Text Truncated. Only the first 1MB is shown below. Download the file for the complete contents.
<?xml version="1.0"?>
<BulletinDatastore DataVersion="1.0.1.387" LastDataUpdate="9/10/2002" SchemaVersion="1.0.0.11" LastSchemaUpdate="6/6/2001" ToolVersion="3.32" MBSAToolVer="1.0" MBSAToolURL="http://www.microsoft.com/technet/security/tools/Tools/MBSAhome.asp" RevisionHistory=".298 includes various sqnumber updates">
<!--Built for Microsoft by Shavlik Technologies. On the web at: www.shavlik.com/security-->
<Bulletins>
<Bulletin BulletinID="MS98-001" BulletinLocationID="1159" FAQLocationID="73" FAQPageName="FQ98-001" Title="Disabling Creation of Local Groups on a Domain by Non-Administrative Users " DatePosted="1998/06/01" DateRevised="1999/03/24" Supported="Yes" Summary="The ability for non-administrative users to create aliases on the domain could be abused if they create a large number of local groups in the domain and cause the size of the account database to grow without restrictions. Unlimited local group creation could crash the domain controller and lead to excessive network traffic due to the replication of local group information to backup domain controllers." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS98-002" BulletinLocationID="1160" FAQLocationID="73" FAQPageName="FQ98-002.asp" Title="Error Message Vulnerability Against Secured Internet Servers " DatePosted="1998/06/26" DateRevised="1998/07/06" Supported="Yes" Summary="Due to the large number of messages needed, a Web site operator could detect an attack through observations such as abnormal network or CPU utilization." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS98-003" BulletinLocationID="1161" FAQLocationID="73" FAQPageName="FQ98-003.asp" Title="File Access Issue with Windows NT Internet Information Server " DatePosted="1998/07/02" DateRevised="1998/07/08" Supported="Yes" Summary="The issue is a result of the way IIS parses file names. The fix involves IIS supporting NTFS alternate data streams by asking Windows NT to make the file name canonical." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS98-004" BulletinLocationID="1162" FAQLocationID="73" FAQPageName="FQ98-004.asp" Title="Unauthorized ODBC Data Access with RDS and IIS" DatePosted="1998/07/14" DateRevised="1998/07/17" Supported="Yes" Summary="The risk of security vulnerability caused by the DataFactory is even greater if newer OLE DB Providers are installed on the server. "Microsoft DataShape Provider" and "Microsoft JET OLE DB provider" (which ship with MDAC 2.0 in Visual Studio? 98) allow shell commands to be executed. If the DataFactory is enabled on such a server, Internet clients can use these providers to execute shell commands, which can potentially bring down the server or otherwise severely affect its performance." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS98-005" BulletinLocationID="1163" FAQLocationID="73" FAQPageName="FQ98-005.asp" Title="Unwanted Data Issue with Office 98 for the Macintosh " DatePosted="1998/07/17" DateRevised="1998/07/17" Supported="Yes" Summary="The Mac OS, like many other Operating System (OS) file systems does not erase files when you delete them, it simply removes a reference to them in the disk's catalog, and marks the space they occupied as free. Office 98 does not clear the disk space when the Mac OS allocates it during a File Save operation. Instead, Office 98 simply writes the file contents to the allocated disk space, overwriting any random data that physically existed on the disk. Since the Mac OS allocates the disk space in set chucks, called clusters, the small amount of unused space at the end of the file's last cluster may contain random data from previously deleted files. The data cannot be viewed when opened as a native Office file. However, an ASCII text editor can be used to view the extraneous data.
The chance that sensitive data will be transferred through this bug is unlikely, since multiple unusual scenarios must occu" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS98-006" BulletinLocationID="1164" FAQLocationID="73" FAQPageName="FQ98-006.asp" Title="Potential Denial-of-Service in IIS FTP Server due to Passive Connections " DatePosted="1998/07/23" DateRevised="1998/07/23" Supported="Yes" Summary="When multiple passive connections are made to a single FTP server through the PASV FTP command, it is possible to use up all available system threads for servicing clients. Once this happens, requests for additional connections will fail as discussed above, and will continue to fail until a client thread is again available. Further, the FTP and WWW services on a computer share a common thread pool, and exhausting the FTP thread pool will also cause a failure in connection requests for the WWW service." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS98-007" BulletinLocationID="1165" FAQLocationID="73" FAQPageName="FQ98-007.asp" Title="Potential SMTP and NNTP Denial-of-Service Vulnerabilities" DatePosted="1998/07/24" DateRevised="1998/09/09" Supported="Yes" Summary="This issue involves a denial of service vulnerability that can potentially be used by someone with malicious intent to unexpectedly cause multiple components of the Microsoft Exchange Server to stop." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS98-008" BulletinLocationID="1166" FAQLocationID="73" FAQPageName="FQ98-008.asp" Title="Long file name Security Issue affecting Microsoft Outlook 98 and Microsoft Outlook Express 4.x " DatePosted="1998/07/27" DateRevised="1998/09/25" Supported="Yes" Summary="When the email client receives a malicious mail or news message that contains an attachment with a very long filename, it could cause the email client to shut down unexpectedly. These very long filenames do not normally occur in mail or news messages, and must be intentionally created by someone with malicious intent. A skilled hacker could use this malicious email message to run arbitrary computer code contained in the long string." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS98-009" BulletinLocationID="1167" FAQLocationID="73" FAQPageName="FQ98-009.asp" Title="Windows NT Privilege Elevation Attack" DatePosted="1998/07/27" DateRevised="1998/07/27" Supported="Yes" Summary="In this attack, a non-administrative user obtains administrative access to the system by virtue of being able to gain debug-level access on a system process." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS98-010" BulletinLocationID="1168" FAQLocationID="73" FAQPageName="FQ98-010.asp" Title="Information on the Back Orifice Program" DatePosted="1998/08/04" DateRevised="1998/08/12" Supported="Yes" Summary="It is unclear from the author's statements what "Back Orifice" is intended to do. In the press release that accompanied its release, "Back Orifice" is alternately described as an administrative tool or as something that demonstrates some security vulnerability in the Windows platform. Potential threads:
Remotely controlling and monitoring a computer running Windows
Reading everything that the user types at the keyboard
Capturing images that are displayed on the monitor
Uploading and downloading files remotely
Redirecting information to a remote Internet si" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS98-011" BulletinLocationID="1169" FAQLocationID="73" FAQPageName="FQ98-011.asp" Title="Window.External JScript Vulnerability in Microsoft Internet Explorer 4.0" DatePosted="1998/08/17" DateRevised="1998/08/17" Supported="Yes" Summary="Microsoft Internet Explorer 4.0, 4.01, and 4.01 SP1 use the JScript Scripting Engine version 3.1 to process scripts on a Web page. When Internet Explorer encounters a web page that uses JScript script to invoke the Window.External function with a very long string, Internet Explorer could terminate.
Long strings do not normally occur in scripts and must be intentionally created by someone with malicious intent. A skilled hacker could use this malicious script message to run arbitrary computer code contained in the long strin" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS98-013" BulletinLocationID="1170" FAQLocationID="73" FAQPageName="FQ98-013.asp" Title="Internet Explorer Cross Frame Navigate Vulnerability" DatePosted="1998/09/04" DateRevised="1998/10/04" Supported="Yes" Summary="The Cross Frame Navigate issue involves a vulnerability in Internet Explorer that could allow a malicious hacker to circumvent certain Internet Explorer security safeguards. This vulnerability makes it possible for a malicious Web site operator to read the contents of files on your computer. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS98-015" BulletinLocationID="1171" FAQLocationID="73" FAQPageName="FQ98-015.asp" Title="Untrusted Scripted Paste Issue in Microsoft Internet Explorer 4.01" DatePosted="1998/10/16" DateRevised="1998/11/18" Supported="Yes" Summary="The "Untrusted Scripted Paste" issue involves a vulnerability in Internet Explorer that could allow a malicious web site operator to circumvent certain Internet Explorer security safeguards. This vulnerability makes it possible for the operator to read the contents of a file on the user's computer if he knows the exact name and path of the targeted file. This could also be used to view the contents of a file on the user's network, if the user has access to it and the malicious operator knows its direct path nam" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS98-016" BulletinLocationID="1172" FAQLocationID="73" FAQPageName="FQ98-016.asp" Title="Dotless IP Address Issue in Microsoft Internet Explorer 4" DatePosted="1998/10/23" DateRevised="1998/10/23" Supported="Yes" Summary="The "Dotless IP Address" issue involves a vulnerability in Internet Explorer that could allow a malicious hacker to circumvent certain Internet Explorer security safeguards. This vulnerability makes it possible for a malicious web site operator to misrepresent the URL of an Internet web site and make it appear as if the machine is on the user's "Local Intranet Zone". Internet Explorer has the ability to set security settings differently between different zones. By this means, a malicious site could potentially perform actions that had been disabled in the Internet Zone or Restricted Sites Zone, but is permitted in the Local Intranet Zon" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS98-019" BulletinLocationID="1173" FAQLocationID="73" FAQPageName="FQ98-019.asp" Title="IIS GET Vulnerability" DatePosted="1998/12/21" DateRevised="1998/12/21" Supported="Yes" Summary="This vulnerability involves the HTTP GET method, which is used to obtain information from an IIS web server. Specially-malformed GET requests can create a denial of service situation that consumes all server resources, causing a server to "hang." In some cases, the server can be put back into service by stopping and restarting IIS; in others, the server may need to be rebooted." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS98-018" BulletinLocationID="1174" FAQLocationID="73" FAQPageName="FQ98-018.asp" Title="Excel CALL Vulnerability" DatePosted="1998/12/10" DateRevised="1998/12/10" Supported="Yes" Summary="Excel generates a warning to the user before running macros, including those containing the CALL function, and allows the user to decide whether or not to run them. However, Excel does not generate a warning before executing worksheet functions, and if used in this manner, CALL could be used to call an external DLL without a warning to the user.
An attacker could exploit this functionality by embedding a CALL function within an Excel spreadsheet and sending it to an unwary user. The attacker would be able to control whether the CALL function fired when the victim opened the spreadsheet or when another event occurre" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS98-020" BulletinLocationID="1175" FAQLocationID="73" FAQPageName="FQ98-020.asp" Title="Frame Spoof Vulnerability" DatePosted="1998/12/23" DateRevised="1998/12/23" Supported="Yes" Summary="This vulnerability exists because Internet Explorer's cross domain protection does not extend to navigation of frames. This makes it possible for a malicious web site to insert content into a frame within another web site's window. If done properly, the user might not be able to tell that the frame contents were not from the legitimate site, and could be tricked into providing personal data to the malicious site. Non-secure (HTTP) and secure (HTTPS) sites are equally at risk from this vulnerability." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS98-017" BulletinLocationID="1176" FAQLocationID="73" FAQPageName="FQ98-017.asp" Title="Named Pipes Over RPC Vulnerability" DatePosted="1998/11/19" DateRevised="1998/11/19" Supported="Yes" Summary="The underlying problem is the way that Windows NT 4.0 attempts to shut down invalid named pipe RPC connections. An attacker could exploit this problem to create a denial of service condition by opening multiple named pipe connections and sending random data. When the RPC service attempts to close the invalid connections, the service consumes all CPU resources and memory use grows considerably, which may result in the system hanging. This is a denial of service vulnerability only; there is no risk of compromise or loss of data from the attacked syste" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS98-012" BulletinLocationID="1177" FAQLocationID="73" FAQPageName="FQ98-012.asp" Title="Updates available for Security Vulnerabilities in Microsoft PPTP" DatePosted="1998/08/18" DateRevised="1998/08/18" Supported="Yes" Summary="The Microsoft implementation of PPTP uses MS-CHAP for user authentication and Microsoft Point-to-Point Encryption (MPPE) to protect the confidentiality of user data. Potential vulnerabilities addressed by these updates include:
Dictionary attack against the LAN Manager authentication information
Password theft
PPTP server spoofing
Reuse of MPPE session keys." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS98-014" BulletinLocationID="1178" FAQLocationID="73" FAQPageName="FQ98-014.asp" Title="RPC Spoofing Denial of Service on Windows NT" DatePosted="1998/09/29" DateRevised="1998/09/29" Supported="Yes" Summary="It is possible for a malicious attacker to send spoofed RPC datagrams to UDP destination port 135 so that it appears as if one RPC server sent bad data to another RPC server. The second server returns a REJECT packet and the first server (the spoofed server) replies with another REJECT packet creating a loop that is not broken until a packet is dropped, which could take a few minutes. If this spoofed UDP packet is sent to multiple computers, a loop could possibly be created, consuming processor resources and network bandwidt" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-001" BulletinLocationID="1179" FAQLocationID="73" FAQPageName="FQ99-001.asp" Title="Exposure in Forms 2.0 TextBox Control that allows data to be read from user's Clipboard" DatePosted="1999/01/21" DateRevised="1999/01/21" Supported="Yes" Summary="A malicious hacker could use the Forms 2.0 Control to read or export text on a user's Clipboard when that user visits a web site set up by the malicious hacker or opens a HTML email created by the malicious hacker." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-002" BulletinLocationID="1180" FAQLocationID="73" FAQPageName="FQ99-002.asp" Title="Word 97 Template Vulnerability" DatePosted="1999/01/21" DateRevised="1999/01/21" Supported="Yes" Summary="A standard safety feature of Word 97 is that it warns users when a document containing macros is opened; however, if that document does not itself contain macros, but rather is linked to a template that does contains macros, no warning is issued. A malicious hacker could exploit this vulnerability to cause malicious macro code to run without warning if a user opens a Word document attached to an email sent by the malicious hacker, or if the user opens a Word document on a web site controlled by the malicious hacker. This malicious macro could possibly be used to damage or retrieve data on a user's syste" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-003" BulletinLocationID="1181" FAQLocationID="73" FAQPageName="FQ99-003.asp" Title="IIS Malformed FTP List Request Vulnerability" DatePosted="1999/02/03" DateRevised="1999/02/03" Supported="Yes" Summary="It is noteworthy that the "list" command is only available to users after they have authenticated to the server. As a result, only users who are authorized to use the server would be able to mount such an attack, and their presence on the server could be logged if the owner of the site chose to do so. However, many sites provide guest accounts, and this could allow a malicious user to attack the server anonymously." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-007" BulletinLocationID="1182" FAQLocationID="73" FAQPageName="FQ99-007.asp" Title="Taskpads Scripting Vulnerability" DatePosted="1999/02/22" DateRevised="1999/02/22" Supported="Yes" Summary="A vulnerability exists because certain methods provided by Taskpads are incorrectly marked as "safe for scripting" and can be misused by a web site operator to invoke executables on a visiting user's workstation without their knowledge or permission." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-010" BulletinLocationID="1183" FAQLocationID="73" FAQPageName="FQ99-010.asp" Title="File Access Vulnerability in Personal Web Server" DatePosted="1999/03/26" DateRevised="1999/03/26" Supported="Yes" Summary="This vulnerability allows a file request that uses a non-standard URL to bypass the server's normal file access controls. The file must be specifically requested by name, so the requester would need to know the name of the file or correctly guess it. The vulnerability would allow files on the server to be read, but not changed or deleted, and would not allow new files to be written to the server." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-005" BulletinLocationID="1184" FAQLocationID="73" FAQPageName="FQ99-005.asp" Title="BackOffice Server 4.0 Does Not Delete Installation Setup File" DatePosted="1999/02/12" DateRevised="1999/02/12" Supported="Yes" Summary="When a user chooses to install SQL Server, Exchange Server or Microsoft Transaction Server as part of a BackOffice 4.0 installation, the BackOffice installer program requests the name and password for the accounts associated with these services. Specifically, it asks for the account name and password for the SQL Executive Logon account, the Exchange Services Account, and the MTS Remote Administration Account. These values are stored in %systemdrive>\Program Files\Microsoft Backoffice\Reboot.ini, and used to install the associated services.
BackOffice Server does not erase this file when the installation process is completed. This is true regardless of whether the installation process completes successfully or unsuccessfull" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-004" BulletinLocationID="1185" FAQLocationID="73" FAQPageName="FQ99-004.asp" Title="Authentication Processing Error in Windows NT 4.0 Service Pack 4" DatePosted="1999/02/08" DateRevised="1999/02/08" Supported="Yes" Summary="The logic error in Service Pack 4 incorrectly allows a null "NT hash" value to be used for authentication from Windows NT systems. The result is that if a user account's password was last changed from a DOS, Windows 3.1, Windows for Workgroups, OS/2 or Macintosh client, a user can logon into that account from a Windows NT system using a blank password.By far the most likely machines to be affected by this vulnerability would be domain controllers running Windows NT 4.0 SP 4, in networks that contain any of the downlevel clients listed above. However, any server or workstation running Windows NT 4.0 SP 4 that contains a SAM database with active users who communicate from downlevel clients would be vulnerable to this proble" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-006" BulletinLocationID="1186" FAQLocationID="73" FAQPageName="FQ99-006.asp" Title="Windows NT Known DLLs List Vulnerability" DatePosted="1999/02/19" DateRevised="1999/03/05" Supported="Yes" Summary="In Windows NT, core operating system DLLs are kept in virtual memory and shared between the programs running on the system. This is done to avoid having redundant copies of the DLLs in memory, and improves memory usage and system performance. When a program calls a function provided by one of these DLLs, the operating system references a data structure called the KnownDLLs list to determine the location of the DLL in virtual memory. The Windows NT security architecture protects in-memory DLLs against modification, but by default it allows all users to read from and write to the KnownDLLs list. This is the root problem underlying the vulnerability.A user can programmatically load into memory a malicious DLL that has the same name as a system DLL, then change the entry in the KnownDLLs list to point to the malicious copy. From that point forward, programs that request the system DLL will instead be directed to the malicious copy. When called by a program with sufficiently high privileges, it could take any desired action, such as adding the malicious user to the Administrators group.It is important to understand that the user must able to run exploitation code on a machine in order to elevate their privileges. There are two types of machines at risk:Machines that allow non-administrative users to interactively log on. Workstation and terminal servers typically do allow this, but, per standard security practices, most other servers only allow administrators to interactively log o" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-008" BulletinLocationID="1187" FAQLocationID="73" FAQPageName="FQ99-008.asp" Title="Windows NT Screen Saver Vulnerability" DatePosted="1999/03/12" DateRevised="1999/03/12" Supported="No" Summary="Windows NT provides a screen saver feature, in which a user-selected screen saver program is run when the machine has been idle for a specified length of time. Windows NT initially launches a screen saver in the local system context, then immediately changes its security context to match that of the user. However, Windows NT does not check whether this context change was successfully made. This is the underlying problem in this vulnerability. If the context change can be made to fail, the screen saver will remain running in a highly-privileged state. The risk is that a malicious user could develop a screen saver program that, for example, uses the elevated privileges to add the author to the Administrators group.It is important to understand that the user must able to run exploitation code on a machine in order to elevate their privilege" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-009" BulletinLocationID="1188" FAQLocationID="73" FAQPageName="FQ99-009.asp" Title="Malformed Bind Request Vulnerability" DatePosted="1999/03/16" DateRevised="1999/03/16" Supported="Yes" Summary="The Bind function in the Exchange 5.5 Directory Service has an unchecked buffer that poses two threats to safe operation. The first is a denial of service threat. A malformed Bind request could overflow the buffer, causing the Exchange Directory service to crash. The server would not need to be rebooted, but the Exchange Directory service, and possibly dependent services as well, would need to be restarted in order to resume messaging service. The second threat is more esoteric and would be far more difficult to exploit. A carefully-constructed Bind request could cause arbitrary code to execute on the server via a classic buffer overrun technique. Neither attack could occur accidentall" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-013" BulletinLocationID="1189" FAQLocationID="73" FAQPageName="FQ99-013.asp" Title="File Viewers Vulnerability" DatePosted="1999/05/07" DateRevised="1999/05/19" Supported="Yes" Summary="Microsoft Site Server and Internet Information Server include tools that allow web site visitors to view selected files on the server. These are installed by default under Site Server, but must be explicitly installed under IIS. These tools are provided to allow users to view the source code of sample files as a learning exercise, and are not intended to be deployed on production web servers. The underlying problem in this vulnerability is that the tools do not restrict which files a web site visitor can vie" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-015" BulletinLocationID="1190" FAQLocationID="73" FAQPageName="FQ99-015.asp" Title="Malformed Help File Vulnerability" DatePosted="1999/05/17" DateRevised="1999/05/17" Supported="Yes" Summary="The Windows Help utility parses and displays help information for applications. The help information is contained in files of several types that are generated by the Help Compiler (part of the AppWizard utility), and is stored by default in the WINNT\help folder. By default, users can write to this folder. An unchecked buffer exists in the Help utility, and a help file that has been carefully modified could be used to execute arbitrary code on the local machine via a classic buffer overrun technique. Because the Help Compiler's output files do not generate the specific malformation at issue here, this vulnerability could not be accidentally exploite" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-016" BulletinLocationID="1191" FAQLocationID="73" FAQPageName="FQ99-016.asp" Title="Malformed Phonebook Entry Vulnerability" DatePosted="1999/05/20" DateRevised="1999/05/20" Supported="Yes" Summary="The component of the RAS client that processes phonebook entries has an unchecked buffer. This results in a vulnerability that poses two threats to safe operation. The first is a denial of service threat; a malformed phonebook entry could overflow the buffer, causing the RAS client service to crash. The second is more esoteric and would be far more difficult to exploit. A carefully-constructed phonebook entry could cause arbitrary code to execute on the client via a classic buffer overrun technique. Neither variant could be exploited accidentally.It is important to stress that the vulnerability affects RAS client machines, not RAS servers, and that the user must have permission to add or modify phonebook entries in order to mount the attack. (Permissions can be set via the phonebook's ACL). The machines primarily at risk from this vulnerability are workstations that are configured to dial out to other systems, because servers, including terminal servers, are not typically configured to act as RAS clients. It also is important to note that this vulnerability would affect only the local machine; there is no capability to directly attack a remote machine via this vulnerabilit" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-017" BulletinLocationID="1192" FAQLocationID="73" FAQPageName="FQ99-017.asp" Title="RAS and RRAS Password Vulnerability" DatePosted="1999/05/27" DateRevised="1999/05/27" Supported="Yes" Summary="When the client software for Microsoft RAS or RRAS is used to dial into a server, a dialogue requests the user's userid and password for the server. On the same dialogue is a checkbox whose caption reads ";Save password"; and which is intended to provide the user with the option to cache their security credentials if desired. However, the implemented client functionality actually caches the user's credentials regardless of whether the checkbox is selected or de-selected.Cached security credentials, which include the password, are stored and encrypted in the registry and protected by ACLs whose default values authorize only local administrators and the owner of the credentials to access them. Windows NT 4.0 Service Pack 4 also provides the ability to strongly encrypts the password data stored in the registry using the SYSKEY featur" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-020" BulletinLocationID="1193" FAQLocationID="73" FAQPageName="FQ99-020.asp" Title="Malformed LSA Request Vulnerability" DatePosted="1999/06/23" DateRevised="1999/07/20" Supported="Yes" Summary="Windows NT provides the ability to manage user privileges programmatically via the Local Security Authority (LSA) API. The API allows a program to query user names, modify privileges, and change other elements of the security policy, subject to the program's authorizations. Calls to the LSA API can be made from either the local machine or remotely via RPC.Certain API methods do not correctly handle certain types of invalid arguments. The vulnerability is a denial of service threat only, and service can be restored by restarting the machine. There is no capability to use this vulnerability to obtain unauthorized services from LS" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-021" BulletinLocationID="1194" FAQLocationID="73" FAQPageName="FQ99-021.asp" Title="CSRSS Worker Thread Exhaustion Vulnerability" DatePosted="1999/06/23" DateRevised="1999/06/23" Supported="Yes" Summary="If all worker threads in CSRSS.EXE are occupied awaiting user input, no other requests can be serviced, effectively causing the server to hang. When user input is provided, processing returns to normal." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-023" BulletinLocationID="1195" FAQLocationID="73" FAQPageName="FQ99-023.asp" Title="Malformed Image Header Vulnerability" DatePosted="1999/06/30" DateRevised="1999/06/30" Supported="Yes" Summary="If an executable file with a specially-malformed image header is executed, it will cause a system failure. The affected machine will need to be rebooted in order to place it back in service. Any work that was in progress when the machine crashed could be lost." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-024" BulletinLocationID="1196" FAQLocationID="73" FAQPageName="FQ99-024.asp" Title="Unprotected IOCTLs Vulnerability" DatePosted="1999/07/06" DateRevised="1999/07/06" Supported="Yes" Summary="An unprivileged program can disable the local mouse or keyboard on a server or workstation, and disable the console mouse or keyboard on a terminal server." Issue="On a terminal server, such a program could disable the keyboard and mouse on the console." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-025" BulletinLocationID="1197" FAQLocationID="73" FAQPageName="FQ99-025.asp" Title="Unauthorized Access to IIS Servers through ODBC Data Access with RDS" DatePosted="1999/07/17" DateRevised="1999/07/23" Supported="Yes" Summary="The RDS DataFactory object, a component of Microsoft Data Access Components (MDAC), exposes unsafe methods. When installed on a system running Internet Information Server 3.0 or 4.0, the DataFactory object may permit an otherwise unauthorized web user to perform privileged actions, including:
Allowing unauthorized users to execute shell commands on the IIS system as a privileged user.
On a multi-homed Internet-connected IIS system, using MDAC to tunnel SQL and other ODBC data requests through the public connection to a private back-end network.
Allowing unauthorized accessing to secured, non-published files on the IIS syste" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-026" BulletinLocationID="1198" FAQLocationID="73" FAQPageName="FQ99-026.asp" Title="Malformed Dialer Entry Vulnerability" DatePosted="1999/07/29" DateRevised="1999/07/29" Supported="Yes" Summary="Dialer.exe has an unchecked buffer in the portion of the program that processes the dialer.ini file. This vulnerability could be used to run arbitrary code via a classic buffer overrun technique.The circumstances of this vulnerability require a fairly complicated attack scenario that limits its scope. Dialer.exe runs in the security context of the user, so it would not benefit an attacker to simply modify a dialer.ini file and run it, as he or she would not gain additional privileges. Instead, the attacker would need to modify the dialer.ini file of another user who had higher privileges, then wait for that user to run Dialer.Although the unchecked buffer is present in all versions of Windows NT 4.0, the attack scenario would result in workstations that have dial-out capability being chiefly at ris" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-027" BulletinLocationID="1199" FAQLocationID="73" FAQPageName="FQ99-027.asp" Title="Encapsulated SMTP Address Vulnerability" DatePosted="1999/08/06" DateRevised="1999/08/06" Supported="Yes" Summary="Exchange Server implements features designed to defeat "mail relaying", a practice in which an attacker causes an e-mail server to forward mail from the attacker, as though the server were the sender of the mail. However, a vulnerability exists in this feature, and could allow an attacker to circumvent the anti-relaying features in an Internet-connected Exchange Server.
The vulnerability lies in the way that site-to-site relaying is performed via SMTP. Encapsulated SMTP addresses could be used to send mail to any desired e-mail address" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-028" BulletinLocationID="1200" FAQLocationID="73" FAQPageName="FQ99-028.asp" Title="Terminal Server Connection Request Flooding Vulnerability" DatePosted="1999/08/09" DateRevised="1999/08/09" Supported="Yes" Summary="When a request to open a new terminal connection is received by a Terminal Server, the server undertakes a resource-intensive series of operations to prepare for the connection. It does this before authenticating the request. This would allow an attacker to mount a denial of service attack by levying a large number of bogus connection requests and consuming all memory on the Terminal Server. This vulnerability could be exploited remotely if connection requests are not filtered. In extreme cases, the server could crash in the face of such an attack; in other cases, normal processing would return when the attack ceased. The patch works by causing the server to require authentication before processing the connection reques" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-029" BulletinLocationID="1201" FAQLocationID="73" FAQPageName="FQ99-029.asp" Title="Malformed HTTP Request Header Vulnerability" DatePosted="1999/08/11" DateRevised="1999/08/16" Supported="Yes" Summary="If multiple HTTP requests containing specially-malformed headers are sent to an affected server, IIS may consume all memory on the server. If this happens, IIS would be unable to service requests until either the clients that issued the requests were closed, or the IIS service were stopped and restarted. Once either of these actions have occurred, normal service would be restored." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-031" BulletinLocationID="1202" FAQLocationID="73" FAQPageName="FQ99-031.asp" Title="Virtual Machine Sandbox Vulnerability" DatePosted="1999/08/25" DateRevised="1999/09/08" Supported="Yes" Summary="The version of the Microsoft VM that ships with Microsoft Internet Explorer 4.0 and Internet Explorer 5.0 contains a security vulnerability that could allow a Java applet to operate outside the bounds set by the sandbox and take any desired action on the user's computer. If such an applet were hosted on a web site, it could act against the computer of any user who visited the site." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-034" BulletinLocationID="1203" FAQLocationID="73" FAQPageName="FQ99-034.asp" Title="Fragmented IGMP Packet Vulnerability" DatePosted="1999/09/03" DateRevised="1999/09/09" Supported="Yes" Summary="By sending fragmented IGMP packets to a Windows 95, 98 or Windows NT 4.0 machine, it is possible to disrupt the normal operation of the machine. This vulnerability primarily affects Windows 95 and 98 machines. Depending on a variety of factors, sending such packets to a Windows 95 or 98 machine may elicit behavior ranging from slow performance to crashing.Windows NT contains the same vulnerability, but other system mechanisms compensate and make it much more difficult to mount a successful attack." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-036" BulletinLocationID="1204" FAQLocationID="73" FAQPageName="FQ99-036.asp" Title="Windows NT 4.0 Does Not Delete Unattended Installation File" DatePosted="1999/09/10" DateRevised="1999/09/10" Supported="Yes" Summary="When an unattended installation of Windows NT 4.0 is performed, the installation parameters are included in a file named Unattend.txt. A vulnerability exists because the installation process copies the parameter file to a file in %windir%\system32 ($winnt$.inf for a normal unattended installation, or $nt4pre$.inf if Sysprep was used) but does not delete it when the installation completes. By default, this file can be read by any user who can perform an interactive logon. If sensitive information such as account passwords were provided in the installation parameters file, the information could be compromise" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-038" BulletinLocationID="1205" FAQLocationID="73" FAQPageName="FQ99-038.asp" Title="Spoofed Route Pointer Vulnerability" DatePosted="1999/09/20" DateRevised="1999/09/20" Supported="Yes" Summary="Windows NT 4.0 Service Pack 5 introduced the ability to disable source routing on a multi-homed Windows NT machine that acts as a router. However, even if source routing is disabled, it is possible to bypass it by including a specific type of incorrect information within the route pointer in the data packet. Windows 95 and 98 also provide this capability, and are affected by the same vulnerability. The patch restores correct operation to the anti-source routing feature. In addition, it provides additional functionality that enables source routing to be disabled on single-homed machines and on multi-homed machines that are not used as router" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-039" BulletinLocationID="1206" FAQLocationID="73" FAQPageName="FQ99-039.asp" Title="Domain Resolution and FTP Download Vulnerabilities" DatePosted="1999/09/23" DateRevised="1999/09/30" Supported="Yes" Summary="IIS 4.0 provides the ability to restrict access to a web site based on the user's domain. However, if IIS cannot resolve a user's IP address to a domain, it will grant the user's first request for a session. It will correctly deny them thereafter. This vulnerability affects IIS 4.0 only; it does not any other Microsoft product, including MCIS.
A user who accesses an FTP site via a browser will be able to download files even if they are marked No Access. This vulnerability is due to a regression error that was introduced in hotfixes released after Windows NT 4.0 Service Pack 5; it does not exist in SP5 or in previous versions. This vulnerability affects both IIS 4.0 and MCIS 2.5, but no other Microsoft product" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-041" BulletinLocationID="1207" FAQLocationID="73" FAQPageName="FQ99-041.asp" Title="RASMAN Security Descriptor Vulnerability" DatePosted="1999/09/30" DateRevised="1999/09/30" Supported="Yes" Summary="The vulnerability could enable a user to execute arbitrary code on a Windows NT machine under certain conditions. A malicious user could substitute arbitrary code for the legitimate service, which then would run in a System Context." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-045" BulletinLocationID="1208" FAQLocationID="73" FAQPageName="FQ99-045.asp" Title="Virtual Machine Verifier Vulnerability" DatePosted="1999/10/21" DateRevised="1999/11/02" Supported="Yes" Summary="The version of the Microsoft VM that ships with Microsoft Internet Explorer 4.0 and Internet Explorer 5.0 contains a security vulnerability in the bytecode verifier that could allow a Java applet to operate outside the bounds set by the sandbox. If hosted on a web site, it could cause any action to be taken on the computer of a visiting user that the user himself could take. This could include, for example, creating, deleting or modifying files, sending data to or receiving data from a web site, or reformatting the hard driv" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-046" BulletinLocationID="1209" FAQLocationID="73" FAQPageName="FQ99-046.asp" Title="Improve TCP Initial Sequence Number Randomness" DatePosted="1999/10/22" DateRevised="1999/12/23" Supported="Yes" Summary="The ISNs used in TCP/IP sessions should be as random as possible in order to prevent attacks such as IP address spoofing and session hijacking. This patch improves the randomness of the Windows NT 4.0 TCP/IP ISN generation, providing 15 bits of entropy." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-047" BulletinLocationID="1210" FAQLocationID="73" FAQPageName="FQ99-047.asp" Title="Malformed Spooler Request Vulnerability" DatePosted="1999/11/04" DateRevised="1999/11/04" Supported="Yes" Summary="Certain APIs in the Windows NT 4.0 print spooler subsystem have unchecked buffers. If an affected API were provided with random data as input, it could crash the print spooler service. If it were provided with a specially-malformed argument, it could be used to run arbitrary code on the server via a classic buffer overrun attack. The majority of the affected APIs require the caller to be a member of the Power Users or Administrators group; however, at least one is callable by normal users. None of the calls could be made by anonymous users, but the calls could be made remotely.A second vulnerability exists because incorrect permissions would allow a normal user to specify his or her own code as a print provider. Because print providers run in a local System context, this would allow the user to gain additional privileges on the local machine" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-050" BulletinLocationID="1211" FAQLocationID="73" FAQPageName="FQ99-050.asp" Title="Server-side Page Reference Redirect Vulnerability" DatePosted="1999/12/08" DateRevised="1999/12/08" Supported="Yes" Summary="Under favorable timing conditions, it is possible for a web server to create a reference to a client window that the server is permitted to view, then use a server-side redirect to a client-local file, and bypass the security restrictions. The result is that it could be possible for a malicious web site operator to view files on the computer of a visiting user." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-055" BulletinLocationID="1212" FAQLocationID="73" FAQPageName="FQ99-055" Title="Malformed Resource Enumeration Argument Vulnerability" DatePosted="1999/12/09" DateRevised="1999/12/09" Supported="Yes" Summary="This update fixes a denial of service vulnerability affecting services.exe in NT4.0. The effect is to take out named pipes, which renders the server useless but doesn't crash it. This is also referred to as "RFPoison". " Issue="The primary effect of the failure is to cause named pipes to fail, which prevents many other system services from operating." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-056" BulletinLocationID="1213" FAQLocationID="73" FAQPageName="FQ99-056.asp" Title="Syskey Keystream Reuse Vulnerability" DatePosted="1999/12/16" DateRevised="1999/12/16" Supported="Yes" Summary="Syskey is a utility that strongly encrypts the hashed password information in the SAM database in order to protect it against offline password cracking attacks. However, Syskey reuses the keystream used to perform some of the encryption. This significantly reduces the strength of the protection it provides by enabling a well-known cryptanalytic attack to be used against it." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-057" BulletinLocationID="1214" FAQLocationID="73" FAQPageName="FQ99-057.asp" Title="Malformed Security Identifier Request Vulnerability" DatePosted="1999/12/16" DateRevised="1999/12/16" Supported="Yes" Summary="The Windows NT Local Security Authority (LSA) provides a number of functions for enumerating and manipulating security information. One of these functions, LsaLookupSids(), is used to determine the Security Identifier (SID) associated with a particular user or group name. A flaw in the implementation of this function causes it to incorrectly handle certain types of invalid arguments. If an affected call were made to this function, it would cause the LSA to crash, thereby preventing the machine from performing useful wor" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-001" BulletinLocationID="1215" FAQLocationID="73" FAQPageName="FQ00-001" Title="Malformed IMAP Request Vulnerability" DatePosted="2000/01/04" DateRevised="2000/01/04" Supported="Yes" Summary="The IMAP service included in MCIS Mail has an unchecked buffer. If a malformed request containing random data were passed to the service, it could cause the web publishing, IMAP, SMTP, LDAP and other services to crash. If the malformed request contained specially crafted data, it could also be used to run arbitrary code on the server via a classic buffer overrun attack." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-002" BulletinLocationID="1216" FAQLocationID="73" FAQPageName="FQ00-002.asp" Title="Malformed Conversion Data Vulnerability" DatePosted="2000/01/20" DateRevised="2000/01/20" Supported="Yes" Summary="Microsoft Office includes a conversion utility that converts older Word documents to more recent formats. The conversion utility for Word 5 documents in East Asian languages (Japanese, Korean, Simplified Chinese and Traditional Chinese) has an unchecked buffer. By using a hexadecimal editor to insert specially malformed information into a document, a malicious user could cause Word to run code of his or her choice when the document was opened using an affected version of the converter." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-003" BulletinLocationID="1217" FAQLocationID="73" FAQPageName="FQ00-003.asp" Title="Spoofed LPC Port Request Vulnerability" DatePosted="2000/01/12" DateRevised="2000/01/12" Supported="Yes" Summary="The primary risk from this vulnerability is that a malicious user could exploit this vulnerability to gain additional privileges on the local machine. However, it also could be used to cause audit logs to indicate that certain actions were taken by another user. A malicious user would require the ability to log onto the target machine interactively and run arbitrary programs in order to exploit this vulnerability, and as a result, workstations and terminal servers would be at greatest risk." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-004" BulletinLocationID="1218" FAQLocationID="73" FAQPageName="FQ00-004" Title="RDISK Registry Enumeration File Vulnerability" DatePosted="2000/01/21" DateRevised="2000/02/04" Supported="Yes" Summary="On January 21, 2000, Microsoft released the original version of this bulletin, discussing a security vulnerability in a Microsoft Windows NT 4.0 administrative utility. The original version of the bulletin discussed the vulnerability within the context of Windows NT 4.0 Server, Terminal Server Edition. However, we have since learned of scenarios under which the vulnerability could also affect Windows NT 4.0 servers and workstations, and have revised the bulletin accordingly.The utility creates a temporary file during execution that can contain security-sensitive information, but does not appropriately restrict access to it. Under certain conditions, it could be possible for a malicious user to read the file as it was being cre" Issue="The RDISK utility is used to create an Emergency Repair Disk (ERD) in order to record machine state information as a contingency against system failure. During execution, RDISK creates a temporary file containing an enumeration of the registry. The ACLs on the file allow global read permission, and as a result, a malicious user who knew that the administrator was running RDISK could open the file and read the registry enumeration information as it was being created. RDISK erases the file upon successful completion, so under normal conditions there would be no lasting vulnerability.By default, the file is not shared and therefore could not be read by other network user" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-005" BulletinLocationID="1219" FAQLocationID="73" FAQPageName="FQ00-005.asp" Title="Malformed RTF Control Word Vulnerability" DatePosted="2000/01/17" DateRevised="2000/01/17" Supported="Yes" Summary="The default RTF reader that ships as part of many Windows platforms has an unchecked buffer in the portion of the reader that parses control words. If an RTF file contains a specially-malformed control word, it could cause the application to crash." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-006" BulletinLocationID="1220" FAQLocationID="73" FAQPageName="FQ00-006" Title="Malformed Hit-Highlighting Argument Vulnerability" DatePosted="2000/01/26" DateRevised="2000/03/31" Supported="Yes" Summary="Microsoft has released a patch that eliminates two security vulnerabilities in Microsoft Index Server. The first vulnerability could allow a malicious user to view -- but not to change, add or delete -- files on a web server. The second vulnerability could reveal where web directories are physically located on the server. " Issue="The first vulnerability is the "Malformed Hit-Highlighting Argument" vulnerability. The ISAPI filter that implements the hit-highlighting (also known as "WebHits") functionality does not adequately constrain what files can be requested. By providing a deliberately-malformed argument in a request to hit-highlight a document, it is possible to escape the virtual directory. This would allow any file residing on the server itself, and on the same logical drive as the web root directory, to be retrieved regardless of permissions. This variant could allow the source of server-side files such as .ASP files to be read. The new variant affects only Index Server 2.0, and Windows 2000 customers who applied the original patch were never at risk from it. The second vulnerability involves the error message that is returned when a user requests a non-existent Internet Data Query file. The error message provides the physical path to the web directory that was contained in the request. Although this vulnerability would not allow a malicious user to alter or view any data, it could be a valuable reconnaissance tool for mapping the file structure of a web server. This variant could allow a malicious user to read files. The variant was eliminated by the original patch, and customers who applied the original version of the patch were never at risk from it. Indexing Services in Windows 2000 is affected only by the "Malformed Hit-Highlighting" vulnerability - it is not affected by the second vulnerability." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-007" BulletinLocationID="1221" FAQLocationID="73" FAQPageName="FQ00-007.asp" Title="Recycle Bin Creation Vulnerability" DatePosted="2000/02/01" DateRevised="2000/02/01" Supported="Yes" Summary="A malicious user could create, delete or modify files in the Recycle Bin of another user who shared the machine. In most cases, the vulnerability would not allow the malicious user to read the files unless they already had read permission to do so." Issue="The Windows NT Recycle Bin for a given user maps to a folder, whose name is based on the owner's SID. The folder is created the first time the user deletes a file, and the owner is given sole permissions to it. However, if a malicious user could create the folder before the bona fide one were created, he or she could assign any desired permissions to it. This would allow him or her to create, modify or delete files in the Recycle Bin" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-008" BulletinLocationID="1222" FAQLocationID="73" FAQPageName="FQ00-008.asp" Title="Registry Permissions Vulnerability" DatePosted="2000/03/09" DateRevised="2000/04/14" Supported="Yes" Summary="This vulnerability involves three sets of registry keys whose default permissions are too permissive. These permissions could allow a malicious user who could interactively log onto a target machine (or,in one case, access an affected machine from the network) to:
. Cause code to run in a local system context.
. Cause code to run the next time another user logged onto the same machine. Disable the security protection for a previously-reported vulnerability." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-011" BulletinLocationID="1223" FAQLocationID="73" FAQPageName="FQ00-011" Title="VM File Reading Vulnerability" DatePosted="2000/02/18" DateRevised="2000/02/18" Supported="Yes" Summary="Microsoft has released a patch that eliminates a security vulnerability in the Microsoft virtual machine (Microsoft VM). The vulnerability could enable a malicious web site operator to read files from the computer of a person who visited his site or read web content from inside an intranet if the malicious site is visited by a computer from within that intranet. " Issue="The version of the Microsoft VM that ships with Microsoft Internet Explorer 4.x and Internet Explorer 5.x contains a security vulnerability that could allow a Java applet to operate outside the bounds set by the sandbox. A malicious user could write a Java applet that could read - but not change, delete or add - files from the computer of a person who visited his site or read web content from inside an intranet if the malicious site is visited by a computer from within that intranet." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-021" BulletinLocationID="1224" FAQLocationID="73" FAQPageName="FQ00-021" Title="Malformed TCP/IP Print Request Vulnerability" DatePosted="2000/03/30" DateRevised="2000/03/30" Supported="Yes" Summary="Microsoft has released a patch that eliminates a security vulnerability in the TCP/IP Printing Services for Microsoft Windows NT 4.0 and Windows 2000. If this service is installed, the vulnerability could allow a malicious user to disrupt printing services. " Issue="A specially-malformed print request could cause TCPSVC.EXE to crash, which would not only prevent the server from providing printing services, but also would stop several other services, most importantly DHCP." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-020" BulletinLocationID="1225" FAQLocationID="73" FAQPageName="FQ00-020" Title="Desktop Separation Vulnerability" DatePosted="2000/06/15" DateRevised="2000/06/15" Supported="Yes" Summary="This update eliminates the "Desktop Separation" vulnerability found in Windows 2000. Installing this update will prevent malicious users from gaining additional privileges on your computer when they log on at your keyboard. " Issue="By design, processes are constrained to run within a windows station, and the threads in the process run in one or more desktops. A process in one windows station should not be able to access desktops belonging to another windows station. However, due to an implementation error, this could happen under very specific circumstances. This could allow a process belonging to a low-privilege user to view inputs or output that belong to another desktop within the same session, and potentially obtain information such as passwords" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-026" BulletinLocationID="1226" FAQLocationID="73" FAQPageName="FQ00-026.asp" Title="Mixed Object Access Vulnerability" DatePosted="2000/04/20" DateRevised="2000/04/20" Supported="Yes" Summary="Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Windows® 2000 that could, under very specific conditions, allow a malicious user to change information in the Active Directory that he should not be able to change." Issue="Active Directory allows for access control of directory objects on a per-attribute basis. However, the vulnerability at issue here could allow a malicious user to modify object attributes that he does not have permission to modify, as long as he combined the operation in a particular way with ones involving attributes that he does have permission to modify.The vulnerability does not afford the malicious user an opportunity to modify all objects in a class ? only the specific class objects for which he has permission to modify at least one attribute. Further, the vulnerability provides no capability to bypass normal authentication or Windows 2000 auditing, so administrators could determine if this vulnerability were being exploited, and by wh" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-027" BulletinLocationID="1227" FAQLocationID="73" FAQPageName="FQ00-027.asp" Title="Malformed Environment Variable Vulnerability" DatePosted="2000/04/20" DateRevised="2000/04/20" Supported="Yes" Summary="The vulnerability could allow a malicious user to make some or all of the memory on an affected server unavailable, potentially slowing or stopping an affected server's response time." Issue="CMD.EXE, the command processor for Windows NT 4.0 and Windows 2000, has an unchecked buffer in part of the code that handles environment strings. It could be used to mount denial of service attacks in certain cases. If a server provides batch or other script files, a malicious user could potentially provide arguments that would create an extremely large environment string and overflow the buffer. This would cause the process to fail, and the memory allocated to the process would not be made available again until a dialogue had been cleared on the operator's console. By repeatedly running the batch file, the malicious user could potentially make some or all of the memory on the server temporarily unavailabl" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-029" BulletinLocationID="1228" FAQLocationID="73" FAQPageName="FQ00-029" Title="IP Fragment Reassembly Vulnerability" DatePosted="2000/05/19" DateRevised="2000/05/19" Supported="Yes" Summary="This update resolves the "IP Fragment Reassembly" security vulnerability in Windows 2000. Installing this update will minimize the negative effects that fragmented Internet Protocol (IP) datagrams could have on your computer's central processing unit (CPU)." Issue="The affected systems contain a flaw in the code that performs IP fragment reassembly. If a continuous stream of fragmented IP datagrams with a particular malformation were sent to an affected machine, it could be made to devote most or all of its CPU availability to processing them. The data rate needed to completely deny service varies depending on the machine and network conditions, but in most cases even relatively moderate rates would suffice.The vulnerability would not allow a malicious user to compromise data on the machine or usurp administrative control over it. Although it has been reported that the attack in some cases will cause an affected machine to crash, affected machines in all Microsoft testing returned to normal service shortly after the fragments stopped arriving. Machines protected by a proxy server or a firewall that drops fragmented packets would not be affected by this vulnerability. The machines most likely to be affected by this vulnerability would be machines located on the edge of a network such as web servers or proxy servers" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-032" BulletinLocationID="1229" FAQLocationID="73" FAQPageName="FQ00-032" Title="Protected Store Key Length Vulnerability" DatePosted="2000/06/01" DateRevised="2000/07/16" Supported="Yes" Summary="Microsoft has released a patch and a tool that eliminate a security vulnerability in Microsoft Windows 2000. The vulnerability could make it easier for a malicious user who had complete control over a Windows 2000 machine to compromise users' sensitive information." Issue="By design, the Protected Store should always encrypt the information using the strongest cryptography available on the machine. An attacker would need to gain complete administrative control over the machine that houses the Protected Store in order to gain access to it, and even then would still need to mount a brute-force cryptographic attack against it." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-036" BulletinLocationID="1230" FAQLocationID="73" FAQPageName="FQ00-036" Title="ResetBrowser Frame and Host Announcement Frame Vulnerabilities" DatePosted="2000/05/25" DateRevised="2000/05/25" Supported="Yes" Summary="This update resolves the "ResetBrowser Frame" and "HostAnnouncement Flooding" security vulnerabilities in Windows 2000 and is discussed in Microsoft Security Bulletin MS00-036. Download now to prevent a malicious user from denying network users the ability to locate services or other computers on the network. " Issue="The two vulnerabilities are:The "ResetBrowser Frame" vulnerability, which affects both Windows NT 4.0 and Windows 2000. Like most implementations, the Windows implementation provides the ability for a Master Browser to shut down other browsers via the ResetBrowser frame. However, there is no capability to configure a browser to ignore ResetBrowser frames. This could allow a malicious user to shut down browsers on his subnet as a denial of service attack against the browser service, or, in the worst case, to shut down all browsers and declare his machine the new Master Browser.The "HostAnnouncement Flooding" vulnerability, which does not affect Windows 2000. Because there is no means of limiting the size of the browse table in Windows NT 4.0, a malicious user could send a huge number of bogus HostAnnouncement frames to a Master Browser. The resulting replication traffic could consume The "ResetBrowser Frame" vulnerability, which affects both Windows NT 4.0 and Windows 2000. Like most implementations, the Windows implementation provides the ability for a Master Browser to shut down other browsers via the ResetBrowser frame. However, there is no capability to configure a browser to ignore ResetBrowser frames. This could allow a malicious user to shut down browsers on his subnet as a denial of service attack against the browser service, or, in the worst case, to shut down all browsers and declare his machine the new Master Browser.
The "HostAnnouncement Flooding" vulnerability, which does not affect Windows 2000. Because there is no means of limiting the size of the browse table in Windows NT 4.0, a malicious user could send a huge number of bogus HostAnnouncement frames to a Master Browser. The resulting replication traffic could consume most or all of the network bandwidth and cause other problems in processing the table as well." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-040" BulletinLocationID="1231" FAQLocationID="73" FAQPageName="FQ00-040.asp" Title="Remote Registry Access Authentication Vulnerability" DatePosted="2000/06/08" DateRevised="2000/06/08" Supported="Yes" Summary="Before a request to access the registry from a remote machine can be processed, it must first be authenticated by the Remote Registry server. If the request is malformed in a specific fashion, it could be misinterpreted by the remote registry server, causing it to fail. Because the Remote Registry server is contained within the winlogon.exe system process on Windows NT 4.0, a failure in that process would cause the entire system to fail.Only an authenticated user could levy such a request." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-047" BulletinLocationID="1232" FAQLocationID="73" FAQPageName="FQ00-047" Title="NetBIOS Name Server Protocol Spoofing Vulnerability " DatePosted="2000/07/27" DateRevised="2000/07/27" Supported="Yes" Summary="This update resolves the "NetBIOS Name Server Protocol Spoofing" security vulnerability in some Windows-based networks and is discussed in Microsoft Security Bulletin MS00-047. Download now to prevent a malicious user from misusing the Name Conflict and Name Release mechanisms that are part of Windows Internet Name Service (WINS). " Issue="By design, NBNS allows network peers to assist in managing name conflicts. Also by design, it is an unauthenticated protocol and therefore subject to spoofing. A malicious user could misuse the Name Conflict and Name Release mechanisms to cause another machine to conclude that its name was in conflict. Depending on the scenario, the machine would as a result either be unable to register a name on the network, or would relinquish a name it already had registered. The result in either case would be the same - the machine would not respond requests sent to the conflicted name anymore. This will reduce but not eliminate the threat of spoofing. Customers needing additional protection may wish to consider using IPSec in Windows 2000 to authenticate all sessions on ports 137-139" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-052" BulletinLocationID="1233" FAQLocationID="73" FAQPageName="FQ00-052" Title="Relative Shell Path Vulnerability" DatePosted="2000/07/28" DateRevised="2000/07/28" Supported="Yes" Summary="This update resolves the "Relative Shell Path" security vulnerability in Windows NT 4.0 and Windows 2000 and is discussed in Microsoft Security Bulletin MS00-052. Download now to prevent a malicious user from altering the functionality of your desktop. " Issue="Because of the circumstances in place at system startup time, the normal search order would cause any file named Explorer.exe in the %Systemdrive%\ directory to be loaded in place of the bona fide version. This could provide an opportunity for a malicious user to cause code of his choice to run when another user subsequently logged onto the same machine." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-053" BulletinLocationID="1234" FAQLocationID="73" FAQPageName="FQ00-053" Title="Service Control Manager Named Pipe Impersonation Vulnerability" DatePosted="2000/08/02" DateRevised="2000/08/02" Supported="Yes" Summary="Microsoft has released a patch that eliminates a security vulnerability in Microsoft Windows 2000. The vulnerability could allow a user logged onto a Windows 2000 machine from the keyboard to become an administrator on the machine." Issue="The Service Control Manager (services.exe) is an administrative tool provided in Windows 2000 that allows system services (Server, Workstation, Alerter, ClipBook, etc.) to be created or modified. The SCM creates a named pipe for each service as it starts, however, should a malicious program predict and create the named pipe for a specific service before the service starts, the program could impersonate the privileges of the service. This could allow the malicious program to run in the context of the given service, with either specific user or LocalSystem privileges.
The primary risk from this vulnerability is that a malicious user could exploit this vulnerability to gain additional privileges on the local machine. A malicious user would require the ability to log onto the target machine interactively and run arbitrary programs in order to exploit this vulnerability, and as a result, workstations and terminal servers would be at greatest risk." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-057" BulletinLocationID="1235" FAQLocationID="73" FAQPageName="FQ00-057" Title="File Permission Canonicalization Vulnerability " DatePosted="2000/08/10" DateRevised="2000/08/10" Supported="Yes" Summary="This update resolves the "Web Server Folder Traversal" security vulnerability in Internet Information Server (IIS) and is discussed in Microsoft Security Bulletin MS00-057. Download now to prevent a malicious user from executing operating system commands on a Web server. " Issue="A canonicalization error can, under certain conditions, cause IIS 4.0 or 5.0 to apply incorrect permissions to certain types of files. If an affected file residing in a folder with restrictive permissions were requested via a particular type of malformed URL, the permissions actually used would be those of a folder in the file's parentage chain, but not those of the folder the file actually resides in. If the ancestor folder's permissions were more permissive than those of the correct folder, the malicious user would gain additional privileges to the affected file." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-059" BulletinLocationID="1236" FAQLocationID="73" FAQPageName="FQ00-059" Title="Java VM Applet Vulnerability " DatePosted="2000/08/21" DateRevised="2001/01/26" Supported="Yes" Summary="Microsoft has released a patch that eliminates a security vulnerability in the Microsoft virtual machine (Microsoft VM). If a malicious web site operator were able to coax a user into visiting his site, the vulnerability could allow him to masquerade as the user, visit other sites using his identity, and relay the information back to his site. " Issue="This vulnerability would allow an applet to bypass this restriction. If a user visited a web site operated by a malicious user, the site could start an applet that would be able to establish a connection with another web site and forward any information from the web session to the malicious user?s site." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-060" BulletinLocationID="1237" FAQLocationID="73" FAQPageName="FQ00-060" Title="IIS Cross-Site Scripting Vulnerabilities " DatePosted="2000/08/25" DateRevised="2000/11/02" Supported="Yes" Summary="This update resolves the "IIS Cross-Site Scripting" security vulnerability in Internet Information Services (IIS). Download now to prevent a malicious user from introducing code on your Web server and returning that code as a Web page (hosted by your server) to visiting browsers. " Issue="If a malicious web site operator were able to lure a user to his site, and had identified a third-party web site that was vulnerable to CSS, he could potentially use the vulnerability to "inject" script into a web page created by the other web site, which would then be delivered to the user. The net effect would be to cause the malicious user's script to run on the user's machine using the trust afforded the other site.
The vulnerability can affect any software that runs on a web server, accepts user input, and blindly uses it to generate web pages." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-062" BulletinLocationID="1238" FAQLocationID="73" FAQPageName="FQ00-062" Title="Local Security Policy Corruption Vulnerability" DatePosted="2000/08/28" DateRevised="2000/08/28" Supported="Yes" Summary="This update resolves the "Local Security Policy Corruption" security vulnerability in Windows 2000. Download now to prevent a malicious user from corrupting parts of your computer's local security policy and disabling your network access. " Issue="This vulnerability could allow a malicious user to corrupt parts of a Windows 2000 system's local security policy, with the effect of disrupting domain membership and trust relationship information. If a workstation or member server were attacked via this vulnerability, it would effectively remove the machine from the domain; if a domain controller were attacked, it could no longer process domain logon requests." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-063" BulletinLocationID="1239" FAQLocationID="73" FAQPageName="FQ00-063.asp" Title="Invalid URL Vulnerability" DatePosted="2000/09/05" DateRevised="2000/09/05" Supported="Yes" Summary="If an affected web server received a particular type of invalid URL, it could, under certain conditions, start a chain of events that would culminate in an invalid memory request that would cause the IIS service to fail. This would prevent the server from providing web services. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-065" BulletinLocationID="1240" FAQLocationID="73" FAQPageName="FQ00-065" Title="Still Image Service Privilege Escalation Vulnerability" DatePosted="2000/09/06" DateRevised="2000/09/06" Supported="Yes" Summary="This update resolves the "Still Image Service Privilege Escalation" security vulnerability in Windows 2000 and is discussed in Microsoft Security Bulletin MS00-065. Download now to prevent a malicious user from logging on to a Windows 2000 computer interactively and running a program that could enable the malicious user to obtain administrative privileges on the host computer. " Issue="An unchecked buffer exists in the 'Still Image Service' on Windows 2000 hosts. A locally logged-on user can execute malicious code that will use the still image service to escalate their permissions equal to that of the Still Image Service, namely, LocalSystem." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-066" BulletinLocationID="1241" FAQLocationID="73" FAQPageName="FQ00-066" Title="Malformed RPC Packet Vulnerability " DatePosted="2000/09/11" DateRevised="2000/09/11" Supported="Yes" Summary="This update resolves the "Malformed RPC Packet" security vulnerability in Windows 2000 and is discussed in Microsoft Security Bulletin MS00-066. Download now to prevent a malicious user from launching a Denial of Service attack via the Remote Procedure Call (RPC) client. " Issue="A denial of service can occur when a malicious client sends a particular malformed RPC (Remote Procedure Call) packet to the server, causing the RPC service to fail. A server behind a firewall that blocks ports 135-139 and 445 will not be affected by this vulnerability from the Internet." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-067" BulletinLocationID="1242" FAQLocationID="73" FAQPageName="FQ00-067" Title="Windows 2000 Telnet Client NTLM Authentication Vulnerability" DatePosted="2000/09/14" DateRevised="2000/09/21" Supported="Yes" Summary="This update resolves the "Windows 2000 Telnet Client NTLM Authentication" security vulnerability in Windows 2000 and is discussed in Microsoft Security Bulletin MS00-067. Download now to prevent a malicious user from acquiring your authentication credentials. " Issue="A vulnerability exists because the client will, by default, perform NTLM authentication when connecting to the remote telnet server. This could allow a malicious user to obtain another user's NTLM authentication credentials without the user's knowledge. A malicious user could exploit this behavior by creating a carefully-crafted HTML document that, when opened, could attempt to initiate a Telnet session to a rogue telnet server - automatically passing NTLM authentication credentials to the malicious server's owner. The malicious user could then use an offline brute force attack to derive the password or, with specialized tools, could submit a variant of these credentials in an attempt to access protected resources." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-068" BulletinLocationID="1243" FAQLocationID="73" FAQPageName="FQ00-068.asp" Title="OCX Attachment Vulnerability" DatePosted="2000/09/26" DateRevised="2000/09/26" Supported="Yes" Summary="OCX controls are containers that can hold multiple ActiveX controls. A particular OCX control, associated with Windows Media Player, could be used in a denial of service attack against RTF-enabled e-mail clients such as Microsoft® Outlook and Outlook Express. If the affected control were programmatically embedded into an RTF mail and then sent to another user, the user?s mail client would fail when he closed the mail." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-069" BulletinLocationID="1244" FAQLocationID="73" FAQPageName="FQ00-069" Title="Simplified Chinese IME State Recognition Vulnerability" DatePosted="2000/09/29" DateRevised="2000/09/29" Supported="Yes" Summary="This update resolves the "Simplified Chinese IME State Recognition" security vulnerability in Windows 2000 and is discussed in Microsoft Security Bulletin MS00-069. Download now to prevent a malicious user from exploiting the logon screen for Simplified Chinese IME to run code, add users to the computer, install or remove system components, add or remove software and compromise data. " Issue="Input Method Editors (IMEs) enable character-based languages such as Chinese to be entered via a standard 101-key keyboard. When an IME is installed as part of the system setup, it is available by default as part of the logon screen. In such a case, the IME should recognize that it is running in the context of the LocalSystem and not in the context of a user, and restrict certain functions. This vulnerability only affects the Simplified Chinese version of Windows 2000 by default - customers using any other version of Windows 2000 are not affected. Even if the Simplified Chinese IMEs were installed after setup as part of a language pack, it would not be present as part of the logon screen and therefore would not pose a security threat. The vulnerability allows only the local machine to be compromised, but does not grant any domain privileges (unless, of course, the local machine happens to be a domain controller). Because the vulnerability is exposed as part of the logon screen, it could only be exploited by a user who had physical access to a keyboard, or who could start a terminal server session on an affected machine." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-070" BulletinLocationID="1245" FAQLocationID="73" FAQPageName="FQ00-070" Title="Multiple LPC and LPC Ports Vulnerabilities" DatePosted="2000/10/03" DateRevised="2000/10/03" Supported="Yes" Summary="This update resolves the "Multiple LPC and LPC Ports" security vulnerability in Windows 2000 and is discussed in Microsoft Security Bulletins MS00-070 and MS00-003. Download now to prevent a malicious user from causing your computer to fail, impersonating your privileges, or causing the client or server to fail by posing as the client or server and sending random data. " Issue="The "Invalid LPC Request" vulnerability, which affects only Windows NT 4.0. By levying an invalid LPC request, it would be possible to make the affected system fail. The "LPC Memory Exhaustion" vulnerability, which affects both Windows NT 4.0 and Windows 2000. By levying spurious LPC requests, it could be possible to increase the number of queued LPC messages to the point where kernel memory was depleted. The "Predictable LPC Message Identifier" vulnerability, which affects both Windows NT 4.0 and Windows 2000. Any process that knows the identifier of an LPC message can access it; however, the identifiers can be predicted. In the simplest case, a malicious user could access other process' LPC ports and feed them random data as a denial of service attack. In the worst case, it could be possible under certain conditions to send bogus requests to a privileged process in order to gain additional local privileges. A new variant of the previously-reported "Spoofed LPC Port Request" vulnerability. This vulnerability affects Windows NT 4.0 and Windows 2000, and could, under a very restricted set of conditions, allow a malicious user to create a process that would run under the security context of an already-running process, potentially including System processes. Because LPC can only be used on the local machine, none of these vulnerabilities could be exploited remotely. Instead, a malicious user could only exploit them on machines that he could log onto interactively. Typically, workstations and terminal servers would be chiefly at risk, because, if normal security practices have been followed, normal users will not be allowed to log onto critical servers interactively. This also means that, even in the worst case, the vulnerability would only confer additional local - not domain - privileges on the malicious user" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-072" BulletinLocationID="1246" FAQLocationID="73" FAQPageName="FQ00-072.asp" Title="Share Level Password Vulnerability " DatePosted="2000/10/10" DateRevised="2001/02/16" Supported="Yes" Summary="Due to the way the password feature is currently implemented, a file share could be compromised, by a malicious user who used a special client utility, without that user knowing the entire password required to access that share." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-073" BulletinLocationID="1247" FAQLocationID="73" FAQPageName="FQ00-073.asp" Title="Malformed IPX NMPI Packet Vulnerability" DatePosted="2000/10/11" DateRevised="2001/04/13" Supported="Yes" Summary="The Microsoft IPX/SPX protocol implementation (NWLink) includes an NMPI (Name Management Protocol on IPX) listener that will reply to any requesting network address. The NMPI listener software does not filter the requesting computer's network address correctly, and will therefore reply to a network broadcast address. Such a reply would in turn cause other IPX NMPI listener programs to also reply. This sequence of broadcast replies could generate a large amount of unnecessary network traffic." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-074" BulletinLocationID="1248" FAQLocationID="73" FAQPageName="FQ00-074.asp" Title="WebTV for Windows Denial of Service Vulnerability " DatePosted="2000/10/11" DateRevised="2000/10/11" Supported="Yes" Summary="There is a denial of service vulnerability in WebTV for Windows that may allow a malicious user to remotely crash either the WebTV for Windows application and/or the computer system running WebTV for Windows. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-076" BulletinLocationID="1249" FAQLocationID="73" FAQPageName="FQ00-076" Title="Cached Web Credentials Vulnerability " DatePosted="2000/10/12" DateRevised="2000/10/12" Supported="Yes" Summary="This update resolves the "Cached Web Credentials" security vulnerability in Internet Explorer. Download now to prevent a malicious user from learning the credentials of another user and then using them to log onto a Web site as the other user. This vulnerability does not give a malicious user the ability to add, change, or delete files on your computer. " Issue="When a user authenticates to a secured web page via Basic Authentication, IE caches the userid and password that were used, in order to minimize the number of times the user must authenticate to the same site. By design, IE should only send the cached credentials to secured pages on the site. However, it will actually send them to non-secure pages on the site as well. If a malicious user had complete control of another user?s network communications, he could wait until another user logged onto a secured site, then spoof a request for a non-secured page in order to collect the credentials." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-077" BulletinLocationID="1250" FAQLocationID="73" FAQPageName="FQ00-077" Title="NetMeeting Desktop Sharing Vulnerability" DatePosted="2000/10/13" DateRevised="2001/06/20" Supported="Yes" Summary="This update resolves the "NetMeeting Desktop Sharing" security vulnerability in Windows 2000 and is discussed in Microsoft Security Bulletin MS00-077. Download now to prevent a malicious user from denying or interrupting NetMeeting services. " Issue="The denial of service can occur when a malicious client sends a particular malformed string to a port which the NetMeeting service is listening on and with Remote Desktop Sharing enabled." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-078" BulletinLocationID="1251" FAQLocationID="73" FAQPageName="FQ00-078" Title="Web Server Folder Traversal Vulnerability" DatePosted="2000/10/17" DateRevised="2000/10/17" Supported="Yes" Summary="This update resolves the "Web Server Folder Traversal" security vulnerability in Internet Information Server (IIS) and is discussed in Microsoft Security Bulletin MS00-078. Download now to prevent a malicious user from executing operating system commands on a Web server. " Issue="Due to a canonicalization error in IIS 4.0 and 5.0, a particular type of malformed URL could be used to access files and folders that lie anywhere on the logical drive that contains the web folders. This would potentially enable a malicious user who visited the web site to gain additional privileges on the machine ? specifically, it could be used to gain privileges commensurate with those of a locally logged-on user. Gaining these permissions would enable the malicious user to add, change or delete data, run code already on the server, or upload new code to the server and run it. " ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-079" BulletinLocationID="1252" FAQLocationID="73" FAQPageName="FQ00-079" Title="HyperTerminal Buffer Overflow Vulnerability " DatePosted="2000/10/18" DateRevised="2001/08/30" Supported="Yes" Summary="The HyperTerminal application is a communications utility that installs by default on all versions of Windows 98, 98SE, Windows ME, Windows NT 4.0, and Windows 2000. The product contains two unchecked buffers through which an attacker could potentially cause code of her choice to run on another userΓÇÖs machine." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-080" BulletinLocationID="1253" FAQLocationID="73" FAQPageName="FQ00-080" Title="Session ID Cookie Marking Vulnerability" DatePosted="2000/10/23" DateRevised="2000/11/20" Supported="Yes" Summary="This update resolves the "Session ID Cookie Marking" security vulnerability in Internet Information Services (IIS) and is discussed in Microsoft Security Bulletin MS00-080. Download now to prevent a malicious user from connecting to the Web page you are viewing, assuming your identity, and placing orders or viewing your personal information. " Issue="If a user initiated a session with a secure web page, a Session ID cookie would be generated and sent to the user, protected by SSL. But if the user subsequently visited a non-secure page on the same site, the same Session ID cookie would be exchanged, this time in plaintext. If a malicious user had complete control over the communications channel, he could read the plaintext Session ID cookie and use it to connect to the user?s session with the secure page. At that point, he could take any action on the secure page that the user could take." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-081" BulletinLocationID="1254" FAQLocationID="73" FAQPageName="FQ00-081" Title="New Variant of VM File Reading Vulnerability" DatePosted="2000/10/25" DateRevised="2001/01/26" Supported="Yes" Summary="This update resolves the "VM File Reading" security vulnerability in the Microsoft virtual machine (Microsoft VM) and is discussed in Microsoft Security Bulletin MS00-081. Download now to prevent a malicious Web site operator from reading - but not changing, adding, or deleting - the files on your computer or viewing the Web content on your intranet. " Issue="The version of the Microsoft VM that ships with Microsoft Internet Explorer 4.x and Internet Explorer 5.x contains a security vulnerability that could allow a Java applet to operate outside the bounds set by the sandbox. A malicious user could write a Java applet that could read ? but not change, delete or add ? files from the computer of a person who visited his site or read web content from inside an intranet if the malicious site is visited by a computer from within that intranet." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-082" BulletinLocationID="1255" FAQLocationID="73" FAQPageName="FQ00-082" Title="Malformed MIME Header Vulnerability " DatePosted="2000/10/31" DateRevised="2000/10/31" Supported="Yes" Summary="As part of its normal processing of incoming mails, Exchange server checks for invalid values in the MIME header fields. However, if a particular type of invalid value is present in certain fields, the Exchange service will fail. Normal operations can be restored by restarting the Exchange service and deleting the offending mail.
There is no capability via this vulnerability to add, delete or modify emails, nor is there any capability to usurp administrative privileges on the server. The vulnerability can be eliminated either by applying the patch or Exchange 5.5 Service Pack 4, which is due to be released shortly. Exchange 2000 is not affected by the vulnerability. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-083" BulletinLocationID="1256" FAQLocationID="73" FAQPageName="FQ00-083.asp" Title="Netmon Protocol Parsing Vulnerability" DatePosted="2000/11/01" DateRevised="2000/11/01" Supported="Yes" Summary="Several parsers of Netmon have unchecked buffers. If a malicious user delivered a specially-malformed frame to a server that was monitoring network traffic, and the administrator parsed it using an affected parser, it would have the effect of either causing Netmon to fail or causing code of the malicious user's choice to run on the machine." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-084" BulletinLocationID="1257" FAQLocationID="73" FAQPageName="FQ00-084" Title="Indexing Services Cross Site Scripting Vulnerability" DatePosted="2000/11/02" DateRevised="2000/11/02" Supported="Yes" Summary="This update resolves the "Indexing Services Cross Site Scripting" vulnerability in Indexing Services for Windows 2000 and is discussed in Microsoft Security Bulletin MS00-084. Download now to prevent a malicious user from introducing code on your Web server and returning it as a Web page to a visiting browser. " Issue="The Cross-Site Scripting (CSS) vulnerability results when web applications don?t properly validate inputs before using them in dynamic web pages. If a malicious web site operator were able to lure a user to his site, and had identified a third-party web site that was vulnerable to CSS, he could potentially use the vulnerability to ?inject? script into a web page created by the other web site, which would then be delivered to the user. The net effect would be to cause the malicious user?s script to run on the user?s machine using the trust afforded the other site. The vulnerability can affect any software that runs on a web server, accepts user input, and uses it to generate web pages without sufficient validation. Microsoft has identified an Indexing Service component (CiWebHitsFile) that, when called from a specially crafted URL, is vulnerable to this scenario." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-085" BulletinLocationID="1258" FAQLocationID="73" FAQPageName="FQ00-085" Title="ActiveX Parameter Validation Vulnerability " DatePosted="2000/11/02" DateRevised="2000/11/02" Supported="Yes" Summary="Microsoft has released a patch that eliminates a security vulnerability affecting customers using Microsoft Windows 2000. The vulnerability could allow enable a malicious user to potentially run code on another user?s machine. " Issue="An ActiveX control that ships as part of Windows 2000 contains an unchecked buffer. If the control was called from a web page or HTML mail using a specially-malformed parameter, it would be possible to cause code to execute on the machine via a buffer overrun. This could potentially enable a malicious user to take any desired action on the user's machine, limited only by the permissions of the user." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-086" BulletinLocationID="1259" FAQLocationID="73" FAQPageName="FQ00-086" Title="Web Server File Request Parsing Vulnerability" DatePosted="2000/11/06" DateRevised="2000/11/30" Supported="Yes" Summary="This update resolves the "Web Server File Request Parsing" security vulnerability in Internet Information Services (IIS) and is discussed in Microsoft Security Bulletin MS00-086. Download now to prevent a malicious user from modifying Web pages, adding, changing, or deleting files by sending malformed file requests. " Issue="The ability to execute operating system commands on the web server would enable a malicious user to take virtually any action that an interactively-logged on user could take. He could, for instance, add, delete or change files on the server, run code that was already on the server, or upload code of his choice and run it." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-087" BulletinLocationID="1260" FAQLocationID="73" FAQPageName="FQ00-087.asp" Title="Terminal Server Login Buffer Overflow Vulnerability " DatePosted="2000/11/08" DateRevised="2000/11/08" Supported="Yes" Summary="An unchecked buffer in the Terminal Server login prompt could allow a malicious user to cause the Terminal Server to execute arbitrary code. The ability to execute arbitrary code would enable the malicious user to add, change, or delete data, run code already on the server, or upload new code to the server and run it. The malicious user would not need to successfully login to the Terminal Server in order to initiate this attack. This vulnerability could be exploited remotely if connection requests are not filtered. By default, Terminal Server listens on tcp port 3389. This port should be blocked at the firewall and/or router if Terminal Server access from the Internet is not require" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-088" BulletinLocationID="1261" FAQLocationID="73" FAQPageName="FQ00-088.asp" Title="Exchange User Account Vulnerability" DatePosted="2000/11/16" DateRevised="2000/11/16" Supported="Yes" Summary="If Exchange 2000 were installed on a Domain Controller, the account would also have Domain user privileges, and could thus gain access to other resources in the affected Domain." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-089" BulletinLocationID="1262" FAQLocationID="73" FAQPageName="FQ00-089.asp" Title="Domain Account Lockout Vulnerability" DatePosted="2000/11/21" DateRevised="2000/12/21" Supported="Yes" Summary="A flaw in the way that NTLM authentication operates in Windows 2000 could allow a domain account lockout policy to be bypassed on a local Windows 2000 machine, even if the domain administrator had set such a policy. The ability of a malicious user to avoid the domain account lockout policy could increase the threat from a brute force password-guessing attack. This vulnerability only affects Windows 2000 machines that are members of non-Windows 2000 domains. In addition, the vulnerability only affects domain user accounts that have previously logged into the target machine and already have cached credentials established on that machine. If a domain account lockout policy is in place and an attacker attempts a brute force password-guessing attack, the domain user account will be locked out as expected at the domain controller. However, if the attacker is able find the correct password, the local Windows 2000 machine will log the attacker on using cached credentials in violation of the account lockout polic" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-090" BulletinLocationID="1263" FAQLocationID="73" FAQPageName="FQ00-090" Title=".ASX Buffer Overrun and .WMS Script Execution Vulnerabilities " DatePosted="2000/11/22" DateRevised="2000/11/23" Supported="Yes" Summary="Microsoft has released a patch that eliminates two security vulnerabilities in Microsoft Windows Media Player. These vulnerabilities could potentially enable a malicious user to cause a program of his choice to run on another user?s computer. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-091" BulletinLocationID="1264" FAQLocationID="73" FAQPageName="FQ00-091" Title="Incomplete TCP/IP Packet Vulnerability " DatePosted="2000/11/30" DateRevised="2000/11/30" Supported="Yes" Summary="This update resolves the "Incomplete TCP/IP Packet" security vulnerability in Windows NT 4.0. If a malicious user sends a large number of specifically malformed data packets to a Windows NT 4.0 computer on a network that uses the NetBIOS over TCP/IP (NBT) protocol, the affected computer temporarily stops responding to all network requests. This occurs because Windows NT 4.0 cannot process these data packets correctly using the NBT protocol. In rare cases, an attack can cause the affected computer to remain unresponsive until it is rebooted. Download now to ensure your Windows NT 4.0 computer is able to process invalid TCP/IP packets correctly." Issue="There is a denial of service vulnerability that affects Windows NT 4.0 Windows 95, 98, 98 Second Edition and Windows Me. By sending a flood of specially malformed TCP/IP packets to a victim?s machine a malicious user could cause either of two effects. In the most likely case, the flood would temporarily prevent any networking resources on an affected computer from responding to client requests; as soon as the packets stopped arriving, the machine would resume normal operation. In a less likely case, the system could hang, and remain unresponsive until it was rebooted. This vulnerability could only be exploited if TCP port 139 was open on the target machine. If the server service or File/Print sharing were disabled on a computer it would not be susceptible to this vulnerability" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-092" BulletinLocationID="1265" FAQLocationID="73" FAQPageName="FQ00-092" Title="Extended Stored Procedure Parameter Parsing Vulnerability" DatePosted="2000/12/01" DateRevised="2000/12/01" Supported="Yes" Summary="This vulnerability would be most useful to a malicious user who had already compromised a web server and become a valid SQL Server user on the back-end server." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-093" BulletinLocationID="1266" FAQLocationID="73" FAQPageName="FQ00-093" Title="Browser Print Template and File Upload via Form Vulnerabilities " DatePosted="2000/12/01" DateRevised="2000/12/01" Supported="Yes" Summary="This update resolves the "Browser Print Template," "File Upload via Form," and "Frame Domain Verification" security vulnerabilities in Internet Explorer. Under certain conditions, a malicious Web site operator can use Print Templates or Web forms to run code or view files on a visiting user's computer. Download now to prevent a malicious Web site operator from reading files or taking other unauthorized action on your computer. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-094" BulletinLocationID="1267" FAQLocationID="73" FAQPageName="FQ00-094.asp" Title="Phone Book Service Buffer Overflow Vulnerability " DatePosted="2000/12/04" DateRevised="2000/12/04" Supported="Yes" Summary="Due to an unchecked buffer in the Phone Book Service, a particular type of malformed URL could be used to execute arbitrary code on an IIS 4 or IIS 5 web server running the Phone Book Service. This would potentially enable a malicious user to gain privileges on the machine commensurate with those of the IUSR_machinename account (IIS 4) or the IWAM_machinename account (IIS 5). The IUSR account and the IWAM account are members of the Everyone group. In some instances, members of the Everyone group, including the accounts above, are able to execute operating system commands on the web serve" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-095" BulletinLocationID="1268" FAQLocationID="73" FAQPageName="FQ00-095.asp" Title="Registry Permissions Vulnerability " DatePosted="2000/12/06" DateRevised="2001/03/27" Supported="Yes" Summary="Three registry keys have default permissions that are inappropriately loose. The keys, and the risk they pose, are as follows: The SNMP Parameters key, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters, provides the SNMP community name and SNMP management station identifiers, if they exist. SNMP community strings may allow either read or read-write access to the SNMP service. If no read-write access strings exist, the user could only use this vulnerability to read information through SNMP that is normally available to local users. If read-write access strings do exist, a malicious user could use this vulnerability to make changes to any system using the same community string for read-write access. It is important to remember that SNMP v1.0 has no security by design, and any user who could monitor network traffic could also obtain the SNMP community strings. SNMP is not installed on Windows NT 4.0 machines by default. The RAS Administration key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAS, provides a way to install third-party RAS products that work with the Windows NT native RAS service. By changing one of the values in this key, it would be possible for a malicious user to specify code of her choice as a third-party management tool. The code would then run in the LocalSystem security context. Although it might be possible to make the needed registry changes remotely, the malicious user?s code would need to reside on the affected machine itself. RAS is not installed on Windows NT 4.0 machines by default. The MTS Package Administration key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Transaction Server\Packages, includes information about which users are allowed to install and change MTS packages. By adding herself as an MTS manager, a malicious user could gain the ability to add, delete or change MTS packages. Although it might be possible in some cases to make the needed registry changes remotely, the malicious user would still need the ability to log onto the affected machine interactively in order to exercise her new privilege" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-096" BulletinLocationID="1269" FAQLocationID="73" FAQPageName="FQ00-096" Title="SNMP Parameters Vulnerability " DatePosted="2000/12/06" DateRevised="2000/12/06" Supported="Yes" Summary="This update eliminates the "SNMP Parameters" vulnerability in Windows 2000. Download now to correct the permission values for SNMP registry keys. " Issue="This vulnerability is virtually identical to the SNMP Parameters vulnerability affecting Windows NT 4.0 systems and discussed in Microsoft Security Bulletin MS00-095. The SNMP Parameters key, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters, provides the SNMP community name and SNMP management station identifiers, if they exist. SNMP community strings may allow either read or read-write access to the SNMP service. If no read-write access strings exist, the user could only use this vulnerability to read information through SNMP that is normally available to local users. If read-write access strings do exist, a malicious user could use this vulnerability to make changes to any system using the same community string for read-write access. It is important to remember that SNMP v1.0 has no security by design, and any user who could monitor network traffic could also obtain the SNMP community strings. SNMP is not installed on Windows NT 4.0 machines by default. It should be noted that the information revealed by this vulnerability is normally transmitted in plaintext across SNMP-managed networks. As a result, even in the absence of incorrect registry permissions, a malicious user could carry out the same attack if she could monitor network communicatio" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-097" BulletinLocationID="1270" FAQLocationID="73" FAQPageName="FQ00-097.asp" Title="Severed Windows Media Server Connection Vulnerability" DatePosted="2000/12/15" DateRevised="2000/12/15" Supported="Yes" Summary="By repeatedly making and then severing connections in this manner, a malicious user could exhaust the resources on a server, thereby preventing it from providing streaming media services." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-098" BulletinLocationID="1271" FAQLocationID="73" FAQPageName="FQ00-098" Title="Indexing Service File Enumeration Vulnerability" DatePosted="2000/12/19" DateRevised="2000/12/19" Supported="Yes" Summary="This update resolves the "Indexing Service File Enumeration" vulnerability in Indexing Service 3.0 and is discussed in Microsoft Security Bulletin MS00-098. Download now to prevent a malicious Web site operator from gathering information about your files and folders." Issue="An ActiveX control that ships as part of Indexing Service is incorrectly marked as safe for scripting, thereby enabling it to be executed by web site applications. The control at issue here could be used to enumerate files and folders, and to view their properties. It would not be necessary for Indexing Service to be running in order for the vulnerability to be exploited; however, if it were running, the control also could be used to search for files containing specific words. The vulnerability could not be used to read files, except via a fairly unlikely scenario discussed in detail in the FAQ. It could not be used under any conditions to change, add or delete information on the user?s computer." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-099" BulletinLocationID="1272" FAQLocationID="73" FAQPageName="FQ00-099.asp" Title="Directory Service Restore Mode Password Vulnerability" DatePosted="2000/12/20" DateRevised="2001/01/31" Supported="Yes" Summary="If the Configure Your Server tool was used when the machine was originally promoted to domain controller, that password would be blank. This could enable a malicious user to log onto the machine in Directory Service Restore Mode. Once logged on, the malicious user could alter system components or install bogus ones that would execute when a bona fide administrator subsequently logged onto the machine. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-100" BulletinLocationID="1273" FAQLocationID="73" FAQPageName="FQ00-100" Title="Malformed Web Form Submission Vulnerability" DatePosted="2000/12/22" DateRevised="2000/12/22" Supported="Yes" Summary="This update resolves the "Malformed Web Form Submission" security vulnerability in FrontPage Server Extensions (FPSE) that ship as part of Internet Information Services (IIS) and is discussed in Microsoft Security Bulletin MS00-100. Download now to prevent a malicious user from disrupting the operation of your Web server." Issue="The FrontPage Server Extensions (FPSE) ship with and are installed by default as part of IIS 4.0 and 5.0. The most familiar FPSE functions allow web site and content management; however, FPSE also provides browse-time support functions. Among the functions included in the latter category are ones that help process web forms that have been submitted by a user. A vulnerability exists in one of these functions. If a malicious user levied a specially-malformed form submission to an affected server, it would cause the IIS service to fail. The vulnerability does not provide the opportunity to misuse any of the FPSE administrative or content management functions." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-001" BulletinLocationID="1274" FAQLocationID="73" FAQPageName="FQ01-001" Title="Web Client Will Perform NTLM Authentication Regardless of Security Settings" DatePosted="2001/01/11" DateRevised="2001/01/15" Supported="Yes" Summary="This update resolves the "Web Client NTLM Authentication" security vulnerability in Windows 2000 and Office 2000 and is discussed in Microsoft Security Bulletin MS01-001. Download now to ensure that your Web Extender Client (WEC) components are set to the recommended Internet Explorer security levels, to prevent a malicious Web site operator from capturing your logon credentials. " Issue="The Web Extender Client (WEC) is a component that ships as part of Office 2000, Windows 2000, and Windows Me. WEC allows IE to view and publish files via web folders, similar to viewing and adding files in a directory through Windows Explorer. Due to an implementation flaw, WEC does not respect the IE Security settings regarding when NTLM authentication will be performed instead, WEC will perform NTLM authentication with any server that requests it. If a user established a session with a malicious user?s web site ? either by browsing to the site or by opening an HTML mail that initiated a session with it an application on the site could capture the user?s NTLM credentials. The malicious user could then use an offline brute force attack to derive the password or, with specialized tools, could submit a variant of these credentials in an attempt to access protected resources. The vulnerability would only provide the malicious user with the cryptographically protected NTLM authentication credentials of another user. " ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-002" BulletinLocationID="1275" FAQLocationID="73" FAQPageName="FQ01-002" Title="PowerPoint 2000 File Parser Contains Unchecked Buffer" DatePosted="2001/01/22" DateRevised="2001/01/25" Supported="Yes" Summary="The Microsoft PowerPoint 2000 SR-1 Extended Parsing Vulnerability Update protects you from a vulnerability in PowerPoint that could allow arbitrary code to be executed on your computer. Malicious hackers could lure users into opening a PowerPoint file that causes undesired and possibly damaging effects on a user's hard disk drive. This update replaces the Powerpoint.exe file and prevents unauthorized code from being executed." Issue="If an attacker inserted specially chosen data into a PowerPoint file and could entice another user into opening the file on his machine, the data would overrun the buffer, causing either of two effects." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-003" BulletinLocationID="1276" FAQLocationID="73" FAQPageName="FQ01-003" Title="Weak Permissions on Winsock Mutex Can Allow Service Failure" DatePosted="2001/01/24" DateRevised="2001/01/24" Supported="Yes" Summary="This update resolves the "Winsock Mutex" security vulnerability in Windows NT 4.0, and is discussed in Microsoft Security Bulletin MS01-003. Download now to prevent a malicious user from running a special program to disable your network functionality." Issue="This could enable an attacker who had the ability to run code on a local machine to monopolize the mutex, thereby preventing any other processes from using the resource that it controlled. This would have the effect of preventing the machine from participating in the network. " ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-004" BulletinLocationID="1277" FAQLocationID="73" FAQPageName="FQ01-004" Title="Malformed .HTR Request Allows Reading of File Fragments" DatePosted="2001/01/29" DateRevised="2001/01/29" Supported="Yes" Summary="Microsoft has released a patch that eliminates a security vulnerability in the Microsoft Internet Information Service. The vulnerability could allow enable an attacker, under very unusual conditions, to read fragments of files from a web server. " Issue="This one could enable an attacker to request a file in a way that would cause it to be processed by the .HTR ISAPI extension. The result of doing this is that fragments of server-side files like .ASP files could potentially be sent to the attacker." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-005" BulletinLocationID="1278" FAQLocationID="73" FAQPageName="FQ01-005" Title="Packaging Anomaly Could Cause Hotfixes to be Removed" DatePosted="2001/01/30" DateRevised="2001/01/30" Supported="Yes" Summary="Microsoft has released a tool and patch that allow customers to diagnose and eliminate the effects of anomalies in the packaging of hotfixes for English language versions of Microsoft Windows 2000. Under certain circumstances, these anomalies could cause the removal of some hotfixes, which could include some security patches, from a Windows 2000 system. " Issue="Microsoft packages all Windows 2000 hotfixes (including security patches) with a catalog file that lists all of the valid hotfixes that have been issued to date. The catalog is digitally signed to ensure its integrity, and Windows File Protection uses the signed catalog to determine which hotfixes are valid. An error in the production of the catalog files for English language Windows 2000 Post Service Pack 1 hotfixes made available through December 18, 2000 could, under very unlikely circumstances, cause Windows File Protection to remove a valid hotfix from a system. The removal of a hotfix could cause a customer?s system to revert to a version of a Windows 2000 module that contained a security vulnerability. Windows File Protection will only remove valid hotfixes from a Windows 2000 system under a very restrictive set of circumstances" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-006" BulletinLocationID="1279" FAQLocationID="73" FAQPageName="FQ01-006" Title="Invalid RDP Data Can Cause Terminal Server Failure" DatePosted="2001/01/31" DateRevised="2001/01/31" Supported="Yes" Summary="This update resolves the "Invalid RDP Data" security vulnerability in Windows 2000 terminal servers, and is discussed in Microsoft Security Bulletin MS01-006. Download now to prevent a malicious user from sending a specific series of data packets to your server, causing it to fail." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-007" BulletinLocationID="1280" FAQLocationID="73" FAQPageName="FQ01-007" Title="Network DDE Agent Requests Can Enable Code to Run in System Context" DatePosted="2001/02/05" DateRevised="2001/02/09" Supported="Yes" Summary="Microsoft has released a patch that eliminates a security vulnerability in Microsoft Windows 2000. The vulnerability could, under certain conditions, allow an attacker to gain complete control over an affected machine. " Issue="A vulnerability exists because, in Windows 2000, the Network DDE Agent runs using the Local System security context and processes all requests using this context, rather than that of the user. This would give an attacker an opportunity to cause the Network DDE Agent to run code of her choice in Local System context, as a means of gaining complete control over the local machine. " ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-008" BulletinLocationID="1281" FAQLocationID="73" FAQPageName="FQ01-008" Title="Malformed NTLMSSP Request Can Enable Code to Run with System Privileges" DatePosted="2001/02/07" DateRevised="2001/02/07" Supported="Yes" Summary="This update resolves the "NTLMSSP Privilege Elevation" security vulnerability present in Windows NT 4.0, and is discussed in Microsoft Security Bulletin MS01-008. Download now to prevent a malicious user from gaining administrative access to your computer." Issue="A flaw in the NTLM Security Support Provider (NTLMSSP) service could potentially allow a non-administrative user to gain administrative control over the system. In order to perform this attack the user would need a valid login account and the ability to execute arbitrary code on the system.
This vulnerability could only be exploited by an attacker who could log onto the affected machine interactively. However, best practices strongly suggest that unprivileged users not be allowed to interactively log onto business-critical servers like domain controllers, ERP servers, print and file servers, database servers, and others. If this recommendation has been followed, machines such as these would not be at risk from this vulnerability and, as a result, the machines most likely to be affected would be workstations and terminal servers." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-009" BulletinLocationID="1282" FAQLocationID="73" FAQPageName="FQ00-009" Title="Image Source Redirect Vulnerability" DatePosted="2000/02/16" DateRevised="2000/02/16" Supported="Yes" Summary="Installing this security update will eliminate the "Image Source Redirect" vulnerability found in Internet Explorer. Without this update, a malicious Web site operator could read (but not add, change, or delete) certain types of files on your computer. " Issue="When a web server navigates a window from one domain into another one, the IE security model checks the server's permissions on the new page. However, it is possible for a web server to open a browser window to a client-local file, then navigate the window to a page that is in the web site's domain in such a way that the data in the client-local file is accessible to the new window. The data would only be accessible to the new window for a very brief period, but the result is that it could be possible for a malicious web site operator to view files on the computer of a visiting user." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-009" BulletinLocationID="1283" FAQLocationID="73" FAQPageName="FQ01-009" Title="Malformed PPTP Packet Stream Can Cause Kernel Exhaustion" DatePosted="2001/02/13" DateRevised="2001/02/20" Supported="Yes" Summary="This update resolves the "Malformed PPTP Packet Stream" security vulnerability in Windows NT 4.0, and is discussed in Microsoft Security Bulletin MS01-009. Download now to prevent a malicious user from causing your server to stop responding or fail. " Issue="The PPTP service in Windows NT 4.0 has a flaw in a part of the code that handles a particular type of data packet, which results in a leak of kernel memory resulting in a denial of service vulnerability." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-010" BulletinLocationID="1284" FAQLocationID="73" FAQPageName="FQ01-010" Title="Windows Media Player Skins Files Can Enable Java Code to Execute" DatePosted="2001/02/14" DateRevised="2001/02/14" Supported="Yes" Summary="Microsoft has released a patch that eliminates a security vulnerability in Microsoft Windows Media Player 7. This vulnerability could potentially enable a malicious user to cause a program of his choice to run on another user?s computer. " Issue="If a Windows Media Player skin (.WMZ) file were downloaded from a malicious web site, it could potentially cause the deployment of zipped Java code to a known location on the visiting user?s machine. Since the Java code would reside in a known location on the machine, script hosted on a hostile web site or embedded in a hostile HTML mail message could potentially invoke the script in the local computer security zone to take arbitrary action on the user?s machine." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-011" BulletinLocationID="1285" FAQLocationID="73" FAQPageName="FQ01-011" Title="Malformed Request to Domain Controller Can Cause CPU Exhaustion" DatePosted="2001/02/20" DateRevised="2001/02/20" Supported="Yes" Summary="Microsoft has released a patch that eliminates a security vulnerability in Microsoft Windows 2000. By sending a continuous stream of specially malformed packets to a domain controller, an attacker could consume most or all of the machine?s resources, potentially preventing it from authenticating users. " Issue="A core service running on all Windows 2000 domain controllers (but not on any other machines) contains a flaw affecting how it processes a certain type of invalid service request. Specifically, the service should handle the request at issue here by determining that it is invalid and simply dropping it; in fact, the service performs some resource-intensive processing and then sends a response.
If an attacker sent a continuous stream of such requests to an affected machine, it could consume most or all of the machine?s CPU availability. This could cause the domain controller to process requests for service slowly or not at all, and could limit the number of new logons the machine could process and the number of Kerberos tickets that could be issued.
<Bulletin BulletinID="MS00-075" BulletinLocationID="1286" FAQLocationID="73" FAQPageName="FQ00-075" Title="Microsoft VM ActiveX Component Vulnerability" DatePosted="2000/10/12" DateRevised="2001/01/26" Supported="Yes" Summary="Microsoft has released a patch that eliminates a security vulnerability in Microsoft virtual machine (Microsoft VM). If a malicious web site operator were able to coax a user into visiting his site, the vulnerability could allow him to take any desired action on a visiting user?s machine. " Issue="If a user visited a malicious web site that exploited this vulnerability, a Java applet on one of the web pages could run any desired ActiveX control, even ones that are marked as unsafe for scripting. This would enable the malicious web site operator to take any desired action on the user?s machine." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-071" BulletinLocationID="1287" FAQLocationID="73" FAQPageName="FQ00-071.asp" Title="Word Mail Merge Vulnerability " DatePosted="2000/10/05" DateRevised="2000/10/05" Supported="Yes" Summary="If an Access database is specified as a data source via DDE in a Word mail merge document, macro code can run without the user's approval when the user opens that document.
If a user could be enticed into opening a specially constructed mail merge Word document, which was provided either as an e-mail attachment or as a link hosted on a hostile web site, it would be possible to cause arbitrary code to run on the user's machine." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-044" BulletinLocationID="1288" FAQLocationID="73" FAQPageName="FQ00-044" Title="Absent Directory Browser Argument Vulnerability" DatePosted="2000/07/14" DateRevised="2001/01/20" Supported="Yes" Summary="This update resolves two security vulnerabilities in Internet Information Services (IIS), the "Absent Directory Browser Argument" vulnerability and the "File Fragment Reading via .HTR" vulnerability. Install this update to prevent a malicious user from exploiting these vulnerabilities to slow performance on an affected Web server or, under very specific conditions, obtain the source code of certain types of files on a Web server. " Issue="The vulnerabilities could allow a malicious user to stop the web server from providing useful service, or to extract certain types of information from it." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-045" BulletinLocationID="1289" FAQLocationID="73" FAQPageName="FQ00-045" Title="Persistent Mail-Browser Link Vulnerability" DatePosted="2000/07/20" DateRevised="2000/07/20" Supported="Yes" Summary="This update resolves the "Persistent Mail Browser Link," "Cache Bypass," and "Malformed E-mail Header" security vulnerabilities in Outlook Express. Download now to prevent a malicious user from reading e-mails and files on your computer, or using your computer to send damaging e-mails to others. These vulnerabilities do not give a malicious user the ability to add, change, or delete files on your computer. " Issue="This could allow the browser window to retrieve the text of mails subsequently displayed in the preview pane, and relay it to the malicious user." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-046" BulletinLocationID="1290" FAQLocationID="73" FAQPageName="FQ00-046" Title="Cache Bypass Vulnerability " DatePosted="2000/07/20" DateRevised="2000/07/20" Supported="Yes" Summary="This update resolves the "Persistent Mail Browser Link," "Cache Bypass," and "Malformed E-mail Header" security vulnerabilities in Outlook Express. Download now to prevent a malicious user from reading e-mails and files on your computer, or using your computer to send damaging e-mails to others. These vulnerabilities do not give a malicious user the ability to add, change, or delete files on your computer. " Issue="If an HTML mail created an HTML file outside the cache, it would run in the Local Computer Zone when opened. This could allow it to open a file on the user's computer and send it a malicious user's web site. The vulnerability also could be used as a way of placing an executable file on the user's machine, which the malicious user would then seek to launch via some other means." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-048" BulletinLocationID="1291" FAQLocationID="73" FAQPageName="FQ00-048.asp" Title="Stored Procedure Permissions Vulnerability" DatePosted="2000/07/07" DateRevised="2000/07/07" Supported="Yes" Summary="Execute permission checks on stored procedures may be bypassed when a stored procedure is referenced from a temporary stored procedure. This omission would allow a malicious user to run a stored procedure that, by design, he should not be able to access." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-051" BulletinLocationID="1292" FAQLocationID="73" FAQPageName="FQ00-051.asp" Title="Excel REGISTER.ID Function Vulnerability" DatePosted="2000/07/26" DateRevised="2000/07/26" Supported="Yes" Summary="A vulnerability has been discovered in REGISTER.ID, a worksheet function. When REGISTER.ID is invoked from an Excel worksheet, it can reference any DLL on the system. If the referenced DLL contains malicious code, harmful effects can occur. By design, there is no warning given to the user when REGISTER.ID calls a DLL from a worksheet." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-054" BulletinLocationID="1293" FAQLocationID="73" FAQPageName="FQ00-054.asp" Title="Malformed IPX Ping Packet Vulnerability" DatePosted="2000/08/03" DateRevised="2000/08/03" Supported="Yes" Summary="A malicious user could launch an attack by broadcasting a single ping request - each affected machine that received the ping would respond to it, potentially resulting in a broadcast storm. In a large network, this could temporarily swamp the network's bandwidth. In addition, upon seeing its own response, each affected machine would attempt to process it, triggering a scenario that would culminate in the machine's failure." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-056" BulletinLocationID="1294" FAQLocationID="73" FAQPageName="FQ00-056.asp" Title="Microsoft Office HTML Object Tag Vulnerability" DatePosted="2000/08/09" DateRevised="2000/08/10" Supported="Yes" Summary="Microsoft Office 2000 applications are capable of reading HTML files saved as Office documents. A malformed data object tag embedded in one of these documents could cause the Office application to crash and allow arbitrary code to be executed." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-058" BulletinLocationID="1295" FAQLocationID="73" FAQPageName="FQ00-058" Title="Specialized Header Vulnerability" DatePosted="2000/08/14" DateRevised="2000/08/14" Supported="Yes" Summary="This update resolves the "Specialized Header" vulnerability in Internet Information Services (IIS) 5.0, which ships with Windows 2000. Download now to prevent a malicious user from exploiting this vulnerability and causing your Web server to send the source code of .asp or .htr files to a visiting browser. " Issue="If an IIS server receives a file request that contains a specialized header as well as one of several particular characters at the end, the expected ISAPI extension processing may not occur. The result is that the source code of the file would be sent to the browser." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-061" BulletinLocationID="1296" FAQLocationID="73" FAQPageName="FQ00-061.asp" Title="Money Password Vulnerability" DatePosted="2000/08/25" DateRevised="2000/08/25" Supported="Yes" Summary="Microsoft Money provides a password protection feature that prevents unauthorized access to your Money file. However, due to the way the password is currently handled, the password may be written in plaintext under certain conditions.
The vulnerability only affects Money data stored on the user's local computer - it does not affect the security of Money's online services in any way." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<BulletinComments/>
<QNumbers>
<QNumber QNumber="Q272232"/>
</QNumbers>
<Patches>
<Patch PatchName="Update Internet Information" PatchLocationID="374" SBID="" SQNumber="" NoReboot="0">
<PatchComments>
<PatchComment CommentID="17"/>
</PatchComments>
<AffectedProduct ProductID="41" FixedInSP="0">
<AffectedServicePack ServicePackID="103"/>
</AffectedProduct>
<AffectedProduct ProductID="40" FixedInSP="0">
<AffectedServicePack ServicePackID="102"/>
</AffectedProduct>
</Patch>
</Patches>
</Bulletin>
<Bulletin BulletinID="MS00-042" BulletinLocationID="1297" FAQLocationID="73" FAQPageName="FQ00-042" Title="Active Setup Download Vulnerability" DatePosted="2000/06/29" DateRevised="2000/08/09" Supported="Yes" Summary="This update resolves the "Active Setup Download" security vulnerability in an ActiveX control that ships as part of Internet Explorer. Download now to prevent a malicious Web site operator from overwriting files on your computer. " Issue="The flaws in downloading .cab file would allow a malicious web site operator to download a Microsoft-signed .cab file as a means of overwriting a file on the user's machine. By overwriting system files, this could allow the malicious user to render the machine unusable." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-043" BulletinLocationID="1298" FAQLocationID="73" FAQPageName="FQ00-043" Title="Malformed E-mail Header Vulnerability" DatePosted="2000/07/18" DateRevised="2000/07/23" Supported="Yes" Summary="This update resolves the "Persistent Mail Browser Link," "Cache Bypass," and "Malformed E-mail Header" security vulnerabilities in Outlook Express. Download now to prevent a malicious user from reading e-mails and files on your computer, or using your computer to send damaging e-mails to others. These vulnerabilities do not give a malicious user the ability to add, change, or delete files on your computer. " Issue="Under certain conditions, the vulnerability could allow a malicious user to cause code of his choice to execute on another user's computer." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-064" BulletinLocationID="1299" FAQLocationID="73" FAQPageName="FQ00-064.asp" Title="Unicast Service Race Condition Vulnerability " DatePosted="2000/09/06" DateRevised="2000/09/06" Supported="Yes" Summary="If a client sends a particular type of malformed request to a Windows Media server, it could induce a race condition. Once the server has been put into such a state, subsequent requests - even ones that would normally be legitimate - could cause the Windows Media Unicast Service to fail. If this happened, any ongoing sessions would be lost, and the server would stop providing unicast streaming media services." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-033" BulletinLocationID="1300" FAQLocationID="73" FAQPageName="FQ00-033.asp" Title="Frame Domain Verification and Unauthorized Cookie Access and Malformed Component Attribute Vulnerabilities" DatePosted="2000/05/17" DateRevised="2000/08/09" Supported="Yes" Summary="The "Frame Domain Verification" vulnerability, which could allow a malicious web site operator to read, but not change or add, files on the computer of a visiting user.
The "Unauthorized Cookie Access" vulnerability, which could allow a malicious web site operator to access "cookies" belonging to a visiting user.
The "Malformed Component Attribute" vulnerability, which could allow a malicious web site operator to run code of his choice on the computer of a visiting user." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-039" BulletinLocationID="1301" FAQLocationID="73" FAQPageName="FQ00-039.asp" Title="SSL Certificate Validation Vulnerabilities" DatePosted="2000/06/05" DateRevised="2000/08/09" Supported="Yes" Summary="The vulnerabilities involve how IE handles digital certificates; under a very daunting set of circumstances, they could allow a malicious web site operator to pose as a trusted web site." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-041" BulletinLocationID="1302" FAQLocationID="73" FAQPageName="FQ00-041.asp" Title="DTS Password Vulnerability" DatePosted="2000/06/13" DateRevised="2000/07/11" Supported="Yes" Summary="Data Transformation Service (DTS) packages in SQL Server 7.0 allow database administrators to create a package that will perform a particular database action at regular intervals. As part of the creation of a DTS package, the administrator provides the account name and password under which the action should be taken. However, the password can be retrieved by programmatically interrogating the package's Properties dialogue." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-049" BulletinLocationID="1303" FAQLocationID="73" FAQPageName="FQ00-049.asp" Title="Office HTML Script and IE Script Vulnerabilities" DatePosted="2000/07/13" DateRevised="2000/08/09" Supported="Yes" Summary="A malicious web site operator to cause code of his choice to run on the computer of a visiting user." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-050" BulletinLocationID="1304" FAQLocationID="73" FAQPageName="FQ00-050" Title="Telnet Server Flooding Vulnerability " DatePosted="2000/07/24" DateRevised="2000/07/24" Supported="Yes" Summary="This update resolves the "Telnet Server Flooding" security vulnerability in Microsoft Windows 2000. Download now to prevent a malicious user from sending invalid input information to your Telnet Server. " Issue="The denial of service can occur when a malicious client sends a particular malformed string to the server through the Telnet service provided as part of Windows 2000 products." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-055" BulletinLocationID="1305" FAQLocationID="73" FAQPageName="FQ00-055.asp" Title="Scriptlet Rendering Vulnerability" DatePosted="2000/08/09" DateRevised="2000/08/09" Supported="Yes" Summary="The Scriptlet Rendering vulnerability: the ActiveX control that is used to invoked scriptlets is essentially a rendering engine for HTML. This opens the door to a scenario in which a malicious web site operator could provide bogus information consisting of script, solely for the purpose of introducing it into an IE system file with a known name, then use the Scriptlet control to render the file. The net effect would be to make the script run in the Local Computer Zone, at which point it could access files on the user?s local file system.
A new variant of the Frame Domain Verification vulnerability: two functions do not enforce proper separation of frames in the same window that reside in different domains. The new variant involves an additional function with the same flaw. The net effect of the vulnerability would be to enable a malicious web site operator to open two frames, one in his domain and another on the user?s local file system, and enable the latter to pass information to the forme" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-034" BulletinLocationID="1306" FAQLocationID="73" FAQPageName="FQ00-034.asp" Title="Office 2000 UA Control Vulnerability" DatePosted="2000/05/12" DateRevised="2000/05/12" Supported="Yes" Summary="An ActiveX control that ships as part of Office 2000 is incorrectly marked as "safe for scripting". This control, the Office 2000 UA Control, is used by the "Show Me" function in Office Help, and allows Office functions to be scripted. A malicious web site operator could use the control to carry out Office functions on the machine of a user who visited his site." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-035" BulletinLocationID="1307" FAQLocationID="73" FAQPageName="FQ00-035.asp" Title="SQL Server 7.0 Service Pack Password Vulnerability" DatePosted="2000/05/30" DateRevised="2000/06/15" Supported="Yes" Summary="When SQL Server 7.0 Service Packs 1 or 2 are installed on a machine that is configured to perform authentication using Mixed Mode, the password for the SQL Server standard security System Administrator (sa) account is recorded in plaintext in the files %TEMP%\sqlsp.log and %WINNT%\setup.iss. The default permissions on the files would allow any user to read them who could log onto the server interactively." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-037" BulletinLocationID="1308" FAQLocationID="73" FAQPageName="FQ00-037" Title="HTML Help File Code Execution Vulnerability" DatePosted="2000/06/02" DateRevised="2000/06/02" Supported="Yes" Summary="Microsoft has released a patch that eliminates a security vulnerability in the HTML Help facility that ships with Microsoft(r) Internet Explorer. Under certain conditions, the vulnerability could allow a malicious web site to take inappropriate action on the computer of a visiting user. " Issue="The HTML Help facility provides the ability to launch code via shortcuts included in HTML Help files. If a compiled HTML Help (.chm) file were referenced by a malicious web site, it could potentially be used to launch code on a visiting user's computer without the user's approval. Such code could take any actions that the user could take, including adding, changing or deleting data, or communicating with a remote web site." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-038" BulletinLocationID="1309" FAQLocationID="73" FAQPageName="FQ00-038.asp" Title="Malformed Windows Media Encoder Request Vulnerability" DatePosted="2000/05/30" DateRevised="2000/06/20" Supported="Yes" Summary="This vulnerability would primarily affect streaming media providers that supply real-time broadcasts of streaming media - it would not prevent a Windows Media Server from distributing already-encoded data. The vulnerability cannot be used to cause a machine to crash, nor can it be used to usurp any administrative privileges. Simply locating the server could be a challenge, because the IP address of the Windows Media Encoder would typically not be advertised." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-010" BulletinLocationID="1310" FAQLocationID="73" FAQPageName="FQ00-010.asp" Title="Site Wizard Input Validation Vulnerability" DatePosted="2000/02/18" DateRevised="2000/02/18" Supported="Yes" Summary="Two sample web sites provided as part of Site Server 3.0, Commerce Edition do not follow security best practices; the code generated by one of the wizards is affected by the same problem. The code requests an identification number as one of the inputs, but does not validate it before using it in a database query. As a result, a malicious user could, instead of entering an appropriate input, provide SQL commands. If this were done, the SQL commands would be executed as part of the query, and could be used to create, modify, delete or read data in the databas" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-012" BulletinLocationID="1311" FAQLocationID="73" FAQPageName="FQ00-012.asp" Title="Remote Agent Permissions Vulnerability" DatePosted="2000/02/22" DateRevised="2000/02/22" Supported="Yes" Summary="If a malicious user replaced the client code with code of his or her choosing, it would run automatically in a system context the next time he or she rebooted the machine and logged on." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-013" BulletinLocationID="1312" FAQLocationID="73" FAQPageName="FQ00-013.asp" Title="Misordered Windows Media Services Handshake Vulnerability" DatePosted="2000/02/23" DateRevised="2000/02/23" Supported="Yes" Summary="The handshake sequence between a Windows Media server and a Windows Media Player is asynchronous, because certain resource requests are dependent on the successful completion of previous ones. If the client-side handshake packets are sent in a particular misordered sequence, with certain timing constraints, the server will attempt to use a resource before it has been initialized and will fail catastrophically, causing the Windows Media Unicast Service to crash." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-014" BulletinLocationID="1313" FAQLocationID="73" FAQPageName="FQ00-014.asp" Title="SQL Query Abuse Vulnerability" DatePosted="2000/03/08" DateRevised="2000/03/08" Supported="Yes" Summary="The vulnerability could allow the remote author of a malicious SQL query to take unauthorized actions on a SQL Server or MSDE database or on the underlying system that was hosting the SQL Server or MSDE database." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-015" BulletinLocationID="1314" FAQLocationID="73" FAQPageName="FQ00-015.asp" Title="Clip Art Buffer Overrun Vulnerability" DatePosted="2000/03/06" DateRevised="2000/03/06" Supported="Yes" Summary="One of the features of the Clip Art Gallery allows the user to download additional clips from the Microsoft Clip Gallery Live web site, and then install that clip art on their computer. To do this, Clip Art Gallery and Clip Gallery Live use a file format called the CIL format to contain the newly downloaded clips. Under certain circumstances, a very long field embedded in a clip art CIL file could cause a buffer overrun in the Clip Art Gallery software. The buffer overrun could cause the software to crash or, under certain circumstances, could cause the execution of hostile code on the computer where the Clip Art Gallery software was executing.
The risk from this vulnerability results from the facts that any web site can host a CIL file and that clip art will normally be processed without prompting the user for confirmation as would be the case with an executable file forma" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-016" BulletinLocationID="1315" FAQLocationID="73" FAQPageName="FQ00-016.asp" Title="Malformed Media License Request Vulnerability" DatePosted="2000/03/17" DateRevised="2000/03/17" Supported="Yes" Summary="The vulnerability could allow a malicious user to temporarily prevent the license server from issuing further licenses to customers for protected digital content (music and video)." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-017" BulletinLocationID="1316" FAQLocationID="73" FAQPageName="FQ00-017.asp" Title="DOS Device in Path Name Vulnerability" DatePosted="2000/03/16" DateRevised="2000/03/16" Supported="Yes" Summary="Because it is not possible to create files or folders that contain DOS device names, it would be unusual for a user to try to access one under normal circumstances. The chief threat posed by this vulnerability is that a malicious user could attempt to entice a user to attempt such an access. For instance, if a web site operator hosted a hyperlink that referenced such a path, clicking the link would result in the user?s machine crashing. Likewise, a web page or HTML mail that specified a local file as the source of rendering information could cause the user?s machine to crash when it was displaye" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-018" BulletinLocationID="1317" FAQLocationID="73" FAQPageName="FQ00-018.asp" Title="Chunked Encoding Post Vulnerability " DatePosted="2000/03/20" DateRevised="2000/03/20" Supported="Yes" Summary="IIS 4.0 supports chunked encoding transfers, but does not limit the size of the buffer that can be reserved. This would allow a malicious user to request an extremely large buffer for a POST or PUT operation, but never actually send data, thereby blocking memory on the server that had been allocated to the session. If sufficient memory on the server were blocked in this fashion, it could prevent the server from performing useful work." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-019" BulletinLocationID="1318" FAQLocationID="73" FAQPageName="FQ00-019" Title="Virtualized UNC Share Vulnerability" DatePosted="2000/03/30" DateRevised="2000/03/30" Supported="Yes" Summary="Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Internet Information Server and products based on it. Under certain fairly unusual conditions, the vulnerability could cause a web server to send the source code of .ASP and other files to a visiting user." Issue="Under certain fairly unusual conditions, the vulnerability could cause a web server to send the source code of .ASP and other files to a visiting user." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-022" BulletinLocationID="1319" FAQLocationID="73" FAQPageName="FQ00-022.asp" Title="XLM Text Macro Vulnerability" DatePosted="2000/04/03" DateRevised="2000/04/03" Supported="Yes" Summary="When an Excel user starts a macro that resides outside of the current spreadsheet (for example, in another spreadsheet), Excel by design will generate a warning dialogue. However, this dialogue is not generated if the macro consists of Excel 4.0 Macro Language (XLM) commands in an external text file." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-023" BulletinLocationID="1320" FAQLocationID="73" FAQPageName="FQ00-023" Title="Myriad Escaped Characters Vulnerability" DatePosted="2000/04/12" DateRevised="2000/04/12" Supported="Yes" Summary="Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Internet Information Server. The vulnerability could allow a malicious user to slow a web server's response or prevent it from providing service altogether for a period of time. " Issue="Special characters can be embedded in URLs by use of so-called escaped character sequences. By providing a specially-malformed URL with an extremely large number of escaped characters, a malicious user could arbitrarily increase the work factor associated with parsing the escaped characters, thereby consuming much or all of the CPU availability on the server and preventing useful work from being done." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-024" BulletinLocationID="1321" FAQLocationID="73" FAQPageName="FQ00-024.asp" Title="OffloadModExpo Registry Permissions Vulnerability" DatePosted="2000/04/12" DateRevised="2000/04/12" Supported="Yes" Summary="This vulnerability involves a registry key used by the CryptoAPI Base CSPs to specify the driver DLL for a hardware accelerator. By design, such a DLL would have access to users' public and private keys. Although only administrators should have permission to add such a DLL, the permissions on the key actually would allow any user who could interactively log onto the machine to do so. By writing a bogus DLL and installing it, a malicious user could compromise the keys of other users who subsequently used the machin" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-025" BulletinLocationID="1322" FAQLocationID="73" FAQPageName="FQ00-025.asp" Title="Link View Server-Side Component Vulnerability" DatePosted="2000/04/14" DateRevised="2000/04/17" Supported="Yes" Summary="Dvwssr.dll is a server-side component used to support the Link View feature in Visual Interdev 1.0. However, it contains an unchecked buffer. If overrun with random data, it could be used to cause an affected server to crash, or could allow arbitrary code to run on the server in a System context." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-028" BulletinLocationID="1323" FAQLocationID="73" FAQPageName="FQ00-028.asp" Title="Server-Side Image Map Components Vulnerability" DatePosted="2000/04/21" DateRevised="2000/04/21" Supported="Yes" Summary="The vulnerability could potentially allow a malicious web site visitor to perform actions that the system permissions authorize him to perform, but which he previously may have had no means of actually carrying out." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-030" BulletinLocationID="1324" FAQLocationID="73" FAQPageName="FQ00-030" Title="Malformed Extension Data in URL Vulnerability" DatePosted="2000/05/11" DateRevised="2000/05/11" Supported="Yes" Summary="This update resolves the "Malformed Extension Data in URL" security vulnerability in Internet Information Server (IIS) 5.0 and IIS 4.0. Installing this update will prevent a malicious user from slowing or temporarily stopping performance on your Web server. " Issue="In compliance with RFC 2396, the algorithm in IIS that processes URLs has flexibility built in to allow it to process any arbitrary sequence of file extensions or subresource identifiers (referred to in the RFC as path_segments). By providing an URL that contains specially-malformed file extension information, a malicious user could misuse this flexibility in order to arbitrarily increase the work factor associated with parsing the URL. This could consume much or all of the CPU availability on the server and prevent useful work from being done." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS00-031" BulletinLocationID="1325" FAQLocationID="73" FAQPageName="FQ00-031" Title="Undelimited .HTR Request and File Fragment Reading via .HTR Vulnerabilities" DatePosted="2000/05/10" DateRevised="2000/07/17" Supported="Yes" Summary="This update resolves two security vulnerabilities in Internet Information Services (IIS), the "Absent Directory Browser Argument" vulnerability and the "File Fragment Reading via .HTR" vulnerability. Install this update to prevent a malicious user from exploiting these vulnerabilities to slow performance on an affected Web server or, under very specific conditions, obtain the source code of certain types of files on a Web server. " Issue="The vulnerabilities could, respectively, be used to slow an affected web server's response or to obtain the source code of certain types of files under very restricted conditions." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-053" BulletinLocationID="1326" FAQLocationID="73" FAQPageName="FQ99-053.asp" Title="Windows Multithreaded SSL ISAPI Filter Vulnerability" DatePosted="1999/12/02" DateRevised="1999/12/02" Supported="Yes" Summary="The SSL ISAPI filter provided as part of IIS supports concurrent use. When used in this mode, a synchronization problem could induce a race condition and cause a single buffer of plaintext to be leaked. The conditions under which this could happen are very rare, and could only occur when a single user's session was multi-threaded and traffic volumes were extremely high." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-054" BulletinLocationID="1327" FAQLocationID="73" FAQPageName="FQ99-054.asp" Title="WPAD Spoofing Vulnerability" DatePosted="1999/12/01" DateRevised="1999/12/01" Supported="Yes" Summary="The IE 5 Web Proxy Auto-Discovery (WPAD) feature enables web clients to automatically detect proxy settings without user intervention. The algorithm used by WPAD prepends the hostname "wpad" to the fully-qualified domain name and progressively removes subdomains until it either finds a WPAD server answering the domain name or reaches the third-level domain. For instance, web clients in the domain a.b.microsoft.com would query wpad.a.b.microsoft, wpad.b.microsoft.com, then wpad.microsoft.com. A vulnerability arises because in international usage, the third-level domain may not be trusted. A malicious user could set up a WPAD server and serve proxy configuration commands of his or her choic" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-058" BulletinLocationID="1328" FAQLocationID="73" FAQPageName="FQ99-058.asp" Title="Virtual Directory Naming Vulnerability" DatePosted="1999/12/21" DateRevised="1999/12/21" Supported="Yes" Summary="This vulnerability would be most likely to occur due to administrator error, or if a product generated an affected virtual directory name by default. (Front Page Server Extensions is one such product). Recommended security practices militate against including sensitive information in .ASP and other files that require server-side processing, and if this recommendation is observed, there would be no sensitive information divulged even if this vulnerability occurred. In any event, an affected virtual directory could be identified during routine testing of the serve" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-059" BulletinLocationID="1329" FAQLocationID="73" FAQPageName="FQ99-059.asp" Title="Malformed TDS Packet Header Vulnerability" DatePosted="1999/12/20" DateRevised="1999/12/20" Supported="Yes" Summary="If a specially-malformed TDS packet is sent to a SQL server, it can cause the server to crash. This vulnerability could only be remotely exploited if port 1433 were open at the firewall." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-060" BulletinLocationID="1330" FAQLocationID="73" FAQPageName="FQ99-060.asp" Title="HTML Mail Attachment Vulnerability" DatePosted="1999/12/22" DateRevised="1999/12/22" Supported="Yes" Summary="It eliminates a security vulnerability in the Microsoft® Outlook Express mail client for Macintosh systems. The vulnerability could allow attachments to HTML mails to be automatically downloaded onto the user's computer.
It provides replacements for several digital certificates that are included in Internet Explorer for Macintosh, and will expire on December 31, 1999." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-061" BulletinLocationID="1331" FAQLocationID="73" FAQPageName="FQ99-061.asp" Title="Escape Character Parsing Vulnerability" DatePosted="1999/12/21" DateRevised="1999/12/21" Supported="Yes" Summary="RFC 1738 specifies that web servers must allow hexadecimal digits to be input in URLs by preceding them with the so-called "escape" character, a percent sign. IIS complies with this specification, but also accepts characters after the percent sign that are not hexadecimal digits. Some of these translate to printable ASCII characters, and this could provide an alternate means of specifying files in URLs." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-052" BulletinLocationID="1332" FAQLocationID="73" FAQPageName="FQ99-052.asp" Title="Legacy Credential Caching Vulnerability" DatePosted="1999/11/29" DateRevised="1999/11/29" Supported="Yes" Summary="Windows for Workgroups provided a RAM-based caching mechanism that cached the user's plaintext network credentials for use by real-mode command-line networking utilities. Part of this mechanism was carried forward into the Windows 95 and 98 designs, even though it is not used by either. A malicious user could query this mechanism to obtain the network credentials of the last person to use the machine for network access, as long as they had physical access to the machine and it had not been rebooted since the last networking sessio" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-051" BulletinLocationID="1333" FAQLocationID="73" FAQPageName="FQ99-051.asp" Title="IE Task Scheduler Vulnerability" DatePosted="1999/11/29" DateRevised="1999/11/29" Supported="Yes" Summary="The IE 5 Task Scheduler controls who can create and submit "AT jobs." The utility that is used to create AT jobs can only be run by an administrator, and the Task Scheduler will only execute AT jobs that are owned by administrators. However, if a malicious user had change access to an existing file owned by an administrator (it would not need to be an AT job), he or she could modify it to be a valid AT job and place in the appropriate folder for execution. This would bypass the control mechanism and allow the job to be execute" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-049" BulletinLocationID="1334" FAQLocationID="73" FAQPageName="FQ99-049.asp" Title="File Access URL Vulnerability" DatePosted="1999/11/12" DateRevised="1999/11/12" Supported="Yes" Summary="There is a buffer overflow in the Windows 95 and Windows 98 networking software that processes file name strings. If the networking software were provided with a very long random string as input, it could crash the machine. If provided with a specially-malformed argument, it could be used to run arbitrary code on the machine via a classic buffer overrun attack.
The vulnerability could be exploited remotely in cases where a file:// URL or a Universal Naming Convention (UNC) string on a remote web site included a long file name or where a long file name was included in an e-mail messag" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-048" BulletinLocationID="1335" FAQLocationID="73" FAQPageName="FQ99-048.asp" Title="Active Setup Control Vulnerability" DatePosted="1999/11/11" DateRevised="1999/11/11" Supported="Yes" Summary="A particular ActiveX control allows cabinet files to be launched and executed. This could allow an HTML mail to contain a malicious cabinet file, disguised as a file of an innocuous type. If a user attempted to open this file, the operation would fail but could, depending on the mail package, leave a copy of the file in a known location. The ActiveX control could then be used via a script embedded in the mail to launch the copy, thereby executing the malicious code." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-044" BulletinLocationID="1336" FAQLocationID="73" FAQPageName="FQ99-044.asp" Title="Excel SYLK Vulnerability" DatePosted="1999/10/20" DateRevised="1999/10/20" Supported="Yes" Summary="The primary vulnerability addressed by this patch is the "Excel SYLK" vulnerability. Symbolic Link (SYLK) files can contain macros; if such a file were opened in Excel 97 or 2000, the macro would run without asking for the user's permission. These macros could take any action on the computer that the user could take." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-043" BulletinLocationID="1337" FAQLocationID="73" FAQPageName="FQ99-043.asp" Title="Javascript Redirect Vulnerability" DatePosted="1999/10/18" DateRevised="1999/11/17" Supported="Yes" Summary="Client-local data that is displayed in the browser window can be made available to the server by using a redirect to a Javascript applet running in the same window. This in effect bypasses cross-domain security and makes the data available to the applet, which could then send the data to a hostile server. This could allow a malicious web site operator to read the contents of files on visiting users' computers, if he or she knew the name of the file and the folder in which it resided. The vulnerability would not allow the malicious user to list the contents of folders, create, modify or delete files, or to usurp any administrative control over the machin" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-042" BulletinLocationID="1338" FAQLocationID="73" FAQPageName="FQ99-042.asp" Title="IFRAME ExecCommand Vulnerability" DatePosted="1999/10/11" DateRevised="1999/11/04" Supported="Yes" Summary="Client-local data that is displayed in the browser window can be made available to the server by using a redirect to a Javascript applet running in the same window. This in effect bypasses cross-domain security and makes the data available to the applet, which could then send the data to a hostile server. This could allow a malicious web site operator to read the contents of files on visiting users' computers, if he or she knew the name of the file and the folder in which it resided. The vulnerability would not allow the malicious user to list the contents of folders, create, modify or delete files, or to usurp any administrative control over the machine" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-040" BulletinLocationID="1339" FAQLocationID="73" FAQPageName="FQ99-040.asp" Title="Download Behavior Vulnerability" DatePosted="1999/09/28" DateRevised="1999/10/12" Supported="Yes" Summary="IE 5 includes a feature called "download behavior" that allows web page authors to download files for use in client-side script. By design, a web site should only be able to download files that reside in its domain; this prevents client-side code from exposing files on the user's machine or local intranet to the web site. However, a server-side redirect can be used to bypass this restriction, thereby enabling a malicious web site operator to read files on the user's machine or the user's local intranet. This vulnerability would chiefly affect workstations that are connected to the Interne" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-037" BulletinLocationID="1340" FAQLocationID="73" FAQPageName="FQ99-037.asp" Title="ImportExportFavorites Vulnerability" DatePosted="1999/09/10" DateRevised="1999/12/08" Supported="Yes" Summary="IE 5 includes a feature that allows users to export a list of their favorite web sites to a file, or to import a file containing a list of favorite sites. The method that is used to perform this function, ImportExportFavorites(), should only allow particular types of files to be written, and only to specific locations on the drive. However, it is possible for a web site to invoke this method, bypass this restriction and write files that could be used to execute system commands. The net result is that a malicious web site operator potentially could take any action on the computer that the user would be capable of taki" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-035" BulletinLocationID="1341" FAQLocationID="73" FAQPageName="FQ99-035.asp" Title="Set Cookie Header Caching Vulnerability" DatePosted="1999/09/10" DateRevised="1999/09/10" Supported="Yes" Summary="When certain versions of Site Server or MCIS send a web page that contains a Set Cookie Header, they do not flag the page with an expiration header. As a result, such pages may be cached by a web proxy. Multiple customers accessing the same site via a web proxy might be served the same page, containing the same Set Cookie Header. If the cookie information includes a GUID that is used as an index for the server's database, one customer's personal data might be viewable by the others." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-033" BulletinLocationID="1342" FAQLocationID="73" FAQPageName="FQ99-033.asp" Title="Malformed Telnet Argument Vulnerability" DatePosted="1999/09/09" DateRevised="1999/09/09" Supported="Yes" Summary="The Telnet client that ships as part of Windows 95 and 98 has an unchecked buffer. A specially-malformed argument could be passed to the client via a web page in order to cause arbitrary code to execute on the computer via a classic buffer overrun technique." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-032" BulletinLocationID="1343" FAQLocationID="73" FAQPageName="FQ99-032.asp" Title="scriptlet.typelib/Eyedog Vulnerability " DatePosted="1999/08/31" DateRevised="1999/10/12" Supported="Yes" Summary="scriptlet.typelib is a control used by developers to generate Type Libraries for Windows Script Components. It is marked as "safe for scripting", but should not be because it allows local files to be created or modified. The patch removes the "safe for scripting" marking, thereby causing IE to request confirmation from the user before loading the control.
Eyedog is a control used by diagnostic software in Windows. It is marked as "safe for scripting", but should not be because it allows registry information to be queried and machine characteristics to be gathered. In addition, one of the control's methods is vulnerable to a buffer overrun attack. The patch sets the so-called "kill bit", which prevents it from loading within I" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-030" BulletinLocationID="1344" FAQLocationID="73" FAQPageName="FQ99-030.asp" Title="Office ODBC Vulnerabilities" DatePosted="1999/08/20" DateRevised="1999/10/08" Supported="Yes" Summary="The "VBA Shell" vulnerability, which affects all versions of Jet except Jet 4.0. An operating system command embedded within a database query could be executed when the query is processed. This would allow a spreadsheet, database, or other application file that contained such a query to take virtually any action on the user's computer when the query was executed.
The "Text I-ISAM" vulnerability, which affects all versions of Jet. Jet provides a way to modify the contents of text files, as a way of allowing data exchange between it and other systems. However, a malicious user could use this capability to modify system files via a database query. The original patch for this vulnerability allowed "drop table" operations to be used, which could allow files on the user's computer to be deleted; the new patch eliminates this varian" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-022" BulletinLocationID="1345" FAQLocationID="73" FAQPageName="FQ99-022.asp" Title="Double Byte Code Page Vulnerability" DatePosted="1999/06/24" DateRevised="1999/08/19" Supported="Yes" Summary="When IIS is run on a machine on which a double-byte character set code page is used (i.e., the default language on the server is set to Chinese, Japanese, or Korean), and a specific URL construction is used to request a file in a virtual directory, normal server-side processing is bypassed. As a result, the file is simply delivered as text to the browser, thereby allowing the source code to be viewed." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-019" BulletinLocationID="1346" FAQLocationID="73" FAQPageName="FQ99-019.asp" Title="Malformed HTR Request Vulnerability" DatePosted="1999/06/15" DateRevised="1999/07/22" Supported="Yes" Summary="The vulnerability involves an unchecked buffer in the filter DLLs for these file types. This poses two threats to safe operation. The first is a denial of service threat. A malformed request for an .HTR, .STM or .IDC file could overflow the buffer, causing IIS to crash. The server would not need to be rebooted, but IIS would need to be rebooted in order to resume service. The second threat is that a carefully-constructed file request could cause arbitrary code to execute on the server via a classic buffer overrun technique. Neither attack could occur accidentally. The vulnerability is present regardless of whether .HTR, .STM or .IDC files are present on the serve" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-018" BulletinLocationID="1347" FAQLocationID="73" FAQPageName="FQ99-018.asp" Title="Malformed Favorites Icon Vulnerability" DatePosted="1999/05/27" DateRevised="1999/05/27" Supported="Yes" Summary="The "Malformed Favorites Icon" vulnerability. The Favorites feature allows IE users to keep a list of their favorite web sites. In IE 5, the Favorites list can contain icons that are supplied by the associated web sites. However, there is an unchecked buffer in the implementation. A specially-malformed icon could overrun the buffer and be used to run arbitrary code on the user's computer. This vulnerability only affects IE 5 when run on Windows 95 or 98; it does not affect Windows NT systems.
The "Legacy ActiveX Control" vulnerability. An ActiveX control that was used by previous versions of IE also was included in IE 4.0 and IE 5 even though it is not used by either. It could be misused to allow a web site to read the user's local hard drive. The update eliminates the vulnerability by removing the contro" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-014" BulletinLocationID="1348" FAQLocationID="73" FAQPageName="FQ99-014.asp" Title="Excel 97 Virus Warning Vulnerabilities" DatePosted="1999/05/07" DateRevised="1999/05/07" Supported="Yes" Summary="Microsoft Excel 97 provides a feature that warns the user before launching an external file that could potentially contain a virus or other malicious software. However, certain scenarios have been identified that could be misused to bypass the warning mechanism. In general, they require the use of infrequently-combined features and commands, and are unlikely to be encountered in normal use." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-012" BulletinLocationID="1349" FAQLocationID="73" FAQPageName="FQ99-012.asp" Title="MSHTML Update Available for Internet Explorer" DatePosted="1999/04/21" DateRevised="1999/04/21" Supported="Yes" Summary="The first vulnerability is a new variant of a previously-identified cross-frame security vulnerability. A particular malformed URL could be used to execute scripts in the security context of a different domain. This could allow a malicious web site operator to execute a script on the web site, and gain privileges on visiting users' machines that are normally granted only to their trusted sites.
The second vulnerability affects only Internet Explorer 5.0, and is a new variant of a previously-identified untrusted scripted paste vulnerability. The vulnerability would allow a script to paste a filename into the file upload intrinsic control. This should only be possible by explicit user action. Once the filename has been pasted into the control, a subsequent form submission could send the file to a remote web site. If the user has disabled the default warning that is displayed when submitting unencrypted forms, the file would be sent without any warning to the user.
The third vulnerability is a privacy issue involving the processing of the "IMG SRC" tag in HTML files. This tag identifies and loads image sources - image files that are to be displayed as part of a web page. The vulnerability results because the tag can be used to point to files of any type, rather than only image files, after which point the document object model methods can be used to determine information about them. A malicious web site operator could use this vulnerability to determine the size and MIME type of files on the computer of a visiting use" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS99-011" BulletinLocationID="1350" FAQLocationID="73" FAQPageName="FQ99-011.asp" Title="DHTML Edit Vulnerability" DatePosted="1999/04/21" DateRevised="1999/04/21" Supported="Yes" Summary="The root cause of the vulnerability lies in the fact that a web site that hosts the "safe for scripting" version of the control is able to upload any data entered into the control. A malicious web site operator could trick a user into entering sensitive data into a DHTML Edit control hosted on a web page from the operator's site, and then upload the data. In addition, if the malicious web site operator knows the name of a file on the user's local drive, it is possible for the operator to programmatically load the file into the control and then upload i" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-012" BulletinLocationID="1351" FAQLocationID="73" FAQPageName="FQ01-012" Title="Outlook - Outlook Express VCard Handler Contains Unchecked Buffer" DatePosted="2001/02/22" DateRevised="2001/05/09" Supported="Yes" Summary="This update resolves the "Malformed vCard" security vulnerability in Outlook and Outlook Express. This vulnerability exists because the component in Outlook and Outlook Express that processes the vCard (virtual business card) has an unchecked buffer (a temporary data storage area without a string length limit). Download now to ensure that your e-mail service processes vCards correctly. " Issue="Outlook Express provides several components that are used both by it and, if installed on the machine, Outlook. One such component, used to process vCards, contains an unchecked buffer.
By creating a vCard and editing it to contain specially chosen data, then sending it to another user, an attacker could cause either of two effects to occur if the recipient opened it. In the less serious case, the attacker could cause the mail client to fail. If this happened, the recipient could resume normal operation by restarting the mail client and deleting the offending mail. In the more serious case, the attacker could cause the mail client to run code of her choice on the user?s machine. Such code could take any desired action, limited only by the permissions of the recipient on the machine. " ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-013" BulletinLocationID="1352" FAQLocationID="73" FAQPageName="FQ01-013" Title="Windows 2000 Event Viewer Contains Unchecked Buffer" DatePosted="2001/02/26" DateRevised="2001/02/26" Supported="Yes" Summary="This update resolves the "Malformed Event Record" security vulnerability in Windows 2000, and is discussed in Microsoft Security Bulletin MS01-013. Download now to prevent a malicious user from running unauthorized code on your computer. " Issue="This is a buffer overrun vulnerability. By entering a specially malformed record into a machine?s event log, an attacker could cause either of two effects to occur when the record was subsequently opened. In the least serious case, he could cause the event viewer to fail. In the more serious case, he could cause the event viewer?s functionality to be modified while running, in order to perform a task of his choosing on the other user?s machine." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-014" BulletinLocationID="1353" FAQLocationID="73" FAQPageName="FQ01-014" Title="Malformed URL Can Cause Service Failure in IIS 5.0 and Exchange 2000" DatePosted="2001/03/01" DateRevised="2001/03/01" Supported="Yes" Summary="This update resolves the "Malformed URL can cause Service Failure in IIS 5.0 and Exchange 2000" security vulnerability in Internet Information Server (IIS) 5.0 and Exchange 2000, and is discussed in Microsoft Security Bulletin MS01-014. Download now to prevent a malicious user from causing IIS 5.0 to fail. " Issue="This is a denial of service vulnerability. It could enable an attacker to temporarily disrupt service on an affected web, or to temporarily disrupt web-based access to an affected mail server. Although the server in either case would automatically resume normal operation, any sessions in progress at the time of the attack would be lost. The vulnerability does not provide any opportunity for the attacker to usurp administrative control over the server, or to add, change or delete data on it." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-015" BulletinLocationID="1354" FAQLocationID="73" FAQPageName="FQ01-015" Title="IE Can Divulge Location of Cached Content" DatePosted="2001/03/06" DateRevised="2001/05/25" Supported="Yes" Summary="This update resolves a security vulnerability in Internet Explorer, and is discussed in Microsoft Security Bulletin MS01-015. Download now to prevent an unauthorized user from creating and executing programs on your computer. " Issue="The IE security architecture provides a caching mechanism that is used to store content that needs to be downloaded and processed on the user's local machine. The purpose of the cache is to obfuscate the physical location of the cached content, in order to ensure that the web page or HTML e-mail will work through the IE security architecture to access the information. This ensures that the uses of the information can be properly restricted.
A vulnerability exists because it is possible for a web page or HTML e-mail to learn the physical location of cached content. Armed with this information, an attacker could cause the cached content to be opened in the Local Computer Zone. This would enable him to launch compiled HTML help (.CHM) files that contain shortcuts to executables, thereby enabling him to run the executables.
<Bulletin BulletinID="MS01-016" BulletinLocationID="1355" FAQLocationID="73" FAQPageName="FQ01-016" Title="Malformed WebDAV Request Can Cause IIS to Exhaust CPU Resources" DatePosted="2001/03/08" DateRevised="2001/03/13" Supported="Yes" Summary="This update resolves the "Malformed WebDAV Request Can Cause IIS to Exhaust CPU Resources" security vulnerability in Internet Information Services (IIS) 5.0, and is discussed in Microsoft Security Bulletin MS01-016. Download now to prevent a malicious user from temporarily disrupting your Web services. " Issue="WebDAV is an extension to the HTTP protocol that allows remote authoring and management of web content. In the Windows 2000 implementation of the protocol, IIS 5.0 performs initial processing of all WebDAV requests, then forwards the appropriate commands to the WebDAV process. However, a flaw exists in the way WebDAV handles a particular type of malformed request. If a stream of such requests were directed at an affected server, it would consume all CPU availability on the server." ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-017" BulletinLocationID="1356" FAQLocationID="73" FAQPageName="FQ01-017" Title="Erroneous VeriSign-Issued Digital Certificates Pose Spoofing Hazard" DatePosted="2001/03/22" DateRevised="2001/03/28" Supported="Yes" Summary="This update resolves the "Erroneous VeriSign-Issued Digital Certificates Pose Spoofing Hazard" security vulnerability, and is discussed in Microsoft Security Bulletin MS01-017. Download now to prevent an unauthorized user from running code on your computer by digitally signing programs as "Microsoft Corporation." " Issue="VeriSign, Inc., recently advised Microsoft that on January 29 and 30, 2001, it issued two VeriSign Class 3 code-signing digital certificates to an individual who fraudulently claimed to be a Microsoft employee. The common name assigned to both certificates is ?Microsoft Corporation?. The ability to sign executable content using keys that purport to belong to Microsoft would clearly be advantageous to an attacker who wished to convince users to allow the content to run.
The certificates could be used to sign programs, ActiveX controls, Office macros, and other executable content. Of these, signed ActiveX controls and Office macros would pose the greatest risk, because the attack scenarios involving them would be the most straightforward. Both ActiveX controls and Word documents can be delivered via either web pages or HTML mails. ActiveX controls can be automatically invoked via script, and Word documents can be automatically opened via script unless the user has applied the Office Document Open Confirmation Tool.
However, even though the certificates say they are owned by Microsoft, they are not bona fide Microsoft certificates, and content signed by them would not be trusted by default. Trust is defined on a certificate-by-certificate basis, rather than on the basis of the common name. As a result, a warning dialogue would be displayed before any of the signed content could be executed, even if the user had previously agreed to trust other certificates with the common name ?Microsoft Corporation?. The danger, of course, is that even a security-conscious user might agree to let the content execute, and might agree to always trust the bogus certificates.
VeriSign has revoked the certificates, and they are listed in VeriSign?s current Certificate Revocation List (CRL). However, because VeriSign?s code-signing certificates do not specify a CRL Distribution Point (CDP), it is not possible for any browser?s CRL-checking mechanism to download the VeriSign CRL and use it. Microsoft is developing an update that rectifies this problem. The update package includes a CRL containing the two certificates, and an installable revocation handler that consults the CRL on the local machine, rather than attempting to use the CDP mechanism.
<Bulletin BulletinID="MS01-018" BulletinLocationID="1357" FAQLocationID="73" FAQPageName="FQ01-018" Title="Visual Studio VB-TSQL Object Contains Unchecked Buffer" DatePosted="2001/03/27" DateRevised="2001/03/27" Supported="Yes" Summary="Visual Studio 6.0, Enterprise Edition includes a Microsoft Visual Basic feature for debugging T-SQL. This feature contains a problem that could cause a buffer overrun. Because the default installation of the Debugger object allows anyone to start the debugger and run as the logged-on interactive user, this bug potentially could be exploited with malicious intentions." Issue="The VB-TSQL debugger object that ships with Visual Studio 6.0 Enterprise Edition has an unchecked buffer in the code that processes parameters for one of the object?s methods. The object can, by design, be programmatically accessed remotely. If the object were to be referenced by a program that contained specially malformed data within the parameter, either of two outcomes would result. In the less serious case, the attacker could cause the object to fail on the hosting machine. In the more serious case, the attacker could exploit the buffer overrun to run code of the attacker's choice on the hosting machine.
The debugger object (vbsdicli.exe) is installed by default with Visual Studio 6.0 Enterprise Edition and runs in the context of the interactively logged-on user. The attacker could only execute a successful attack if he knew that a user had the component installed and that the user was logged in at the time of the attack.
<Bulletin BulletinID="MS01-019" BulletinLocationID="1358" FAQLocationID="73" FAQPageName="FQ01-019" Title="Passwords for Compressed Folders are Recoverable" DatePosted="2001/03/28" DateRevised="2001/03/28" Supported="Yes" Summary="Windows Millennium Edition (Me) and Plus! 98 provide a data compression feature that provides the ability to password protect a compressed file. However, under certain conditions, the password may be recorded in a file on your computer. " Issue="Plus! 98, an optional package that extends Windows 98 and Windows 98 Second Edition, introduced a data compression feature called Compressed Folders that was also included in Windows Me. For interoperability with leading third-party compression tools, it provides a password protection option for folders that have been compressed. However, due to a flaw in the package?s implementation, the passwords used to protect the folders are recorded in a file on the user?s system. If an attacker gained access to an affected machine on which password-protected folders were stored, she could learn the passwords and access the files.
It is important to understand that, although this flaw does constitute a security vulnerability, the password protection feature is not intended to provide strong security. It was included in the products to enable interoperability with password-protection features in other third-party data compression products, and is only intended to provide protection against casual inspection. Customers who need strong protection for files should use Windows® 2000.
The patch will prevent passwords from being written to the user?s system in the future. However, as discussed in the FAQ, after applying the patch, it is important to also delete c:\windows\dynazip.log, in order to ensure that all previously-recorded passwords are deleted.
<Bulletin BulletinID="MS01-020" BulletinLocationID="1359" FAQLocationID="73" FAQPageName="FQ01-020" Title="Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" DatePosted="2001/03/29" DateRevised="2001/05/25" Supported="Yes" Summary="This update resolves a security vulnerability in Internet Explorer, and is discussed in Microsoft Security Bulletin MS01-020. Download now to prevent a malicious user from running an executable e-mail attachment on your computer. " Issue="Because HTML e-mails are simply web pages, IE can render them and open binary attachments in a way that is appropriate to their MIME types. However, a flaw exists in the type of processing that is specified for certain unusual MIME types. If an attacker created an HTML e-mail containing an executable attachment, then modified the MIME header information to specify that the attachment was one of the unusual MIME types that IE handles incorrectly, IE would launch the attachment automatically when it rendered the e-mail.
An attacker could use this vulnerability in either of two scenarios. She could host an affected HTML e-mail on a web site and try to persuade another user to visit it, at which point script on a web page could open the mail and initiate the executable. Alternatively, she could send the HTML mail directly to the user. In either case, the executable attachment, if it ran, would be limited only by user?s permissions on the system.
<Bulletin BulletinID="MS01-021" BulletinLocationID="1360" FAQLocationID="73" FAQPageName="FQ01-021" Title="Web Request Can Cause Access Violation in ISA Server Web Proxy Service" DatePosted="2001/04/16" DateRevised="2001/04/16" Supported="Yes" Summary="The ISA Server Web Proxy service does not correctly handle a certain type of web request if it exceeds a particular length. Processing such a request would result in an access violation, which would cause the Web Proxy service to fail. This would disrupt all ingoing and outgoing web proxy requests until the service was restarted. " Issue="The ISA Server Web Proxy service does not correctly handle web requests that contain a particular type of malformed argument. Processing such a request would result in an access violation, which would cause the Web Proxy service to fail. This would disrupt all ingoing and outgoing web proxy requests until the service was restarted. " ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-022" BulletinLocationID="1361" FAQLocationID="73" FAQPageName="FQ01-022" Title="WebDAV Service Provider Can Allow Scripts to Levy Requests as User" DatePosted="2001/04/18" DateRevised="2001/04/18" Supported="Yes" Summary="The Microsoft Data Access Component Internet Publishing Provider provides access to WebDAV resources over the Internet. By design, it should differentiate between requests made by a user and those made by script running in the user?s browser. However, because of an implementation flaw, it handles all requests in the security context of the user. As a result, if a user browsed to a web page or opened an HTML e-mail that contained script, that script could access web-based resources as the user. " Issue="The Microsoft Data Access Component Internet Publishing Provider provides access to WebDAV resources over the Internet. By design, it should differentiate between requests made by a user and those made by a script running in the user?s browser. However, because of an implementation flaw, it handles all requests in the security context of the user. As a result, if a user browsed to a web page or opened an HTML e-mail that contained script, that script could access web-based resources as the user.
The specific actions an attacker could take via this vulnerability would depend on the Web-based resources available to the user, and the user?s privileges on them. However, it is likely that at a minimum, the attacker could browse the user?s intranet, and potentially access web-based e-mail as well.
<Bulletin BulletinID="MS01-023" BulletinLocationID="1362" FAQLocationID="73" FAQPageName="FQ01-023" Title="Unchecked Buffer in ISAPI Extension Could Enable Compromise of IIS 5.0 Server" DatePosted="2001/05/01" DateRevised="2001/05/03" Supported="Yes" Summary="This update resolves the "Unchecked Buffer in ISAPI Extension Could Enable Compromise of IIS 5.0 Server" security vulnerability in Windows 2000 and is discussed in Microsoft Security Bulletin MS01-023. Download now to prevent a malicious user from taking control of your Web server. " Issue="Windows 2000 introduced native support for the Internet Printing Protocol (IPP), an industry-standard protocol for submitting and controlling print jobs over HTTP. The protocol is implemented in Windows 2000 via an ISAPI extension that is installed by default as part of Windows 2000 but which can only be accessed via IIS 5.0.
A security vulnerability results because the ISAPI extension contains an unchecked buffer in a section of code that handles input parameters. This could enable a remote attacker to conduct a buffer overrun attack and cause code of her choice to run on the server. Such code would run in the Local System security context. This would give the attacker complete control of the server, and would enable her to take virtually any action she chose.
The attacker could exploit the vulnerability against any server with which she could conduct a web session. No other services would need to be available, and only port 80 (HTTP) or 443 (HTTPS) would need to be open. Clearly, this is a very serious vulnerability, and Microsoft strongly recommends that all IIS 5.0 administrators install the patch immediately.
Customers who cannot install the patch can protect their systems by removing the mapping for the Internet Printing ISAPI extension. However, it is important to understand that if Web Printing is enabled via Group Policy, this would override the settings made in the Internet Services Manager. As the FAQ discusses in more detail, customers who have enabled Web Printing via Group Policy should disable it first, then unmap the Internet Printing ISAPI extension.
<Bulletin BulletinID="MS01-024" BulletinLocationID="1363" FAQLocationID="73" FAQPageName="FQ01-024" Title="Malformed Request to Domain Controller Can Cause Memory Exhaustion" DatePosted="2001/05/08" DateRevised="2001/05/08" Supported="Yes" Summary="This update resolves the "Malformed Domain Controller Service Request" security vulnerability in Windows 2000, and is discussed in Microsoft Security Bulletin MS01-024. Download now to prevent a malicious user from temporarily disrupting service on your domain controller." Issue="A core service running on all Windows 2000 domain controllers (but not on any other machines) contains a memory leak, which can be triggered when it attempts to process a certain type of invalid service request. By repeatedly sending such a request, an attacker could deplete the available memory on the server. If memory were sufficiently depleted, the domain controller could become unresponsive, which would prevent it from processing logon requests or issuing new Kerberos tickets. An affected machine could be put back into service by rebooting. " ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-025" BulletinLocationID="1364" FAQLocationID="73" FAQPageName="FQ01-025" Title="Index Server Search Function Contains Unchecked Buffer" DatePosted="2001/05/10" DateRevised="2001/05/22" Supported="Yes" Summary="This update addresses the "Malformed Hit-Highlighting" security vulnerability in Windows 2000 computers running Indexing Service, and is discussed in Microsoft Security Bulletin MS01-025. Download now to prevent a malicious user from reading files on your Web server. " Issue="The patches discussed below address two security vulnerabilities that are unrelated to each other except in the sense that both affect Index Server 2.0. The first vulnerability is a buffer overrun vulnerability. Index Server 2.0 has an unchecked buffer in a function that processes search requests. If an overly long value were provided for a particular search parameter, it would overrun the buffer. If the buffer were overrun with random data, it would cause Index Server to fail. If it were overrun with carefully selected data, code of the attacker?s choice could be made to run on the server, in the Local System security context.
The second vulnerability affects both Index Server 2.0 and Indexing Service in Windows 2000, and is a new variant of the ?Malformed Hit-Highlighting? vulnerability discussed in Microsoft Security Bulletin MS00-006. The new variant has almost the same scope as the original vulnerability, but potentially exposes a new file type If an attacker provided an invalid search request, she could read ?include? files residing on the web server. The new patch eliminates all known variants of the vulnerability.
<Bulletin BulletinID="MS01-026" BulletinLocationID="1365" FAQLocationID="73" FAQPageName="FQ01-026" Title="14 May 2001 Cumulative Patch for IIS" DatePosted="2001/05/14" DateRevised="2001/05/15" Supported="Yes" Summary="This cumulative update includes all the updates that have been released for Internet Information Service (IIS) 5.0, including three new updates, and is discussed in Microsoft Security Bulletin MS01-026. Download now to update IIS 5.0 with the latest security fixes. " Issue="This update eliminates three new vulnerabilities: A vulnerability that could enable a malicious user to run operating system commands on an affected server.
A vulnerability that could allow a malicious user to enter a File Transfer Protocol (FTP) command, which can cause IIS 5.0 to fail. FTP is the protocol used for copying files to and from remote computer systems on a network.
A vulnerability that can enable a malicious user to access a guest account using the FTP service. " ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-027" BulletinLocationID="1366" FAQLocationID="73" FAQPageName="FQ01-027" Title="Flaws in Web Server Certificate Validation Could Enable Spoofing" DatePosted="2001/05/16" DateRevised="2001/05/25" Supported="Yes" Summary="This update resolves several security vulnerabilities in Internet Explorer, and is discussed in Microsoft Security Bulletins MS01-027, MS01-020, and MS01-015. Download now to eliminate multiple certificate validation vulnerabilities and to prevent malicious Web site operators from making it appear that the content from his or her Web site actually originated from another site, even a trusted or secure Web site. " Issue="A patch is available to eliminate two newly discovered vulnerabilities affecting Internet Explorer, both of which could enable an attacker to spoof trusted web sites. " ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-028" BulletinLocationID="1367" FAQLocationID="73" FAQPageName="FQ01-028" Title="RTF Document Linked to Template Can Run Macros Without Warning" DatePosted="2001/05/21" DateRevised="2001/06/06" Supported="Yes" Summary="The Word 2000 Security Update: Macro Vulnerability prevents macros from opening without a security warning. After you have installed the update, you will be warned before you open an RTF document that contains a template or macro. After you have installed the update, you will still be able to use templates, macros in templates, or Rich Text Format (RTF) documents with macros." Issue="The Word 2000 Security Update: Macro Vulnerability addresses a vulnerability that could allow malicious code to run in a Rich Text Format (RTF) document without warning. Under normal circumstances, you will see a warning in Word 2000 when you open a document attached to a template containing macros. However, it is possible for an RTF document to be linked to a template containing macros in such a way that a macro can run with no warning issued. This could cause damage to data or allow unauthorized retrieval of data from your system when you visit a Web site or open an e-mail message. " ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-029" BulletinLocationID="1368" FAQLocationID="73" FAQPageName="FQ01-029" Title="Windows Media Player .ASX Processor Contains Unchecked Buffer" DatePosted="2001/05/23" DateRevised="2001/05/23" Supported="Yes" Summary="This update addresses two security vulnerabilities that are related to each other only by the fact that they both affect Windows Media Player. The two vulnerabilities are a buffer overrun in the functionality used to process Active Stream Redirector (.ASX) files, and a vulnerability affecting how Windows Media Player handles Internet shortcuts. In addition, this update addresses a potential privacy vulnerability that was recently identified. " Issue="This update addresses two security vulnerabilities that are related to each other only by the fact that they both affect Windows Media Player. The two vulnerabilities are a buffer overrun in the functionality used to process Active Stream Redirector (.ASX) files, and a vulnerability affecting how Windows Media Player handles Internet shortcuts. In addition, this update addresses a potential privacy vulnerability that was recently identified. " ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-030" BulletinLocationID="1369" FAQLocationID="73" FAQPageName="FQ01-030" Title="Incorrect Attachment Handling in Exchange OWA Can Execute Script" DatePosted="2001/06/06" DateRevised="2001/06/08" Supported="Yes" Summary="" Issue="OWA is a service of Exchange 5.5 and 2000 Server that allows users to use a web browser to access their Exchange mailbox. However, a flaw exists in the interaction between OWA and IE for message attachments. If an attachment contains HTML code including script, the script will be executed when the attachment is opened, regardless of the attachment type. Because OWA requires that scripting be enabled in the zone where the OWA server is located, this script could take action against the user?s Exchange mailbox.
An attacker could use this flaw to construct an attachment containing malicious script code. The attacker could then send the attachment in a message to the user. If the user opened the attachment in OWA, the script would execute and could take action against the user?s mailbox as if it were the user, including, under certain circumstances, manipulation of messages or folders.
<Bulletin BulletinID="MS01-031" BulletinLocationID="1370" FAQLocationID="73" FAQPageName="FQ01-031" Title="Predictable Named Pipes Could Enable Privilege Elevation via Telnet" DatePosted="2001/06/07" DateRevised="2001/06/07" Supported="Yes" Summary="This update addresses the "Predicatable Named Pipes Could Enable Privilege Elevation via Telnet" security vulnerability in the Windows 2000 Telnet service that is discussed in Microsoft Security Bulletin MS01-031. Download now to prevent a malicious user from launching programs on your computer, gaining access to your network, or initiating a denial of service attack against your computer." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-032" BulletinLocationID="1371" FAQLocationID="73" FAQPageName="FQ01-032" Title="SQL Query Method Enables Cached Administrator Connection to be Reused" DatePosted="2001/06/12" DateRevised="2001/06/12" Supported="Yes" Summary="One SQL query method contains a flaw that has the effect of making it possible for one user?s query to reuse a cached connection that belonged to the sa account. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-033" BulletinLocationID="1372" FAQLocationID="73" FAQPageName="FQ01-033" Title="Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise" DatePosted="2001/06/18" DateRevised="2001/06/18" Supported="Yes" Summary="This update resolves the "Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise" security vulnerability in Windows NT4.0 and Windows 2000 computers running Indexing Services 2.0 and IIS 5.0, and is discussed in Microsoft Security Bulletin MS01-033. Download now to prevent a malicious user from taking control of your Web server. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-034" BulletinLocationID="1373" FAQLocationID="73" FAQPageName="FQ01-034" Title="Malformed Word Document Could Enable Macro to Run Automatically" DatePosted="2001/06/21" DateRevised="2001/06/25" Supported="Yes" Summary="This update prevents Word from running macros without warning because the user has opened a document that has been maliciously modified. Once you have installed this update, you will still be able to use templates, macros in templates, or RTF documents with macros. This issue is addressed in the Microsoft Security Bulletin MS01-034: Malformed Word Document Could Enable Macro to Run Automatically." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-035" BulletinLocationID="1374" FAQLocationID="73" FAQPageName="FQ01-035" Title="FrontPage Server Extension Sub-Component Contains Unchecked Buffer" DatePosted="2001/06/21" DateRevised="2001/06/21" Supported="Yes" Summary="Microsoft has released a patch that eliminates a security vulnerability in Visual Studio RAD (Remote Application Deployment) Support, an optional sub-component of FrontPage Server Extensions. This sub-component contains an unchecked buffer in a section that processes input information. By establishing a web session on with the server and passing a specially malformed packet to the server component, an attacker could cause code of his choice to run on the server. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-036" BulletinLocationID="1375" FAQLocationID="73" FAQPageName="FQ01-036" Title="Function Exposed via LDAP over SSL Could Enable Passwords to be Changed" DatePosted="2001/06/25" DateRevised="2001/06/25" Supported="Yes" Summary="This patch eliminates a vulnerability affecting Windows 2000 servers that provide LDAP services over SSL. A function that allows user to change data attributes of directory principals doesn't correctly check the credentials of the requester, in the specific case where the directory principal is a user and the data attribute is the password. This could enable an attacker to change another user's logon password without proper authorization. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-037" BulletinLocationID="1376" FAQLocationID="73" FAQPageName="FQ01-037" Title="Authentication Error in SMTP Service Could Allow Mail Relaying" DatePosted="2001/07/05" DateRevised="2001/07/05" Supported="Yes" Summary="This update addresses the "Windows 2000 SMTP Mail Relaying" security vulnerability in the Windows 2000 Simple Mail Transfer Protocol (SMTP) service and is discussed in Microsoft Security Bulletin MS01-037. Download now to prevent malicious users from relaying e-mail messages from your computer." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-038" BulletinLocationID="1377" FAQLocationID="73" FAQPageName="FQ01-038" Title="Outlook View Control Exposes Unsafe Functionality" DatePosted="2001/07/12" DateRevised="2001/07/12" Supported="Yes" Summary="The Microsoft Outlook View Control is an ActiveX control that allows Outlook mail folders to be viewed via web pages. The control should only allow passive operations such as viewing mail or calendar data. In reality, though, it exposes a function that could allow the web page to manipulate Outlook data. This could enable an attacker to delete mail, change calendar information, or take virtually any other action through Outlook including running arbitrary code on the user's machine. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-039" BulletinLocationID="1378" FAQLocationID="73" FAQPageName="FQ01-039" Title="Services for Unix 2.0 Telnet and NFS Services Contain Memory Leaks" DatePosted="2001/07/24" DateRevised="2001/07/24" Supported="Yes" Summary="Among the components provided by Services for Unix (SFU) 2.0 are services that implement the NFS (Network File System) and Telnet protocols. Both services contain memory leaks that could be triggered by a user request. An attacker who repeatedly sent such a request could deplete the kernel memory on the server to the point where performance slowed and the system could potentially fail. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-040" BulletinLocationID="1379" FAQLocationID="73" FAQPageName="FQ01-040" Title="Invalid RDP Data Can Cause Memory Leak in Terminal Services" DatePosted="2001/07/25" DateRevised="2001/07/25" Supported="Yes" Summary="The Windows 2000 Terminal Service and Windows NT 4.0 Terminal Server Edition contains a memory leak in one of the functions that processes incoming Remote Data Protocol data via port 3389. Each time an RDP packet containing a specific type of malformation is processed, the memory leak depletes overall server memory by a small amount.
If an attacker sent a sufficiently large quantity of such data to an affected machine, he could deplete the machine's memory to the point where response time would be slowed or the machine's ability to respond would be stopped altogether. All system services would be affected, including but not limited to terminal services. Normal operation could be restored by rebooting the machine. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-041" BulletinLocationID="1380" FAQLocationID="73" FAQPageName="FQ01-041" Title="Malformed RPC Request Can Cause Service Failure" DatePosted="2001/07/26" DateRevised="2001/07/26" Supported="Yes" Summary="Several of the RPC servers associated with system services in Microsoft Exchange, SQL Server, Windows NT 4.0 and Windows 2000 do not adequately validate inputs, and in some cases will accept invalid inputs that prevent normal processing. The specific input values at issue here vary from RPC server to RPC server.
An attacker who sent such inputs to an affected RPC server could disrupt its service. The precise type of disruption would depend on the specific service, but could range in effect from minor (e.g., the service temporarily hanging) to major (e.g., the service failing in a way that would require the entire system to be restarted). " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-042" BulletinLocationID="1381" FAQLocationID="73" FAQPageName="FQ01-042" Title="Windows Media Player .NSC Processor Contains Unchecked Buffer" DatePosted="2001/07/26" DateRevised="2001/07/26" Supported="Yes" Summary="Windows Media Player provides support for audio and video streaming. Streaming media channels can be configured by using Windows Media Station (.NSC) files. An unchecked buffer exists in the functionality used to process Windows Media Station files. This unchecked buffer could potentially allow an attacker to run code of his choice on the machine of another user. The attacker could either send a specially malformed file to another user and entice her to run or preview it, or he could host such a file on a web site and cause it to launch automatically whenever a user visited the site. The code could take any action on the machine that the legitimate user himself could take. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-043" BulletinLocationID="1382" FAQLocationID="73" FAQPageName="FQ01-043" Title="NNTP Service in Windows NT 4.0 and Windows 2000 Contains Memory Leak" DatePosted="2001/08/14" DateRevised="2001/08/14" Supported="Yes" Summary="The NNTP (Network News Transport Protocol) service in Windows NT 4.0 and Windows 2000 contains a memory leak in a routine that processes news postings. Each time such a posting is processed that contains a particular construction, the memory leak causes a small amount of memory to no longer be available for use. If an attacker sent a large number of posts, the server memory could be depleted to the point at which normal service would be disrupted. An affected server could be restored to normal service by rebooting. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-044" BulletinLocationID="1383" FAQLocationID="73" FAQPageName="FQ01-044" Title="15 August 2001 Cumulative Patch for IIS" DatePosted="2001/08/15" DateRevised="2001/08/15" Supported="Yes" Summary="Microsoft has released a cumulative patch for IIS 4.0 and 5.0. In addition to eliminating virtually all previously identified security vulnerabilities in IIS, it also eliminates several newly discovered ones. These include three denial of service vulnerabilities, one of which is exploited by the Code Red worm, and two vulnerabilities that could enable an attacker with the ability to load low-privilege code on the server to gain higher privileges. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-045" BulletinLocationID="1384" FAQLocationID="73" FAQPageName="FQ01-045" Title="ISA Server H.323 Gatekeeper Service Contains Memory Leak" DatePosted="2001/08/16" DateRevised="2001/08/16" Supported="Yes" Summary="There is a potential memory leak in the H323 ASN DLL, which is used by the Winsock Proxy service and the Gatekeeper service, which is fixed.
Also included is a fix to prevent scripting in the error return pages. The problem is caused because the ISA server returns the complete original URL to the browser in the error message along with the description of the reason why it could not be accessed. If the request URL contains a script, the browser executes the script on receipt. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-046" BulletinLocationID="1385" FAQLocationID="73" FAQPageName="FQ01-046" Title="Access Violation in Windows 2000 IRDA Driver Can Cause System to Restart" DatePosted="2001/08/21" DateRevised="2001/08/21" Supported="Yes" Summary="Microsoft Windows 2000 provides support for infrared-based connectivity. This support is provided through protocols developed by the Infrared Data Association (IRDA). Because of this, they are often called IRDA devices. These devices can be used to share files and printers with other IRDA-device capable systems. The software which handles IRDA devices in Windows 2000 contains an unchecked buffer in the code which handles certain IRDA packets.
A security vulnerability results because it is possible for a malicious user to send a specially crafted IRDA packet to the victim's system. This could enable the attacker to conduct a buffer overflow attack and cause an access violation on the system, forcing a reboot. To be best of our knowledge, it cannot be used to run malicious code on the user's system " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-047" BulletinLocationID="1386" FAQLocationID="73" FAQPageName="FQ01-047" Title="OWA Function Allows Unauthenticated User to Enumerate Global Address List" DatePosted="2001/09/06" DateRevised="2001/09/06" Supported="Yes" Summary="Among the functions Outlook Web Access (OWA) in Exchange 5.5 offers is the ability to search the global address list (GAL). By design, this is an authenticated function, implemented as a two-tier architecture - a front tier that provides a user interface and a back-end tier that actually performs the search. However, only the front tier actually checks authentication. An attacker who sent a properly formatted request to the back-end function that actually performs the search could enumerate the GAL without authenticating. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-048" BulletinLocationID="1387" FAQLocationID="73" FAQPageName="FQ01-048" Title="Malformed Request to RPC Endpoint Mapper Can Cause RPC Service to Fail" DatePosted="2001/09/10" DateRevised="2001/09/10" Supported="Yes" Summary="The RPC endpoint mapper allows RPC clients to determine the port number currently assigned to a particular RPC service. The Windows NT 4.0 endpoint mapper contains a flaw that causes it to fail upon receipt of a request that contains a particular type of malformed data.
Because the endpoint mapper runs within the RPC service itself, exploiting this vulnerability would cause the RPC service itself to fail, with the attendant loss of any RPC-based services the server offers, as well as potential loss of some COM functions. Normal service could be restored by rebooting the server. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-049" BulletinLocationID="1388" FAQLocationID="73" FAQPageName="FQ01-049" Title="Deeply-nested OWA Request Can Consume Server CPU Availability" DatePosted="2001/09/26" DateRevised="2001/09/26" Supported="Yes" Summary="A security vulnerability exists in Exchange 2000 Outlook Web Access, because it will accept and process a request for an item in an authenticated userΓÇÖs mailbox without verifying first that the folder structure is valid. An attacker could mount a denial of service attack by repeatedly levying a request for a non-existent but deeply nested folder in his own mailbox. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-050" BulletinLocationID="1389" FAQLocationID="73" FAQPageName="FQ01-050" Title="Malformed Excel or PowerPoint Document Can Bypass Macro Security" DatePosted="2001/10/04" DateRevised="2001/10/04" Supported="Yes" Summary="Excel and PowerPoint have a macro security framework that controls the execution of macros and prevents macros from running automatically. Under this framework, any time a user opens a document the document is scanned for the presence of macros. If a document contains macros, the user is notified and asked if he wants to run the macros or the macros are disabled entirely, depending on the security setting. A flaw exists in the way macros are detected that can allow a malicious user to bypass macro checking.
A malicious attacker could attempt to exploit this vulnerability by crafting a specially formed Excel or PowerPoint document with macro code that would run automatically when the user opened it. The attacker could carry out this attack by hosting the malicious file on a web site, a file share, or by sending it through email. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-051" BulletinLocationID="1390" FAQLocationID="73" FAQPageName="FQ01-051" Title="Malformed Dotless IP Address Can Cause Web Page to be Handled in Intranet Zone" DatePosted="2001/10/10" DateRevised="2001/10/10" Supported="Yes" Summary="This patch eliminates three vulnerabilities affecting Internet Explorer. The first involves how IE handles URLs that include dotless IP addresses. If a web site were specified using a dotless IP format (e.g., http://031713501415 rather than http://207.46.131.13), and the request were malformed in a particular way, IE would not recognize that the site was an Internet site. Instead, it would treat the site as an intranet site, and open pages on the site in the Intranet Zone rather than the correct zone. This would allow the site to run with fewer security restrictions than appropriate. This vulnerability does not affect IE 6.
The second involves how IE handles URLs that specify third-party sites. By encoding an URL in a particular way, it would be possible for an attacker to include HTTP requests that would be sent to the site as soon as a connection had been established. These requests would appear to have originated from the user. In most cases, this would only allow the attacker to send the user to a site and request a page on it. However, if exploited against a web-based service (e.g., a web-based mail service), it could be possible for the attacker to take action on the userΓÇÖs behalf, including sending a request to delete data.
The third is a new variant of a vulnerability discussed in Microsoft Security Bulletin MS01-015, affecting how Telnet sessions are invoked via IE. By design, telnet sessions can be launched via IE. However, a vulnerability exists because when doing so, IE will start Telnet using any command-line options the web site specifies. This only becomes a concern when using the version of the Telnet client that installs as part of Services for Unix (SFU) 2.0 on Windows NT 4.0 or Windows 2000 machines. The version of the Telnet client in SFU 2.0 provides an option for creating a verbatim transcript of a Telnet session. An attacker could start a session using the logging option, then stream an executable file onto the userΓÇÖs system in a location that would cause it to be executed automatically the next time the user booted the machine. The flaw does not lie in the Telnet client, but in IE, which should not allow Telnet to be started remotely with command-line arguments. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-052" BulletinLocationID="1391" FAQLocationID="73" FAQPageName="FQ01-052" Title="Invalid RDP Data Can Cause Terminal Service Failure" DatePosted="2001/10/18" DateRevised="2001/10/18" Supported="Yes" Summary="The implementation of the Remote Data Protocol (RDP) in the terminal service in Windows NT 4.0 and Windows 2000 does not correctly handle a particular series of data packets. If such a series of packets were received by an affected server, it would cause the server to fail. The server could be put back into normal service by rebooting it, but any work in progress at the time of the attack would be lost. It would not be necessary for an attacker to be able to start a session with an affected server in order to exploit this vulnerability, the only prerequisite would be the need to be able to send the correct series of packets to the RDP port on the server." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-053" BulletinLocationID="1392" FAQLocationID="73" FAQPageName="FQ01-053" Title="Downloaded Applications Can Execute on Mac IE 5.1 for OS X" DatePosted="2001/10/23" DateRevised="2001/10/23" Supported="Yes" Summary="The Macintosh OS X Operating System provides built-in support for both BinHex and MacBinary file types. These file types allow for the efficient transfer of information across networks by allowing information to be compressed by the sender and then decompressed by the recipient. This capability is particularly useful on the Internet, by allowing users to dowload compressed files.
A vulnerability results because of a flaw in the way Mac OS X and Mac IE 5.1 interoperate when BinHex and MacBinary file types are downloaded. As a result, an application that is downloaded in either of these formats can execute automatically once the download is complete. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-054" BulletinLocationID="1393" FAQLocationID="73" FAQPageName="FQ01-054" Title="Invalid Universal Plug and Play Request Can Disrupt System Operation" DatePosted="2001/11/01" DateRevised="2001/11/01" Supported="Yes" Summary="The Universal Plug and Play (UPnP) service allows computers to discover and use network-based devices. Windows ME and XP include native UPnP services; Windows 98 and 98SE do not include a native UPnP service, but one can be installed via the Internet Connection Sharing client that ships with Windows XP.
A vulnerability results because the UPnP service does not correctly handle certain types of invalid UPnP requests. On Windows 98, 98SE, and ME systems, receiving such a request could cause a variety of effects ranging from slow performance to system failure. On Windows XP, the effect is less serious as the flaw consists of a memory leak. Each time a Windows XP system received such a request, a small amount of system memory would become unavailable; if repeated many times, it could deplete system resources to the point where performance slowed or stopped altogether.
<Bulletin BulletinID="MS01-055" BulletinLocationID="1394" FAQLocationID="73" FAQPageName="FQ01-055" Title="13 November 2001 Cumulative Patch for IE" DatePosted="2001/11/08" DateRevised="2001/11/13" Supported="Yes" Summary="This update resolves the "Cookie Data in IE Can Be Exposed or Altered Through Script Injection" security vulnerability in Internet Explorer 6.0, and is discussed in Microsoft Security Bulletin MS01-055. Download now to prevent a malicious user from reading the contents of cookies on your machine, which might contain personal information, or even altering the contents of the cookies on your machine, by hosting a Web page with a maliciously crafted URL. This URL can be hosted on a Web page or contained in an HTML e-mai" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS01-056" BulletinLocationID="1395" FAQLocationID="73" FAQPageName="FQ01-056" Title="Windows Media Player .ASF Processor Contains Unchecked Buffer" DatePosted="2001/11/20" DateRevised="2001/11/20" Supported="Yes" Summary="One of the streaming media formats supported by Windows Media Player is Advanced Streaming Format (ASF). A security vulnerability occurs in Windows Media Player 6.4 because the code that processes ASF files contains an unchecked buffer.
By creating a specially malformed ASF file and inducing a user to play it, an attacker could overrun the buffer, with either of two results: in the simplest case, Windows Media Player 6.4 would fail; in the more complex case, code chosen by the attacker could be made to run on the userΓÇÖs computer, with the privileges of the user. The scope of this vulnerability is rather limited. It affects only Windows Media Player 6.4, and can only be exploited by the user opening and deliberately playing an ASF file. There is no capability to exploit this vulnerability via email or a web page.
<Bulletin BulletinID="MS01-057" BulletinLocationID="1396" FAQLocationID="73" FAQPageName="FQ01-057" Title="Specially Formed Script in HTML Mail Can Execute in Exchange 5.5 OWA" DatePosted="2001/12/06" DateRevised="2001/12/06" Supported="Yes" Summary="Outlook Web Access (OWA) is a service of Exchange 5.5 Server that allows users to access and manipulate messages in their Exchange mailbox by using a web browser.
A flaw exists in the way OWA handles inline script in messages in conjunction with Internet Explorer (IE). If an HTML message that contains specially formatted script is opened in OWA, the script executes when the message is opened. Because OWA requires that scripting be enabled in the zone where the OWA server is located, a vulnerability results because this script could take any action against the user's Exchange mailbox that the user himself was capable of, including sending, moving, or deleting messages. An attacker could maliciously exploit this flaw by sending a a specially crafted message to the user. If the user opened the message in OWA, the script would then execute.
While it is possible for a script to send a message as the user, it is impossible for the script to send a message to addresses in the user's address book. Thus, the flaw cannot be exploited for mass-mailing attacks. Also, mounting a successful attack requires knowledge of the intended victim's choice of mail clients and reading habits. If the maliciously crafted message were read in any mail client other than a browser through OWA, the attack would fail.
<Bulletin BulletinID="MS01-058" BulletinLocationID="1397" FAQLocationID="73" FAQPageName="FQ01-058" Title="13 December 2001 Cumulative Patch for IE" DatePosted="2001/12/13" DateRevised="2001/12/13" Supported="Yes" Summary="This is a cumulative patch that, when installed, eliminates all previously discussed security vulnerabilities affecting IE 5.5 and IE 6. In addition, it eliminates three newly discovered vulnerabilities.
The first vulnerability involves a flaw in the handling of the Content-Disposition and Content-Type header fields in an HTML stream. These fields, the hosting URL, and the hosted file data determine how a file is handled upon download in Internet Explorer. A security vulnerability exists because, if an attacker altered the HTML header information in a certain way, it could be possible to make IE believe that an executable file was actually a different type of file -- one that it is appropriate to simply open without asking the user for confirmation. This could enable the attacker to create a web page or HTML mail that, when opened, would automatically run an executable on the user's system. This vulnerability does not affect IE 5.5.
The second vulnerability is a newly discovered variant of the "Frame Domain Verification" vulnerability discussed in Microsoft Security Bulletins MS00-033, MS00-055, MS00-093, and MS01-015. The vulnerability could enable a malicious web site operator to open two browser windows, one in the web siteΓÇÖs domain and the other on the userΓÇÖs local file system, and to pass information from the latter to the former. This could enable the web site operator to read, but not change, any file on the userΓÇÖs local computer that could be opened in a browser window. This vulnerabilty affects both IE 5.5 and 6.0.
The third vulnerability involves a flaw related to the display of file names in the File Download dialogue box. When a file download is initiated, a dialogue provides the name of the file. However, in some cases, it would be possible for an attacker to misrepresent the name of the file in the dialogue. This could be invoked from a web page or in an HTML email in an attempt to fool users into opening unsafe attachments from a trusted source. This vulnerabilty affects both IE 5.5 and 6.0.
<Bulletin BulletinID="MS01-059" BulletinLocationID="1398" FAQLocationID="73" FAQPageName="FQ01-059" Title="Unchecked Buffer in Universal Plug and Play Can Lead to System Compromise" DatePosted="2001/12/19" DateRevised="2001/12/19" Supported="Yes" Summary="Technical description: The Universal Plug and Play (UPnP) service allows computers to discover and use network-based devices. Windows ME and XP include native UPnP services; Windows 98 and 98SE do not include a native UPnP service, but one can be installed via the Internet Connection Sharing client that ships with Windows XP. This bulletin discusses two vulnerabilities affecting these UPnP implementations. Although the vulnerabilities are unrelated, both involve how UPnP-capable computers handle the discovery of new devices on the network.
The first vulnerability is a buffer overrun vulnerability. There is an unchecked buffer in one of the components that handle NOTIFY directives ΓÇô messages that advertise the availability of UPnP-capable devices on the network. By sending a specially malformed NOTIFY directive, it would be possible for an attacker to cause code to run in the context of the UPnP service, which runs with System privileges on Windows XP. (On Windows 98 and Windows ME, all code executes as part of the operating system). This would enable the attacker to gain complete control over the system.
The second vulnerability results because the UPnP doesnΓÇÖt sufficiently limit the steps to which the UPnP service will go to obtain information on using a newly discovered device. Within the NOTIFY directive that a new UPnP device sends is information telling interested computers where to obtain its device description, which lists the services the device offers and instructions for using them. By design, the device description may reside on a third-party server rather than on the device itself. However, the UPnP implementations donΓÇÖt adequately regulate how it performs this operation, and this gives rise to two different denial of service scenarios.
In the first scenario, the attacker could send a NOTIFY directive to a UPnP-capable computer, specifying that the device description should be downloaded from a particular port on a particular server. If the server was configured to simply echo the download requests back to the UPnP service (e.g., by having the echo service running on the port that the computer was directed to), the computer could be made to enter an endless download cycle that could consume some or all of the systemΓÇÖs availability. An attacker could craft and send this directive to a victim's machine directly, by using the machine's IP address. Or, he could send this same directive to a broadcast and multicast domain and attack all affected machines within within earshot, consuming some or all of those systems' availability.
In the second scenario, an attacker could specify a third-party server as the host for the device description in the NOTIFY directive. If enough machines responded to the directive, it could have the effect of flooding the third-party server with bogus requests, in a distributed denial of service attack. As with the first scenario, an attacker could either send the directives to the victim directly, or to a broadcast or multicast domain.
<Bulletin BulletinID="MS01-060" BulletinLocationID="1399" FAQLocationID="73" FAQPageName="FQ01-060" Title="SQL Server Text Formatting Functions Contain Unchecked Buffers" DatePosted="2001/12/20" DateRevised="2001/12/20" Supported="Yes" Summary="SQL Server 7.0 and 2000 provide a number of functions that enable database queries to generate text messages. In some cases, the functions create a text message and store it in a variable; in others, the functions directly display the message. Two vulnerabilities associated with these functions have been discovered. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS02-001" BulletinLocationID="1400" FAQLocationID="73" FAQPageName="FQ02-001" Title="Trusting Domains Do Not Verify Domain Membership of SIDs in Authorization Data" DatePosted="2002/01/22" DateRevised="2002/01/22" Supported="Yes" Summary="Trust relationships are created between Windows NT or Windows 2000 domains to allow users in one domain to access resources in other domains without requiring them to authenticate separately to each domain. When a user in a trusted domain requests access to a resource in a trusting domain, the trusted domain supplies authorization data in the form of a list of Security Identifiers (SIDs) that indicate the user's identity and group memberships. The trusting domain uses this data to determine whether to grant the user's request.
A vulnerability exists because the trusting domain does not verify that the trusted domain is actually authoritative for all the SIDs in the authorization data. If one of the SIDs in the list identified a user or security group that is not in the trusted domain, the trusting domain would accept the information and use it for subsequent access control decisions. If an attacker inserted SIDs of his choice into the authorization data at the trusted domain, he could elevate his privileges to those associated with any desired user or group, including the Domain Administrators group for the trusting domain. This would enable the attacker to gain full Domain Administrator access on computers in the trusting domain." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS02-002" BulletinLocationID="1401" FAQLocationID="73" FAQPageName="FQ02-002" Title="Malformed Network Request Can Cause Office v. X for Mac to Fail" DatePosted="2002/02/06" DateRevised="2002/02/06" Supported="Yes" Summary="Office v. X contains a network-aware anti-piracy mechanism that detects multiple copies of Office using the same product identifier (PID) running on the local network. This feature, called the Network Product Identification (PID) Checker, announces OfficeΓÇÖs own unique product ID and listens for other announcements at regular intervals. If a duplicate PID is detected, Office shuts down.
A security vulnerability results because of a flaw in the Network PID Checker. Specifically, the Network PID Checker doesnΓÇÖt correctly handle a particular type of malformed announcement ΓÇô receiving one causes the Network PID Checker to fail. When the Network PID fails like this, the Office v. X application will fail as well. If more than one Office v. X application was running when the packet was received, the first application launched during the session would fail. An attacker could use this vulnerability to cause other usersΓÇÖ Office applications to fail, with the loss of any unsaved data. An attacker could craft and send this packet to a victim's machine directly, by using the machine's IP address. Or, he could send this same directive to a broadcast and multicast domain and attack all affected machines
<Bulletin BulletinID="MS02-003" BulletinLocationID="1402" FAQLocationID="73" FAQPageName="FQ02-003" Title="Exchange 2000 System Attendant Incorrectly Sets Remote Registry Permissions" DatePosted="2002/02/07" DateRevised="2002/02/07" Supported="Yes" Summary="The Microsoft Exchange System Attendant is one of the core services in Microsoft Exchange. It performs a variety of functions related to the on-going maintenance of the Exchange system. To allow remote administration of an Exchange Server using the Exchange System Manager Microsoft Management Console (MMC) snap in, the System Attendant makes changes to the permissions on the Windows Registry to allow Exchange Administrators to remotely update configuration settings stored in the Registry. There is a flaw in how the System Attendant makes these Registry configuration changes. This flaw could allow an unprivileged user to remotely access configuration information on the server. Specifically, this flaw inappropriately gives the "Everyone" group privileges to the WinReg key. This key controls the ability of users and groups to remotely connect to the Registry. By default, only Administrators are given the ability to remotely connect to the Registry, by granting permissions on this key. The flaw does not grant any abilities beyond the ability to connect remotely. However, an attackerΓÇÖs ability to make changes to the Registry once they have successfully connected would be dictated by the permissions on the specific keys within the Registry itself. Thus, while this vulnerability does not itself give an attacker the ability to change Registry settings, it could be used in conjunction with inappropriately permissive registry settings to gain access to, and make changes to a systems Registry." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS02-004" BulletinLocationID="1403" FAQLocationID="73" FAQPageName="FQ02-004" Title="Unchecked Buffer in Telnet Server Could Lead to Arbitrary Code Execution" DatePosted="2002/02/07" DateRevised="2002/02/07" Supported="Yes" Summary="The Telnet protocol provides remote shell capabilities. Microsoft has implemented the Telnet protocol by providing a Telnet Server in several products. The implementations in two of these products ΓÇô Windows 2000 and Interix 2.2 ΓÇô contain unchecked buffers in the code that handles the processing of telnet protocol options.
An attacker could use this vulnerability to perform a buffer overflow attack. A successful attack could cause the Telnet Server to fail, or in some cases, could possibly allow an attacker to execute code of her choice on the system. Such code would execute using the security context of the Telnet service, but this context varies from product to product. In Windows 2000, the Telnet service always runs as System; in the Interix implementation, the administrator selects the security context in which to run as part of the installation process. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS02-005" BulletinLocationID="1404" FAQLocationID="73" FAQPageName="FQ02-005" Title="11 February 2002 Cumulative Patch for Internet Explorer" DatePosted="2002/02/11" DateRevised="2002/02/11" Supported="Yes" Summary="This is a cumulative patch that, when installed, eliminates all previously discussed security vulnerabilities affecting IE 5.01, 5.5 and IE 6. In addition, it eliminates the six newly discovered vulnerabilities." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS02-006" BulletinLocationID="1405" FAQLocationID="73" FAQPageName="FQ02-006" Title="Unchecked Buffer in SNMP Service Could Enable Arbitrary Code to be Run" DatePosted="2002/02/12" DateRevised="2002/02/12" Supported="Yes" Summary="Simple Network Management Protocol (SNMP) is an Internet standard protocol for managing disparate network devices such as firewalls, computers, and routers. All versions of Windows except Windows ME provide an SNMP implementation, which is neither installed nor running by default in any version.
A buffer overrun is present in all implementations. By sending a specially malformed management request to a system running an affected version of the SNMP service, an attacker could cause code to run on the system in LocalSystem context. This could give the attacker the ability to take any desired action on the system." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS02-007" BulletinLocationID="1406" FAQLocationID="73" FAQPageName="FQ02-007" Title="SQL Server Remote Data Source Function Contain Unchecked Buffers" DatePosted="2002/02/20" DateRevised="2002/02/20" Supported="Yes" Summary="An unchecked buffer exists in the handling of OLE DB provider names in ad hoc connections. A buffer overrun could occur as a result and could be used to either cause the SQL Server service to fail, or to cause code to run in the security context of the SQL Server. SQL Server can be configured to run in various security contexts, and by default runs as a domain user. The precise privileges the attacker could gain would depend on the specific security context that the service runs in. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS02-008" BulletinLocationID="1407" FAQLocationID="73" FAQPageName="FQ02-008" Title="XMLHTTP Control Can Allow Access to Local Files" DatePosted="2002/02/21" DateRevised="2002/02/21" Supported="Yes" Summary="A flaw exists in how the XMLHTTP control applies IE security zone settings to a redirected data stream returned in response to a request for data from a web site. A vulnerability results because an attacker could seek to exploit this flaw and specify a data source that is on the userΓÇÖs local system. The attacker could then use this to return information from the local system to the attackerΓÇÖs web site. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS02-009" BulletinLocationID="1408" FAQLocationID="73" FAQPageName="FQ02-009" Title="Incorrect VBScript Handling in IE Can Allow Web Pages to Read Local Files" DatePosted="2002/02/21" DateRevised="2002/02/21" Supported="Yes" Summary="Frames are used in Internet Explorer to provide for a fuller browsing experience. By design, scripts in the frame of one site or domain should be prohibited from accessing the content of frames in another site or domain. However, a flaw exists in how VBScript is handled in IE relating to validating cross-domain access. This flaw can allow scripts of one domain to access the contents of another domain in a frame. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS02-010" BulletinLocationID="1409" FAQLocationID="73" FAQPageName="FQ02-010" Title="Unchecked Buffer in ISAPI Filter Could Allow Commerce Server Compromise" DatePosted="2002/02/21" DateRevised="2002/02/21" Supported="Yes" Summary="A security vulnerability results because AuthFilter contains an unchecked buffer in a section of code that handles certain types of authentication requests. An attacker who provided authentication data that overran the buffer could cause the Commerce Server process to fail, or could run code in the security context of the Commerce Server process. The process runs with LocalSystem privileges, so exploiting the vulnerability would give the attacker complete control of the server. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS02-011" BulletinLocationID="1410" FAQLocationID="73" FAQPageName="FQ02-011" Title="Authentication Flaw Could Allow Unauthorized Users To Authenticate To SMTP Service" DatePosted="2002/02/27" DateRevised="2002/02/27" Supported="Yes" Summary="A vulnerability results because of a flaw in the NTLM authentication layer used by the SMTP service in Windows 2000 and Exchange Server 5.5. The SMTP service receives a successful acknowledgement that the NTLM credentials are valid and then allows a malicious user to relay mail through the SMTP service. An attacker who exploited the vulnerability could gain only user-level privileges on the SMTP service, thereby enabling the attacker to use the service but not to administer it. The most likely purpose in exploiting the vulnerability would be to perform mail relaying via the server. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS02-012" BulletinLocationID="1411" FAQLocationID="73" FAQPageName="FQ02-012" Title="Malformed Data Transfer Request Can Cause Windows SMTP Service to Fail" DatePosted="2002/02/27" DateRevised="2002/02/27" Supported="Yes" Summary="The flaw involves how the service handles a particular type of SMTP command used to transfer the data that constitutes an incoming mail. By sending a malformed version of this command, an attacker could cause the SMTP service to fail. This would have the effect of disrupting mail services on the affected system, but would not cause the operating system itself to fail." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS02-013" BulletinLocationID="1412" FAQLocationID="73" FAQPageName="FQ02-013" Title="04 March 2002 Cumulative VM Update" DatePosted="2002/03/04" DateRevised="2002/03/04" Supported="Yes" Summary="The Microsoft VM is a virtual machine for the Win32 operating environment. The Microsoft VM is available for Windows 95, Windows 98, ME, Windows NT® 4.0, Windows 2000, and Windows XP. It is also available as part of Internet Explorer 6 and earlier.
A new build of the VM (build 3805) is available, which eliminates two security vulnerabilities. The first vulnerability is the result of a flaw affecting how Java requests for proxy resources are handled. A malicious Java applet could exploit this flaw to re-direct web traffic once it has left the proxy server to a destination of the attackerΓÇÖs choice.
resources are handled. A malicious Java applet could exploit this flaw to re-direct web traffic once it has left the proxy server to a destination of the attackerΓÇÖs choice." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS02-014" BulletinLocationID="1413" FAQLocationID="73" FAQPageName="FQ02-014" Title="Unchecked Buffer in Windows Shell Could Lead to Code Execution" DatePosted="2002/03/07" DateRevised="2002/03/07" Supported="Yes" Summary="An unchecked buffer exists in one of the functions that helps to locate incompletely removed applications on the system. A security vulnerability results because it is possible for a malicious user to mount a buffer overrun attack and attempt to exploit this flaw. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS02-015" BulletinLocationID="1414" FAQLocationID="73" FAQPageName="FQ02-015" Title="28 March 2002 Cumulative Patch for Internet Explorer" DatePosted="2002/03/28" DateRevised="2002/03/28" Supported="Yes" Summary="This is a cumulative patch that includes the functionality of all previously released patches for IE 5.01, 5.5 and IE 6. In addition, it eliminates the following two newly discovered vulnerabilities:
- A vulnerability in the zone determination function that could allow a script embedded in a cookie to be run in the Local Computer zone. While HTML scripts can be stored in cookies, they should be handled in the same zone as the hosting site associated with them, in most cases the Internet zone. An attacker could place script in a cookie that would be saved to the userΓÇÖs hard disk. When the cookie was opened by the site the script would then run in the Local Computer zone, allowing it to run with fewer restrictions than it would otherwise have.
- A vulnerability in the handling of object tags that could allow an attacker to invoke an executable already present on the userΓÇÖs machine. A malicious user could create HTML web page that includes this object tag and cause a local program to run on the victimΓÇÖs machine. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS02-016" BulletinLocationID="1415" FAQLocationID="73" FAQPageName="FQ02-016" Title="Opening Group Policy Files for Exclusive Read Blocks Policy Application (Q318593)" DatePosted="2002/04/04" DateRevised="2002/04/04" Supported="Yes" Summary="Group Policy in Windows 2000 is implemented by storing data in the Active Directory and the system volume on the domain controller. This storage location is called the Group Policy Object (GPO). When a machine or user logs onto the domain, it reads the GPO and applies the settings it contains. Most of these settings are also refreshed by default every 90 minutes. However, like most operating systems, Windows 2000 provides several types of read access, including exclusive-read, and this could enable an attacker to lock the Group Policy files, thereby allowing a user to prevent Group Policy from being applied for all users affected by the GPO. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS02-017" BulletinLocationID="1416" FAQLocationID="73" FAQPageName="FQ02-017" Title="Unchecked Buffer in the Multiple UNC Provider Could Enable Code Execution (Q311967)" DatePosted="2002/04/04" DateRevised="2002/04/04" Supported="Yes" Summary="When MUP requests a file using the uniform naming convention (UNC), it will allocate a buffer to store this request. There is proper input checking in this first buffer. However, MUP stores another copy of the file request in a buffer when it sends this request to a redirector. This second copy of the buffer does not check inputs correctly, thereby creating the possibility that a resource request to it from an unprivileged process could cause a buffer overrun. The overrun could be exploited for either of two purposes: causing a system failure, or running code on the system with Local System privileges." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS02-018" BulletinLocationID="1417" FAQLocationID="73" FAQPageName="FQ02-018" Title="Cumulative Patch for Internet Information Service (Q319733)" DatePosted="2002/04/10" DateRevised="2002/04/10" Supported="Yes" Summary="This patch is a cumulative patch that includes the functionality of all security patches released for IIS 4.0 since Windows NT 4.0 Service Pack 6a, and all security patches released to date for IIS 5.0 and 5.1. Before applying the patch, system administrators should take note of the caveats discussed in the same section.
In addition to including all previously released security patches, this patch also includes fixes for ten newly discovered security vulnerabilities affecting IIS 4.0, 5.0 or 5.1." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS02-019" BulletinLocationID="1418" FAQLocationID="73" FAQPageName="FQ02-019" Title="Unchecked Buffer in Internet Explorer and Office for Mac Can Cause Code to Execute (Q321309)" DatePosted="2002/04/16" DateRevised="2002/04/16" Supported="Yes" Summary="This is a cumulative patch that, when applied, eliminates all previously discussed security vulnerabilities affecting IE 5.1 for Macintosh, and Office v. X for Macintosh. In addition, it eliminates two newly discovered vulnerabilities. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS02-020" BulletinLocationID="1419" FAQLocationID="73" FAQPageName="FQ02-020" Title="SQL Extended Procedure Functions Contain Unchecked Buffers (Q319507)" DatePosted="2002/04/17" DateRevised="2002/04/17" Supported="Yes" Summary="Several of the Microsoft provided extended stored procedures have an unchecked buffer flaw. Exploiting the flaw could enable an attacker to either cause the SQL Server service to fail, or to cause code to run in the security context of the SQL Server. SQL Server can be configured to run in various security contexts, and by default runs as a domain user. The precise privileges the attacker could gain would depend on the specific security context that the service runs in. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS02-021" BulletinLocationID="1420" FAQLocationID="73" FAQPageName="FQ02-021" Title="E-mail Editor Flaw Could Lead to Script Execution on Reply or Forward (Q321804)" DatePosted="2002/04/25" DateRevised="2002/04/25" Supported="Yes" Summary="Outlook 2000 and 2002 provide the option to use Microsoft Word as the e-mail editor when creating and editing e-mail in either Rich-Text or HTML format. A security vulnerability exists when Outlook is configured this way and the user forwards or replies to a mail from an attacker.
The vulnerability results from a difference in the security settings that are applied when displaying a mail versus editing one. When Outlook displays an HTML e-mail, it applies Internet Explorer security zone settings that disallow scripts from being run. However, if the user replies to or forwards a mail message and has selected Word as the e-mail editor, Outlook opens the mail and puts the Word editor into a mode for creating e-mail messages. Scripts are not blocked in this mode.
An attacker could exploit this vulnerability by sending a specially malformed HTML e-mail containing a script to an Outlook user who has Word enabled as the e-mail editor. If the user replied to or forwarded the e-mail, the script would then run, and be capable of taking any action the user could take.
<Bulletin BulletinID="MS02-022" BulletinLocationID="1421" FAQLocationID="73" FAQPageName="FQ02-022" Title="Unchecked Buffer in MSN Chat Control Can Lead to Code Execution (Q321661)" DatePosted="2002/05/08" DateRevised="2002/05/08" Supported="Yes" Summary="An unchecked buffer exists in one of the functions that handles input parameters in the MSN Chat control. A security vulnerability results because it is possible for a malicious user to levy a buffer overrun attack and attempt to exploit this flaw. A successful attack could allow code to run in the user's context. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS02-023" BulletinLocationID="1422" FAQLocationID="73" FAQPageName="FQ02-023" Title="15 May 2002 Cumulative Patch for Internet Explorer (Q321232)" DatePosted="2002/05/15" DateRevised="2002/05/15" Supported="Yes" Summary="This is a cumulative patch that includes the functionality of all previously released patches for IE 5.01, 5.5 and 6.0. In addition, it eliminates six newly discovered vulnerabilities." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS02-024" BulletinLocationID="1423" FAQLocationID="73" FAQPageName="FQ02-024" Title="Authentication Flaw in Windows Debugger Can Lead to Elevated Privileges (Q320206)" DatePosted="2002/05/22" DateRevised="2002/05/22" Supported="Yes" Summary="There is a flaw in the authentication mechanism for the debugging facility such that an unauthorized program can gain access to the debugger. A vulnerability results because an attacker can use this to cause a running program to run a program of her choice. Because many programs run as the operating system, this means that an attacker can exploit this vulnerability to run code as the operating system itself. She could take any action on the system including deleting data, adding accounts with administrative access, or reconfiguring the system.
A successful attack requires the ability to logon interactively to the system, either at the console or through a terminal session.
<Bulletin BulletinID="MS02-025" BulletinLocationID="1424" FAQLocationID="73" FAQPageName="FQ02-025" Title="Malformed Mail Attribute Can Cause Exchange 2000 to Exhaust CPU Resources (Q320436)" DatePosted="2002/05/28" DateRevised="2002/05/28" Supported="Yes" Summary="There is a flaw in the way Exchange 2000 handles certain malformed RFC message attributes on received mail. Upon receiving a message containing such a malformation, the flaw causes the Store service to consume 100% of the available CPU in processing the message. A security vulnerability results because it is possible for an attacker to seek to exploit this flaw and mount a denial of service attack. An attacker could attempt to levy an attack by connecting directly to the Exchange server and passing a raw, hand-crafted mail message with a specially malformed attribute. When the message was received and processed by the Store service, the CPU would spike to 100%. The effects of the attack would last as long as it took for the Exchange Store service to process the message. Neither restarting the service nor rebooting the server would remedy the denial of service." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS02-026" BulletinLocationID="1425" FAQLocationID="73" FAQPageName="FQ02-026" Title="Unchecked Buffer in ASP.NET Worker Process (Q322289)" DatePosted="2002/06/06" DateRevised="2002/06/06" Supported="Yes" Summary="Web-based applications, including those built using ASP.NET, rely on HTTP to provide connectivity. One characteristic of HTTP as a protocol is that it is stateless, meaning that each page request from a user to a site is reckoned an independent request. To compensate for this, ASP.NET provides for session state management through a variety of modes.
One of these modes is StateServer mode. This mode stores session state information in a separate, running process. That process can run on the same machine or a different machine from the ASP.NET application. There is an unchecked buffer in one of the routines that handles the processing of cookies in StateServer mode. A security vulnerability results because it is possible for an attacker to seek to exploit it by mounting a buffer overrun attack. A successful attack could cause the ASP.NET application to restart. As a result, all current users of the web-based application would see their current session restart and their current session information would be lost.
The StateServer mode is not the default mode for session state management in ASP.NET. ASP.NET applications using StateServer mode that do not use cookies are not vulnerable.
<Bulletin BulletinID="MS02-027" BulletinLocationID="1426" FAQLocationID="73" FAQPageName="FQ02-027" Title="Unchecked Buffer in Gopher Protocol Handler Can Run Code of Attacker's Choice (Q323889)" DatePosted="2002/06/11" DateRevised="2002/06/11" Supported="Yes" Summary="This is a work-around bulletin that details steps customers can take to protect themselves against a publicly disclosed vulnerability until patches are available.
There is an unchecked buffer in a piece of code which handles the response from Gopher servers. This code is used independently in IE, ISA, and Proxy Server. A security vulnerability results because it is possible for an attacker to attempt to exploit this flaw by mounting a buffer overrun attack through a specially crafted server response. The attacker could seek to exploit the vulnerability by crafting a web page that contacted a server under the attacker's control. The attacker could then either post this page on a web site or send it as an HTML email. When the page was displayed and the server's response received and processed, the attack would be carried out.
A successful attack requires that the attacker be able to send information to the intended target using the Gopher protocol. Anything which inhibited Gopher connectivity could protect against attempts to exploit this vulnerability. In the case of IE, the code would be run in the user's context. As a result, any limitations on the user would apply to the attacker's code as well." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS02-028" BulletinLocationID="1427" FAQLocationID="73" FAQPageName="FQ02-028" Title="Heap Overrun in HTR Chunked Encoding Could Enable Web Server Compromise (Q321599)" DatePosted="2002/06/11" DateRevised="2002/07/01" Supported="Yes" Summary="The vulnerability is similar to the first vulnerability discussed in Microsoft Security Bulletin MS02-018. Like that vulnerability, this one involves a buffer overrun in the Chunked Encoding data transfer mechanism in IIS 4.0 and 5.0, and could likewise be used to overrun heap memory on the system, with the result of either causing the IIS service to fail or allowing code to be run on the server. The chief difference between the vulnerabilities is that the newly discovered one lies in the ISAPI extension that implements HTR - an older, largely obsolete scripting technology - where the previous one lay in the ISAPI extension that implements ASP. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS02-029" BulletinLocationID="1428" FAQLocationID="73" FAQPageName="FQ02-029" Title="Unchecked Buffer in Remote Access Service Phonebook Could Lead to Code Execution (Q318138)" DatePosted="2002/06/11" DateRevised="2002/07/02" Supported="Yes" Summary="A flaw exists in the RAS phonebook implementation: a phonebook value is not properly checked, and is susceptible to a buffer overrun. The overrun could be exploited for either of two purposes: causing a system failure, or running code on the system with LocalSystem privileges. If an attacker were able to log onto an affected server and modify a phonebook entry using specially malformed data, then made a connection using the modified phonebook entry, the specially malformed data could be run as code by the system." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS02-030" BulletinLocationID="1429" FAQLocationID="73" FAQPageName="FQ02-030" Title="Unchecked Buffer in SQLXML Could Lead to Code Execution (Q321911)" DatePosted="2002/06/12" DateRevised="2002/06/12" Supported="Yes" Summary="SQLXML enables the transfer of XML data to and from SQL Server 2000. Database queries can be returned in the form of XML documents which can then be stored or transferred easily. Using SQLXML, you can access SQL Server 2000 using XML through your browser over HTTP.
Two vulnerabilities exist in SQLXML:
A unchecked buffer vulnerability in an ISAPI extension that could, in the worst case, allow an attacker to run code of their choice on the Microsoft Internet Information Services (IIS) Server.
A vulnerability in a function specifying an XML tag that could allow an attacker to run script on the userΓÇÖs computer with higher privilege. For example, a script might be able to be run in the Intranet Zone instead of the Internet Zone." Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS02-031" BulletinLocationID="1430" FAQLocationID="73" FAQPageName="FQ02-031" Title="Cumulative Patches for Excel and Word for Windows (Q324458)" DatePosted="2002/06/19" DateRevised="2002/06/19" Supported="Yes" Summary="These patches eliminate four newly discovered vulnerabilities all of which could enable an attacker to run Macro code on a user's machine. The attacker's macro code could take any actions on the system that the user was able to.
- An Excel macro execution vulnerability that relates to how inline macros that are associated with objects are handled. This vulnerability could enable macros to execute and bypass the Macro Security Model when the user clicked on an object in a workbook.
- An Excel macro execution vulnerability that relates to how macros are handled in workbooks when those workbooks are opened via a hyperlink on a drawing shape. It is possible for macros in a workbook so invoked to run automatically.
- An HTML script execution vulnerability that can occur when an Excel workbook with an XSL Stylesheet that contains HTML scripting is opened. The script within the XSL stylesheet could be run in the local computer zone.
- A new variant of the "Word Mail Merge" vulnerability first addressed in MS00-071. This new variant could enable an attacker's macro code to run automatically if the user had Microsoft Access present on the system and chose to open a mail merge document that had been saved in HTML format. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS02-032" BulletinLocationID="1431" FAQLocationID="73" FAQPageName="FQ02-032" Title="Cumulative Patch for Windows Media Player (Q320920)" DatePosted="2002/06/26" DateRevised="2002/06/26" Supported="Yes" Summary="This is a cumulative patch that includes the functionality of all previously released patches for Windows Media Player 6.4, 7.1 and Windows Media Player for Windows XP. In addition, it eliminates the following three newly discovered vulnerabilities one of which is rated as critical severity, one of which is rated moderate severity, and the last of which is rated low severity:
An information disclosure vulnerability that could provide the means to enable an attacker to run code on the user's system and is rated as critical severity.
A privilege elevation vulnerability that could enable an attacker who can physically logon locally to a Windows 2000 machine and run a program to obtain the same rights as the operating system.
A script execution vulnerability related that could run a script of an attacker's choice as if the user had chosen to run it after playing a specially formed media file and then viewing a specially constructed web page. This particular vulnerability has specific timing requirements that makes attempts to exploit vulnerability difficult and is rated as low severity.
It also introduces a configuration change relating to file extensions associated with Windows Media Player. Finally, it introduces a new, optional, security configuration feature for users or organizations that want to take extra precautions beyond applying IE patch MS02-023 and want to disable scripting functionality in the Windows Media Player for versions 7.x or higher.
<Bulletin BulletinID="MS02-033" BulletinLocationID="1432" FAQLocationID="73" FAQPageName="FQ02-033" Title="Unchecked Buffer in Profile Service Could Allow Code Execution in Commerce Server (Q322273)" DatePosted="2002/06/26" DateRevised="2002/06/26" Supported="Yes" Summary="Four vulnerabilities exist in the Commerce Server products:
A vulnerability that results because the Profile Service contains an unchecked buffer in a section of code that handles certain types of API calls. The Profile Service can be used to enable users to manage their own profile information and to research the status of their order. An attacker who provided specially malformed data to certain calls exposed by the Profile Service could cause the Commerce Server process to fail, or could run code in the LocalSystem security context. This vulnerability only affects Commerce Server 2000.
A buffer overrun vulnerability in the Office Web Components (OWC) package installer used by Commerce Server. An attacker who provided specially malformed data as input to the OWC package installer could cause the process to fail, or could run code in the LocalSystem security context. This vulnerability only affects Commerce Server 2000.
A vulnerability in the Office Web Components (OWC) package installer used by Commerce Server. An attacker who invoked the OWC package installer in a particular manner could cause commands to be run on the Commerce Server according to the privileges associated with the attacker's log on credentials. This vulnerability only affects Commerce Server 2000.
A new variant of the ISAPI Filter vulnerability discussed in Microsoft Security Bulletin MS02-010. This variant affects both Commerce Server 2000 and Commerce Server 2002. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS02-034" BulletinLocationID="1433" FAQLocationID="73" FAQPageName="FQ02-034" Title="Cumulative Patch for SQL Server (Q316333)" DatePosted="2002/07/10" DateRevised="2002/07/10" Supported="Yes" Summary="This is a cumulative patch that includes the functionality of all previously released patches for SQL Server 2000. In addition, it eliminates three newly discovered vulnerabilities affecting SQL Server 2000 and MSDE 2000 (but not any previous versions of SQL Server or MSDE):
A buffer overrun vulnerability in a procedure used to encrypt SQL Server credential information. An attacker who was able to successfully exploit this vulnerability could gain significant control over the database and possibly the server itself depending on the account SQL server runs as.
A buffer overrun vulnerability in a procedure that relates to the bulk inserting of data in SQL Server tables. An attacker who was able to successfully exploit this vulnerability could gain significant control over the database and possibly the server itself.
A privilege elevation vulnerability that results because of incorrect permissions on the Registry key that stores the SQL Server service account information. An attacker who was able to successfully exploit this vulnerability could gain greater privileges on the system than had been granted by the system administrator -- potentially even the same rights as the operating system. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS02-035" BulletinLocationID="1434" FAQLocationID="73" FAQPageName="FQ02-035" Title="SQL Server Installation Process May Leave Passwords on System (Q263968)" DatePosted="2002/07/10" DateRevised="2002/07/10" Supported="Yes" Summary="A security vulnerability results because of two factors:
The files remain on the server after the installation is complete. Except for the setup.iss file created by SQL Server 2000, the files are in directories that can be accessed by anyone who can interactively log on to the system.
The password information stored in the files is either in clear text (for SQL Server 7.0 prior to Service Pack 4) or encrypted using fairly weak protection. An attacker who recovered the files could subject them to a password cracking attack to learn the passwords, potentially compromising the sa password and/or a domain account password " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS02-036" BulletinLocationID="1435" FAQLocationID="73" FAQPageName="FQ02-036" Title="Authentication Flaw in Microsoft Metadirectory Services Could Allow Privilege Elevation (Q317138)" DatePosted="2002/07/24" DateRevised="2002/07/24" Supported="Yes" Summary="A flaw exists that could enable an unprivileged user to access and manipulate data within MMS that should, by design, only be accessible to MMS administrators. Specifically, it is possible for an unprivileged user to connect to the MMS data repository via an LDAP client in such a way as to bypass certain security checks. This could enable an attacker to modify data within the MMS data repository, either for the purpose of changing the MMS configuration or replicating bogus data to the other data repositories. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS02-037" BulletinLocationID="1436" FAQLocationID="73" FAQPageName="FQ02-037" Title="Server Response To SMTP Client EHLO Command Results In Buffer Overrun (Q326322)" DatePosted="2002/07/24" DateRevised="2002/07/24" Supported="Yes" Summary="A security vulnerability results because of an unchecked buffer in the IMC code that generates the response to the EHLO protocol command. If the total length of the message exceeds a particular value, the data would overrun the buffer. If the buffer were overrun with random data, it would result in the failure of the IMC. If, however, the buffer were overrun with carefully chosen data, it could be possible for the attacker to run code in the security context of the IMC, which runs as Exchange5.5 Service Account.
It is important to note that the attacker could not simply send data to the IMC in order to overrun the buffer. Instead, the attacker would need to create a set of conditions that would cause the IMC to overrun its own buffer when it generated the EHLO response. Specifically, the attacker would need to ensure that a reverse DNS lookup would not only succeed, but would provide an FQDN whose length was sufficient to result in the buffer overrun.
<Bulletin BulletinID="MS02-038" BulletinLocationID="1437" FAQLocationID="73" FAQPageName="FQ02-038" Title="Unchecked Buffer in SQL Server 2000 Utilities Could Allow Code Execution (Q316333)" DatePosted="2002/07/24" DateRevised="2002/07/24" Supported="Yes" Summary="This patch eliminates two newly discovered vulnerabilities affecting SQL Server 2000 and MSDE 2000: A buffer overrun vulnerability that occurs in several Database Consistency Checkers (DBCCs) that ship as part of SQL Server 2000. DBCCs are command console utilities that allow maintenance and other operations to be performed on a SQL Server. While many of these are executable only by sysadmin, some are executable by members of the db_owner and db_ddladmin roles as well. In the most serious case, exploiting this vulnerability would enable an attacker to run code in the context of the SQL Server service, thereby giving the attacker complete control over all databases on the server.
A SQL injection vulnerability that occurs in two stored procedures used in database replication. One of these can only be run by users who have been assigned the db_owner role; the other, due to a permissions error, could be run by any user who could log onto the server interactively. Exploiting the vulnerability could enable an attacker to run operating system commands on the server, but is subject to significant mitigating factors as discussed below. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS02-039" BulletinLocationID="1438" FAQLocationID="73" FAQPageName="FQ02-039" Title="Buffer Overruns in SQL Server 2000 Resolution Service Could Enable Code Execution (Q323875)" DatePosted="2002/07/24" DateRevised="2002/07/24" Supported="Yes" Summary="There are three security vulnerabilities here. The first two are buffer overruns. By sending a carefully crafted packet to the Resolution Service, an attacker could cause portions of system memory (the heap in one case, the stack in the other) to be overwritten. Overwriting it with random data would likely result in the failure of the SQL Server service; overwriting it with carefully selected data could allow the attacker to run code in the security context of the SQL Server service.
The third vulnerability is a denial of service vulnerability. SQL uses a keep-alive mechanism to distinguish between active and passive instances. It is possible to create a keep-alive packet that, when sent to the Resolution Service, will cause SQL Server 2000 to respond with the same information. An attacker who created such a packet, spoofed the source address so that it appeared to come from a one SQL Server 2000 system, and sent it to a neighboring SQL Server 2000 system could cause the two systems to enter a never-ending cycle of keep-alive packet exchanges. This would consume resources on both systems, slowing performance considerably.
<Bulletin BulletinID="MS02-040" BulletinLocationID="1439" FAQLocationID="73" FAQPageName="FQ02-040" Title="Unchecked Buffer in MDAC Function Could Enable SQL Server Compromise (Q326573)" DatePosted="2002/07/30" DateRevised="2002/07/30" Supported="Yes" Summary="The Microsoft Data Access Components (MDAC) provide a number of supporting technologies for accessing and using databases. Included among these functions is the underlying support for the T-SQL OpenRowSet command. A security vulnerability results because the MDAC functions underlying OpenRowSet contain an unchecked buffer.
An attacker who submitted a database query containing a specially malformed parameter within a call to OpenRowSet could overrun the buffer, either for the purpose of causing the SQL Server to fail or causing the SQL Server service to take actions dictated by the attacker.
<Bulletin BulletinID="MS02-041" BulletinLocationID="1440" FAQLocationID="73" FAQPageName="FQ02-041" Title="Unchecked Buffer in Content Management Server Could Enable Server Compromise (Q326075)" DatePosted="2002/08/06" DateRevised="2002/08/06" Supported="Yes" Summary="Microsoft Content Management Server (MCMS) 2001 is a .Net Enterprise Server product that simplifies developing and managing e-business web sites. Microsoft has learned of three security vulnerabilities affecting it:
- A buffer overrun in a low-level function that performs user authentication. At least one web page included with MCMS 2001 passes inputs directly to the function, thereby potentially providing a way for an attacker to overrun the buffer. The result of exploiting the vulnerability would be to either cause MCMS to fail, or run code in the context of the MCMS service (which runs as Local System).
- A vulnerability resulting from the confluence of two flaws affecting a function that allows files to be uploaded to the server. The first flaw lies in how the function authenticates requests, and would allow any user to submit an upload request. The second results because it is possible to override the upload location; where the function should upload files to a folder that only privileged users can access, it can be overridden to upload it to a temporary folder that does allow unprivileged users to call it. By exploiting the two flaws in tandem, an attacker could upload an .ASP or other file to the server, in a location from which it could be executed.
- A SQL injection vulnerability affecting a function that services requests for image files and other resources. Exploiting the vulnerability could enable an attacker to run SQL commands on the server, which would not only allow data in the MCMS database to be added, changed or deleted, but also would enable the attacker to run operating system commands on the server.
<Bulletin BulletinID="MS02-042" BulletinLocationID="1441" FAQLocationID="73" FAQPageName="FQ02-042" Title="Flaw in Network Connection Manager Could Enable Privilege Elevation (Q326886)" DatePosted="2002/08/15" DateRevised="2002/08/15" Supported="Yes" Summary="The Network Connection Manager (NCM) provides a controlling mechanism for all network connections managed by a host system. Among the functions of the NCM is to call a handler routine whenever a network connection has been established. By design, this handler routine should run in the security context of the user. However, a flaw could make it possible for an unprivileged user to cause the handler routine to run in the security context of LocalSystem, though a very complex process. An attacker who exploited this flaw could specify code of his or her choice as the handler, then establish a network connection in order to cause that code to be invoked by the NCM. The code would then run with full system privilege" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS02-043" BulletinLocationID="1442" FAQLocationID="73" FAQPageName="FQ02-043" Title="Cumulative Patch for SQL Server (Q316333)" DatePosted="2002/08/15" DateRevised="2002/08/15" Supported="Yes" Summary="This is a cumulative patch that includes the functionality of all previously released patches for SQL Server 7.0 and SQL Server 2000. In addition, it eliminates a newly discovered vulnerability. SQL Server 7.0 and SQL Server 2000 provide for extended stored procedures, which are external routines written in programming languages such as C or C#. These procedures appear as normal stored procedures to users and can be invoked and executed just like normal stored procedures. By default, SQL Server 7.0 and SQL Server 2000 ship with a number of extended stored procedures which are used for various helper functions. Some of the Microsoft-provided extended stored procedures that have the ability to reconnect to the database as the SQL Server service account have a flaw in common ΓÇô namely, they have weak permissions that can allow non-privileged users to execute them. Because these extended stored procedures can be made to run with administrator privileges on the database, it is thus possible for a non-privileged user to run stored procedures on the database with administrator privileges. An attacker could exploit this vulnerability in one of two ways. The attacker could attempt to load and execute a database query that calls one of the affected extended store procedures. Alternately, if a web-site or other database front-end were configured to access and process arbitrary queries, it could be possible for the attacker to provide inputs that would cause the query to call one of the functions in question with the appropriate malformed paramete" Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Bulletin BulletinID="MS02-044" BulletinLocationID="1443" FAQLocationID="73" FAQPageName="FQ02-044" Title="Unsafe Functions in Office Web Components (Q328130)" DatePosted="2002/08/21" DateRevised="2002/08/20" Supported="Yes" Summary="The Office Web Components (OWC) contain several ActiveX controls that gives users limited functionality of Microsoft Office in a web browser without requiring that the user install the full Microsoft Office application. This allows users to utilize Microsoft Office applications in situations where installation of the full application is infeasible or undesirable.
The control contains three security vulnerabilities, each of which could be exploited either via a web site or an HTML mail. The vulnerabilities result because of implementation errors in the following methods and functions the controls expose:
Host(). This function, by design, provides the caller with access to applications' object models on the user's system. By using the Host() function, an attacker could, for instance, open an Office application on the user's system and invoke commands there that would execute operating system commands as the user.
LoadText(). This method allows a web page to load text into a browser window. The method does check that the source of the text is in the same domain as the window, and in theory should restrict the page to only loading text that it hosts itself. However, it is possible to circumvent this restriction by specifying a text source located within the web page's domain, and then setting up a server-side redirect of that text to a file on the user's system. This would provide an attacker with a way to read any desired file on the user's system.
Copy()/Paste(). These methods allow text to be copied and pasted. A security vulnerability results because the method does not respect the "disallow paste via script" security setting in IE. Thus, even if this setting had been selected, a web page could continue to access the copy buffer, and read any text that the user had copied or cut from within other applications.
<Bulletin BulletinID="MS02-045" BulletinLocationID="1449" FAQLocationID="73" FAQPageName="FQ02-045" Title="Unchecked Buffer in Network Share Provider can lead to Denial of Service (Q326830)" DatePosted="2002/08/21" DateRevised="2002/08/21" Supported="Yes" Summary="SMB (Server Message Block) is the protocol Microsoft uses to share files, printers, serial ports, and also to communicate between computers using named pipes and mail slots. In a networked environment, servers make file systems and resources available to clients. Clients make SMB requests for resources and servers make SMB responses in what described as a client server, request-response protocol.
By sending a specially crafted packet request, an attacker can mount a denial of service attack on the target server machine and crash the system. The attacker could use both a user account and anonymous access to accomplish this. Though not confirmed, it may be possible to execute arbitrary code.
<Bulletin BulletinID="MS02-046" BulletinLocationID="1448" FAQLocationID="73" FAQPageName="FQ02-046" Title="Buffer Overrun in TSAC ActiveX Control Could Allow Code Execution (Q327521)" DatePosted="2002/08/21" DateRevised="2002/08/21" Supported="Yes" Summary="The Terminal Services Advanced Client (TSAC) web control is an ActiveX control that can be used to run Terminal Services sessions within Internet Explorer. The downloadable ActiveX control provides nearly the same functionality as the full Terminal Services Client, but is designed to deliver this functionality over the Web.
The TSAC control does not come installed as part of any Windows client system. Instead, clients obtain the control from web servers that offer terminal services. The configuration process that enables an IIS server to provide terminal services involves installing on the server a cabinet file containing the control. The server then delivers the cabinet file to any client system that needs it, and the client installs the control via the cabinet file.
A security vulnerability results because the control contains an unchecked buffer in the code that processes one of the input parameters. By calling the control on a client system and overrunning the buffer, an attacker could gain the ability to run code in the security context of the currently logged on user. This would enable the attacker to take any desired action on the user's system. The attacker could mount an attack by either hosting a web page that exploits the vulnerability against any user who visits it, or by sending an HTML mail to another user.
<Bulletin BulletinID="MS02-047" BulletinLocationID="1450" FAQLocationID="73" FAQPageName="FQ02-047" Title="Cumulative Patch for Internet Explorer (Q323759)" DatePosted="2002/08/21" DateRevised="2002/08/21" Supported="Yes" Summary="This is a cumulative patch that includes the functionality of all previously released patches for IE 5.01, 5.5 and 6.0. In addition, it eliminates the following six newly discovered vulnerabilities:
A buffer overrun vulnerability affecting the Gopher protocol handler. This vulnerability was originally discussed in Microsoft Security Bulletin MS02-027, which provided workaround instructions while the patch provided here was being completed.
A buffer overrun vulnerability affecting an ActiveX control used to display specially formatted text. The control contains a buffer overrun vulnerability that could enable an attacker to run code on a userΓÇÖs system in the context of the user.
A vulnerability involving how Internet Explorer handles an HTML directive that displays XML data. By design, the directive should only allow XML data from the web site itself to be displayed. However, it does not correctly check for the case where a referenced XML data source is in fact redirected to a data source in a different domain. This flaw could enable an attackerΓÇÖs web page to open an XML-based files residing a remote system within a browser window that the site could read, thereby enabling the attacker to read contents from websites that users had access to but the attacker was not able to navigate to.
A vulnerability involving how Internet Explorer represents the origin of a file in the File Download Dialogue box. This flaw could enable an attacker to misrepresent the source of a file offered for download in an attempt to fool users into accepting a file download from an untrusted source believing it to be coming from a trusted source.
A Cross Domain verification vulnerability that occurs because of improper domain checking in conjunction with the Object tag. As a result, the vulnerability could enable a malicious web site operator to access data across different domains, for example one in a web siteΓÇÖs domain and the other on the userΓÇÖs local file system and then pass information from the latter to the former. This could enable the web site operator to read, but not change, any file on the userΓÇÖs local computer that could be viewed n a browser window. In addition, this can also enable an attacker to invoke, but not pass parameters to, an executable on the local system, much like the "Local Executable Invocation via Object tag" vulnerability discussed in MS02-015.
A newly reported variant of the "Cross-Site Scripting in Local HTML Resource" vulnerability originally discussed in Microsoft Security Bulletin MS02-023. Like the original vulnerability, this variant could enable an attacker to create a web page that, when opened, would run in the Local Computer zone, allowing it to run with fewer restrictions than it would in the Internet Zone.
In addition, the patch sets the Kill Bit on the MSN Chat ActiveX control discussed in Microsoft Security Bulletin MS02-022 as well as the TSAC ActiveX control discussed in Microsoft Security Bulletin MS02-046. This has been done to ensure that vulnerable controls cannot be introduced onto usersΓÇÖ systems. Customers who use the MSN Chat control should ensure that they have applied the updated version of the control discussed in MS02-022 and customers who use the TSAC control should ensure that they have applied the updated version of the control discussed in MS02-046 .
<Bulletin BulletinID="MS02-048" BulletinLocationID="73" FAQLocationID="73" FAQPageName="FQ02-048" Title="Flaw in Certificate Enrollment Control Could Allow Deletion of Digital Certificates (Q323172)" DatePosted="2002/08/28" DateRevised="2002/08/28" Supported="Yes" Summary="All versions of Windows ship with an ActiveX control known as the Certificate Enrollment Control, the purpose of which is to allow web-based certificate enrollments. The control is used to submit PKCS #10 compliant certificate requests, and upon receiving the requested certificate, stores it in the userΓÇÖs local certificate store.
The control contains a flaw that could enable a web page, through an extremely complex process, to invoke the control in a way that would delete certificates on a userΓÇÖs system. An attacker who successfully exploited the vulnerability could corrupt trusted root certificates, EFS encryption certificates, email signing certificates, and any other certificates on the system, thereby preventing the user from using these features.
An attack could be carried out through either of two scenarios. The attacker could create a web page the that exploits the vulnerability, and host it on a web site in order to attack users who visited the site. The attacker also could send the page as an HTML mail in order to attack the recipient.
A new version of the control is available that corrects the vulnerability, and can be installed via the patch or Windows XP Service Pack 1 A patch is available for all other Windows systems, as discussed in the Patch Availability section below. Internet Explorer 5 or later is a prerequisite to installing the patch. As discussed in the Caveats section, customers who operate web sites that use the Certificate Enrollment Control will need to make minor revisions to their web applications in order to use the new control. Microsoft Knowledge Base article Q323172 details how to do this.
In addition, the patch addresses a similar, but less serious vulnerability discovered in the SmartCard Enrollment control. This control ships with Windows 2000 and Windows XP. A new version of this control is also provided.
<Bulletin BulletinID="MS02-049" BulletinLocationID="73" FAQLocationID="73" FAQPageName="FQ02-049" Title="Flaw Could Enable Web Page to Launch Visual FoxPro 6.0 Application Without Warning (Q326568)" DatePosted="2002/09/04" DateRevised="2002/09/04" Supported="Yes" Summary="In general, when an product installs, it should register itself with Internet Explorer. This allows the product to specify how Internet Explorer should handle files associated with it when referenced from a web page - for instance, it allows the product to specify whether the user should be presented with a warning dialogue before such a file is opened.
Visual FoxPro 6.0 does not perform this registration, and this gives rise to a situation in which a web page could automatically launch a Visual FoxPro application (i.e., an .app file). In most cases, this would not result in a security vulnerability - because of the way Visual FoxPro 6.0 evaluates file names, FoxPro itself could be started but the .app file would typically not run. However, if the filename of the application were constructed in a particular way, a second error (associated with how Visual FoxPro 6.0 evaluates application filenames) could not only start FoxPro but allow the application to execute.
The vulnerability could be exploited by creating a web page that references a Visual FoxPro application, and either hosting it on a web site or sending it to a user as an HTML mail. If the user had installed Visual FoxPro 6.0 - or had installed a product that includes the Visual FoxPro 6.0 runtime - and the filename of the application was constructed in a particular way, the application would execute. This would enable the application to not only interrogate databases, but also issue system commands in the user's security context.
<Bulletin BulletinID="MS02-050" BulletinLocationID="73" FAQLocationID="73" FAQPageName="FQ02-050" Title="Certificate Validation Flaw Could Enable Identity Spoofing (Q328145)" DatePosted="2002/09/04" DateRevised="2002/09/04" Supported="Yes" Summary="The IETF Profile of the X.509 certificate standard defines several optional fields that can be included in a digital certificate. One of these is the Basic Constraints field, which indicates the maximum allowable length of the certificateΓÇÖs chain and whether the certificate is a Certificate Authority or an end-entity certificate. However, the APIs within CryptoAPI that construct and validate certificate chains (CertGetCertificateChain(), CertVerifyCertificateChainPolicy()) and WinVerityTrust) do not check the Basic Constraints field. The same flaw, unrelated to CryptoAPI, is also present in several Microsoft products for Macintosh.
The vulnerability could enable an attacker who had a valid end-entity certificate to issue a subordinate certificate that, although bogus, would nevertheless pass validation. Because CryptoAPI is used by a wide range of applications, this could enable a variety of identity spoofing attacks. These are discussed in detail in the FAQ, but could include:
Setting up a web site that poses as a different web site, and "proving" its identity by establishing an SSL session as the legitimate web site.
Sending emails signed using a digital certificate that purportedly belongs to a different user.
Spoofing certificate-based authentication systems to gain entry as a highly privileged user.
Digitally signing malware using an Authenticode certificate that claims to have been issued to a company users might trust. " Issue="" ImpactSeverityID="0" PreReqSeverityID="0" MitigationSeverityID="0" PopularitySeverityID="0">
<Product ProductID="1" Name="Windows NT Workstation 4.0" MinimumSupportedServicePackID="4" CurrentServicePackID="7" CurrentVersion="4.00.1381">
<ProductFamilies>
<ProductFamily ProductFamilyID="1"/>
</ProductFamilies>
<AvailableSPs>
<AvailableSP ServicePackID="69"/>
<AvailableSP ServicePackID="4"/>
<AvailableSP ServicePackID="5"/>
<AvailableSP ServicePackID="7"/>
</AvailableSPs>
</Product>
<Product ProductID="2" Name="Windows NT Server 4.0" MinimumSupportedServicePackID="4" CurrentServicePackID="7" CurrentVersion="4.00.1381">
<ProductFamilies>
<ProductFamily ProductFamilyID="1"/>
</ProductFamilies>
<AvailableSPs>
<AvailableSP ServicePackID="69"/>
<AvailableSP ServicePackID="4"/>
<AvailableSP ServicePackID="5"/>
<AvailableSP ServicePackID="7"/>
</AvailableSPs>
</Product>
<Product ProductID="3" Name="Windows NT Server 4.0, Enterprise Edition" MinimumSupportedServicePackID="4" CurrentServicePackID="7" CurrentVersion="4.00.1381">
<ProductFamilies>
<ProductFamily ProductFamilyID="1"/>
</ProductFamilies>
<AvailableSPs>
<AvailableSP ServicePackID="69"/>
<AvailableSP ServicePackID="4"/>
<AvailableSP ServicePackID="5"/>
<AvailableSP ServicePackID="7"/>
</AvailableSPs>
</Product>
<Product ProductID="4" Name="Windows NT Server 4.0, Terminal Server Edition" MinimumSupportedServicePackID="82" CurrentServicePackID="8" CurrentVersion="na">
<Product ProductID="19" Name="Windows Me" MinimumSupportedServicePackID="89" CurrentServicePackID="89" CurrentVersion="na">
<ProductFamilies/>
<AvailableSPs/>
</Product>
<Product ProductID="71" Name="Internet Information Server 3.0" MinimumSupportedServicePackID="4" CurrentServicePackID="7" CurrentVersion="3.0">
<ProductFamilies>
<ProductFamily ProductFamilyID="1"/>
</ProductFamilies>
<AvailableSPs>
<AvailableSP ServicePackID="69"/>
<AvailableSP ServicePackID="4"/>
<AvailableSP ServicePackID="5"/>
<AvailableSP ServicePackID="7"/>
</AvailableSPs>
</Product>
<Product ProductID="16" Name="Internet Information Server 4.0" MinimumSupportedServicePackID="4" CurrentServicePackID="7" CurrentVersion="4.0">
<ProductFamilies>
<ProductFamily ProductFamilyID="1"/>
</ProductFamilies>
<AvailableSPs>
<AvailableSP ServicePackID="69"/>
<AvailableSP ServicePackID="4"/>
<AvailableSP ServicePackID="5"/>
<AvailableSP ServicePackID="7"/>
</AvailableSPs>
</Product>
<Product ProductID="17" Name="Internet Information Services 5.0" MinimumSupportedServicePackID="74" CurrentServicePackID="3" CurrentVersion="5.0">
<ProductFamilies>
<ProductFamily ProductFamilyID="2"/>
</ProductFamilies>
<AvailableSPs>
<AvailableSP ServicePackID="74"/>
<AvailableSP ServicePackID="1"/>
<AvailableSP ServicePackID="2"/>
<AvailableSP ServicePackID="3"/>
</AvailableSPs>
</Product>
<Product ProductID="18" Name="Indexing Services for Windows 2000" MinimumSupportedServicePackID="74" CurrentServicePackID="2" CurrentVersion="5.00.2195">
<ProductFamilies>
<ProductFamily ProductFamilyID="2"/>
</ProductFamilies>
<AvailableSPs>
<AvailableSP ServicePackID="74"/>
<AvailableSP ServicePackID="1"/>
<AvailableSP ServicePackID="2"/>
</AvailableSPs>
</Product>
<Product ProductID="14" Name="Windows Media Services 4.0" MinimumSupportedServicePackID="90" CurrentServicePackID="90" CurrentVersion="na">
<ProductFamilies/>
<AvailableSPs/>
</Product>
<Product ProductID="15" Name="Windows Media Services 4.1" MinimumSupportedServicePackID="91" CurrentServicePackID="91" CurrentVersion="na">
<ProductFamilies/>
<AvailableSPs/>
</Product>
<Product ProductID="48" Name="Windows Media Encoder 4.0" MinimumSupportedServicePackID="92" CurrentServicePackID="92" CurrentVersion="na">
<ProductFamilies/>
<AvailableSPs/>
</Product>
<Product ProductID="49" Name="Windows Media Encoder 4.1" MinimumSupportedServicePackID="93" CurrentServicePackID="93" CurrentVersion="na">
<ProductFamilies/>
<AvailableSPs/>
</Product>
<Product ProductID="20" Name="Windows Media Player 7.0" MinimumSupportedServicePackID="94" CurrentServicePackID="94" CurrentVersion="na">
<Product ProductID="81" Name="Systems Management Server 1.2" MinimumSupportedServicePackID="44" CurrentServicePackID="44" CurrentVersion="na">
<AvailableSPs>
<AvailableSP ServicePackID="44"/>
</AvailableSPs>
<ProductFamilies/>
</Product>
<Product ProductID="62" Name="Systems Management Server 2.0" MinimumSupportedServicePackID="45" CurrentServicePackID="49" CurrentVersion="na">
<AvailableSPs>
<AvailableSP ServicePackID="45"/>
<AvailableSP ServicePackID="46"/>
<AvailableSP ServicePackID="47"/>
<AvailableSP ServicePackID="49"/>
</AvailableSPs>
<ProductFamilies/>
</Product>
<Product ProductID="67" Name="Site Server 3.0" MinimumSupportedServicePackID="63" CurrentServicePackID="67" CurrentVersion="na">
<AvailableSPs>
<AvailableSP ServicePackID="63"/>
<AvailableSP ServicePackID="64"/>
<AvailableSP ServicePackID="65"/>
<AvailableSP ServicePackID="66"/>
<AvailableSP ServicePackID="67"/>
</AvailableSPs>
<ProductFamilies/>
</Product>
<Product ProductID="63" Name="Site Server 3.0, Commerce Edition" MinimumSupportedServicePackID="63" CurrentServicePackID="67" CurrentVersion="na">
<AvailableSPs>
<AvailableSP ServicePackID="63"/>
<AvailableSP ServicePackID="64"/>
<AvailableSP ServicePackID="65"/>
<AvailableSP ServicePackID="66"/>
<AvailableSP ServicePackID="67"/>
</AvailableSPs>
<ProductFamilies/>
</Product>
<Product ProductID="68" Name="Microsoft Commercial Internet System 2.5" MinimumSupportedServicePackID="113" CurrentServicePackID="113" CurrentVersion="na">
<ProductFamilies/>
<AvailableSPs/>
</Product>
<Product ProductID="66" Name="Microsoft Commercial Internet System 2.0" MinimumSupportedServicePackID="114" CurrentServicePackID="114" CurrentVersion="na">
<Product ProductID="89" Name="Internet Explorer 4.5 for Macintosh" MinimumSupportedServicePackID="125" CurrentServicePackID="125" CurrentVersion="na">
<ProductFamilies/>
<AvailableSPs/>
</Product>
<Product ProductID="90" Name="Outlook Express 5 for Macintosh" MinimumSupportedServicePackID="126" CurrentServicePackID="126" CurrentVersion="na">
<ProductFamilies/>
<AvailableSPs/>
</Product>
<Product ProductID="96" Name="FrontPage 97 Server Extensions" MinimumSupportedServicePackID="127" CurrentServicePackID="127" CurrentVersion="na">
<ProductFamilies/>
<AvailableSPs/>
</Product>
<Product ProductID="97" Name="FrontPage 98 Server Extensions" MinimumSupportedServicePackID="128" CurrentServicePackID="128" CurrentVersion="na">
<ProductFamilies/>
<AvailableSPs/>
</Product>
<Product ProductID="98" Name="Personal Web Server 4.0" MinimumSupportedServicePackID="129" CurrentServicePackID="129" CurrentVersion="na">
<ProductFamilies/>
<AvailableSPs/>
</Product>
<Product ProductID="99" Name="FrontPage 97 Personal Web Server 1.0 " MinimumSupportedServicePackID="130" CurrentServicePackID="130" CurrentVersion="na">
<ProductFamilies/>
<AvailableSPs/>
</Product>
<Product ProductID="100" Name="FrontPage 98 Personal Web Server 1.0 " MinimumSupportedServicePackID="131" CurrentServicePackID="131" CurrentVersion="na">
<ProductFamilies/>
<AvailableSPs/>
</Product>
<Product ProductID="101" Name="Office 98 for Macintosh " MinimumSupportedServicePackID="132" CurrentServicePackID="132" CurrentVersion="na">
<AvailableSPs/>
<ProductFamilies/>
</Product>
<Product ProductID="102" Name="BackOffice Server 4.0" MinimumSupportedServicePackID="69" CurrentServicePackID="7" CurrentVersion="na">
<Product ProductID="119" Name="Internet Explorer 6" MinimumSupportedServicePackID="155" CurrentServicePackID="215" CurrentVersion="6.00.2600.0000">
<ProductFamilies>
<ProductFamily ProductFamilyID="99"/>
</ProductFamilies>
<AvailableSPs>
<AvailableSP ServicePackID="155"/>
<AvailableSP ServicePackID="215"/>
</AvailableSPs>
</Product>
<Product ProductID="120" Name="Windows XP Home Edition" MinimumSupportedServicePackID="158" CurrentServicePackID="216" CurrentVersion="">
<ProductFamilies/>
<AvailableSPs>
<AvailableSP ServicePackID="158"/>
<AvailableSP ServicePackID="216"/>
</AvailableSPs>
</Product>
<Product ProductID="121" Name="Windows XP Professional" MinimumSupportedServicePackID="158" CurrentServicePackID="216" CurrentVersion="">
<ProductFamilies/>
<AvailableSPs>
<AvailableSP ServicePackID="158"/>
<AvailableSP ServicePackID="216"/>
</AvailableSPs>
</Product>
<Product ProductID="122" Name="IE 5.1 for Macintosh" MinimumSupportedServicePackID="159" CurrentServicePackID="159" CurrentVersion="">
<ProductFamilies>
<ProductFamily ProductFamilyID="99"/>
</ProductFamilies>
<AvailableSPs>
<AvailableSP ServicePackID="159"/>
</AvailableSPs>
</Product>
<Product ProductID="123" Name="Windows Media Player for Windows XP" MinimumSupportedServicePackID="158" CurrentServicePackID="216" CurrentVersion="8.00.00.4477">
<Product ProductID="127" Name="Commerce Server 2000" MinimumSupportedServicePackID="167" CurrentServicePackID="168" CurrentVersion="">
<ProductFamilies/>
<AvailableSPs>
<AvailableSP ServicePackID="167"/>
<AvailableSP ServicePackID="168"/>
</AvailableSPs>
</Product>
<Product ProductID="128" Name="Internet Explorer 5.1 for Macintosh OS X" MinimumSupportedServicePackID="170" CurrentServicePackID="170" CurrentVersion="">
<AvailableSPs/>
<ProductFamilies/>
</Product>
<Product ProductID="129" Name="Internet Explorer 5.1 for Machintosh OS 8 and 9" MinimumSupportedServicePackID="171" CurrentServicePackID="171" CurrentVersion="">
<AvailableSPs/>
<ProductFamilies/>
</Product>
<Product ProductID="130" Name="Entourage v. X for Macintosh" MinimumSupportedServicePackID="172" CurrentServicePackID="172" CurrentVersion="">
<AvailableSPs/>
<ProductFamilies/>
</Product>
<Product ProductID="131" Name="Entourage 2001 for Macintosh" MinimumSupportedServicePackID="173" CurrentServicePackID="173" CurrentVersion="">
<AvailableSPs/>
<ProductFamilies/>
</Product>
<Product ProductID="132" Name="PowerPoint 2001 for Macintosh" MinimumSupportedServicePackID="174" CurrentServicePackID="174" CurrentVersion="">
<AvailableSPs/>
<ProductFamilies/>
</Product>
<Product ProductID="133" Name="PowerPoint v. X for Macintosh" MinimumSupportedServicePackID="175" CurrentServicePackID="175" CurrentVersion="">
<AvailableSPs/>
<ProductFamilies/>
</Product>
<Product ProductID="134" Name="PowerPoint 98 for Macintosh" MinimumSupportedServicePackID="176" CurrentServicePackID="176" CurrentVersion="">
<AvailableSPs/>
<ProductFamilies/>
</Product>
<Product ProductID="135" Name="Excel v. X for Macintosh" MinimumSupportedServicePackID="177" CurrentServicePackID="177" CurrentVersion="">
<AvailableSPs/>
<ProductFamilies/>
</Product>
<Product ProductID="136" Name="Excel 2001 for Macintosh" MinimumSupportedServicePackID="178" CurrentServicePackID="178" CurrentVersion="">
<Product ProductID="140" Name="Proxy Server 2.0" MinimumSupportedServicePackID="184" CurrentServicePackID="184" CurrentVersion="">
<ProductFamilies>
<ProductFamily ProductFamilyID="2"/>
</ProductFamilies>
<AvailableSPs>
<AvailableSP ServicePackID="184"/>
</AvailableSPs>
</Product>
<Product ProductID="141" Name="Windows NT Server 4.0, Terminal Server Edition RRAS" MinimumSupportedServicePackID="186" CurrentServicePackID="186" CurrentVersion="">
<AvailableSPs/>
<ProductFamilies/>
</Product>
<Product ProductID="142" Name="Windows NT Server 4.0, RRAS" MinimumSupportedServicePackID="187" CurrentServicePackID="187" CurrentVersion="">
<AvailableSPs/>
<ProductFamilies/>
</Product>
<Product ProductID="143" Name="Windows NT Workstation 4.0, RRAS" MinimumSupportedServicePackID="188" CurrentServicePackID="188" CurrentVersion="">
<AvailableSPs/>
<ProductFamilies/>
</Product>
<Product ProductID="144" Name="Windows NT Server 4.0, Enterprise Edition, RRAS" MinimumSupportedServicePackID="189" CurrentServicePackID="189" CurrentVersion="">
<Product ProductID="147" Name="Commerce Server 2002" MinimumSupportedServicePackID="192" CurrentServicePackID="192" CurrentVersion="">
<ProductFamilies/>
<AvailableSPs>
<AvailableSP ServicePackID="192"/>
</AvailableSPs>
</Product>
<Product ProductID="148" Name="Windows Media Player 6.4 for Windows NT 4.0" MinimumSupportedServicePackID="193" CurrentServicePackID="193" CurrentVersion="">
<ProductFamilies/>
<AvailableSPs>
<AvailableSP ServicePackID="193"/>
</AvailableSPs>
</Product>
<Product ProductID="149" Name="Windows Media Player 6.4 for Windows 2000" MinimumSupportedServicePackID="194" CurrentServicePackID="194" CurrentVersion="">
<ServicePack ServicePackID="1" Name="Windows 2000 Service Pack 1" URL="http://support.microsoft.com/support/servicepacks/Windows/2000/SP1.asp" ReleaseDate="2000/07/31"/>
<ServicePack ServicePackID="2" Name="Windows 2000 Service Pack 2" URL="http://support.microsoft.com/support/servicepacks/Windows/2000/SP2.asp" ReleaseDate="2001/05/16"/>
<ServicePack ServicePackID="3" Name="Windows 2000 Service Pack 3" URL="http://www.microsoft.com/technet/security/news/w2ksp3.asp" ReleaseDate="2002/08/01"/>
<ServicePack ServicePackID="69" Name="Windows NT4 Service Pack 3" URL="http://support.microsoft.com/support/ntserver/content/servicepacks/SP3.asp" ReleaseDate="1997/01/01"/>
<ServicePack ServicePackID="4" Name="Windows NT4 Service Pack 4" URL="http://support.microsoft.com/support/servicepacks/WinNT/4.0/SP4.asp" ReleaseDate="1998/10/01"/>
<ServicePack ServicePackID="5" Name="Windows NT4 Service Pack 5" URL="http://support.microsoft.com/support/servicepacks/WinNT/4.0/SP5.asp" ReleaseDate="1999/05/04"/>
<ServicePack ServicePackID="6" Name="Windows NT4 Service Pack 6" URL="http://support.microsoft.com/support/servicepacks/WinNT/4.0/SP6a.asp" ReleaseDate="1999/11/30"/>
<ServicePack ServicePackID="7" Name="Windows NT4 Service Pack 6a" URL="http://support.microsoft.com/support/servicepacks/WinNT/4.0/SP6a.asp" ReleaseDate="1999/11/30"/>
<ServicePack ServicePackID="81" Name="Windows NT 4 Terminal Server Gold" URL="http://support.microsoft.com/support/ntserver/tse/servicepacks/Default.asp" ReleaseDate="1997/01/01"/>
<ServicePack ServicePackID="82" Name="Windows NT4 Terminal Server Service Pack 4" URL="http://support.microsoft.com/support/ntserver/tse/servicepacks/Default.asp" ReleaseDate="1999/04/26"/>
<ServicePack ServicePackID="83" Name="Windows NT4 Terminal Server Service Pack 5" URL="http://support.microsoft.com/support/servicepacks/WinNT/4.0/TSESP5.asp" ReleaseDate="1999/11/19"/>
<ServicePack ServicePackID="8" Name="Windows NT4 Terminal Server Service Pack 6" URL="http://support.microsoft.com/support/servicepacks/WinNT/4.0/TSESP6.asp" ReleaseDate="2000/05/02"/>
<ServicePack ServicePackID="192" Name="Commerce Server 2002 Gold" URL="" ReleaseDate=""/>
<ServicePack ServicePackID="193" Name="Windows Media Player 6.4 for Windows NT 4.0 Gold" URL="http://www.microsoft.com/windows/windowsmedia/download/win32otherx86.asp" ReleaseDate="2001/01/01"/>
<ServicePack ServicePackID="194" Name="Windows Media Player 6.4 for Windows 2000 Gold" URL="" ReleaseDate="2001/01/01"/>
