The Active Network

Replica watches for men Swiss replica rolex Replica watches Replica Rolex Fake Watches Replica Watch Replica watches Replica watch Replica rolex Replica watches Replica watches Replica watches Replica watches

Amazon.com

Microsoft Security Bulletins

 

Microsoft Security Bulletin (MS00-005)

Patch Available for "Malformed RTF Control Word" Vulnerability

Date: January 17, 2000

Summary
Microsoft has released a patch that eliminates a security vulnerability in the Rich Text Format (RTF) reader that ships as part of Microsoft(r) Windows(r) 95 and 98, and Windows NT(r) 4.0. Under certain conditions, the vulnerability could be used to cause email programs to crash.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/security/bulletins/MS00-005faq.asp.

Issue
RTF files consist of text and control information. The control information is specified via directives called control words. The default RTF reader that ships as part of many Windows platforms has an unchecked buffer in the portion of the reader that parses control words. If an RTF file contains a specially-malformed control word, it could cause the application to crash.

Microsoft believes that this is a denial of service vulnerability only, and that there is no capability to use this vulnerability to run arbitrary code. The most serious risk from this vulnerability would result if a user had preview mode enabled on a mail program like Outlook, and received an email that exploited the vulnerability. Because preview mode causes the mail to be parsed without user assent, the mail program would continue to crash until a subsequent mail was received or the mail program was started with preview mode disabled.

Affected Software Versions

  • Microsoft Windows 95
  • Microsoft Windows 98
  • Microsoft Windows 98 Second Edition
  • Microsoft Windows NT 4.0 Workstation
  • Microsoft Windows NT 4.0 Server
  • Microsoft Windows NT 4.0 Server, Enterprise Edition
  • Microsoft Windows NT 4.0 Server, Terminal Server Edition

NOTE: Windows 2000 is not affected by this vulnerability.

Patch Availability

Windows NT 4.0 Workstation, Windows NT 4.0 Server, and Windows NT 4.0 Server, Enterprise Edition:

Microsoft Windows NT 4.0 Server, Terminal Server Edition: To be released shortly.

NOTE: The Windows 95 and 98 versions of the patch will also be available via WindowsUpdate shortly. When this happens, we will modify the bulletin to note this fact.

NOTE: Additional security patches are available at the Microsoft Download Center (www.microsoft.com/downloads)

More Information
Please see the following references for more information related to this issue.

Obtaining Support on this Issue
This is a fully supported patch. Information on contacting Microsoft Technical Support is available at: http://support.microsoft.com/support/contact/default.asp


Microsoft Security Bulletin (MS00-003)

Patch Available for "Spoofed LPC Port Request" Vulnerability

Date: January 13, 2000

Summary
Microsoft has released a patch that eliminates a security vulnerability in Microsoft(r) Windows NT(r) 4.0. The vulnerability could allow a user logged onto a Windows NT 4.0 machine from the keyboard to become an administrator on the machine.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/security/bulletins/MS00-003faq.asp.

Issue
LPC Ports is a facility that allows LPC calls on a machine. One of the functions in the LPC Ports API set enables, by design, a server thread to impersonate a client thread on the same machine. However, a flaw in the validation portion of the function would allow a malicious user to create both the client and server threads, and manipulate the impersonation request to allow it to run in the context of any desired user on the local machine, including the System itself.

The primary risk from this vulnerability is that a malicious user could exploit this vulnerability to gain additional privileges on the local machine. However, it also could be used to cause audit logs to indicate that certain actions were taken by another user. A malicious user would require the ability to log onto the target machine interactively and run arbitrary programs in order to exploit this vulnerability, and as a result, workstations and terminal servers would be at greatest risk.

Affected Software Versions

  • Microsoft Windows NT 4.0 Workstation
  • Microsoft Windows NT 4.0 Server
  • Microsoft Windows NT 4.0 Server, Enterprise Edition
  • Microsoft Windows NT 4.0 Server, Terminal Server Edition

Patch Availability
Microsoft Windows NT 4.0 Workstation, Server and Server, Enterprise Edition:

Microsoft Windows NT 4.0 Server, Terminal Server Edition: To be released shortly. NOTE: Additional security patches are available at the Microsoft Download Center (www.microsoft.com/downloads)

More Information
Please see the following references for more information related to this issue.

Obtaining Support on this Issue
This is a fully supported patch. Information on contacting Microsoft Technical Support is available at: http://support.microsoft.com/support/contact/default.asp


Microsoft Security Bulletin (MS00-001)

Patch Available for "Malformed IMAP

Date: January 04, 2000

Summary
Microsoft has released a patch that eliminates a vulnerability in the Microsoft(r) Commercial Internet System (MCIS) Mail server. The vulnerability could allow a malicious user to remotely cause services on the server to fail, or cause arbitrary code to run on the server.

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/Security/Bulletins/00/ms00-001.asp.

Issue
The IMAP service included in MCIS Mail has an unchecked buffer. If a malformed request containing random data were passed to the service, it could cause the web publishing, IMAP, SMTP, LDAP and other services to crash. If the malformed request contained specially crafted data, it could also be used to run arbitrary code on the server via a classic buffer overrun attack.

Affected Software Versions

  • Microsoft Commercial Internet System 2.0 and 2.5.

Patch Availability

NOTE: Additional security patches are available at the Microsoft Download Center (www.microsoft.com/downloads)

More Information
Please see the following references for more information related to this issue.

Obtaining Support on this Issue
This is a fully supported patch. Information on contacting Microsoft Technical Support is available at: http://support.microsoft.com/support/contact/default.asp


This site is not related to the Microsoft Corporation in any way. Windows and the Windows logo are trademarks of the Microsoft Corporation. ActiveWindows is an independent site. The information and sources here are obtained from series of hard work & research.