Ten MS Security Bulletins issued today. The first three (MS04-029, MS04-030 and MS04-031) are rated important while the rest are critical.
Please note that Multiple Windows Vulnerabilities (MS04-032) is actually four vulnerabilities listed in one bulletin, Shell Vulnerabilities (MS04-037) is actually two vulnerabilities listed in one bulletin, and the Cumulative Internet Explorer Vulnerabilities (MS04-038) is actually eight vulnerabilities listed in one bulletin. If you count all the individual vulnerabilities, there are at least twenty of them spanning ten bulletins.
An information disclosure and denial of service vulnerability exists when the RPC Runtime Library processes specially crafted messages. An attacker who successfully exploited this vulnerability could potentially read portions of active memory or cause the affected system to stop responding.
Remote Procedure Call (RPC) is a protocol that the Windows operating system uses. RPC provides an interprocess communication mechanism that allows a program that is running on one system to access services seamlessly on another system. The protocol is derived from the Open Software Foundation (OSF) RPC protocol, with the addition of some Microsoft-specific extensions.
The vulnerability is caused due to an unchecked buffer in the RPC Runtime Library.
The RPC Runtime Library provides services such as communication services, directory services, and security services to application developers.
A denial of service vulnerability exists that could allow an attacker to send a specially crafted WebDAV request to a server that is running IIS and WebDAV. An attacker could cause WebDAV to consume all available memory and CPU time on an affected server. The IIS service would have to be restarted to restore functionality.
WebDAV is an industry standard extension to the HTTP specification. The "DAV" in "WebDAV" stands for "distributed authoring and versioning." WebDAV adds a capability for authorized users to remotely add and manage content on a Web server. By default, WebDAV is enabled when IIS is enabled on Windows 2000. By default, WebDAV is not installed on IIS 5.1 or on IIS 6.0.
The vulnerability is caused because WebDAV does not limit the number of attributes that can be specified per XML-element in WebDAV requests.
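The root cause above is a missing limit on attributes per XML element. The following is an added example, not code from the bulletin or from IIS, of the kind of pre-filter a defender can put in front of a WebDAV endpoint: it parses the request body with a streaming (SAX) parser and rejects any element carrying more attributes than a policy limit, so the oversized request never reaches the real WebDAV handler. The limit of 16 and the sample request bodies are constructed for the example.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Policy limit on attributes per element (an assumption for this example;
# real WebDAV requests use only a handful of attributes per element).
MAX_ATTRS_PER_ELEMENT = 16


class AttributeLimitExceeded(Exception):
    """Raised when an XML element carries more attributes than the policy allows."""


class _AttrCounter(ContentHandler):
    """SAX handler that counts attributes on every start tag as it streams past."""

    def __init__(self, limit):
        super().__init__()
        self.limit = limit
        self.max_seen = 0

    def startElement(self, name, attrs):
        n = len(attrs)
        if n > self.max_seen:
            self.max_seen = n
        if n > self.limit:
            # Abort immediately: the parser never buffers the whole document.
            raise AttributeLimitExceeded(
                f"element <{name}> carries {n} attributes, limit is {self.limit}"
            )


def check_webdav_body(body: bytes, limit: int = MAX_ATTRS_PER_ELEMENT) -> int:
    """Scan a WebDAV request body; return the largest attribute count seen.

    Raises AttributeLimitExceeded if any element exceeds the limit, and
    xml.sax.SAXParseException if the body is not well-formed XML.
    """
    handler = _AttrCounter(limit)
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, False)  # no external entity fetches
    parser.parse(io.BytesIO(body))
    return handler.max_seen


# Constructed sample: a normal PROPFIND body (one attribute, the xmlns:D declaration).
BENIGN_PROPFIND = (
    b'<?xml version="1.0" encoding="utf-8"?>'
    b'<D:propfind xmlns:D="DAV:"><D:prop><D:displayname/></D:prop></D:propfind>'
)


def build_padded_request(attr_count: int) -> bytes:
    """Construct a PROPFIND element padded with attr_count dummy attributes."""
    padding = " ".join(f'a{i}="x"' for i in range(attr_count))
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        f'<D:propfind xmlns:D="DAV:" {padding}/>'
    ).encode("utf-8")


if __name__ == "__main__":
    print("benign body, max attributes per element:", check_webdav_body(BENIGN_PROPFIND))
    try:
        check_webdav_body(build_padded_request(200))
    except AttributeLimitExceeded as exc:
        print("rejected:", exc)
```

Because the check runs on a streaming parser and aborts at the first offending start tag, it bounds the work done per request and can sit in an HTTP filter or reverse proxy ahead of the server that actually implements WebDAV.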
A remote code execution vulnerability exists in the NetDDE services because of an unchecked buffer. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, the NetDDE services are not started by default and would have to be manually started for an attacker to attempt to remotely exploit this vulnerability. This vulnerability could also be used to attempt to perform a local elevation of privilege or remote denial of service.
Network Dynamic Data Exchange (NetDDE) allows two applications to communicate with each other over a network. This is considered an older communication method that typically has been replaced by newer technologies such as DCOM.
The vulnerability is caused because of an unchecked buffer in the NetDDE services.
A privilege elevation vulnerability exists in the Window Management application programming interfaces (APIs). This vulnerability could allow a logged on user to take complete control of the system.
The Windows graphical user interface (GUI) allows programs to change various properties that define that program such as the size of the window or the name of the program. The Window Management API functions are the components of the operating system that programs use to change these properties.
Several Window Management API functions allow programs to change the properties of other programs that are running at a higher level of privilege. Programs should be limited to changing the properties of other programs that are running at the same level of privilege. The properties of the program that is running at a higher level of privilege could be changed in such a way that the change could cause an elevation of privilege for the locally logged on user.
A local privilege elevation vulnerability exists in the operating system component that handles the Virtual DOS Machine (VDM) subsystem. This vulnerability could allow a logged on user to take complete control of the system.
A virtual DOS machine (VDM) subsystem is an environment that emulates the MS-DOS operating system and the MS-DOS-based Windows operating system on Windows NT-based operating systems. A VDM is created whenever a user starts an MS-DOS application on a Windows NT-based operating system.
The operating system component that handles the virtual DOS machine (VDM) subsystem could be used to gain access to protected kernel memory. In certain circumstances, some privileged operating system functions might not validate system structures and could allow an attacker to execute a specially-designed program with system privileges.
A remote code execution vulnerability exists in the rendering of Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats. Any program that renders WMF or EMF images on the affected systems could be vulnerable to this attack. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
A WMF image is a 16-bit metafile format that can contain both vector information and bitmap information. It is optimized for the Windows operating system. An EMF image is a 32-bit format that can contain both vector information and bitmap information. This format is an improvement over the Windows Metafile format and contains extended features.
The vulnerability is caused because of an unchecked buffer in the way that the Graphics Rendering Engine processes Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats.
A local denial of service vulnerability exists in the Windows kernel. An attacker could locally run a program that could cause the affected system to stop responding.
The denial of service vulnerability would not allow attackers to execute code or elevate their privileges, but it could cause the affected system to stop accepting requests.
The Windows kernel is the core of the operating system. It provides system level services such as device management and memory management, it allocates processor time to processes, and it manages error handling.
The vulnerability is caused because the Windows kernel does not properly reset some values within some CPU data structures.
A remote code execution vulnerability exists in Excel. If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of the affected system.
An attacker could host a malicious Excel file on a web site and persuade a user to click a link to the file. The file could then be executed, allowing the attacker to run code of their choice. An attacker could also attempt to exploit the vulnerability by sending a specially crafted file in email.
A remote code execution vulnerability exists in Compressed (zipped) Folders because of an unchecked buffer in the way that it handles specially crafted compressed files. An attacker could exploit the vulnerability by constructing a malicious compressed file that could potentially allow remote code execution if a user visited a malicious Web site. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, user interaction is required to exploit this vulnerability.
The Compressed (zipped) Folders feature enables users to store data files and folders in a compressed (or zipped) format. Files and folders that are compressed require less space to store them. The feature lets users create, add files to, and extract files from zipped folders.
A remote code execution vulnerability exists in the Windows Server 2003 SMTP component because of the way that it handles Domain Name System (DNS) lookups. An attacker could exploit the vulnerability by causing the server to process a particular DNS response that could potentially allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system. The vulnerability also exists in the Microsoft Exchange Server 2003 Routing Engine component when installed on Microsoft Windows 2000 Service Pack 3 or on Microsoft Windows 2000 Service Pack 4.
Simple Mail Transfer Protocol (SMTP) is an industry standard for delivering e-mail messages over the Internet, as defined in RFC 2821 and in RFC 2822. The protocol defines the format of e-mail messages, the fields that are in e-mail messages, the contents of e-mail messages, and the handling procedures for e-mail messages.
The Exchange Routing Engine component is part of the Exchange Routing Engine Service. The Exchange Routing Engine Service implements the Routing Engine API and determines how e-mail messages are routed through an Exchange system.
The vulnerability is caused because of an unchecked buffer in the Windows SMTP component and in the Exchange Routing Engine component.
A remote code execution vulnerability exists within the Network News Transfer Protocol (NNTP) component of the affected operating systems. This vulnerability could potentially affect systems that do not use NNTP. This is because some programs that are listed in the affected software section require that the NNTP component be enabled before you can install them. An attacker could exploit the vulnerability by constructing a malicious request that could potentially allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
The NNTP component provides a service that enables the distribution, retrieval, and posting of news articles among the Internet community. NNTP is designed so that news articles are stored in a central database allowing a subscriber to select only those items that they want to read.
The vulnerability is caused because of an unchecked buffer in the Network News Transfer Protocol (NNTP) component.
A remote code execution vulnerability exists in the way that the Windows Shell starts applications. An attacker could exploit the vulnerability if a user visited a malicious Web site. If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system. However, user interaction is required to exploit this vulnerability.
The Microsoft Windows user interface (UI) provides users with access to a wide variety of objects that are necessary for running applications and managing the operating system. The most numerous and familiar of these objects are the folders and files that reside on computer disk drives. There are also a number of virtual objects that allow the user to do tasks such as sending files to remote printers or accessing the Recycle Bin. The Shell organizes these objects into a hierarchical namespace and provides users and applications with a consistent and efficient way to access and manage objects.
The vulnerability is caused because of unchecked buffers in Windows Shell functions.
A remote code execution vulnerability exists in Program Group Converter because of the way that it handles specially crafted requests. An attacker could exploit the vulnerability by constructing a malicious request that could potentially allow remote code execution if a user performed an action such as opening a file attachment or clicking an HTML link. If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system. However, user interaction is required to exploit this vulnerability.
The Program Group Converter was used to convert Program Manager Group files that were created in Windows 3.1, Windows 3.11, Windows for Workgroups 3.1, and Windows for Workgroups 3.11 so that they could be used by later operating systems. This application is also used during Windows Setup and by third-party applications during the installation of applications or devices.
The vulnerability is caused because of an unchecked buffer in the Program Group Converter application.
A remote code execution vulnerability exists in Internet Explorer. An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow remote code execution if a user visited a malicious Web site. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, significant user interaction is required to exploit this vulnerability.
The vulnerability is caused because of an unchecked buffer in Internet Explorer's processing of CSS.
Cascading Style Sheets (CSS) is a technology that allows Web authors to have increased control of the design and interaction of their Web pages.
A vulnerability in the cross domain security model exists in Internet Explorer because of the way that Internet Explorer handles navigation methods by functions that have similar names. An attacker could exploit this vulnerability by constructing a malicious Web page that could potentially allow remote code execution if a user visited a malicious Web site. An attacker who successfully exploited this vulnerability could run malicious script code in the Local Machine security zone in Internet Explorer or access information in a different domain. In the worst case, if a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system.
One of the principal security functions of a browser is to make sure that browser windows that are under the control of different Web sites cannot interfere with each other or access each other's data, while allowing windows from the same site to interact with each other. To differentiate between cooperative and uncooperative browser windows, the concept of a "domain" has been created. A domain is a security boundary - any open windows within the same domain can interact with each other, but windows from different domains cannot. The cross-domain security model is the part of the security architecture that keeps windows from different domains from interfering with each other.
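To make the "domain as a security boundary" idea concrete, here is an added example (not code from the bulletin or from Internet Explorer) that models the check a browser performs before letting one window touch another. It approximates a domain as the (scheme, host, port) triple, the rule most browsers now call the same-origin policy, and treats file: URLs as the separate, more privileged Local Machine zone the bulletin mentions, so that content from an Internet origin can never be judged to share a domain with it. The zone names and the sample URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Default ports so "http://host/" and "http://host:80/" compare as one domain.
DEFAULT_PORTS = {"http": 80, "https": 443}


def zone(url: str) -> str:
    """Coarse security zone (names are an assumption for this example)."""
    scheme = urlsplit(url).scheme.lower()
    return "local_machine" if scheme == "file" else "internet"


def origin(url: str):
    """Normalise a URL to the (scheme, host, port) triple used as a domain key."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()          # hostname is case-insensitive
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def may_interact(window_a_url: str, window_b_url: str) -> bool:
    """True only if two windows are in the same zone and the same domain.

    A window from the Internet zone must never be allowed to script a
    Local Machine zone window, regardless of how the URLs compare.
    """
    if zone(window_a_url) != zone(window_b_url):
        return False
    return origin(window_a_url) == origin(window_b_url)


if __name__ == "__main__":
    # Constructed URL pairs illustrating the boundary.
    pairs = [
        ("http://example.com/page1", "HTTP://Example.COM:80/page2"),   # same domain
        ("http://example.com/page", "https://example.com/page"),         # scheme differs
        ("http://example.com/page", "http://example.com:8080/page"),     # port differs
        ("http://example.com/page", "file:///C:/local.html"),            # zone differs
    ]
    for a, b in pairs:
        print(f"{a!r} <-> {b!r}: {'allowed' if may_interact(a, b) else 'blocked'}")
```

The cross-domain bug the bulletin describes is, in these terms, a case where the browser reached the body of `may_interact` by a second code path (a similarly named navigation method) that skipped the zone and domain comparison; the defensive lesson is that every entry point that lets one window act on another must route through the same single check.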
A remote code execution vulnerability exists in Inseng.dll, the Install Engine. An attacker who successfully exploited this vulnerability could take complete control of the affected system.
The Install Engine is part of the Internet Explorer Active Setup technology. Active Setup allows an installation program to receive additional files from the Internet that are needed for program initialization.
A privilege elevation vulnerability exists in Internet Explorer because of the way that Internet Explorer handles Drag and Drop events. An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow an attacker to save a file on the user's system if a user visited a malicious Web site or viewed a malicious e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system. User interaction is required to exploit this vulnerability.
This vulnerability is caused by Drag and Drop technology improperly validating some Dynamic HTML (DHTML) events. This vulnerability permits a file to be downloaded to the user's system after the user clicks a link.
DHTML events are special actions that are provided by the DHTML Object Model.
A spoofing vulnerability exists in Internet Explorer's processing of URLs on Double Byte Character Set systems. This vulnerability could result in an incorrect URL being listed in the Address bar that is not the actual Web page that is displayed by Internet Explorer.
This vulnerability is caused by a canonicalization error that occurs when Internet Explorer parses special characters in an HTTP URL on Double Byte Character Set systems.
Double Byte Character Sets (DBCS) are an expanded 8-bit character set where the smallest unit is a byte. Some characters in a DBCS have a single byte code value and some have a double byte code value. A DBCS can be thought of as the ANSI character set for some Asian versions of Microsoft Windows.
A spoofing vulnerability exists in Internet Explorer's processing of Plug-in navigations. This vulnerability could result in an incorrect URL being listed in the Address bar that is not the actual Web page that is appearing in Internet Explorer.
This vulnerability is caused because of the way that Internet Explorer handles navigations from plug-ins.
Plug-ins are third-party components that extend the features of Internet Explorer. Examples of plug-ins include ActiveX controls.
A privilege elevation vulnerability exists in the way that Internet Explorer processes script in image tags. An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow an attacker to save a file on the user's system if a user visited a malicious Web site or viewed a malicious e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system. User interaction is required to exploit this vulnerability.
This vulnerability is caused by the way that Internet Explorer validates script in Image Tags.
A spoofing vulnerability exists in the way that Internet Explorer validates cached content from SSL protected Web sites. This vulnerability could allow an attacker to run script of their choice on security-enhanced Web sites.
When you visit a Web site and a yellow lock icon appears in the lower right corner of the browser window, the current session is protected by SSL.
This vulnerability is caused because of Internet Explorer's handling of cached SSL contents.