The Active Network

Layout and usability present themselves in good manners the only think I’d have to point out here is that a watches page will open in a new tab and that’s not what I like to see. best replica handbags You will not like the outcome for sure.rolex replica uses us I would not go for “huge” but definitely a place where you will find most of the variations you’d be looking for. leaderwatches.5-carat opal ring.” fake watches he deserved the opulence he maintained in his lifetime. replica watches The signature “Francesco” ablaze in white over the black paint of the bike’s tank was the main attraction or the mere fact that the bike is owned by the Pope in the first place.fake watches This Rolex GMT Master II is one of the good looking replica watches I’ve reviewed lately As you know I’m not one of the biggest Rolex replica watches lover as I prefer bigger cases on my watches and some slightly different looks. Tags: Knock off tag heuer Breguet replica watches,cn because of the.

Amazon.com

Microsoft Security Bulletins

Microsoft Security Bulletin (MS99-060) - Patch Available for "HTML Mail Attachment" Vulnerability

Date: December 22, 1999

Summary
Microsoft has released a patch that addresses two issues:
- It eliminates a security vulnerability in the Microsoft(r) Outlook Express mail client for Macintosh systems. The vulnerability could allow attachments to HTML mails to be automatically downloaded onto the user's computer.
- It provides replacements for several digital certificates that are included in Internet Explorer for Macintosh, and will expire on December 31, 1999.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/security/bulletins/MS99-060faq.asp.

Issue
There are two issues here. The first is a security vulnerability found in Outlook Express 5 for Macintosh. By design, when an HTML mail is received, the mail content is downloaded onto the user's machine and processed. However, attachments to the mail should not be downloaded unless the user requests it. A flaw in Outlook Express 5 for Macintosh causes it to download all content, including attachments. The vulnerability does not provide a way for a malicious user to launch the downloaded attachments.

The second issue involves several digital certificates that are included in Internet Explorer 4.5 for Macintosh. These certificates are due to expire on December 31, 1999. The patch provides updated certificates, and also adds support for X509 V3 certificates. There is no security vulnerability associated with this issue; Microsoft is simply providing the replacement certificates and X.509 V3 support as a community service.

It is important to note that both the security vulnerability and the certificate expiration issue affect only Outlook Express and Internet Explorer on the Macintosh; the Windows versions of these products are not affected.

Affected Software Versions
- Microsoft Internet Explorer 4.5 for Macintosh
- Microsoft Outlook Express 5.0 for Macintosh (available as a stand-alone product or bundled with Internet Explorer 5.0 for Macintosh)

Patch Availability
- http://www.microsoft.com/mac/download

NOTE: Additional security patches are available at the Microsoft Download Center (www.microsoft.com/downloads)

More Information
Please see the following references for more information related to this issue.

Microsoft Security Bulletin MS99-060: Frequently Asked Questions, http://www.microsoft.com/security/bulletins/MS99-060faq.asp.

- Internet Explorer 4.5 Security Issue, http://www.microsoft.com/mac/IESecIssue/default.asp.

- Microsoft Knowledge Base (KB) article Q249082, Outlook Express 5 for Macintosh Automatically downloads HTML Mail Attachments, http://support.microsoft.com/support/kb/articles/q249/0/82.asp.

Microsoft Security Advisor web site, http://www.microsoft.com/security/default.asp.

Obtaining Support on this Issue
This is a fully supported patch. Information on contacting Microsoft Technical Support is available at: http://support.microsoft.com/support/contact/default.asp


Microsoft Security Bulletin (MS99-061) - Patch Available for "Escape Character Parsing" Vulnerability

Date: December 21, 1999

Summary
Microsoft has released a patch that eliminates a vulnerability in Microsoft(r) Internet Information Server and products that run atop it. The vulnerability could allow files on a web server to be specified using an alternate representation, in order to bypass access controls of some third-party applications.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/security/bulletins/MS99-061faq.asp.

Issue
RFC 1738 specifies that web servers must allow hexadecimal digits to be input in URLs by preceding them with the so-called "escape" character, a percent sign. IIS complies with this specification, but also accepts characters after the percent sign that are not hexadecimal digits. Some of these translate to printable ASCII characters, and this could provide an alternate means of specifying files in URLs.

The vulnerability does not affect IIS; even specifying a file name via this alternate method does not bypass IIS' access controls. However, third-party software that runs atop IIS but does not perform canonicalization is affected by it.

Affected Software Versions
- Microsoft Internet Information Server 4.0
- Microsoft Site Server 3.0
- Microsoft Site Server Commerce Edition 3.0

Patch Availability
- Intel:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=16357

- Alpha:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=16358

NOTE: Additional security patches are available at the Microsoft Download Center (www.microsoft.com/downloads)

More Information
Please see the following references for more information related to this issue.

Microsoft Security Bulletin MS99-061: Frequently Asked Questions, http://www.microsoft.com/security/bulletins/MS99-061faq.asp.

- Microsoft Knowledge Base (KB) article Q246401, IIS may improperly parses specific escape characters, http://support.microsoft.com/support/kb/articles/q246/4/01.asp.

- RFC 1738, Uniform Resource Locators, http://www.ietf.org/rfc/rfc1738.txt.

Microsoft Security Advisor web site, http://www.microsoft.com/security/default.asp.

Obtaining Support on this Issue
This is a fully supported patch. Information on contacting Microsoft Technical Support is available at: http://support.microsoft.com/support/contact/default.asp


Microsoft Security Bulletin (MS99-058) - Patch Available for "Virtual Directory Naming" Vulnerability

Date: December 21, 1999

Summary
Microsoft has released a patch that eliminates a vulnerability in Microsoft(r) Internet Information Server and other products that run atop it. Under certain conditions, the vulnerability could cause a web server to send the source code of .ASP and other files to a visiting user.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/security/bulletins/MS99-058faq.asp.

Issue
If a file on one of the affected web server products resides in a virtual directory whose name contains a legal file extension, the normal server-side processing of the file can be bypassed. The vulnerability would manifest itself in different ways depending on the specific file type requested, the specific file extension in the virtual directory name, and the permissions that the requester has in the directory. In most cases, an error would result and the requested file would not be served. In the worse case, the source code of .ASP or other files could be sent to the browser.

This vulnerability would be most likely to occur due to administrator error, or if a product generated an affected virtual directory name by default. (Front Page Server Extensions is one such product). Recommended security practices militate against including sensitive information in .ASP and other files that require server-side processing, and if this recommendation is observed, there would be no sensitive information divulged even if this vulnerability occurred. In any event, an affected virtual directory could be identified during routine testing of the server.

Affected Software Versions
- Microsoft Internet Information Server 4.0
- Microsoft Site Server 3.0
- Microsoft Site Server Commerce Edition 3.0

Patch Availability
- Intel:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=16378

- Alpha:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=16379

NOTE: Additional security patches are available at the Microsoft Download Center (www.microsoft.com/downloads)

More Information
Please see the following references for more information related to this issue.

Microsoft Security Bulletin MS99-058: Frequently Asked Questions, http://www.microsoft.com/security/bulletins/MS99-058faq.asp.

- Microsoft Knowledge Base (KB) article Q238606, Page Contents Visible For Certain Virtual Directory Names, http://support.microsoft.com/support/kb/articles/q238/6/06.asp.

- Microsoft Knowledge Base (KB) article Q186803, Browsing Folders with Script-Mapped Extensions Returns Errors, http://support.microsoft.com/support/kb/articles/q186/8/03.asp.

Microsoft Security Advisor web site, http://www.microsoft.com/security/default.asp.

Obtaining Support on this Issue
This is a fully supported patch. Information on contacting Microsoft Technical Support is available at: http://support.microsoft.com/support/contact/default.asp


Microsoft Security Bulletin (MS99-059) - Patch Available for "Malformed TDS Packet Header" Vulnerability

Date: December 20, 1999

Summary
Microsoft has released a patch that eliminates a security vulnerability in Microsoft(r) SQL Server(r) 7.0. The vulnerability could cause a SQL server to crash.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/security/bulletins/MS99-059faq.asp.

Issue
If a specially-malformed TDS packet is sent to a SQL server, it can cause the SQL service to crash. This vulnerability would not allow any inappropriate access to the data on the server, nor would it allow a malicious user to usurp any administrative control on the machine. An affected machine could be put back into service by restarting the SQL service. This vulnerability could only be remotely exploited if port 1433 were open at the firewall.

Affected Software Versions
- Microsoft SQL Server 7.0

Patch Availability
- Intel:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=16923

- Alpha:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=16924

NOTE: This patch does not locate the SQL folder and install the patched files into it; instead, you must copy the three files contained in it to the MSSQL7/BINN folder.

NOTE: Additional security patches are available at the Microsoft Download Center (www.microsoft.com/downloads)

More Information
Please see the following references for more information related to this issue.

Microsoft Security Bulletin MS99-059: Frequently Asked Questions, http://www.microsoft.com/security/bulletins/MS99-059faq.asp.

- Microsoft Knowledge Base (KB) article Q248749, FIX: Possible Denial of Service Attack with Appropriate NULL Bytes in TDS Header, http://support.microsoft.com/support/kb/articles/q248/7/49.asp.

Microsoft Security Advisor web site, http://www.microsoft.com/security/default.asp.


Microsoft Security Bulletin (MS99-057) - Patch Available for "Malformed Security Identifier Request" Vulnerability

Date: December 16, 1999

Summary
Microsoft has released a patch that eliminates a vulnerability in Microsoft(r) Windows NT(r) 4.0. The vulnerability could allow a malicious user to cause a Windows NT machine to stop responding to requests for service. The patch for this vulnerability is included in the previously-released patch for the "Syskey Keystream Reuse" vulnerability; customers who have already applied it do not need to take any further action.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/security/bulletins/MS99-057faq.asp.

Issue
The Windows NT Local Security Authority (LSA) provides a number of functions for enumerating and manipulating security information. One of these functions, LsaLookupSids(), is used to determine the Security Identifier (SID) associated with a particular user or group name. A flaw in the implementation of this function causes it to incorrectly handle certain types of invalid arguments. If an affected call were made to this function, it would cause the LSA to crash, thereby preventing the machine from performing useful work.
An affected machine could be put back into service by rebooting, with the loss of any work that was in progress at the time. Remote attacks via this vulnerability would not be possible if NetBios is filtered at the firewall.

Affected Software Versions
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Server 4.0, Enterprise Edition
- Microsoft Windows NT Server 4.0, Terminal Server Edition

Patch Availability
- This fix for this vulnerability is included in the patch for the "Syskey Keystream Reuse" vulnerability. (See http://www.microsoft.com/Security/Bulletins/ms99-056.asp for more information on this vulnerability). Customers who have already applied it do not need to take any additional action.

NOTE: Additional security patches are available at the Microsoft Download Center (www.microsoft.com/downloads)

More Information
Please see the following references for more information related to this issue.

Microsoft Security Bulletin MS99-057: Frequently Asked Questions, http://www.microsoft.com/security/bulletins/MS99-057faq.asp.

- Microsoft Knowledge Base (KB) article Q248185, SID Enumeration Function in LSA may not Handle Argument Properly, http://support.microsoft.com/support/kb/articles/q248/1/85.asp.

- Microsoft Knowledge Base (KB) article Q143475, Windows NT System Key Permits Strong Encryption of the SAM, http://www.microsoft.com/Security/Bulletins/ms99-056.asp.

Microsoft Security Advisor web site, http://www.microsoft.com/security/default.asp.


Microsoft Security Bulletin (MS99-056) - "Syskey Keystream Reuse" Vulnerability

Date: December 16, 1999

Summary
Microsoft has released a patch that eliminates a vulnerability in Syskey, a utility that provides additional protection for Microsoft(r) Windows NT(r) password databases. The vulnerability allows a particular cryptanalytic attack to be effective against Syskey, significantly reducing the strength of the protection it offers. The patch eliminates the vulnerability and restores strong protection to the password database.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/security/bulletins/MS99-056faq.asp.

Issue
Syskey is a utility that strongly encrypts the hashed password information in the SAM database in order to protect it against offline password cracking attacks. However, Syskey reuses the keystream used to perform some of the encryption. This significantly reduces the strength of the protection it provides by enabling a well-known cryptanalytic attack to be used against it.
A patch is available that eliminates the key reuse vulnerability and again makes it computationally infeasible to mount a brute-force attack against the SAM database when Syskey has been applied.

Affected Software Versions
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Server 4.0, Enterprise Edition
- Microsoft Windows NT Server 4.0, Terminal Server Edition

Patch Availability
- X86
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=16798

- Alpha:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=16799

NOTE: Additional security patches are available at the Microsoft Download Center (www.microsoft.com/downloads)

More Information
Please see the following references for more information related to this issue.

Microsoft Security Bulletin MS99-056: Frequently Asked Questions, http://www.microsoft.com/security/bulletins/MS99-056faq.asp.

- Microsoft Knowledge Base (KB) article Q248183, Syskey Utility Reuses Keystream, http://support.microsoft.com/support/kb/articles/q248/1/83.asp.

- Microsoft Knowledge Base (KB) article Q143475, Windows NT System Key Permits Strong Encryption of the SAM, http://support.microsoft.com/support/kb/articles/q143/4/75.asp.

Microsoft Security Advisor web site, http://www.microsoft.com/security/default.asp.


Microsoft Security Bulletin (MS99-054) - Patch Available for "WPAD Spoofing" Vulnerability

Date: December 2, 1999

Summary
Microsoft has released a version upgrade that eliminates a vulnerability in Microsoft(r) Internet Explorer 5. Under very specific conditions, the vulnerability could allow a malicious user to provide proxy settings to web clients in another network.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/security/bulletins/MS99-054faq.asp.

Issue
The IE 5 Web Proxy Auto-Discovery (WPAD) feature enables web clients to automatically detect proxy settings without user intervention. The algorithm used by WPAD prepends the hostname "wpad" to the fully-qualified domain name and progressively removes subdomains until it either finds a WPAD server answering the hostname or reaches the third-level domain. For instance, web clients in the domain a.b.microsoft.com would query wpad.a.b.microsoft, wpad.b.microsoft.com, then wpad.microsoft.com. A vulnerability arises because in international usage, the third-level domain may not be trusted. A malicious user could set up a WPAD server and serve proxy configuration commands of his or her choice.

Affected Software Versions
- Microsoft Internet Explorer 5

Patch Availability
The vulnerability is eliminated by IE 5.01, which is available at:
- http://www.microsoft.com/windows/ie/download/all.htm?bShowPage

- http://www.microsoft.com/msdownload/iebuild/ie501_win32/en/ie501_win32.htm

More Information
Please see the following references for more information related to this issue.

Microsoft Security Bulletin MS99-054: Frequently Asked Questions, http://www.microsoft.com/security/bulletins/MS99-054faq.asp.

- Microsoft Knowledge Base (KB) article Q247333, Web Proxy Auto-Discovery "Spoofing" May Change Proxy Settings, http://support.microsoft.com/support/kb/articles/q247/7/33.asp.

- Web Proxy Auto-Discovery Protocol Internet Draft, http://ietf.org/internet-drafts/draft-ietf-wrec-wpad-01.txt.

Microsoft Security Advisor web site, http://www.microsoft.com/security/default.asp.


Microsoft Security Bulletin (MS99-053) - Patch Available for Windows "Multithreaded SSL ISAPI Filter" Vulnerability

Date: December 2, 1999

Summary
Microsoft has released a patch that eliminates a vulnerability in the SSL ISAPI filter that ships with Microsoft(r) Internet Information Server and is used by other Microsoft products. If called by a multi-threaded application under very specific, and fairly rare, circumstances, a synchronization error in the filter could allow a single buffer of plaintext to be transmitted back to the data's owner.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/security/bulletins/MS99-053faq.asp.

Issue
The SSL ISAPI filter provided as part of IIS supports concurrent use. When used in this mode, a synchronization problem could induce a race condition and cause a single buffer of plaintext to be leaked. The conditions under which this could happen are very rare, and could only occur when a single user's session was multi-threaded and traffic volumes were extremely high.

The scope of this vulnerability is very limited. The leaked plaintext would always be sent to its owner, never another user. Also, because the leaked data would fail its integrity check, the effect of the leak would be to cause the SSL session to immediately collapse. The condition could not be induced by a hostile user, and would offer at best a target of opportunity. Finally, it is worth noting that this vulnerability only affects the SSL ISAPI filter, not the secure communications capability provided by Windows NT via Schannel.

Affected Software Versions
- Microsoft IIS 4.0
- Microsoft Site Server 3.0
- Microsoft Site Server Commerce Edition 3.0

Patch Availability
- X86
http://www.microsoft.com/downloads/release.asp?ReleaseID=16186

- Alpha:
http://www.microsoft.com/downloads/release.asp?ReleaseID=16187

More Information
Please see the following references for more information related to this issue.

Microsoft Security Bulletin MS99-053: Frequently Asked Questions, http://www.microsoft.com/security/bulletins/MS99-053faq.asp.

- Microsoft Knowledge Base (KB) article Q244613, IIS 4.0 SSL ISAPI Filter Can Leak Single Buffer of Plaintext, http://support.microsoft.com/support/kb/articles/q244/6/13.asp.

Microsoft Security Advisor web site, http://www.microsoft.com/security/default.asp.


This site is not related to the Microsoft Corporation in any way. Windows and the Windows logo are trademarks of the Microsoft Corporation. ActiveWindows is an independent site. The information and sources here are obtained from series of hard work & research.