability to
reach the Access database via a UNC share or file:// protocol. If the
user is behind a firewall and security best practices have been
followed, the ports required to access the database would be blocked.
Affected Software Versions
==========================
- Microsoft Word 2000
- Microsoft Word 97
Patch Availability
==================
- Microsoft Word 2000:
http://officeupdate.microsoft.com/2000/downloadDetails/wrdacc.htm
- Microsoft Word 97: Patch will be available shortly.
Note: Additional security patches are available at the Microsoft
Download Center.
More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-071,
http://www.microsoft.com/technet/security/bulletin/fq00-071.asp
- Microsoft Knowledge Base article Q274226 (Word 2000)
http://www.microsoft.com/technet/support/kb.asp?ID=274226
- Microsoft Knowledge Base article Q272749 (Word 97) will be
available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at http://support.microsoft.com/support/contact/default.asp
Revisions
=========
- October 5, 2000: Bulletin Created.
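A defender's triage check for the setup MS00-071 describes, added here as an example and not Microsoft's or the forum poster's code: it scans a document's raw bytes for UNC or file:// references to an Access database and reports which of them point off the local machine. It is a byte-level heuristic that does not parse the Word binary format, so it can miss references stored in any other form; the sample bytes and the host name example-host are constructed.

```python
import re

# Matches a UNC path (\\server\share\...\x.mdb) or a file:// URL that ends in
# an Access database. A str pattern, so it can run over decoded views of the file.
_REF = re.compile(
    r'(\\\\[\w.-]+\\[^\s"<>|*?]+?\.mdb|file://[^\s"<>|*?]+?\.mdb)',
    re.IGNORECASE,
)


def find_access_data_sources(data: bytes) -> list[str]:
    """Return distinct UNC or file:// references to .mdb files in raw document
    bytes. Strings may be stored as 8-bit or UTF-16LE text, so three views are
    searched: latin-1, and UTF-16LE at both possible byte alignments."""
    views = (
        data.decode("latin-1"),
        data.decode("utf-16-le", errors="ignore"),
        data[1:].decode("utf-16-le", errors="ignore"),
    )
    found: list[str] = []
    for text in views:
        for match in _REF.finditer(text):
            ref = match.group(0)
            if ref not in found:
                found.append(ref)
    return found


def is_remote(ref: str) -> bool:
    """True when the reference leaves the local machine: any UNC path, or a
    file:// URL whose host part is neither empty nor 'localhost'."""
    if ref.startswith("\\\\"):
        return True
    host = ref[len("file://"):].split("/", 1)[0]
    return host not in ("", "localhost")


def triage(data: bytes) -> dict:
    """Every .mdb reference found, and the subset that is remote (the reach to
    the database via a UNC share or file:// that the bulletin says is needed)."""
    refs = find_access_data_sources(data)
    return {"references": refs, "remote": [r for r in refs if is_remote(r)]}


# Constructed sample: not a real Word file, just an OLE magic prefix and padding
# around a UTF-16LE UNC reference, an ASCII file:// reference and a local one.
_SAMPLE = (
    b"\xd0\xcf\x11\xe0" + b"\x00" * 16
    + "\\\\example-host\\public\\merge.mdb".encode("utf-16-le")
    + b"\x00" * 8 + b"file://example-host/data/merge.mdb"
    + b"\x00" * 8 + b"file:///C:/Users/me/local.mdb"
)

if __name__ == "__main__":
    print(triage(_SAMPLE))
```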
socalgal
10-10-2000, 08:26 PM
Continued to MS Security Bulletins - Vol. 10 (http://sysopt.earthweb.com/forum/Forum1/HTML/009009.html)
SysOpt.com
Copyright Internet.com Inc. All Rights Reserved.