Mssecure - 2001-11-09
Source: mssecure.cab
Data Updated: 11/9/2001
Data Version: 1.0.1.163
MSBA/Tool Version: 3.2
MS98-001 - Disabling Creation of Local Groups on a Domain by Non-Administrative Users
Posted: 1998/06/01
The ability for non-administrative users to create aliases on the domain could be abused if they create a large number of local groups in the domain and cause the size of the account database to grow without restrictions. Unlimited local group creation could crash the domain controller and lead to excessive network traffic due to the replication of local group information to backup domain controllers.
Q169556
Affected Products:
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 3
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
- Windows NT Server 4.0
- Windows NT4 Service Pack 3
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
Patch: CREATALS_x86.exe
MS98-002 - Error Message Vulnerability Against Secured Internet Servers
Posted: 1998/06/26
Due to the large number of messages needed, a Web site operator could detect an attack through observations such as abnormal network or CPU utilization.
Q148427
Affected Products:
- Internet Information Server 4.0
- Windows NT4 Service Pack 3
- Internet Information Server 3.0
- Windows NT4 Service Pack 3
- Exchange Server 5.5
- Exchange Server 5.5 Gold
- Exchange Server 5.5 SP1
Patch: ssl-fixi.exe
MS98-003 - File Access Issue with Windows NT Internet Information Server
Posted: 1998/07/02
The issue is a result of the way IIS parses file names. The fix involves IIS supporting NTFS alternate data streams by asking Windows NT to make the file name canonical.
Q188806
Affected Products:
- Internet Information Server 3.0
- Windows NT4 Service Pack 3
Patch: iis3fixi.exe
Q188806
Affected Products:
- Internet Information Server 4.0
- Windows NT4 Service Pack 3
- Personal Web Server 4.0
Patch: iis4fixi.exe
MS98-004 - Unauthorized ODBC Data Access with RDS and IIS
Posted: 1998/07/14
The risk of security vulnerability caused by the DataFactory is even greater if newer OLE DB Providers are installed on the server. "Microsoft DataShape Provider" and "Microsoft JET OLE DB provider" (which ship with MDAC 2.0 in Visual Studio? 98) allow shell commands to be executed. If the DataFactory is enabled on such a server, Internet clients can use these providers to execute shell commands, which can potentially bring down the server or otherwise severely affect its performance.
Q184375
Affected Products:
- Internet Information Server 4.0
- Windows NT4 Service Pack 3
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
- Internet Information Server 3.0
- Windows NT4 Service Pack 3
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
Patch: Q184375
MS98-005 - Unwanted Data Issue with Office 98 for the Macintosh
Posted: 1998/07/17
The Mac OS, like many other Operating System (OS) file systems does not erase files when you delete them, it simply removes a reference to them in the disk's catalog, and marks the space they occupied as free. Office 98 does not clear the disk space when the Mac OS allocates it during a File Save operation. Instead, Office 98 simply writes the file contents to the allocated disk space, overwriting any random data that physically existed on the disk. Since the Mac OS allocates the disk space in set chucks, called clusters, the small amount of unused space at the end of the file's last cluster may contain random data from previously deleted files. The data cannot be viewed when opened as a native Office file. However, an ASCII text editor can be used to view the extraneous data. The chance that sensitive data will be transferred through this bug is unlikely, since multiple unusual scenarios must occur.
Affected Products:
- Office 98 for Macintosh
- Office 98 for Macintosh Gold
Patch: 98-005
MS98-006 - Potential Denial-of-Service in IIS FTP Server due to Passive Connections
Posted: 1998/07/23
When multiple passive connections are made to a single FTP server through the PASV FTP command, it is possible to use up all available system threads for servicing clients. Once this happens, requests for additional connections will fail as discussed above, and will continue to fail until a client thread is again available. Further, the FTP and WWW services on a computer share a common thread pool, and exhausting the FTP thread pool will also cause a failure in connection requests for the WWW service.
Q189262
Affected Products:
- Internet Information Server 4.0
- Windows NT4 Service Pack 3
Patch: ftpfix4i.exe
Q189262
Affected Products:
- Internet Information Server 3.0
- Windows NT4 Service Pack 3
Patch: ftpfix3i.exe
MS98-007 - Potential SMTP and NNTP Denial-of-Service Vulnerabilities
Posted: 1998/07/24
This issue involves a denial of service vulnerability that can potentially be used by someone with malicious intent to unexpectedly cause multiple components of the Microsoft Exchange Server to stop.
Q188341
Affected Products:
- Exchange Server 5.0
- Exchange Server 5.0 SP1
- Exchange Server 5.0 SP2
Patch: psp2stri.exe
Q188341
Affected Products:
- Exchange Server 5.0
- Exchange Server 5.0 SP1
- Exchange Server 5.0 SP2
Patch: psp2imsi.exe
Q188341
Affected Products:
- Exchange Server 5.5
- Exchange Server 5.5 Gold
Patch: MS98-007
MS98-008 - Long file name Security Issue affecting Microsoft Outlook 98 and Microsoft Outlook Express 4.x
Posted: 1998/07/27
When the email client receives a malicious mail or news message that contains an attachment with a very long filename, it could cause the email client to shut down unexpectedly. These very long filenames do not normally occur in mail or news messages, and must be intentionally created by someone with malicious intent. A skilled hacker could use this malicious email message to run arbitrary computer code contained in the long string.
Affected Products:
- Outlook 98
- Outlook 98 Gold
Patch: outptch2.exe
Affected Products:
- Outlook Express 4.01
- Internet Explorer 4.01 SP1
- Internet Explorer 4.01 Gold
Patch: oelong
MS98-009 - Windows NT Privilege Elevation Attack
Posted: 1998/07/27
In this attack, a non-administrative user obtains administrative access to the system by virtue of being able to gain debug-level access on a system process.
Q190288
Affected Products:
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 3
- Windows NT Server 4.0
- Windows NT4 Service Pack 3
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 3
Patch: privfixi.exe
MS98-010 - Information on the Back Orifice Program
Posted: 1998/08/04
It is unclear from the author's statements what "Back Orifice" is intended to do. In the press release that accompanied its release, "Back Orifice" is alternately described as an administrative tool or as something that demonstrates some security vulnerability in the Windows platform. Potential threads: Remotely controlling and monitoring a computer running Windows Reading everything that the user types at the keyboard Capturing images that are displayed on the monitor Uploading and downloading files remotely Redirecting information to a remote Internet site
Affected Products:
- Windows 95
- Windows 95 Gold
- Windows 95 SR 2.1
- Windows 95 SR 2.5
- Windows 98
- Windows 98 Gold
- Windows 98 SP1
- Windows 98 SE
- Windows 98se Gold
Patch: MS98-010
MS98-011 - Window.External JScript Vulnerability in Microsoft Internet Explorer 4.0
Posted: 1998/08/17
Microsoft Internet Explorer 4.0, 4.01, and 4.01 SP1 use the JScript Scripting Engine version 3.1 to process scripts on a Web page. When Internet Explorer encounters a web page that uses JScript script to invoke the Window.External function with a very long string, Internet Explorer could terminate. Long strings do not normally occur in scripts and must be intentionally created by someone with malicious intent. A skilled hacker could use this malicious script message to run arbitrary computer code contained in the long string.
Q191200
Affected Products:
- Internet Explorer 4.01
- Internet Explorer 4.01 Gold
- Internet Explorer 4.01 SP1
- Internet Explorer 4.0
- Internet Explorer 4.0 Gold
Patch: jscript.asp
Posted: 1998/09/04
The Cross Frame Navigate issue involves a vulnerability in Internet Explorer that could allow a malicious hacker to circumvent certain Internet Explorer security safeguards. This vulnerability makes it possible for a malicious Web site operator to read the contents of files on your computer.
Q168485
Affected Products:
- Internet Explorer 4.01
- Internet Explorer 4.01 Gold
- Internet Explorer 4.01 SP1
- Internet Explorer 4.0
- Internet Explorer 4.0 Gold
Patch: xframe.asp
MS98-015 - Untrusted Scripted Paste Issue in Microsoft Internet Explorer 4.01
Posted: 1998/10/16
The "Untrusted Scripted Paste" issue involves a vulnerability in Internet Explorer that could allow a malicious web site operator to circumvent certain Internet Explorer security safeguards. This vulnerability makes it possible for the operator to read the contents of a file on the user's computer if he knows the exact name and path of the targeted file. This could also be used to view the contents of a file on the user's network, if the user has access to it and the malicious operator knows its direct path name
Q169245
Affected Products:
- Internet Explorer 4.01
- Internet Explorer 4.01 Gold
- Internet Explorer 4.01 SP1
Patch: paste.asp
MS98-016 - Dotless IP Address Issue in Microsoft Internet Explorer 4
Posted: 1998/10/23
The "Dotless IP Address" issue involves a vulnerability in Internet Explorer that could allow a malicious hacker to circumvent certain Internet Explorer security safeguards. This vulnerability makes it possible for a malicious web site operator to misrepresent the URL of an Internet web site and make it appear as if the machine is on the user's "Local Intranet Zone". Internet Explorer has the ability to set security settings differently between different zones. By this means, a malicious site could potentially perform actions that had been disabled in the Internet Zone or Restricted Sites Zone, but is permitted in the Local Intranet Zone
Q168617
Affected Products:
- Internet Explorer 4.01
- Internet Explorer 4.01 SP1
Patch: dotless.asp
MS98-019 - IIS GET Vulnerability
Posted: 1998/12/21
This vulnerability involves the HTTP GET method, which is used to obtain information from an IIS web server. Specially-malformed GET requests can create a denial of service situation that consumes all server resources, causing a server to "hang." In some cases, the server can be put back into service by stopping and restarting IIS; in others, the server may need to be rebooted.
Q192296
Affected Products:
- Internet Information Server 4.0
- Windows NT4 Service Pack 3
- Windows NT4 Service Pack 4
Patch: infget4i.exe
Q192296
Affected Products:
- Internet Information Server 3.0
- Windows NT4 Service Pack 4
Patch: infget3i.exe
MS98-018 - Excel CALL Vulnerability
Posted: 1998/12/10
Excel generates a warning to the user before running macros, including those containing the CALL function, and allows the user to decide whether or not to run them. However, Excel does not generate a warning before executing worksheet functions, and if used in this manner, CALL could be used to call an external DLL without a warning to the user. An attacker could exploit this functionality by embedding a CALL function within an Excel spreadsheet and sending it to an unwary user. The attacker would be able to control whether the CALL function fired when the victim opened the spreadsheet or when another event occurred.
Q196791
Affected Products:
- Office 97
- Office 97 SR-2/SR-2b
- Excel 97
- Office 97 SR-2/SR-2b
Patch: Xl8p9pkg
MS98-020 - Frame Spoof Vulnerability
Posted: 1998/12/23
This vulnerability exists because Internet Explorer's cross domain protection does not extend to navigation of frames. This makes it possible for a malicious web site to insert content into a frame within another web site's window. If done properly, the user might not be able to tell that the frame contents were not from the legitimate site, and could be tricked into providing personal data to the malicious site. Non-secure (HTTP) and secure (HTTPS) sites are equally at risk from this vulnerability.
Q167614
Affected Products:
- Internet Explorer 4.01
- Internet Explorer 4.01 SP1
Patch: spoof.asp
MS98-017 - Named Pipes Over RPC Vulnerability
Posted: 1998/11/19
The underlying problem is the way that Windows NT 4.0 attempts to shut down invalid named pipe RPC connections. An attacker could exploit this problem to create a denial of service condition by opening multiple named pipe connections and sending random data. When the RPC service attempts to close the invalid connections, the service consumes all CPU resources and memory use grows considerably, which may result in the system hanging. This is a denial of service vulnerability only; there is no risk of compromise or loss of data from the attacked system.
Q195733
Affected Products:
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 4
- Windows NT Server 4.0
- Windows NT4 Service Pack 4
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 4
Patch: nprpcfxi.exe
- ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP4/archive/nprpc-fix/
MS98-012 - Updates available for Security Vulnerabilities in Microsoft PPTP
Posted: 1998/08/18
The Microsoft implementation of PPTP uses MS-CHAP for user authentication and Microsoft Point-to-Point Encryption (MPPE) to protect the confidentiality of user data. Potential vulnerabilities addressed by these updates include: Dictionary attack against the LAN Manager authentication information Password theft PPTP server spoofing Reuse of MPPE session keys
Q154091
Affected Products:
- Windows 98
- Windows 98 Gold
- Windows 98 SP1
Patch: dun40.exe
Q154091
Affected Products:
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 3
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 3
- Windows NT Server 4.0
- Windows NT4 Service Pack 3
Patch: pptpfixi.exe
Q154091
Affected Products:
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 3
- Windows NT Server 4.0
- Windows NT4 Service Pack 3
Patch: rrasfixi.exe
Q154091
Affected Products:
- Windows 95
- Windows 95 Gold
- Windows 95 SR 2.1
- Windows 95 SR 2.5
Patch: msdun13.exe
MS98-014 - RPC Spoofing Denial of Service on Windows NT
Posted: 1998/09/29
It is possible for a malicious attacker to send spoofed RPC datagrams to UDP destination port 135 so that it appears as if one RPC server sent bad data to another RPC server. The second server returns a REJECT packet and the first server (the spoofed server) replies with another REJECT packet creating a loop that is not broken until a packet is dropped, which could take a few minutes. If this spoofed UDP packet is sent to multiple computers, a loop could possibly be created, consuming processor resources and network bandwidth
Q193233
Affected Products:
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 3
- Windows NT Server 4.0
- Windows NT4 Service Pack 3
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 3
Patch: snk-fixi.exe
Q193233
Affected Products:
- Windows NT Server 4.0, Terminal Server Edition
- Windows NT 4 Terminal Server Gold
Patch: Snk-fixi.exe
MS99-001 - Exposure in Forms 2.0 TextBox Control that allows data to be read from user's Clipboard
Posted: 1999/01/21
A malicious hacker could use the Forms 2.0 Control to read or export text on a user's Clipboard when that user visits a web site set up by the malicious hacker or opens a HTML email created by the malicious hacker.
Q214757
Affected Products:
- Office 97
- Office 97 SR-2/SR-2b
- Outlook 98
- Office 97 SR-2/SR-2b
- Project 98
- Office 97 SR-2/SR-2b
- Visual Basic 5.0
- Visual Basic 5.0 Gold
- Word 97
- Office 97 SR-2/SR-2b
- Excel 97
- Office 97 SR-2/SR-2b
- PowerPoint 97
- Office 97 SR-2/SR-2b
Patch: fm2paste.exe
MS99-002 - Word 97 Template Vulnerability
Posted: 1999/01/21
A standard safety feature of Word 97 is that it warns users when a document containing macros is opened; however, if that document does not itself contain macros, but rather is linked to a template that does contains macros, no warning is issued. A malicious hacker could exploit this vulnerability to cause malicious macro code to run without warning if a user opens a Word document attached to an email sent by the malicious hacker, or if the user opens a Word document on a web site controlled by the malicious hacker. This malicious macro could possibly be used to damage or retrieve data on a user's system.
Q214652
Affected Products:
- Word 97
- Office 97 SR-2/SR-2b
Patch: Wd97SP.EXE
MS99-003 - IIS Malformed FTP List Request Vulnerability
Posted: 1999/02/03
It is noteworthy that the "list" command is only available to users after they have authenticated to the server. As a result, only users who are authorized to use the server would be able to mount such an attack, and their presence on the server could be logged if the owner of the site chose to do so. However, many sites provide guest accounts, and this could allow a malicious user to attack the server anonymously.
Q188348
Affected Products:
- Internet Information Server 3.0
- Windows NT4 Service Pack 3
- Windows NT4 Service Pack 4
Patch: ftpls3i.exe
Q188348
Affected Products:
- Internet Information Server 4.0
- Windows NT4 Service Pack 3
- Windows NT4 Service Pack 4
Patch: ftpls4i.exe
MS99-007 - Taskpads Scripting Vulnerability
Posted: 1999/02/22
A vulnerability exists because certain methods provided by Taskpads are incorrectly marked as "safe for scripting" and can be misused by a web site operator to invoke executables on a visiting user's workstation without their knowledge or permission.
Q218619
Affected Products:
- Windows 98 Resource Kit
- Windows 98 Resource Kit Gold
- Windows 98 Resource Kit Sampler
- Windows 98 Resource Kit Sampler Gold
Patch: tmcpatch.exe
Q218619
Affected Products:
- BackOffice Resource Kit SE
- BackOffice Resource Kit SE Gold
Patch: itmcpatch.exe
MS99-010 - File Access Vulnerability in Personal Web Server
Posted: 1999/03/26
This vulnerability allows a file request that uses a non-standard URL to bypass the server's normal file access controls. The file must be specifically requested by name, so the requester would need to know the name of the file or correctly guess it. The vulnerability would allow files on the server to be read, but not changed or deleted, and would not allow new files to be written to the server.
Q216453 (FP98)
Affected Products:
- Personal Web Server 4.0
- Personal Web Server 4.0 Gold
Patch: Pwssecup.exe
Q216453 (FP98)
Affected Products:
- FrontPage 98 Personal Web Server 1.0
Patch: fppws98.exe
Q216453 (FP98)
Affected Products:
- FrontPage 97 Personal Web Server 1.0
- FrontPage 97 Personal Web Server 1.0 Gold
Patch: Q217765
MS99-005 - BackOffice Server 4.0 Does Not Delete Installation Setup File
Posted: 1999/02/12
When a user chooses to install SQL Server, Exchange Server or Microsoft Transaction Server as part of a BackOffice 4.0 installation, the BackOffice installer program requests the name and password for the accounts associated with these services. Specifically, it asks for the account name and password for the SQL Executive Logon account, the Exchange Services Account, and the MTS Remote Administration Account. These values are stored in %systemdrive>\Program Files\Microsoft Backoffice\Reboot.ini, and used to install the associated services. BackOffice Server does not erase this file when the installation process is completed. This is true regardless of whether the installation process completes successfully or unsuccessful
Q217004
Affected Products:
- BackOffice Server 4.0
Patch: Q217004
MS99-004 - Authentication Processing Error in Windows NT 4.0 Service Pack 4
Posted: 1999/02/08
The logic error in Service Pack 4 incorrectly allows a null "NT hash" value to be used for authentication from Windows NT systems. The result is that if a user account's password was last changed from a DOS, Windows 3.1, Windows for Workgroups, OS/2 or Macintosh client, a user can logon into that account from a Windows NT system using a blank password.By far the most likely machines to be affected by this vulnerability would be domain controllers running Windows NT 4.0 SP 4, in networks that contain any of the downlevel clients listed above. However, any server or workstation running Windows NT 4.0 SP 4 that contains a SAM database with active users who communicate from downlevel clients would be vulnerable to this problem.
Q214840
Affected Products:
- Windows NT Server 4.0
- Windows NT4 Service Pack 4
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 4
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 4
Patch: msv-fixi.exe
MS99-006 - Windows NT Known DLLs List Vulnerability
Posted: 1999/02/19
In Windows NT, core operating system DLLs are kept in virtual memory and shared between the programs running on the system. This is done to avoid having redundant copies of the DLLs in memory, and improves memory usage and system performance. When a program calls a function provided by one of these DLLs, the operating system references a data structure called the KnownDLLs list to determine the location of the DLL in virtual memory. The Windows NT security architecture protects in-memory DLLs against modification, but by default it allows all users to read from and write to the KnownDLLs list. This is the root problem underlying the vulnerability.A user can programmatically load into memory a malicious DLL that has the same name as a system DLL, then change the entry in the KnownDLLs list to point to the malicious copy. From that point forward, programs that request the system DLL will instead be directed to the malicious copy. When called by a program with sufficiently high privileges, it could take any desired action, such as adding the malicious user to the Administrators group.It is important to understand that the user must able to run exploitation code on a machine in order to elevate their privileges. There are two types of machines at risk:Machines that allow non-administrative users to interactively log on. Workstation and terminal servers typically do allow this, but, per standard security practices, most other servers only allow administrators to interactively log on.
Q218473
Affected Products:
- Windows NT Server 4.0
- Windows NT4 Service Pack 4
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 4
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 4
Patch: Smss-fixi
MS99-008 - Windows NT Screen Saver Vulnerability
Posted: 1999/03/12
Windows NT provides a screen saver feature, in which a user-selected screen saver program is run when the machine has been idle for a specified length of time. Windows NT initially launches a screen saver in the local system context, then immediately changes its security context to match that of the user. However, Windows NT does not check whether this context change was successfully made. This is the underlying problem in this vulnerability. If the context change can be made to fail, the screen saver will remain running in a highly-privileged state. The risk is that a malicious user could develop a screen saver program that, for example, uses the elevated privileges to add the author to the Administrators group.It is important to understand that the user must able to run exploitation code on a machine in order to elevate their privileges.
Q221991
Affected Products:
- Windows NT Server 4.0
- Windows NT4 Service Pack 4
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 4
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 4
Patch: ScrnSav-fix
MS99-009 - Malformed Bind Request Vulnerability
Posted: 1999/03/16
The Bind function in the Exchange 5.5 Directory Service has an unchecked buffer that poses two threats to safe operation. The first is a denial of service threat. A malformed Bind request could overflow the buffer, causing the Exchange Directory service to crash. The server would not need to be rebooted, but the Exchange Directory service, and possibly dependent services as well, would need to be restarted in order to resume messaging service. The second threat is more esoteric and would be far more difficult to exploit. A carefully-constructed Bind request could cause arbitrary code to execute on the server via a classic buffer overrun technique. Neither attack could occur accidentally.
Q221989
Affected Products:
- Exchange Server 5.5
- Exchange Server 5.5 SP2
Patch: PSP2DIRI.EXE
MS99-013 - File Viewers Vulnerability
Posted: 1999/05/07
Microsoft Site Server and Internet Information Server include tools that allow web site visitors to view selected files on the server. These are installed by default under Site Server, but must be explicitly installed under IIS. These tools are provided to allow users to view the source code of sample files as a learning exercise, and are not intended to be deployed on production web servers. The underlying problem in this vulnerability is that the tools do not restrict which files a web site visitor can view.
Q232449
Affected Products:
- Internet Information Server 4.0
- Windows NT4 Service Pack 5
Patch: fix2450i.exe
Q231368
Affected Products:
- Site Server 3.0, Commerce Edition
- Site Server 3.0 Gold
- Site Server 3.0 SP1
- Site Server 3.0 SP2
Patch: viewfixi.exe
MS99-015 - Malformed Help File Vulnerability
Posted: 1999/05/17
The Windows Help utility parses and displays help information for applications. The help information is contained in files of several types that are generated by the Help Compiler (part of the AppWizard utility), and is stored by default in the WINNT\help folder. By default, users can write to this folder. An unchecked buffer exists in the Help utility, and a help file that has been carefully modified could be used to execute arbitrary code on the local machine via a classic buffer overrun technique. Because the Help Compiler's output files do not generate the specific malformation at issue here, this vulnerability could not be accidentally exploited.
Q231605
Affected Products:
- Windows NT Server 4.0
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
Patch: winhlp-i.exe
MS99-016 - Malformed Phonebook Entry Vulnerability
Posted: 1999/05/20
The component of the RAS client that processes phonebook entries has an unchecked buffer. This results in a vulnerability that poses two threats to safe operation. The first is a denial of service threat; a malformed phonebook entry could overflow the buffer, causing the RAS client service to crash. The second is more esoteric and would be far more difficult to exploit. A carefully-constructed phonebook entry could cause arbitrary code to execute on the client via a classic buffer overrun technique. Neither variant could be exploited accidentally.It is important to stress that the vulnerability affects RAS client machines, not RAS servers, and that the user must have permission to add or modify phonebook entries in order to mount the attack. (Permissions can be set via the phonebook's ACL). The machines primarily at risk from this vulnerability are workstations that are configured to dial out to other systems, because servers, including terminal servers, are not typically configured to act as RAS clients. It also is important to note that this vulnerability would affect only the local machine; there is no capability to directly attack a remote machine via this vulnerability.
Q230677
Affected Products:
- Windows NT Server 4.0
- Windows NT4 Service Pack 5
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 5
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 5
Patch: rasffixi.exe
MS99-017 - RAS and RRAS Password Vulnerability
Posted: 1999/05/27
When the client software for Microsoft RAS or RRAS is used to dial into a server, a dialogue requests the user's userid and password for the server. On the same dialogue is a checkbox whose caption reads ";Save password"; and which is intended to provide the user with the option to cache their security credentials if desired. However, the implemented client functionality actually caches the user's credentials regardless of whether the checkbox is selected or de-selected.Cached security credentials, which include the password, are stored and encrypted in the registry and protected by ACLs whose default values authorize only local administrators and the owner of the credentials to access them. Windows NT 4.0 Service Pack 4 also provides the ability to strongly encrypts the password data stored in the registry using the SYSKEY feature
Q230681
Affected Products:
- Windows NT Server 4.0
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
Patch: raspassword-fix
Q233303
Affected Products:
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
- Windows NT Server 4.0
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
Patch: rpwdfixi.exe
MS99-020 - Malformed LSA Request Vulnerability
Posted: 1999/06/23
Windows NT provides the ability to manage user privileges programmatically via the Local Security Authority (LSA) API. The API allows a program to query user names, modify privileges, and change other elements of the security policy, subject to the program's authorizations. Calls to the LSA API can be made from either the local machine or remotely via RPC.Certain API methods do not correctly handle certain types of invalid arguments. The vulnerability is a denial of service threat only, and service can be restored by restarting the machine. There is no capability to use this vulnerability to obtain unauthorized services from LSA.
Q231457
Affected Products:
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 5
- Windows NT Server 4.0
- Windows NT4 Service Pack 5
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 5
Patch: lsareqi.exe
MS99-021 - CSRSS Worker Thread Exhaustion Vulnerability
Posted: 1999/06/23
If all worker threads in CSRSS.EXE are occupied awaiting user input, no other requests can be serviced, effectively causing the server to hang. When user input is provided, processing returns to normal.
Q233323
Affected Products:
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
- Windows NT Server 4.0
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
Patch: csrssfxi.exe
MS99-023 - Malformed Image Header Vulnerability
Posted: 1999/06/30
If an executable file with a specially-malformed image header is executed, it will cause a system failure. The affected machine will need to be rebooted in order to place it back in service. Any work that was in progress when the machine crashed could be lost.
Q234557
Affected Products:
- Windows NT Server 4.0
- Windows NT4 Service Pack 4
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 4
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 4
Patch: krnlifxi.exe
MS99-024 - Unprotected IOCTLs Vulnerability
Posted: 1999/07/06
On a terminal server, such a program could disable the keyboard and mouse on the console.
Q236359
Affected Products:
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
- Windows NT Server 4.0
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
Patch: ioctlfxi.exe
MS99-025 - Unauthorized Access to IIS Servers through ODBC Data Access with RDS
Posted: 1999/07/17
The RDS DataFactory object, a component of Microsoft Data Access Components (MDAC), exposes unsafe methods. When installed on a system running Internet Information Server 3.0 or 4.0, the DataFactory object may permit an otherwise unauthorized web user to perform privileged actions, including: Allowing unauthorized users to execute shell commands on the IIS system as a privileged user. On a multi-homed Internet-connected IIS system, using MDAC to tunnel SQL and other ODBC data requests through the public connection to a private back-end network. Allowing unauthorized accessing to secured, non-published files on the IIS system.
Q184375
Affected Products:
- Internet Information Server 4.0
- Windows NT4 Service Pack 3
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
- Internet Information Server 3.0
- Windows NT4 Service Pack 3
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
Patch: Q184375
MS99-026 - Malformed Dialer Entry Vulnerability
Posted: 1999/07/29
Dialer.exe has an unchecked buffer in the portion of the program that processes the dialer.ini file. This vulnerability could be used to run arbitrary code via a classic buffer overrun technique.The circumstances of this vulnerability require a fairly complicated attack scenario that limits its scope. Dialer.exe runs in the security context of the user, so it would not benefit an attacker to simply modify a dialer.ini file and run it, as he or she would not gain additional privileges. Instead, the attacker would need to modify the dialer.ini file of another user who had higher privileges, then wait for that user to run Dialer.Although the unchecked buffer is present in all versions of Windows NT 4.0, the attack scenario would result in workstations that have dial-out capability being chiefly at risk. The FAQ discusses this in greater det
Q237185
Affected Products:
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
- Windows NT Server 4.0
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
Patch: dialrfxi.exe
MS99-027 - Encapsulated SMTP Address Vulnerability
Posted: 1999/08/06
Exchange Server implements features designed to defeat "mail relaying", a practice in which an attacker causes an e-mail server to forward mail from the attacker, as though the server were the sender of the mail. However, a vulnerability exists in this feature, and could allow an attacker to circumvent the anti-relaying features in an Internet-connected Exchange Server. The vulnerability lies in the way that site-to-site relaying is performed via SMTP. Encapsulated SMTP addresses could be used to send mail to any desired e-mail address.
Q237927
Affected Products:
- Exchange Server 5.5
- Exchange Server 5.5 SP2
Patch: psp2imci.zip
MS99-028 - Terminal Server Connection Request Flooding Vulnerability
Posted: 1999/08/09
When a request to open a new terminal connection is received by a Terminal Server, the server undertakes a resource-intensive series of operations to prepare for the connection. It does this before authenticating the request. This would allow an attacker to mount a denial of service attack by levying a large number of bogus connection requests and consuming all memory on the Terminal Server. This vulnerability could be exploited remotely if connection requests are not filtered. In extreme cases, the server could crash in the face of such an attack; in other cases, normal processing would return when the attack ceased. The patch works by causing the server to require authentication before processing the connection request.
Q228724
Affected Products:
- Windows NT Server 4.0, Terminal Server Edition
- Windows NT4 Terminal Server Service Pack 4
- Windows NT4 Terminal Server Service Pack 5
Patch: tsmemfxi.exe
MS99-029 - Malformed HTTP Request Header Vulnerability
Posted: 1999/08/11
If multiple HTTP requests containing specially-malformed headers are sent to an affected server, IIS may consume all memory on the server. If this happens, IIS would be unable to service requests until either the clients that issued the requests were closed, or the IIS service were stopped and restarted. Once either of these actions have occurred, normal service would be restored.
Q238606
Affected Products:
- Internet Information Server 4.0
- Windows NT4 Service Pack 3
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
Patch: vdext4i.exe
MS99-031 - Virtual Machine Sandbox Vulnerability
Posted: 1999/08/25
The version of the Microsoft VM that ships with Microsoft Internet Explorer 4.0 and Internet Explorer 5.0 contains a security vulnerability that could allow a Java applet to operate outside the bounds set by the sandbox and take any desired action on the user's computer. If such an applet were hosted on a web site, it could act against the computer of any user who visited the site.
Q240346
Affected Products:
- Microsoft Virtual Machine (VM)
- Microsoft Virtual Machine (VM) Gold
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 3
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 3
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
- Windows NT Server 4.0
- Windows NT4 Service Pack 3
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
- Windows 95
- Windows 95 Gold
- Windows 95 SR 2.1
- Windows 98
- Windows 98 Gold
- Windows 98 SP1
- Windows 98 SE
- Windows 98se Gold
- Internet Explorer 4.0
- Internet Explorer 4.0 Gold
- Internet Explorer 4.01 SP1
- Internet Explorer 4.01 SP2
- Internet Explorer 5
- Internet Explorer 5 Gold
Patch: msjavx86.exe
MS99-034 - Fragmented IGMP Packet Vulnerability
Posted: 1999/09/03
By sending fragmented IGMP packets to a Windows 95, 98 or Windows NT 4.0 machine, it is possible to disrupt the normal operation of the machine. This vulnerability primarily affects Windows 95 and 98 machines. Depending on a variety of factors, sending such packets to a Windows 95 or 98 machine may elicit behavior ranging from slow performance to crashing.Windows NT contains the same vulnerability, but other system mechanisms compensate and make it much more difficult to mount a successful attack.
Q238329
Affected Products:
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
- Windows NT Server 4.0
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
Patch: igmpfixi.exe
Q238329
Affected Products:
- Windows NT Server 4.0, Terminal Server Edition
- Windows NT4 Terminal Server Service Pack 4
- Windows NT4 Terminal Server Service Pack 5
Patch: Igmpfixi.exe
Q238329
Affected Products:
- Windows 95
- Windows 95 Gold
- Windows 95 SR 2.1
- Windows 95 SR 2.5
Patch: 238453US5.exe
Q238329
Affected Products:
- Windows 98
- Windows 98 Gold
- Windows 98 SP1
- Windows 98 SE
- Windows 98se Gold
Patch: 238453US8.EXE
MS99-036 - Windows NT 4.0 Does Not Delete Unattended Installation File
Posted: 1999/09/10
When an unattended installation of Windows NT 4.0 is performed, the installation parameters are included in a file named Unattend.txt. A vulnerability exists because the installation process copies the parameter file to a file in %windir%\system32 ($winnt$.inf for a normal unattended installation, or $nt4pre$.inf if Sysprep was used) but does not delete it when the installation completes. By default, this file can be read by any user who can perform an interactive logon. If sensitive information such as account passwords were provided in the installation parameters file, the information could be compromised
Q155197
Affected Products:
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 3
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
- Windows NT Server 4.0
- Windows NT4 Service Pack 3
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 3
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
- Windows NT Server 4.0, Terminal Server Edition
- Windows NT4 Terminal Server Service Pack 6
- Windows NT4 Terminal Server Service Pack 4
- Windows NT4 Terminal Server Service Pack 5
Patch: MS99-036
MS99-038 - Spoofed Route Pointer Vulnerability
Posted: 1999/09/20
Windows NT 4.0 Service Pack 5 introduced the ability to disable source routing on a multi-homed Windows NT machine that acts as a router. However, even if source routing is disabled, it is possible to bypass it by including a specific type of incorrect information within the route pointer in the data packet. Windows 95 and 98 also provide this capability, and are affected by the same vulnerability. The patch restores correct operation to the anti-source routing feature. In addition, it provides additional functionality that enables source routing to be disabled on single-homed machines and on multi-homed machines that are not used as routers.
Q238453
Affected Products:
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 5
- Windows NT Server 4.0
- Windows NT4 Service Pack 5
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 5
Patch: ipsrfixi.exe
MS99-039 - Domain Resolution and FTP Download Vulnerabilities
Posted: 1999/09/23
IIS 4.0 provides the ability to restrict access to a web site based on the user's domain. However, if IIS cannot resolve a user's IP address to a domain, it will grant the user's first request for a session. It will correctly deny them thereafter. This vulnerability affects IIS 4.0 only; it does not any other Microsoft product, including MCIS. A user who accesses an FTP site via a browser will be able to download files even if they are marked No Access. This vulnerability is due to a regression error that was introduced in hotfixes released after Windows NT 4.0 Service Pack 5; it does not exist in SP5 or in previous versions. This vulnerability affects both IIS 4.0 and MCIS 2.5, but no other Microsoft products.
Q241805
Affected Products:
- Internet Information Server 4.0
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
Patch: iprftp4i.exe
Q241805
Affected Products:
- Microsoft Commercial Internet System 2.5
- Microsoft Commercial Internet System 2.5 Gold
Patch: q242559.exe
MS99-041 - RASMAN Security Descriptor Vulnerability
Posted: 1999/09/30
A malicious user could substitute arbitrary code for the legitimate service, which then would run in a System Context.
Q242294
Affected Products:
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
- Windows NT Server 4.0
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
- Windows NT Server 4.0, Terminal Server Edition
- Windows NT4 Terminal Server Service Pack 6
- Windows NT4 Terminal Server Service Pack 5
Patch: fixrasi.exe
MS99-045 - Virtual Machine Verifier Vulnerability
Posted: 1999/10/21
The version of the Microsoft VM that ships with Microsoft Internet Explorer 4.0 and Internet Explorer 5.0 contains a security vulnerability in the bytecode verifier that could allow a Java applet to operate outside the bounds set by the sandbox. If hosted on a web site, it could cause any action to be taken on the computer of a visiting user that the user himself could take. This could include, for example, creating, deleting or modifying files, sending data to or receiving data from a web site, or reformatting the hard drive.
Q244283
Affected Products:
- Microsoft Virtual Machine (VM)
- Microsoft Virtual Machine (VM) Gold
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 3
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 3
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
- Windows NT Server 4.0
- Windows NT4 Service Pack 3
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
- Windows 95
- Windows 95 Gold
- Windows 95 SR 2.1
- Windows 98
- Windows 98 Gold
- Windows 98 SP1
- Windows 98 SE
- Windows 98se Gold
- Internet Explorer 4.0
- Internet Explorer 4.0 Gold
- Internet Explorer 4.01 SP1
- Internet Explorer 4.01 SP2
- Internet Explorer 5
- Internet Explorer 5 Gold
Patch: msjavx86.exe
MS99-046 - Improve TCP Initial Sequence Number Randomness
Posted: 1999/10/22
The ISNs used in TCP/IP sessions should be as random as possible in order to prevent attacks such as IP address spoofing and session hijacking. This patch improves the randomness of the Windows NT 4.0 TCP/IP ISN generation, providing 15 bits of entropy.
Q243835
Affected Products:
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
- Windows NT Server 4.0
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
Patch: q243835sp5i.exe
Q243835
Affected Products:
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 6a
- Windows NT Server 4.0
- Windows NT4 Service Pack 6a
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 6a
Patch: q243835i.exe
Q243835
Affected Products:
- Windows NT Server 4.0, Terminal Server Edition
- Windows NT4 Terminal Server Service Pack 4
- Windows NT4 Terminal Server Service Pack 5
Patch: Q243835i.EXE
MS99-047 - Malformed Spooler Request Vulnerability
Posted: 1999/11/04
Certain APIs in the Windows NT 4.0 print spooler subsystem have unchecked buffers. If an affected API were provided with random data as input, it could crash the print spooler service. If it were provided with a specially-malformed argument, it could be used to run arbitrary code on the server via a classic buffer overrun attack. The majority of the affected APIs require the caller to be a member of the Power Users or Administrators group; however, at least one is callable by normal users. None of the calls could be made by anonymous users, but the calls could be made remotely.A second vulnerability exists because incorrect permissions would allow a normal user to specify his or her own code as a print provider. Because print providers run in a local System context, this would allow the user to gain additional privileges on the local machine.
Q243649
Affected Products:
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
- Windows NT Server 4.0
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
Patch: Q243649.exe
MS99-050 - Server-side Page Reference Redirect Vulnerability
Posted: 1999/12/08
Under favorable timing conditions, it is possible for a web server to create a reference to a client window that the server is permitted to view, then use a server-side redirect to a client-local file, and bypass the security restrictions. The result is that it could be possible for a malicious web site operator to view files on the computer of a visiting user.
Q246094
Affected Products:
- Internet Explorer 4.01
- Internet Explorer 4.01 SP2
Patch: q246094.exe
Q256094
Affected Products:
- Internet Explorer 5
- Internet Explorer 5 Gold
Patch: Q246094.exe
MS99-055 - Malformed Resource Enumeration Argument Vulnerability
Posted: 1999/12/09
The primary effect of the failure is to cause named pipes to fail, which prevents many other system services from operating.
Q246045
Affected Products:
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 6a
- Windows NT Server 4.0
- Windows NT4 Service Pack 6a
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 6a
Patch: Q246045.EXE
MS99-056 - Syskey Keystream Reuse Vulnerability
Posted: 1999/12/16
Syskey is a utility that strongly encrypts the hashed password information in the SAM database in order to protect it against offline password cracking attacks. However, Syskey reuses the keystream used to perform some of the encryption. This significantly reduces the strength of the protection it provides by enabling a well-known cryptanalytic attack to be used against it.
Q248183
Affected Products:
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
- Windows NT Server 4.0
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
Patch: Q248183.EXE
MS99-057 - Malformed Security Identifier Request Vulnerability
Posted: 1999/12/16
The Windows NT Local Security Authority (LSA) provides a number of functions for enumerating and manipulating security information. One of these functions, LsaLookupSids(), is used to determine the Security Identifier (SID) associated with a particular user or group name. A flaw in the implementation of this function causes it to incorrectly handle certain types of invalid arguments. If an affected call were made to this function, it would cause the LSA to crash, thereby preventing the machine from performing useful work.
Q248183
Affected Products:
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
- Windows NT Server 4.0
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
Patch: Q248183.EXE
MS00-001 - Malformed IMAP Request Vulnerability
Posted: 2000/01/04
The IMAP service included in MCIS Mail has an unchecked buffer. If a malformed request containing random data were passed to the service, it could cause the web publishing, IMAP, SMTP, LDAP and other services to crash. If the malformed request contained specially crafted data, it could also be used to run arbitrary code on the server via a classic buffer overrun attack.
Q246731
Affected Products:
- Microsoft Commercial Internet System 2.0
- Microsoft Commercial Internet System 2.0 Gold
- Microsoft Commercial Internet System 2.5
- Microsoft Commercial Internet System 2.5 Gold
Patch: q246731engi.EXE
MS00-002 - Malformed Conversion Data Vulnerability
Posted: 2000/01/20
Microsoft Office includes a conversion utility that converts older Word documents to more recent formats. The conversion utility for Word 5 documents in East Asian languages (Japanese, Korean, Simplified Chinese and Traditional Chinese) has an unchecked buffer. By using a hexadecimal editor to insert specially malformed information into a document, a malicious user could cause Word to run code of his or her choice when the document was opened using an affected version of the converter.
Q249881
Affected Products:
- Word 98
- Word 98 Gold
- PowerPoint 98
- PowerPoint 98 Gold
- Word 97
- Word 97 Gold
Patch: WW5Pkg.exe
Q249881
Affected Products:
- Word 2000
- Word 2000 Gold
- PowerPoint 2000
- PowerPoint 2000 Gold
Patch: WW5pkg.exe
MS00-003 - Spoofed LPC Port Request Vulnerability
Posted: 2000/01/12
The primary risk from this vulnerability is that a malicious user could exploit this vulnerability to gain additional privileges on the local machine. However, it also could be used to cause audit logs to indicate that certain actions were taken by another user. A malicious user would require the ability to log onto the target machine interactively and run arbitrary programs in order to exploit this vulnerability, and as a result, workstations and terminal servers would be at greatest risk.
Q247869
Affected Products:
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
- Windows NT Server 4.0
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
Patch: Q247869i.EXE
MS00-004 - RDISK Registry Enumeration File Vulnerability
Posted: 2000/01/21
The RDISK utility is used to create an Emergency Repair Disk (ERD) in order to record machine state information as a contingency against system failure. During execution, RDISK creates a temporary file containing an enumeration of the registry. The ACLs on the file allow global read permission, and as a result, a malicious user who knew that the administrator was running RDISK could open the file and read the registry enumeration information as it was being created. RDISK erases the file upon successful completion, so under normal conditions there would be no lasting vulnerability.By default, the file is not shared and therefore could not be read by other network user
Q249108
Affected Products:
- Windows NT Server 4.0
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
- Windows NT4 Terminal Server Service Pack 4
Patch: Q249108i.exe
Q249108
Affected Products:
- Windows NT Server 4.0, Terminal Server Edition
- Windows NT4 Terminal Server Service Pack 6
Patch: q249108i.EXE
MS00-005 - Malformed RTF Control Word Vulnerability
Posted: 2000/01/17
The default RTF reader that ships as part of many Windows platforms has an unchecked buffer in the portion of the reader that parses control words. If an RTF file contains a specially-malformed control word, it could cause the application to crash.
Q249973
Affected Products:
- Windows NT Server 4.0
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
Patch: Q249973i.EXE
Q249973
Affected Products:
- Windows 95
- Windows 95 Gold
- Windows 95 SR 2.5
- Windows 95 SR 2.1
Patch: 249973USA5.exe
Q249973
Affected Products:
- Windows 98
- Windows 98 Gold
- Windows 98 SP1
- Windows 98 SE
- Windows 98se Gold
Patch: 249973USA8.exe
MS00-006 - Malformed Hit-Highlighting Argument Vulnerability
Posted: 2000/01/26
The first vulnerability is the "Malformed Hit-Highlighting Argument" vulnerability. The ISAPI filter that implements the hit-highlighting (also known as "WebHits") functionality does not adequately constrain what files can be requested. By providing a deliberately-malformed argument in a request to hit-highlight a document, it is possible to escape the virtual directory. This would allow any file residing on the server itself, and on the same logical drive as the web root directory, to be retrieved regardless of permissions. This variant could allow the source of server-side files such as .ASP files to be read. The new variant affects only Index Server 2.0, and Windows 2000 customers who applied the original patch were never at risk from it. The second vulnerability involves the error message that is returned when a user requests a non-existent Internet Data Query file. The error message provides the physical path to the web directory that was contained in the request. Although this vulnerability would not allow a malicious user to alter or view any data, it could be a valuable reconnaissance tool for mapping the file structure of a web server. This variant could allow a malicious user to read files. The variant was eliminated by the original patch, and customers who applied the original version of the patch were never at risk from it. Indexing Services in Windows 2000 is affected only by the "Malformed Hit-Highlighting" vulnerability - it is not affected by the second vulnerability.
Q251170
Affected Products:
- Indexing Services for Windows 2000
- Windows 2000 Gold
- Internet Information Services 5.0
- Windows 2000 Gold
- Windows 2000 Professional
- Windows 2000 Gold
- Windows 2000 Server
- Windows 2000 Gold
- Windows 2000 Advanced Server
- Windows 2000 Gold
- Windows 2000 Datacenter Server
- Windows 2000 Gold
Patch: Q251170_W2K_SP1_X86_en.EXE
Q252463
Affected Products:
- Internet Information Server 4.0
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
- Index Server 2.0
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
Patch: Q252463i.EXE
MS00-007 - Recycle Bin Creation Vulnerability
Posted: 2000/02/01
The Windows NT Recycle Bin for a given user maps to a folder, whose name is based on the owner's SID. The folder is created the first time the user deletes a file, and the owner is given sole permissions to it. However, if a malicious user could create the folder before the bona fide one were created, he or she could assign any desired permissions to it. This would allow him or her to create, modify or delete files in the Recycle Bin
Q248399
Affected Products:
- Windows NT Server 4.0
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
Patch: q248399i.exe
MS00-008 - Registry Permissions Vulnerability
Posted: 2000/03/09
This vulnerability involves three sets of registry keys whose default permissions are too permissive. These permissions could allow a malicious user who could interactively log onto a target machine (or,in one case, access an affected machine from the network) to: . Cause code to run in a local system context. . Cause code to run the next time another user logged onto the same machine. . Disable the security protection for a previously-reported vulnerability.
Q259496
Affected Products:
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 4
- Windows NT Server 4.0
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 4
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 4
- Windows NT Server 4.0, Terminal Server Edition
- Windows NT4 Terminal Server Service Pack 6
Patch: Q259496i.exe
MS00-011 - VM File Reading Vulnerability
Posted: 2000/02/18
The version of the Microsoft VM that ships with Microsoft Internet Explorer 4.x and Internet Explorer 5.x contains a security vulnerability that could allow a Java applet to operate outside the bounds set by the sandbox. A malicious user could write a Java applet that could read - but not change, delete or add - files from the computer of a person who visited his site or read web content from inside an intranet if the malicious site is visited by a computer from within that intranet.
Q253562
Affected Products:
- Microsoft Virtual Machine (VM)
- Microsoft Virtual Machine (VM) Gold
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 3
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 3
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
- Windows NT Server 4.0
- Windows NT4 Service Pack 3
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
- Windows 95
- Windows 95 Gold
- Windows 95 SR 2.1
- Windows 95 SR 2.5
- Windows 98
- Windows 98 Gold
- Windows 98 SP1
- Windows 98 SE
- Windows 98se Gold
- Windows Me
- Windows Me Gold
Patch: msjavx86.exe
Q287030
Affected Products:
- Microsoft Virtual Machine (VM)
- Windows 2000 Service Pack 1
- Windows 2000 Datacenter Server
- Windows 2000 Service Pack 1
- Windows 2000 Advanced Server
- Windows 2000 Service Pack 1
- Windows 2000 Professional
- Windows 2000 Service Pack 1
- Windows 2000 Server
- Windows 2000 Service Pack 1
Patch: Q287030_W2K_SP2_x86_en.EXE
MS00-021 - Malformed TCP/IP Print Request Vulnerability
Posted: 2000/03/30
A specially-malformed print request could cause TCPSVC.EXE to crash, which would not only prevent the server from providing printing services, but also would stop several other services, most importantly DHCP.
Q257870
Affected Products:
- Windows NT Server 4.0
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
Patch: Q257870i.EXE
Q257870
Affected Products:
- Windows 2000 Advanced Server
- Windows 2000 Gold
- Windows 2000 Server
- Windows 2000 Gold
- Windows 2000 Professional
- Windows 2000 Gold
- Windows 2000 Datacenter Server
- Windows 2000 Gold
Patch: Q257870_W2K_SP1_x86_en.EXE
MS00-020 - Desktop Separation Vulnerability
Posted: 2000/06/15
By design, processes are constrained to run within a windows station, and the threads in the process run in one or more desktops. A process in one windows station should not be able to access desktops belonging to another windows station. However, due to an implementation error, this could happen under very specific circumstances. This could allow a process belonging to a low-privilege user to view inputs or output that belong to another desktop within the same session, and potentially obtain information such as passwords
Q260197
Affected Products:
- Windows 2000 Server
- Windows 2000 Gold
- Windows 2000 Advanced Server
- Windows 2000 Gold
- Windows 2000 Professional
- Windows 2000 Gold
- Windows 2000 Datacenter Server
- Windows 2000 Gold
Patch: q260197_w2k_sp1_x86_en.exe
MS00-026 - Mixed Object Access Vulnerability
Posted: 2000/04/20
Active Directory allows for access control of directory objects on a per-attribute basis. However, the vulnerability at issue here could allow a malicious user to modify object attributes that he does not have permission to modify, as long as he combined the operation in a particular way with ones involving attributes that he does have permission to modify.The vulnerability does not afford the malicious user an opportunity to modify all objects in a class ? only the specific class objects for which he has permission to modify at least one attribute. Further, the vulnerability provides no capability to bypass normal authentication or Windows 2000 auditing, so administrators could determine if this vulnerability were being exploited, and by wh
Q259401
Affected Products:
- Windows 2000 Server
- Windows 2000 Gold
- Windows 2000 Advanced Server
- Windows 2000 Gold
- Windows 2000 Datacenter Server
- Windows 2000 Gold
Patch: q259401_w2k_sp1_x86_en.exe
MS00-027 - Malformed Environment Variable Vulnerability
Posted: 2000/04/20
CMD.EXE, the command processor for Windows NT 4.0 and Windows 2000, has an unchecked buffer in part of the code that handles environment strings. It could be used to mount denial of service attacks in certain cases. If a server provides batch or other script files, a malicious user could potentially provide arguments that would create an extremely large environment string and overflow the buffer. This would cause the process to fail, and the memory allocated to the process would not be made available again until a dialogue had been cleared on the operator's console. By repeatedly running the batch file, the malicious user could potentially make some or all of the memory on the server temporarily unavailabl
Q259622
Affected Products:
- Windows NT Server 4.0
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 6a
Patch: q259622i.exe
Q296441
Affected Products:
- Windows 2000 Professional
- Windows 2000 Gold
- Windows 2000 Server
- Windows 2000 Gold
- Windows 2000 Advanced Server
- Windows 2000 Gold
- Windows 2000 Datacenter Server
- Windows 2000 Gold
Patch: q259622_w2k_sp1_x86_en.exe
MS00-029 - IP Fragment Reassembly Vulnerability
Posted: 2000/05/19
The affected systems contain a flaw in the code that performs IP fragment reassembly. If a continuous stream of fragmented IP datagrams with a particular malformation were sent to an affected machine, it could be made to devote most or all of its CPU availability to processing them. The data rate needed to completely deny service varies depending on the machine and network conditions, but in most cases even relatively moderate rates would suffice.The vulnerability would not allow a malicious user to compromise data on the machine or usurp administrative control over it. Although it has been reported that the attack in some cases will cause an affected machine to crash, affected machines in all Microsoft testing returned to normal service shortly after the fragments stopped arriving. Machines protected by a proxy server or a firewall that drops fragmented packets would not be affected by this vulnerability. The machines most likely to be affected by this vulnerability would be machines located on the edge of a network such as web servers or proxy servers
Q259728
Affected Products:
- Windows NT Server 4.0
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
Patch: Q259728i.EXE
Q259728
Affected Products:
- Windows 2000 Professional
- Windows 2000 Gold
- Windows 2000 Server
- Windows 2000 Gold
- Windows 2000 Advanced Server
- Windows 2000 Gold
Patch: Q259728_W2K_SP1_x86_en.EXE
Q259728
Affected Products:
- Windows NT Server 4.0, Terminal Server Edition
- Windows NT4 Terminal Server Service Pack 6
Patch: q259728i.EXE
Q259728
Affected Products:
- Windows 95
- Windows 95 Gold
- Windows 95 SR 2.1
- Windows 95 SR 2.5
Patch: 259728USA5.EXE
Q259728
Affected Products:
- Windows 98
- Windows 98 Gold
- Windows 98 SP1
- Windows 98 SE
- Windows 98se Gold
Patch: 259728USA8.EXE
MS00-032 - Protected Store Key Length Vulnerability
Posted: 2000/06/01
By design, the Protected Store should always encrypt the information using the strongest cryptography available on the machine. An attacker would need to gain complete administrative control over the machine that houses the Protected Store in order to gain access to it, and even then would still need to mount a brute-force cryptographic attack against it.
Q260219
Affected Products:
- Windows 2000 Server
- Windows 2000 Gold
- Windows 2000 Advanced Server
- Windows 2000 Gold
- Windows 2000 Professional
- Windows 2000 Gold
- Windows 2000 Datacenter Server
- Windows 2000 Gold
Patch: q260219_w2k_sp1_x86_en.exe
MS00-036 - ResetBrowser Frame and Host Announcement Frame Vulnerabilities
Posted: 2000/05/25
The two vulnerabilities are:The "ResetBrowser Frame" vulnerability, which affects both Windows NT 4.0 and Windows 2000. Like most implementations, the Windows implementation provides the ability for a Master Browser to shut down other browsers via the ResetBrowser frame. However, there is no capability to configure a browser to ignore ResetBrowser frames. This could allow a malicious user to shut down browsers on his subnet as a denial of service attack against the browser service, or, in the worst case, to shut down all browsers and declare his machine the new Master Browser.The "HostAnnouncement Flooding" vulnerability, which does not affect Windows 2000. Because there is no means of limiting the size of the browse table in Windows NT 4.0, a malicious user could send a huge number of bogus HostAnnouncement frames to a Master Browser. The resulting replication traffic could consume The "ResetBrowser Frame" vulnerability, which affects both Windows NT 4.0 and Windows 2000. Like most implementations, the Windows implementation provides the ability for a Master Browser to shut down other browsers via the ResetBrowser frame. However, there is no capability to configure a browser to ignore ResetBrowser frames. This could allow a malicious user to shut down browsers on his subnet as a denial of service attack against the browser service, or, in the worst case, to shut down all browsers and declare his machine the new Master Browser. The "HostAnnouncement Flooding" vulnerability, which does not affect Windows 2000. Because there is no means of limiting the size of the browse table in Windows NT 4.0, a malicious user could send a huge number of bogus HostAnnouncement frames to a Master Browser. The resulting replication traffic could consume most or all of the network bandwidth and cause other problems in processing the table as well.
Q262694
Affected Products:
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
- Windows NT Server 4.0
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
Patch: Q262694i.EXE
Q262694
Affected Products:
- Windows 2000 Professional
- Windows 2000 Service Pack 1
- Windows 2000 Gold
- Windows 2000 Server
- Windows 2000 Service Pack 1
- Windows 2000 Gold
- Windows 2000 Advanced Server
- Windows 2000 Service Pack 1
- Windows 2000 Gold
- Windows 2000 Datacenter Server
- Windows 2000 Gold
- Windows 2000 Service Pack 1
Patch: Q262694_W2K_SP2_x86_en.EXE
MS00-040 - Remote Registry Access Authentication Vulnerability
Posted: 2000/06/08
Before a request to access the registry from a remote machine can be processed, it must first be authenticated by the Remote Registry server. If the request is malformed in a specific fashion, it could be misinterpreted by the remote registry server, causing it to fail. Because the Remote Registry server is contained within the winlogon.exe system process on Windows NT 4.0, a failure in that process would cause the entire system to fail.Only an authenticated user could levy such a request.
Q264684
Affected Products:
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
- Windows NT Server 4.0
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
Patch: Q264684i.EXE
MS00-047 - NetBIOS Name Server Protocol Spoofing Vulnerability
Posted: 2000/07/27
By design, NBNS allows network peers to assist in managing name conflicts. Also by design, it is an unauthenticated protocol and therefore subject to spoofing. A malicious user could misuse the Name Conflict and Name Release mechanisms to cause another machine to conclude that its name was in conflict. Depending on the scenario, the machine would as a result either be unable to register a name on the network, or would relinquish a name it already had registered. The result in either case would be the same - the machine would not respond requests sent to the conflicted name anymore. This will reduce but not eliminate the threat of spoofing. Customers needing additional protection may wish to consider using IPSec in Windows 2000 to authenticate all sessions on ports 137-139
Q269239
Affected Products:
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
- Windows NT Server 4.0
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
Patch: q269239i.exe
Q269239
Affected Products:
- Windows 2000 Professional
- Windows 2000 Service Pack 1
- Windows 2000 Gold
- Windows 2000 Server
- Windows 2000 Service Pack 1
- Windows 2000 Gold
- Windows 2000 Advanced Server
- Windows 2000 Service Pack 1
- Windows 2000 Gold
- Windows 2000 Datacenter Server
- Windows 2000 Service Pack 1
- Windows 2000 Gold
Patch: Q269239_W2K_SP2_x86_en.EXE
Q269239
Affected Products:
- Windows NT Server 4.0, Terminal Server Edition
- Windows NT4 Terminal Server Service Pack 6
Patch: Q269239i.exe
MS00-052 - Relative Shell Path Vulnerability
Posted: 2000/07/28
Because of the circumstances in place at system startup time, the normal search order would cause any file named Explorer.exe in the %Systemdrive%\ directory to be loaded in place of the bona fide version. This could provide an opportunity for a malicious user to cause code of his choice to run when another user subsequently logged onto the same machine.
Q269049
Affected Products:
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
- Windows NT Server 4.0
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
Patch: Q269049i.EXE
Q269049
Affected Products:
- Windows NT Server 4.0, Terminal Server Edition
- Windows NT4 Terminal Server Service Pack 6
Patch: q269049i.exe
Q269049
Affected Products:
- Windows 2000 Professional
- Windows 2000 Service Pack 1
- Windows 2000 Gold
- Windows 2000 Server
- Windows 2000 Service Pack 1
- Windows 2000 Gold
- Windows 2000 Advanced Server
- Windows 2000 Service Pack 1
- Windows 2000 Gold
- Windows 2000 Datacenter Server
- Windows 2000 Service Pack 1
- Windows 2000 Gold
Patch: q269049_w2k_sp2_x86_en.exe
MS00-053 - Service Control Manager Named Pipe Impersonation Vulnerability
Posted: 2000/08/02
The Service Control Manager (services.exe) is an administrative tool provided in Windows 2000 that allows system services (Server, Workstation, Alerter, ClipBook, etc.) to be created or modified. The SCM creates a named pipe for each service as it starts, however, should a malicious program predict and create the named pipe for a specific service before the service starts, the program could impersonate the privileges of the service. This could allow the malicious program to run in the context of the given service, with either specific user or LocalSystem privileges. The primary risk from this vulnerability is that a malicious user could exploit this vulnerability to gain additional privileges on the local machine. A malicious user would require the ability to log onto the target machine interactively and run arbitrary programs in order to exploit this vulnerability, and as a result, workstations and terminal servers would be at greatest risk.
Q269523
Affected Products:
- Windows 2000 Professional
- Windows 2000 Service Pack 1
- Windows 2000 Gold
- Windows 2000 Server
- Windows 2000 Service Pack 1
- Windows 2000 Gold
- Windows 2000 Advanced Server
- Windows 2000 Service Pack 1
- Windows 2000 Gold
- Windows 2000 Datacenter Server
- Windows 2000 Gold
- Windows 2000 Service Pack 1
Patch: Q269523_W2K_SP2_x86_en.EXE
MS00-057 - File Permission Canonicalization Vulnerability
Posted: 2000/08/10
A canonicalization error can, under certain conditions, cause IIS 4.0 or 5.0 to apply incorrect permissions to certain types of files. If an affected file residing in a folder with restrictive permissions were requested via a particular type of malformed URL, the permissions actually used would be those of a folder in the file's parentage chain, but not those of the folder the file actually resides in. If the ancestor folder's permissions were more permissive than those of the correct folder, the malicious user would gain additional privileges to the affected file.
Q269862
Affected Products:
- Internet Information Server 4.0
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
Patch: prmcan4i.exe
Q269862
Affected Products:
- Internet Information Services 5.0
- Windows 2000 Gold
- Windows 2000 Service Pack 1
Patch: Q269862_W2K_SP2_x86_en.EXE
MS00-059 - Java VM Applet Vulnerability
Posted: 2000/08/21
This vulnerability would allow an applet to bypass this restriction. If a user visited a web site operated by a malicious user, the site could start an applet that would be able to establish a connection with another web site and forward any information from the web session to the malicious user?s site.
Q271752
Affected Products:
- Microsoft Virtual Machine (VM)
- Microsoft Virtual Machine (VM) Gold
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 3
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
- Windows NT Server 4.0
- Windows NT4 Service Pack 3
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 3
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
- Windows 95
- Windows 95 Gold
- Windows 95 SR 2.1
- Windows 98
- Windows 98 Gold
- Windows 98 SP1
- Windows 98 SE
- Windows 98se Gold
- Windows Me
- Windows Me Gold
Patch: msjavx86.exe
Q287030
Affected Products:
- Microsoft Virtual Machine (VM)
- Windows 2000 Service Pack 1
- Windows 2000 Datacenter Server
- Windows 2000 Service Pack 1
- Windows 2000 Advanced Server
- Windows 2000 Service Pack 1
- Windows 2000 Server
- Windows 2000 Service Pack 1
- Windows 2000 Professional
- Windows 2000 Service Pack 1
Patch: Q287030_W2K_SP2_x86_en.EXE
MS00-060 - IIS Cross-Site Scripting Vulnerabilities
Posted: 2000/08/25
If a malicious web site operator were able to lure a user to his site, and had identified a third-party web site that was vulnerable to CSS, he could potentially use the vulnerability to "inject" script into a web page created by the other web site, which would then be delivered to the user. The net effect would be to cause the malicious user's script to run on the user's machine using the trust afforded the other site. The vulnerability can affect any software that runs on a web server, accepts user input, and blindly uses it to generate web pages.
Q260347
Affected Products:
- Internet Information Server 4.0
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
Patch: crsscri.exe
Q275657
Affected Products:
- Internet Information Services 5.0
- Windows 2000 Service Pack 1
- Windows 2000 Gold
Patch: Q275657_W2K_SP2_x86_en.EXE
MS00-062 - Local Security Policy Corruption Vulnerability
Posted: 2000/08/28
This vulnerability could allow a malicious user to corrupt parts of a Windows 2000 system's local security policy, with the effect of disrupting domain membership and trust relationship information. If a workstation or member server were attacked via this vulnerability, it would effectively remove the machine from the domain; if a domain controller were attacked, it could no longer process domain logon requests.
Q269609
Affected Products:
- Windows 2000 Professional
- Windows 2000 Gold
- Windows 2000 Server
- Windows 2000 Gold
- Windows 2000 Advanced Server
- Windows 2000 Gold
Patch: Q269609_W2K_SP1_x86_en.EXE
MS00-063 - Invalid URL Vulnerability
Posted: 2000/09/05
If an affected web server received a particular type of invalid URL, it could, under certain conditions, start a chain of events that would culminate in an invalid memory request that would cause the IIS service to fail. This would prevent the server from providing web services.
Q271652
Affected Products:
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
- Windows NT Server 4.0
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
Patch: Q271652i.EXE
Q271652
Affected Products:
- Internet Information Server 4.0
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
Patch: Q271652I.EXE
MS00-065 - Still Image Service Privilege Escalation Vulnerability
Posted: 2000/09/06
An unchecked buffer exists in the 'Still Image Service' on Windows 2000 hosts. A locally logged-on user can execute malicious code that will use the still image service to escalate their permissions equal to that of the Still Image Service, namely, LocalSystem.
Q272736
Affected Products:
- Windows 2000 Professional
- Windows 2000 Service Pack 1
- Windows 2000 Gold
- Windows 2000 Server
- Windows 2000 Service Pack 1
- Windows 2000 Gold
- Windows 2000 Advanced Server
- Windows 2000 Service Pack 1
- Windows 2000 Gold
- Windows 2000 Datacenter Server
- Windows 2000 Service Pack 1
- Windows 2000 Gold
Patch: q272736_w2k_sp2_x86_en.exe
MS00-066 - Malformed RPC Packet Vulnerability
Posted: 2000/09/11
A denial of service can occur when a malicious client sends a particular malformed RPC (Remote Procedure Call) packet to the server, causing the RPC service to fail. A server behind a firewall that blocks ports 135-139 and 445 will not be affected by this vulnerability from the Internet.
Q272303
Affected Products:
- Windows 2000 Professional
- Windows 2000 Service Pack 1
- Windows 2000 Gold
- Windows 2000 Server
- Windows 2000 Service Pack 1
- Windows 2000 Gold
- Windows 2000 Advanced Server
- Windows 2000 Service Pack 1
- Windows 2000 Gold
- Windows 2000 Datacenter Server
- Windows 2000 Service Pack 1
- Windows 2000 Gold
Patch: q272303_w2k_sp2_x86_en.exe
MS00-067 - Windows 2000 Telnet Client NTLM Authentication Vulnerability
Posted: 2000/09/14
A vulnerability exists because the client will, by default, perform NTLM authentication when connecting to the remote telnet server. This could allow a malicious user to obtain another user's NTLM authentication credentials without the user's knowledge. A malicious user could exploit this behavior by creating a carefully-crafted HTML document that, when opened, could attempt to initiate a Telnet session to a rogue telnet server - automatically passing NTLM authentication credentials to the malicious server's owner. The malicious user could then use an offline brute force attack to derive the password or, with specialized tools, could submit a variant of these credentials in an attempt to access protected resources.
Q272743
Affected Products:
- Windows 2000 Server
- Windows 2000 Service Pack 1
- Windows 2000 Gold
- Windows 2000 Advanced Server
- Windows 2000 Service Pack 1
- Windows 2000 Gold
- Windows 2000 Datacenter Server
- Windows 2000 Service Pack 1
- Windows 2000 Gold
- Windows 2000 Professional
- Windows 2000 Service Pack 1
- Windows 2000 Gold
Patch: q272743_w2k_sp2_x86_en.exe
MS00-068 - OCX Attachment Vulnerability
Posted: 2000/09/26
OCX controls are containers that can hold multiple ActiveX controls. A particular OCX control, associated with Windows Media Player, could be used in a denial of service attack against RTF-enabled e-mail clients such as Microsoft® Outlook and Outlook Express. If the affected control were programmatically embedded into an RTF mail and then sent to another user, the user?s mail client would fail when he closed the mail.
Q274303
Affected Products:
- Windows Media Player 7.0
- Windows Media Player 7.0 Gold
Patch: WMSU28412.EXE
MS00-069 - Simplified Chinese IME State Recognition Vulnerability
Posted: 2000/09/29
Input Method Editors (IMEs) enable character-based languages such as Chinese to be entered via a standard 101-key keyboard. When an IME is installed as part of the system setup, it is available by default as part of the logon screen. In such a case, the IME should recognize that it is running in the context of the LocalSystem and not in the context of a user, and restrict certain functions. This vulnerability only affects the Simplified Chinese version of Windows 2000 by default - customers using any other version of Windows 2000 are not affected. Even if the Simplified Chinese IMEs were installed after setup as part of a language pack, it would not be present as part of the logon screen and therefore would not pose a security threat. The vulnerability allows only the local machine to be compromised, but does not grant any domain privileges (unless, of course, the local machine happens to be a domain controller). Because the vulnerability is exposed as part of the logon screen, it could only be exploited by a user who had physical access to a keyboard, or who could start a terminal server session on an affected machine.
Q270676
Affected Products:
- Windows 2000 Professional
- Windows 2000 Service Pack 1
- Windows 2000 Gold
- Windows 2000 Server
- Windows 2000 Service Pack 1
- Windows 2000 Gold
- Windows 2000 Advanced Server
- Windows 2000 Service Pack 1
- Windows 2000 Gold
- Windows 2000 Datacenter Server
- Windows 2000 Service Pack 1
- Windows 2000 Gold
Patch: q270676_w2k_sp2_x86_en.exe
MS00-070 - Multiple LPC and LPC Ports Vulnerabilities
Posted: 2000/10/03
The "Invalid LPC Request" vulnerability, which affects only Windows NT 4.0. By levying an invalid LPC request, it would be possible to make the affected system fail. The "LPC Memory Exhaustion" vulnerability, which affects both Windows NT 4.0 and Windows 2000. By levying spurious LPC requests, it could be possible to increase the number of queued LPC messages to the point where kernel memory was depleted. The "Predictable LPC Message Identifier" vulnerability, which affects both Windows NT 4.0 and Windows 2000. Any process that knows the identifier of an LPC message can access it; however, the identifiers can be predicted. In the simplest case, a malicious user could access other process' LPC ports and feed them random data as a denial of service attack. In the worst case, it could be possible under certain conditions to send bogus requests to a privileged process in order to gain additional local privileges. A new variant of the previously-reported "Spoofed LPC Port Request" vulnerability. This vulnerability affects Windows NT 4.0 and Windows 2000, and could, under a very restricted set of conditions, allow a malicious user to create a process that would run under the security context of an already-running process, potentially including System processes. Because LPC can only be used on the local machine, none of these vulnerabilities could be exploited remotely. Instead, a malicious user could only exploit them on machines that he could log onto interactively. Typically, workstations and terminal servers would be chiefly at risk, because, if normal security practices have been followed, normal users will not be allowed to log onto critical servers interactively. This also means that, even in the worst case, the vulnerability would only confer additional local - not domain - privileges on the malicious user
Q266433
Affected Products:
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 6a
- Windows NT Server 4.0
- Windows NT4 Service Pack 6a
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 6a
Patch: q266433i.exe
Q266433
Affected Products:
- Windows 2000 Professional
- Windows 2000 Service Pack 1
- Windows 2000 Gold
- Windows 2000 Server
- Windows 2000 Service Pack 1
- Windows 2000 Gold
- Windows 2000 Advanced Server
- Windows 2000 Service Pack 1
- Windows 2000 Gold
- Windows 2000 Datacenter Server
- Windows 2000 Service Pack 1
- Windows 2000 Gold
Patch: q266433_w2k_sp2_x86_en.exe
Posted: 2000/10/10
Due to the way the password feature is currently implemented, a file share could be compromised, by a malicious user who used a special client utility, without that user knowing the entire password required to access that share.
Q273991
Affected Products:
- Windows Me
- Windows Me Gold
Patch: 273991usam.exe
Q273991
Affected Products:
- Windows 98
- Windows 98 Gold
- Windows 98 SE
- Windows 98se Gold
Patch: 273991USA8.EXE
Q273991
Affected Products:
- Windows 95
Patch: 273991USA5.EXE
MS00-073 - Malformed IPX NMPI Packet Vulnerability
Posted: 2000/10/11
The Microsoft IPX/SPX protocol implementation (NWLink) includes an NMPI (Name Management Protocol on IPX) listener that will reply to any requesting network address. The NMPI listener software does not filter the requesting computer's network address correctly, and will therefore reply to a network broadcast address. Such a reply would in turn cause other IPX NMPI listener programs to also reply. This sequence of broadcast replies could generate a large amount of unnecessary network traffic.
Q273727
Affected Products:
- Windows Me
- Windows Me Gold
Patch: 273727USAM.EXE
Q273727
Affected Products:
- Windows 98
- Windows 98 Gold
- Windows 98 SP1
- Windows 98 SE
- Windows 98se Gold
Patch: 273727USA8.EXE
Q273727
Affected Products:
- Windows 95
- Windows 95 Gold
- Windows 95 SR 2.1
- Windows 95 SR 2.5
Patch: 273727USA5.EXE
MS00-074 - WebTV for Windows Denial of Service Vulnerability
Posted: 2000/10/11
There is a denial of service vulnerability in WebTV for Windows that may allow a malicious user to remotely crash either the WebTV for Windows application and/or the computer system running WebTV for Windows.
Q274113
Affected Products:
- Windows Me
- Windows Me Gold
Patch: 274113usam.exe
Q274113
Affected Products:
- Windows 98
- Windows 98 Gold
- Windows 98 SP1
- Windows 98 SE
- Windows 98se Gold
Patch: 274113USA8.EXE
MS00-076 - Cached Web Credentials Vulnerability
Posted: 2000/10/12
When a user authenticates to a secured web page via Basic Authentication, IE caches the userid and password that were used, in order to minimize the number of times the user must authenticate to the same site. By design, IE should only send the cached credentials to secured pages on the site. However, it will actually send them to non-secure pages on the site as well. If a malicious user had complete control of another user?s network communications, he could wait until another user logged onto a secured site, then spoof a request for a non-secured page in order to collect the credentials.
Q273868
Affected Products:
- Internet Explorer 5.01
- Internet Explorer 5.01 SP1
Patch: q273868.exe
MS00-077 - NetMeeting Desktop Sharing Vulnerability
Posted: 2000/10/13
The denial of service can occur when a malicious client sends a particular malformed string to a port which the NetMeeting service is listening on and with Remote Desktop Sharing enabled.
Q273854
Affected Products:
- NetMeeting
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
Patch: NM30.EXE
Q299796
Affected Products:
- Windows 2000 Datacenter Server
- Windows 2000 Gold
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
- Windows 2000 Advanced Server
- Windows 2000 Gold
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
- Windows 2000 Server
- Windows 2000 Gold
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
- Windows 2000 Professional
- Windows 2000 Gold
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
Patch: Q299796_W2k_SP3_x86_en.exe
MS00-078 - Web Server Folder Traversal Vulnerability
Posted: 2000/10/17
Due to a canonicalization error in IIS 4.0 and 5.0, a particular type of malformed URL could be used to access files and folders that lie anywhere on the logical drive that contains the web folders. This would potentially enable a malicious user who visited the web site to gain additional privileges on the machine ? specifically, it could be used to gain privileges commensurate with those of a locally logged-on user. Gaining these permissions would enable the malicious user to add, change or delete data, run code already on the server, or upload new code to the server and run it.
Q269862
Affected Products:
- Internet Information Server 4.0
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
Patch: prmcan4i.exe
Q269862
Affected Products:
- Internet Information Services 5.0
- Windows 2000 Gold
- Windows 2000 Service Pack 1
Patch: Q269862_W2K_SP2_x86_en.EXE
MS00-079 - HyperTerminal Buffer Overflow Vulnerability
Posted: 2000/10/18
The HyperTerminal application contains an unchecked buffer in a section of the code that processes Telnet URLs. If a user opened an HTML mail that contained a particularly malformed Telnet URL, it would result in a buffer overrun that could enable the creator of the mail to cause arbitrary code to run on the user?s system.
Q274548
Affected Products:
- Windows Me
- Windows Me Gold
Patch: 274548usam.exe
Q274548
Affected Products:
- Windows 98
- Windows 98 Gold
- Windows 98 SP1
- Windows 98 SE
- Windows 98se Gold
Patch: 274548USA8.EXE
Q276471
Affected Products:
- Windows 2000 Datacenter Server
- Windows 2000 Gold
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
- Windows 2000 Advanced Server
- Windows 2000 Gold
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
- Windows 2000 Server
- Windows 2000 Gold
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
- Windows 2000 Professional
- Windows 2000 Gold
- Windows 2000 Service Pack 2
- Windows 2000 Service Pack 1
Patch: Q276471_W2K_SP3_x86_en.EXE
MS00-080 - Session ID Cookie Marking Vulnerability
Posted: 2000/10/23
If a user initiated a session with a secure web page, a Session ID cookie would be generated and sent to the user, protected by SSL. But if the user subsequently visited a non-secure page on the same site, the same Session ID cookie would be exchanged, this time in plaintext. If a malicious user had complete control over the communications channel, he could read the plaintext Session ID cookie and use it to connect to the user?s session with the secure page. At that point, he could take any action on the secure page that the user could take.
Q274149
Affected Products:
- Internet Information Server 4.0
- Windows NT4 Service Pack 6a
Patch: secsesi.exe
Q274149
Affected Products:
- Internet Information Services 5.0
- Windows 2000 Service Pack 1
- Windows 2000 Gold
Patch: Q274149_W2K_SP2_x86_en.EXE
MS00-081 - New Variant of VM File Reading Vulnerability
Posted: 2000/10/25
The version of the Microsoft VM that ships with Microsoft Internet Explorer 4.x and Internet Explorer 5.x contains a security vulnerability that could allow a Java applet to operate outside the bounds set by the sandbox. A malicious user could write a Java applet that could read ? but not change, delete or add ? files from the computer of a person who visited his site or read web content from inside an intranet if the malicious site is visited by a computer from within that intranet.
Q287030
Affected Products:
- Microsoft Virtual Machine (VM)
- Windows 2000 Service Pack 1
- Windows 2000 Datacenter Server
- Windows 2000 Service Pack 1
- Windows 2000 Advanced Server
- Windows 2000 Service Pack 1
- Windows 2000 Professional
- Windows 2000 Service Pack 1
- Windows 2000 Server
- Windows 2000 Service Pack 1
Patch: Q287030_W2K_SP2_x86_en.EXE
Q277014
Affected Products:
- Microsoft Virtual Machine (VM)
- Microsoft Virtual Machine (VM) Gold
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 3
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
- Windows NT Server 4.0
- Windows NT4 Service Pack 3
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 3
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
- Windows 95
- Windows 95 Gold
- Windows 95 SR 2.1
- Windows 98
- Windows 98 Gold
- Windows 98 SP1
- Windows 98 SE
- Windows 98se Gold
- Windows Me
- Windows Me Gold
Patch: msjavx86.exe
MS00-082 - Malformed MIME Header Vulnerability
Posted: 2000/10/31
Q275714
Affected Products:
- Exchange Server 5.5
- Exchange Server 5.5 SP3
Patch: Q248838engI.EXE
MS00-083 - Netmon Protocol Parsing Vulnerability
Posted: 2000/11/01
Several parsers of Netmon have unchecked buffers. If a malicious user delivered a specially-malformed frame to a server that was monitoring network traffic, and the administrator parsed it using an affected parser, it would have the effect of either causing Netmon to fail or causing code of the malicious user's choice to run on the machine.
Q274835
Affected Products:
- Windows NT Server 4.0
- Windows NT4 Service Pack 6a
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 6a
Patch: Q274835i.EXE
Q274835
Affected Products:
- Windows 2000 Server
- Windows 2000 Gold
- Windows 2000 Service Pack 1
- Windows 2000 Advanced Server
- Windows 2000 Gold
- Windows 2000 Service Pack 1
- Windows 2000 Datacenter Server
- Windows 2000 Gold
- Windows 2000 Service Pack 1
Patch: Q274835_W2K_SP2_x86_en.EXE
Q273476
Affected Products:
- Systems Management Server 1.2
- Systems Management Server 1.2 SP4
Patch: Q273476c.EXE
Q273476
Affected Products:
- Systems Management Server 2.0
- Systems Management Server 2.0 Gold
- Systems Management Server 2.0 SP1
- Systems Management Server 2.0 SP2
Patch: Q273476c.exe
MS00-084 - Indexing Services Cross Site Scripting Vulnerability
Posted: 2000/11/02
The Cross-Site Scripting (CSS) vulnerability results when web applications don?t properly validate inputs before using them in dynamic web pages. If a malicious web site operator were able to lure a user to his site, and had identified a third-party web site that was vulnerable to CSS, he could potentially use the vulnerability to ?inject? script into a web page created by the other web site, which would then be delivered to the user. The net effect would be to cause the malicious user?s script to run on the user?s machine using the trust afforded the other site. The vulnerability can affect any software that runs on a web server, accepts user input, and uses it to generate web pages without sufficient validation. Microsoft has identified an Indexing Service component (CiWebHitsFile) that, when called from a specially crafted URL, is vulnerable to this scenario.
Q278499
Affected Products:
- Windows 2000 Professional
- Windows 2000 Service Pack 1
- Windows 2000 Gold
- Windows 2000 Server
- Windows 2000 Service Pack 1
- Windows 2000 Gold
- Windows 2000 Advanced Server
- Windows 2000 Service Pack 1
- Windows 2000 Gold
- Windows 2000 Datacenter Server
- Windows 2000 Service Pack 1
- Windows 2000 Gold
- Internet Information Services 5.0
- Windows 2000 Gold
- Windows 2000 Service Pack 1
- Indexing Services for Windows 2000
- Windows 2000 Gold
- Windows 2000 Service Pack 1
Patch: Q278499_W2K_SP2_x86_en.EXE
MS00-085 - ActiveX Parameter Validation Vulnerability
Posted: 2000/11/02
An ActiveX control that ships as part of Windows 2000 contains an unchecked buffer. If the control was called from a web page or HTML mail using a specially-malformed parameter, it would be possible to cause code to execute on the machine via a buffer overrun. This could potentially enable a malicious user to take any desired action on the user's machine, limited only by the permissions of the user.
Q278511
Affected Products:
- Windows 2000 Professional
- Windows 2000 Service Pack 1
- Windows 2000 Gold
- Windows 2000 Server
- Windows 2000 Service Pack 1
- Windows 2000 Gold
- Windows 2000 Advanced Server
- Windows 2000 Service Pack 1
- Windows 2000 Gold
- Windows 2000 Datacenter Server
- Windows 2000 Service Pack 1
- Windows 2000 Gold
Patch: Q278511_W2K_SP2_x86_en.EXE
MS00-086 - Web Server File Request Parsing Vulnerability
Posted: 2000/11/06
The ability to execute operating system commands on the web server would enable a malicious user to take virtually any action that an interactively-logged on user could take. He could, for instance, add, delete or change files on the server, run code that was already on the server, or upload code of his choice and run it.
Q277873
Affected Products:
- Internet Information Server 4.0
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
Patch: arbexei.exe
Q277873
Affected Products:
- Internet Information Services 5.0
- Windows 2000 Gold
- Windows 2000 Service Pack 1
Patch: Q277873_W2K_SP2_x86_en.EXE
MS00-087 - Terminal Server Login Buffer Overflow Vulnerability
Posted: 2000/11/08
An unchecked buffer in the Terminal Server login prompt could allow a malicious user to cause the Terminal Server to execute arbitrary code. The ability to execute arbitrary code would enable the malicious user to add, change, or delete data, run code already on the server, or upload new code to the server and run it. The malicious user would not need to successfully login to the Terminal Server in order to initiate this attack. This vulnerability could be exploited remotely if connection requests are not filtered. By default, Terminal Server listens on tcp port 3389. This port should be blocked at the firewall and/or router if Terminal Server access from the Internet is not required
Q277910
Affected Products:
- Windows NT Server 4.0, Terminal Server Edition
- Windows NT4 Terminal Server Service Pack 6
Patch: q277910i.exe
MS00-088 - Exchange User Account Vulnerability
Posted: 2000/11/16
If Exchange 2000 were installed on a Domain Controller, the account would also have Domain user privileges, and could thus gain access to other resources in the affected Domain.
Q278523
Affected Products:
- Exchange 2000 Server
- Exchange 2000 Gold
- Exchange 2000 Enterprise Server
- Exchange 2000 Gold
Patch: Q278523ENGI.EXE
MS00-089 - Domain Account Lockout Vulnerability
Posted: 2000/11/21
A flaw in the way that NTLM authentication operates in Windows 2000 could allow a domain account lockout policy to be bypassed on a local Windows 2000 machine, even if the domain administrator had set such a policy. The ability of a malicious user to avoid the domain account lockout policy could increase the threat from a brute force password-guessing attack. This vulnerability only affects Windows 2000 machines that are members of non-Windows 2000 domains. In addition, the vulnerability only affects domain user accounts that have previously logged into the target machine and already have cached credentials established on that machine. If a domain account lockout policy is in place and an attacker attempts a brute force password-guessing attack, the domain user account will be locked out as expected at the domain controller. However, if the attacker is able find the correct password, the local Windows 2000 machine will log the attacker on using cached credentials in violation of the account lockout policy.
Q274372
Affected Products:
- Windows 2000 Professional
- Windows 2000 Service Pack 1
- Windows 2000 Server
- Windows 2000 Service Pack 1
- Windows 2000 Advanced Server
- Windows 2000 Service Pack 1
- Windows 2000 Datacenter Server
- Windows 2000 Service Pack 1
Patch: q274372_w2k_sp2_x86_en.exe
MS00-090 - .ASX Buffer Overrun and .WMS Script Execution Vulnerabilities
Posted: 2000/11/22
Q280419
Affected Products:
- Windows Media Player 7.0
- Windows Media Player 7.0 Gold
Patch: wmsu34419.EXE
Q280419
Affected Products:
- Windows Media Player 6.4
- Windows Media Player 6.4 Gold
Patch: wmsu33995.exe
MS00-091 - Incomplete TCP/IP Packet Vulnerability
Posted: 2000/11/30
There is a denial of service vulnerability that affects Windows NT 4.0 Windows 95, 98, 98 Second Edition and Windows Me. By sending a flood of specially malformed TCP/IP packets to a victim?s machine a malicious user could cause either of two effects. In the most likely case, the flood would temporarily prevent any networking resources on an affected computer from responding to client requests; as soon as the packets stopped arriving, the machine would resume normal operation. In a less likely case, the system could hang, and remain unresponsive until it was rebooted. This vulnerability could only be exploited if TCP port 139 was open on the target machine. If the server service or File/Print sharing were disabled on a computer it would not be susceptible to this vulnerability
Q275567
Affected Products:
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 6a
- Windows NT Server 4.0
- Windows NT4 Service Pack 6a
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 6a
- Windows NT Server 4.0, Terminal Server Edition
- Windows NT4 Terminal Server Service Pack 6
- Windows 98
- Windows 98 Gold
- Windows 98 SP1
- Windows 98 SE
- Windows 98se Gold
- Windows Me
- Windows Me Gold
Patch: q275567i.exe
MS00-092 - Extended Stored Procedure Parameter Parsing Vulnerability
Posted: 2000/12/01
This vulnerability would be most useful to a malicious user who had already compromised a web server and become a valid SQL Server user on the back-end server.
Q280380
Affected Products:
- SQL Server 7.0
- SQL Server 7.0 SP2
Patch: s70918i.exe
Q280380
Affected Products:
- SQL Server 2000
- SQL Server 2000 Gold
- SQL Server Desktop Engine (MSDE) 2000
- SQL Server Desktop Engine (MSDE) 2000 Gold
Patch: s80233i.exe
MS00-093 - Browser Print Template and File Upload via Form Vulnerabilities
Posted: 2000/12/01
Q279328
Affected Products:
- Internet Explorer 5.01
- Internet Explorer 5.01 SP1
Patch: q279328.exe
Q279328
Affected Products:
- Internet Explorer 5.5
- Internet Explorer 5.5 Gold
Patch: Q279328.exe
Q279328
Affected Products:
- Internet Explorer 5.5
- Internet Explorer 5.5 SP1
Patch: q279328.Exe
MS00-094 - Phone Book Service Buffer Overflow Vulnerability
Posted: 2000/12/04
Due to an unchecked buffer in the Phone Book Service, a particular type of malformed URL could be used to execute arbitrary code on an IIS 4 or IIS 5 web server running the Phone Book Service. This would potentially enable a malicious user to gain privileges on the machine commensurate with those of the IUSR_machinename account (IIS 4) or the IWAM_machinename account (IIS 5). The IUSR account and the IWAM account are members of the Everyone group. In some instances, members of the Everyone group, including the accounts above, are able to execute operating system commands on the web server.
Q276575
Affected Products:
- Connection Manager
- Windows 2000 Gold
- Windows 2000 Service Pack 1
Patch: Q276575_W2K_SP2_x86_en.EXE
Q276575
Affected Products:
- Connection Manager
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
Patch: q276575i.exe
MS00-095 - Registry Permissions Vulnerability
Posted: 2000/12/06
Three registry keys have default permissions that are inappropriately loose. The keys, and the risk they pose, are as follows: The SNMP Parameters key, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters, provides the SNMP community name and SNMP management station identifiers, if they exist. SNMP community strings may allow either read or read-write access to the SNMP service. If no read-write access strings exist, the user could only use this vulnerability to read information through SNMP that is normally available to local users. If read-write access strings do exist, a malicious user could use this vulnerability to make changes to any system using the same community string for read-write access. It is important to remember that SNMP v1.0 has no security by design, and any user who could monitor network traffic could also obtain the SNMP community strings. SNMP is not installed on Windows NT 4.0 machines by default. The RAS Administration key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAS, provides a way to install third-party RAS products that work with the Windows NT native RAS service. By changing one of the values in this key, it would be possible for a malicious user to specify code of her choice as a third-party management tool. The code would then run in the LocalSystem security context. Although it might be possible to make the needed registry changes remotely, the malicious user?s code would need to reside on the affected machine itself. RAS is not installed on Windows NT 4.0 machines by default. The MTS Package Administration key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Transaction Server\Packages, includes information about which users are allowed to install and change MTS packages. By adding herself as an MTS manager, a malicious user could gain the ability to add, delete or change MTS packages. Although it might be possible in some cases to make the needed registry changes remotely, the malicious user would still need the ability to log onto the affected machine interactively in order to exercise her new privileges
Q265714
Affected Products:
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
- Windows NT Server 4.0
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
Patch: Q265714i.EXE
Q265714
Affected Products:
- Windows NT Server 4.0, Terminal Server Edition
- Windows NT4 Terminal Server Service Pack 6
Patch: Q265714i.exe
MS00-096 - SNMP Parameters Vulnerability
Posted: 2000/12/06
This vulnerability is virtually identical to the SNMP Parameters vulnerability affecting Windows NT 4.0 systems and discussed in Microsoft Security Bulletin MS00-095. The SNMP Parameters key, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters, provides the SNMP community name and SNMP management station identifiers, if they exist. SNMP community strings may allow either read or read-write access to the SNMP service. If no read-write access strings exist, the user could only use this vulnerability to read information through SNMP that is normally available to local users. If read-write access strings do exist, a malicious user could use this vulnerability to make changes to any system using the same community string for read-write access. It is important to remember that SNMP v1.0 has no security by design, and any user who could monitor network traffic could also obtain the SNMP community strings. SNMP is not installed on Windows NT 4.0 machines by default. It should be noted that the information revealed by this vulnerability is normally transmitted in plaintext across SNMP-managed networks. As a result, even in the absence of incorrect registry permissions, a malicious user could carry out the same attack if she could monitor network communication
Q266794
Affected Products:
- Windows 2000 Professional
- Windows 2000 Service Pack 1
- Windows 2000 Gold
- Windows 2000 Server
- Windows 2000 Service Pack 1
- Windows 2000 Gold
- Windows 2000 Advanced Server
- Windows 2000 Service Pack 1
- Windows 2000 Gold
- Windows 2000 Datacenter Server
- Windows 2000 Gold
- Windows 2000 Service Pack 1
Patch: Q266794_W2K_SP2_x86_en.EXE
MS00-097 - Severed Windows Media Server Connection Vulnerability
Posted: 2000/12/15
By repeatedly making and then severing connections in this manner, a malicious user could exhaust the resources on a server, thereby preventing it from providing streaming media services.
Q281256
Affected Products:
- Windows Media Services 4.1
- Windows 2000 Gold
- Windows 2000 Service Pack 1
- Windows Media Services 4.0
- Windows 2000 Gold
- Windows 2000 Service Pack 1
Patch: WMSU35924.EXE
MS00-098 - Indexing Service File Enumeration Vulnerability
Posted: 2000/12/19
An ActiveX control that ships as part of Indexing Service is incorrectly marked as safe for scripting, thereby enabling it to be executed by web site applications. The control at issue here could be used to enumerate files and folders, and to view their properties. It would not be necessary for Indexing Service to be running in order for the vulnerability to be exploited; however, if it were running, the control also could be used to search for files containing specific words. The vulnerability could not be used to read files, except via a fairly unlikely scenario discussed in detail in the FAQ. It could not be used under any conditions to change, add or delete information on the user?s computer.
Q280838
Affected Products:
- Windows 2000 Professional
- Windows 2000 Service Pack 1
- Windows 2000 Gold
- Windows 2000 Server
- Windows 2000 Service Pack 1
- Windows 2000 Gold
- Windows 2000 Advanced Server
- Windows 2000 Service Pack 1
- Windows 2000 Gold
- Windows 2000 Datacenter Server
- Windows 2000 Service Pack 1
- Windows 2000 Gold
Patch: Q280838_W2K_SP2_x86_en.EXE
MS00-099 - Directory Service Restore Mode Password Vulnerability
Posted: 2000/12/20
If the Configure Your Server tool was used when the machine was originally promoted to domain controller, that password would be blank. This could enable a malicious user to log onto the machine in Directory Service Restore Mode. Once logged on, the malicious user could alter system components or install bogus ones that would execute when a bona fide administrator subsequently logged onto the machine.
Q271641
Affected Products:
- Windows 2000 Server
- Windows 2000 Gold
- Windows 2000 Service Pack 1
- Windows 2000 Advanced Server
- Windows 2000 Gold
- Windows 2000 Service Pack 1
- Windows 2000 Datacenter Server
- Windows 2000 Gold
- Windows 2000 Service Pack 1
Patch: Q271641_W2K_SP2_x86_en.EXE
MS00-100 - Malformed Web Form Submission Vulnerability
Posted: 2000/12/22
The FrontPage Server Extensions (FPSE) ship with and are installed by default as part of IIS 4.0 and 5.0. The most familiar FPSE functions allow web site and content management; however, FPSE also provides browse-time support functions. Among the functions included in the latter category are ones that help process web forms that have been submitted by a user. A vulnerability exists in one of these functions. If a malicious user levied a specially-malformed form submission to an affected server, it would cause the IIS service to fail. The vulnerability does not provide the opportunity to misuse any of the FPSE administrative or content management functions.
Q280322
Affected Products:
- Internet Information Services 5.0
- Windows 2000 Service Pack 1
- Windows 2000 Gold
Patch: Q280322_W2K_SP2_x86_en.EXE
Q280322
Affected Products:
- Internet Information Server 4.0
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
Patch: Q280322i.EXE
MS01-001 - Web Client Will Perform NTLM Authentication Regardless of Security Settings
Posted: 2001/01/11
The Web Extender Client (WEC) is a component that ships as part of Office 2000, Windows 2000, and Windows Me. WEC allows IE to view and publish files via web folders, similar to viewing and adding files in a directory through Windows Explorer. Due to an implementation flaw, WEC does not respect the IE Security settings regarding when NTLM authentication will be performed instead, WEC will perform NTLM authentication with any server that requests it. If a user established a session with a malicious user?s web site ? either by browsing to the site or by opening an HTML mail that initiated a session with it an application on the site could capture the user?s NTLM credentials. The malicious user could then use an offline brute force attack to derive the password or, with specialized tools, could submit a variant of these credentials in an attempt to access protected resources. The vulnerability would only provide the malicious user with the cryptographically protected NTLM authentication credentials of another user.
Q282132
Affected Products:
- Windows Me
- Windows Me Gold
Patch: 282132usam.exe
Q282132
Affected Products:
- Windows 2000 Datacenter Server
- Windows 2000 Gold
- Windows 2000 Service Pack 1
- Windows 2000 Advanced Server
- Windows 2000 Gold
- Windows 2000 Service Pack 1
- Windows 2000 Server
- Windows 2000 Gold
- Windows 2000 Service Pack 1
- Windows 2000 Professional
- Windows 2000 Gold
- Windows 2000 Service Pack 1
Patch: Q282132_W2K_SP2_x86_en
Q282132
Affected Products:
- Office 2000
- Office 2000 SR-1a
- Office 2000 SR-1
- Office 2000 Service Pack 2
Patch: fpwec
MS01-002 - PowerPoint 2000 File Parser Contains Unchecked Buffer
Posted: 2001/01/22
If an attacker inserted specially chosen data into a PowerPoint file and could entice another user into opening the file on his machine, the data would overrun the buffer, causing either of two effects.
Q285978
Affected Products:
- PowerPoint 2000
- Office 2000 SR-1
- Office 2000 SR-1a
- Office 2000 Service Pack 2
Patch: ppt2ksec.exe
MS01-003 - Weak Permissions on Winsock Mutex Can Allow Service Failure
Posted: 2001/01/24
This could enable an attacker who had the ability to run code on a local machine to monopolize the mutex, thereby preventing any other processes from using the resource that it controlled. This would have the effect of preventing the machine from participating in the network.
Q279336
Affected Products:
- Windows NT Server 4.0
- Windows NT4 Service Pack 6a
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 6a
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 6a
Patch: Q279336i.EXE
Q279336
Affected Products:
- Windows NT Server 4.0, Terminal Server Edition
- Windows NT4 Terminal Server Service Pack 6
Patch: Q279336i.exe
MS01-004 - Malformed .HTR Request Allows Reading of File Fragments
Posted: 2001/01/29
This one could enable an attacker to request a file in a way that would cause it to be processed by the .HTR ISAPI extension. The result of doing this is that fragments of server-side files like .ASP files could potentially be sent to the attacker.
Q285985
Affected Products:
- Internet Information Server 4.0
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
Patch: frgvuli.exe
Q285985
Affected Products:
- Internet Information Services 5.0
- Windows 2000 Gold
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
Patch: Q285985_W2K_SP3_x86_en.EXE
MS01-005 - Packaging Anomaly Could Cause Hotfixes to be Removed
Posted: 2001/01/30
Microsoft packages all Windows 2000 hotfixes (including security patches) with a catalog file that lists all of the valid hotfixes that have been issued to date. The catalog is digitally signed to ensure its integrity, and Windows File Protection uses the signed catalog to determine which hotfixes are valid. An error in the production of the catalog files for English language Windows 2000 Post Service Pack 1 hotfixes made available through December 18, 2000 could, under very unlikely circumstances, cause Windows File Protection to remove a valid hotfix from a system. The removal of a hotfix could cause a customer?s system to revert to a version of a Windows 2000 module that contained a security vulnerability. Windows File Protection will only remove valid hotfixes from a Windows 2000 system under a very restrictive set of circumstances
Q281767
Affected Products:
- Windows 2000 Professional
- Windows 2000 Service Pack 1
- Windows 2000 Server
- Windows 2000 Service Pack 1
- Windows 2000 Advanced Server
- Windows 2000 Service Pack 1
- Windows 2000 Datacenter Server
- Windows 2000 Service Pack 1
Patch: Q281767_W2K_SP2_x86_en.EXE
Q285083
Affected Products:
- Windows 2000 Advanced Server
- Windows 2000 Gold
- Windows 2000 Professional
- Windows 2000 Gold
- Windows 2000 Server
- Windows 2000 Gold
- Windows 2000 Datacenter Server
- Windows 2000 Gold
Patch: Q285083_W2K_SP2_x86_en.EXE
MS01-006 - Invalid RDP Data Can Cause Terminal Server Failure
Posted: 2001/01/31
Q286132
Affected Products:
- Windows 2000 Server
- Windows 2000 Gold
- Windows 2000 Service Pack 1
- Windows 2000 Advanced Server
- Windows 2000 Gold
- Windows 2000 Service Pack 1
- Windows 2000 Datacenter Server
- Windows 2000 Gold
- Windows 2000 Service Pack 1
Patch: Q286132_W2K_SP2_x86_en.EXE
MS01-007 - Network DDE Agent Requests Can Enable Code to Run in System Context
Posted: 2001/02/05
A vulnerability exists because, in Windows 2000, the Network DDE Agent runs using the Local System security context and processes all requests using this context, rather than that of the user. This would give an attacker an opportunity to cause the Network DDE Agent to run code of her choice in Local System context, as a means of gaining complete control over the local machine.
Q285851
Affected Products:
- Windows 2000 Professional
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
- Windows 2000 Server
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
- Windows 2000 Advanced Server
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
- Windows 2000 Datacenter Server
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
Patch: Q285851_W2K_SP3_x86_en.EXE
MS01-008 - Malformed NTLMSSP Request Can Enable Code to Run with System Privileges
Posted: 2001/02/07
A flaw in the NTLM Security Support Provider (NTLMSSP) service could potentially allow a non-administrative user to gain administrative control over the system. In order to perform this attack the user would need a valid login account and the ability to execute arbitrary code on the system. This vulnerability could only be exploited by an attacker who could log onto the affected machine interactively. However, best practices strongly suggest that unprivileged users not be allowed to interactively log onto business-critical servers like domain controllers, ERP servers, print and file servers, database servers, and others. If this recommendation has been followed, machines such as these would not be at risk from this vulnerability and, as a result, the machines most likely to be affected would be workstations and terminal servers.
Q280119
Affected Products:
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 6a
- Windows NT Server 4.0
- Windows NT4 Service Pack 6a
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 6a
Patch: Q280119i.EXE
Q280119
Affected Products:
- Windows NT Server 4.0, Terminal Server Edition
- Windows NT4 Terminal Server Service Pack 6
Patch: Q280119i.exe
MS00-009 - Image Source Redirect Vulnerability
Posted: 2000/02/16
When a web server navigates a window from one domain into another one, the IE security model checks the server's permissions on the new page. However, it is possible for a web server to open a browser window to a client-local file, then navigate the window to a page that is in the web site's domain in such a way that the data in the client-local file is accessible to the new window. The data would only be accessible to the new window for a very brief period, but the result is that it could be possible for a malicious web site operator to view files on the computer of a visiting user.
Q251109
Affected Products:
- Internet Explorer 4.01
- Internet Explorer 4.01 SP2
Patch: Q251109.exe
Q251109
Affected Products:
- Internet Explorer 5.01
- Internet Explorer 5.01 Gold
Patch: q251109.exe
MS01-009 - Malformed PPTP Packet Stream Can Cause Kernel Exhaustion
Posted: 2001/02/13
The PPTP service in Windows NT 4.0 has a flaw in a part of the code that handles a particular type of data packet, which results in a leak of kernel memory resulting in a denial of service vulnerability.
Q283001
Affected Products:
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 6a
- Windows NT Server 4.0
- Windows NT4 Service Pack 6a
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 6a
Patch: Q283001i.exe
MS01-010 - Windows Media Player Skins Files Can Enable Java Code to Execute
Posted: 2001/02/14
If a Windows Media Player skin (.WMZ) file were downloaded from a malicious web site, it could potentially cause the deployment of zipped Java code to a known location on the visiting user?s machine. Since the Java code would reside in a known location on the machine, script hosted on a hostile web site or embedded in a hostile HTML mail message could potentially invoke the script in the local computer security zone to take arbitrary action on the user?s machine.
Q287045
Affected Products:
- Windows Media Player 7.0
- Windows Media Player 7.0 Gold
Patch: wmsu38041
- %windir%\system
MS01-011 - Malformed Request to Domain Controller Can Cause CPU Exhaustion
Posted: 2001/02/20
A core service running on all Windows 2000 domain controllers (but not on any other machines) contains a flaw affecting how it processes a certain type of invalid service request. Specifically, the service should handle the request at issue here by determining that it is invalid and simply dropping it; in fact, the service performs some resource-intensive processing and then sends a response. If an attacker sent a continuous stream of such requests to an affected machine, it could consume most or all of the machine?s CPU availability. This could cause the domain controller to process requests for service slowly or not at all, and could limit the number of new logons the machine could process and the number of Kerberos tickets that could be issued.
Q299687
Affected Products:
- Windows 2000 Datacenter Server
- Windows 2000 Service Pack 2
- Windows 2000 Service Pack 1
- Windows 2000 Advanced Server
- Windows 2000 Service Pack 2
- Windows 2000 Service Pack 1
- Windows 2000 Server
- Windows 2000 Service Pack 2
- Windows 2000 Service Pack 1
Patch: Q299687_W2K_SP3_x86_en.EXE
MS00-075 - Microsoft VM ActiveX Component Vulnerability
Posted: 2000/10/12
If a user visited a malicious web site that exploited this vulnerability, a Java applet on one of the web pages could run any desired ActiveX control, even ones that are marked as unsafe for scripting. This would enable the malicious web site operator to take any desired action on the user?s machine.
Q275609
Affected Products:
- Microsoft Virtual Machine (VM)
- Microsoft Virtual Machine (VM) Gold
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 3
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
- Windows NT Server 4.0
- Windows NT4 Service Pack 3
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 3
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
- Windows 95
- Windows 95 Gold
- Windows 95 SR 2.1
- Windows 98
- Windows 98 Gold
- Windows 98 SP1
- Windows 98 SE
- Windows 98se Gold
- Windows Me
- Windows Me Gold
Patch: msjavx86.exe
Q287030
Affected Products:
- Microsoft Virtual Machine (VM)
- Windows 2000 Service Pack 1
- Windows 2000 Datacenter Server
- Windows 2000 Service Pack 1
- Windows 2000 Advanced Server
- Windows 2000 Service Pack 1
- Windows 2000 Server
- Windows 2000 Service Pack 1
- Windows 2000 Professional
- Windows 2000 Service Pack 1
Patch: Q287030_W2K_SP2_x86_en.EXE
MS00-071 - Word Mail Merge Vulnerability
Posted: 2000/10/05
If an Access database is specified as a data source via DDE in a Word mail merge document, macro code can run without the user's approval when the user opens that document. If a user could be enticed into opening a specially constructed mail merge Word document, which was provided either as an e-mail attachment or as a link hosted on a hostile web site, it would be possible to cause arbitrary code to run on the user's machine.
Q274226 (Word 2000)
Affected Products:
- Word 2000
- Office 2000 SR-1a
Patch: wrdacc.exe
Q274226 (Word 2000)
Affected Products:
- Word 97
- Office 97 SR-2/SR-2b
Patch: wdac97.exe
MS00-044 - Absent Directory Browser Argument Vulnerability
Posted: 2000/07/14
The vulnerabilities could allow a malicious user to stop the web server from providing useful service, or to extract certain types of information from it.
Q267559
Affected Products:
- Internet Information Server 4.0
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
Patch: htrdos4i.exe
Q267559
Affected Products:
- Internet Information Services 5.0
- Windows 2000 Gold
- Windows 2000 Service Pack 1
Patch: Q267559_W2K_SP2_x86_en.EXE
MS00-045 - Persistent Mail-Browser Link Vulnerability
Posted: 2000/07/20
This could allow the browser window to retrieve the text of mails subsequently displayed in the preview pane, and relay it to the malicious user.
Q261255
Affected Products:
- Internet Explorer 5.01
- Internet Explorer 5.01 Gold
- Outlook Express 5.01
- Internet Explorer 5.01 Gold
Patch: q261255.exe
Q261255
Affected Products:
- Internet Explorer 4.01
- Internet Explorer 4.01 SP2
- Outlook Express 4.01
- Internet Explorer 4.01 SP2
Patch: Q261255.exe
MS00-046 - Cache Bypass Vulnerability
Posted: 2000/07/20
If an HTML mail created an HTML file outside the cache, it would run in the Local Computer Zone when opened. This could allow it to open a file on the user's computer and send it a malicious user's web site. The vulnerability also could be used as a way of placing an executable file on the user's machine, which the malicious user would then seek to launch via some other means.
Q261255
Affected Products:
- Internet Explorer 5.01
- Internet Explorer 5.01 Gold
- Outlook Express 5.01
- Internet Explorer 5.01 Gold
Patch: q261255.exe
Q261255
Affected Products:
- Internet Explorer 4.01
- Internet Explorer 4.01 SP2
- Outlook Express 4.01
- Internet Explorer 4.01 SP2
Patch: Q261255.exe
MS00-048 - Stored Procedure Permissions Vulnerability
Posted: 2000/07/07
Execute permission checks on stored procedures may be bypassed when a stored procedure is referenced from a temporary stored procedure. This omission would allow a malicious user to run a stored procedure that, by design, he should not be able to access.
Q266766
Affected Products:
- SQL Server 7.0
- SQL Server 7.0 SP1
- SQL Server 7.0 SP2
- SQL Server Desktop Engine (MSDE) 1.0
- SQL Server 7.0 SP1
- SQL Server 7.0 SP2
Patch: s70918i.exe
MS00-051 - Excel REGISTER.ID Function Vulnerability
Posted: 2000/07/26
A vulnerability has been discovered in REGISTER.ID, a worksheet function. When REGISTER.ID is invoked from an Excel worksheet, it can reference any DLL on the system. If the referenced DLL contains malicious code, harmful effects can occur. By design, there is no warning given to the user when REGISTER.ID calls a DLL from a worksheet.
Q269252 (Excel 2000)
Affected Products:
- Excel 2000
- Office 2000 SR-1
- Office 2000 SR-1a
- Office 2000
- Office 2000 SR-1
- Office 2000 SR-1a
Patch: xl9p3pkg.exe
Q269252 (Excel 2000)
Affected Products:
- Excel 97
- Office 97 SR-2/SR-2b
- Office 97
- Office 97 SR-2/SR-2b
Patch: xl8p10pkg.exe
MS00-054 - Malformed IPX Ping Packet Vulnerability
Posted: 2000/08/03
A malicious user could launch an attack by broadcasting a single ping request - each affected machine that received the ping would respond to it, potentially resulting in a broadcast storm. In a large network, this could temporarily swamp the network's bandwidth. In addition, upon seeing its own response, each affected machine would attempt to process it, triggering a scenario that would culminate in the machine's failure.
Q265334
Affected Products:
- Windows 95
- Windows 95 Gold
- Windows 95 SR 2.1
- Windows 95 SR 2.5
Patch: 265334US5.EXE
Q265334
Affected Products:
- Windows 98
- Windows 98 Gold
- Windows 98 SP1
- Windows 98 SE
- Windows 98se Gold
Patch: 265334USA8.EXE
MS00-056 - Microsoft Office HTML Object Tag Vulnerability
Posted: 2000/08/09
Microsoft Office 2000 applications are capable of reading HTML files saved as Office documents. A malformed data object tag embedded in one of these documents could cause the Office application to crash and allow arbitrary code to be executed.
Q269880
Affected Products:
- Office 2000
- Office 2000 SR-1
- Office 2000 SR-1a
- PowerPoint 2000
- Office 2000 SR-1
- Office 2000 SR-1a
- Word 2000
- Office 2000 SR-1
- Office 2000 SR-1a
- Excel 2000
- Office 2000 SR-1
- Office 2000 SR-1a
Patch: Of9data.exe
MS00-058 - Specialized Header Vulnerability
Posted: 2000/08/14
If an IIS server receives a file request that contains a specialized header as well as one of several particular characters at the end, the expected ISAPI extension processing may not occur. The result is that the source code of the file would be sent to the browser.
Q256888
Affected Products:
- Internet Information Services 5.0
- Windows 2000 Gold
Patch: Q256888_W2K_SP1_x86_en.EXE
MS00-061 - Money Password Vulnerability
Posted: 2000/08/25
Microsoft Money provides a password protection feature that prevents unauthorized access to your Money file. However, due to the way the password is currently handled, the password may be written in plaintext under certain conditions. The vulnerability only affects Money data stored on the user's local computer - it does not affect the security of Money's online services in any way.
Q272232
Affected Products:
- Money 2000
- Money 2000 Gold
- Money 2001
- Money 2001 Gold
Patch: Update Internet Information
- On the Tools menu, click Update Internet Information.
MS00-042 - Active Setup Download Vulnerability
Posted: 2000/06/29
The flaws in downloading .cab file would allow a malicious web site operator to download a Microsoft-signed .cab file as a means of overwriting a file on the user's machine. By overwriting system files, this could allow the malicious user to render the machine unusable.
Q269368
Affected Products:
- Internet Explorer 5.5
- Internet Explorer 5.5 Gold
Patch: Q269368.Exe
Q265258
Affected Products:
- Internet Explorer 4.01
- Internet Explorer 4.01 SP2
Patch: q265258.exe
Q265258
Affected Products:
- Internet Explorer 5.01
- Internet Explorer 5.01 Gold
Patch: Q265258.exe
Q265258
Affected Products:
- Internet Explorer 5.01
- Internet Explorer 5.01 SP1
Patch: q265258.Exe
MS00-043 - Malformed E-mail Header Vulnerability
Posted: 2000/07/18
Under certain conditions, the vulnerability could allow a malicious user to cause code of his choice to execute on another user's computer.
Q261255
Affected Products:
- Internet Explorer 5.01
- Internet Explorer 5.01 Gold
- Outlook Express 5.01
- Internet Explorer 5.01 Gold
Patch: q261255.exe
Q267884
Affected Products:
- Internet Explorer 4.01
- Internet Explorer 4.01 SP2
- Outlook Express 4.01
- Internet Explorer 4.01 SP2
Patch: Q261255.exe
MS00-064 - Unicast Service Race Condition Vulnerability
Posted: 2000/09/06
If a client sends a particular type of malformed request to a Windows Media server, it could induce a race condition. Once the server has been put into such a state, subsequent requests - even ones that would normally be legitimate - could cause the Windows Media Unicast Service to fail. If this happened, any ongoing sessions would be lost, and the server would stop providing unicast streaming media services.
Q273014
Affected Products:
- Windows Media Services 4.0
- Windows Media Services 4.0 Gold
- Windows Media Services 4.1
- Windows Media Services 4.1 Gold
Patch: WMSU27678.EXE
MS00-033 - Frame Domain Verification and Unauthorized Cookie Access and Malformed Component Attribute Vulnerabilities
Posted: 2000/05/17
The "Frame Domain Verification" vulnerability, which could allow a malicious web site operator to read, but not change or add, files on the computer of a visiting user. The "Unauthorized Cookie Access" vulnerability, which could allow a malicious web site operator to access "cookies" belonging to a visiting user. The "Malformed Component Attribute" vulnerability, which could allow a malicious web site operator to run code of his choice on the computer of a visiting user.
Q269368
Affected Products:
- Internet Explorer 4.01
- Internet Explorer 4.01 SP2
Patch: q269368.exe
Q269368
Affected Products:
- Internet Explorer 5.01
- Internet Explorer 5.01 Gold
Patch: Q269368.exe
MS00-039 - SSL Certificate Validation Vulnerabilities
Posted: 2000/06/05
The vulnerabilities involve how IE handles digital certificates; under a very daunting set of circumstances, they could allow a malicious web site operator to pose as a trusted web site.
Q269368
Affected Products:
- Internet Explorer 4.01
- Internet Explorer 4.01 SP2
Patch: q269368.exe
Q269368
Affected Products:
- Internet Explorer 5.01
- Internet Explorer 5.01 Gold
Patch: Q269368.exe
MS00-041 - DTS Password Vulnerability
Posted: 2000/06/13
Data Transformation Service (DTS) packages in SQL Server 7.0 allow database administrators to create a package that will perform a particular database action at regular intervals. As part of the creation of a DTS package, the administrator provides the account name and password under which the action should be taken. However, the password can be retrieved by programmatically interrogating the package's Properties dialogue.
Q264880
Affected Products:
- SQL Server 7.0
- SQL Server 7.0 SP1
- SQL Server 7.0 SP2
Patch: s70918i.exe
MS00-049 - Office HTML Script and IE Script Vulnerabilities
Posted: 2000/07/13
A malicious web site operator to cause code of his choice to run on the computer of a visiting user.
Q268365
Affected Products:
- Excel 2000
- Office 2000 SR-1
- Office 2000 SR-1a
- PowerPoint 2000
- Office 2000 SR-1
- Office 2000 SR-1a
- Office 2000
- Office 2000 SR-1
- Office 2000 SR-1a
Patch: Addinsec.exe
Q268365 (Excel 2000)
Affected Products:
- PowerPoint 97
- PowerPoint 97 Gold
- Office 97
- Office 97 Gold
Patch: ppt97sec.EXE
Q269368
Affected Products:
- Internet Explorer 4.01
- Internet Explorer 4.01 SP2
Patch: q269368.exe
Q269368
Affected Products:
- Internet Explorer 5.01
- Internet Explorer 5.01 Gold
Patch: Q269368.exe
Q269368
Affected Products:
- Internet Explorer 5.01
- Internet Explorer 5.01 SP1
Patch: q269368.Exe
Q269368
Affected Products:
- Internet Explorer 5.5
- Internet Explorer 5.5 Gold
Patch: Q269368.Exe
MS00-050 - Telnet Server Flooding Vulnerability
Posted: 2000/07/24
The denial of service can occur when a malicious client sends a particular malformed string to the server through the Telnet service provided as part of Windows 2000 products.
Q267843
Affected Products:
- Windows 2000 Professional
- Windows 2000 Service Pack 1
- Windows 2000 Gold
- Windows 2000 Server
- Windows 2000 Service Pack 1
- Windows 2000 Gold
- Windows 2000 Advanced Server
- Windows 2000 Service Pack 1
- Windows 2000 Gold
- Windows 2000 Datacenter Server
- Windows 2000 Gold
- Windows 2000 Service Pack 1
Patch: q267843_w2k_sp2_x86_en.exe
MS00-055 - Scriptlet Rendering Vulnerability
Posted: 2000/08/09
The Scriptlet Rendering vulnerability: the ActiveX control that is used to invoked scriptlets is essentially a rendering engine for HTML. This opens the door to a scenario in which a malicious web site operator could provide bogus information consisting of script, solely for the purpose of introducing it into an IE system file with a known name, then use the Scriptlet control to render the file. The net effect would be to make the script run in the Local Computer Zone, at which point it could access files on the user?s local file system. A new variant of the Frame Domain Verification vulnerability: two functions do not enforce proper separation of frames in the same window that reside in different domains. The new variant involves an additional function with the same flaw. The net effect of the vulnerability would be to enable a malicious web site operator to open two frames, one in his domain and another on the user?s local file system, and enable the latter to pass information to the former.
Q269368
Affected Products:
- Internet Explorer 4.01
- Internet Explorer 4.01 SP2
Patch: q269368.exe
Q269368
Affected Products:
- Internet Explorer 5.01
- Internet Explorer 5.01 Gold
Patch: Q269368.exe
Q269368
Affected Products:
- Internet Explorer 5.01
- Internet Explorer 5.01 SP1
Patch: q269368.Exe
Q269368
Affected Products:
- Internet Explorer 5.5
- Internet Explorer 5.5 Gold
Patch: Q269368.Exe
MS00-034 - Office 2000 UA Control Vulnerability
Posted: 2000/05/12
An ActiveX control that ships as part of Office 2000 is incorrectly marked as "safe for scripting". This control, the Office 2000 UA Control, is used by the "Show Me" function in Office Help, and allows Office functions to be scripted. A malicious web site operator could use the control to carry out Office functions on the machine of a user who visited his site.
Q262767
Affected Products:
- Office 2000
- Office 2000 SR-1
- Office 2000 SR-1a
- PowerPoint 2000
- Office 2000 SR-1
- Office 2000 SR-1a
- Outlook 2000
- Office 2000 SR-1
- Office 2000 SR-1a
- Word 2000
- Office 2000 SR-1
- Office 2000 SR-1a
- Excel 2000
- Office 2000 SR-1
- Office 2000 SR-1a
- Photo Draw 2000 Version 2
- Photo Draw 2000 Version 2 Gold
- Photo Draw 2000 Version 1
- PictureIt 2000 Gold
- Photo Draw 2000 Version 1 Gold
- Publisher 2000
- Publisher 2000 Gold
- Project 2000
- Project 2000 Gold
- FrontPage 2000
- Front Page 2000 Gold
- Works 2000
- Works 2000 Gold
- Access 2000
- Office 2000 SR-1
- Office 2000 SR-1a
Patch: Uactlsec.exe
MS00-035 - SQL Server 7.0 Service Pack Password Vulnerability
Posted: 2000/05/30
When SQL Server 7.0 Service Packs 1 or 2 are installed on a machine that is configured to perform authentication using Mixed Mode, the password for the SQL Server standard security System Administrator (sa) account is recorded in plaintext in the files %TEMP%\sqlsp.log and %WINNT%\setup.iss. The default permissions on the files would allow any user to read them who could log onto the server interactively.
Q263968
Affected Products:
- SQL Server 7.0
- SQL Server 7.0 SP1
- SQL Server 7.0 SP2
Patch: sqlsp.exe
MS00-037 - HTML Help File Code Execution Vulnerability
Posted: 2000/06/02
The HTML Help facility provides the ability to launch code via shortcuts included in HTML Help files. If a compiled HTML Help (.chm) file were referenced by a malicious web site, it could potentially be used to launch code on a visiting user's computer without the user's approval. Such code could take any actions that the user could take, including adding, changing or deleting data, or communicating with a remote web site.
Q259166
Affected Products:
- Internet Explorer 4.01
- Internet Explorer 4.01 Gold
- Internet Explorer 4.0
- Internet Explorer 4.0 Gold
- Internet Explorer 5
- Internet Explorer 5 Gold
Patch: hhupd.exe
Q259166
Affected Products:
- Internet Explorer 5.01
- Internet Explorer 5.01 Gold
Patch: Q259166_W2K_SP1_x86_en.EXE
MS00-038 - Malformed Windows Media Encoder Request Vulnerability
Posted: 2000/05/30
This vulnerability would primarily affect streaming media providers that supply real-time broadcasts of streaming media - it would not prevent a Windows Media Server from distributing already-encoded data. The vulnerability cannot be used to cause a machine to crash, nor can it be used to usurp any administrative privileges. Simply locating the server could be a challenge, because the IP address of the Windows Media Encoder would typically not be advertised.
Q264133
Affected Products:
- Windows Media Encoder 4.0
- Windows Media Encoder 4.0 Gold
- Windows Media Encoder 4.1
- Windows Media Encoder 4.1 Gold
Patch: WMSU20935a.EXE
MS00-010 - Site Wizard Input Validation Vulnerability
Posted: 2000/02/18
Two sample web sites provided as part of Site Server 3.0, Commerce Edition do not follow security best practices; the code generated by one of the wizards is affected by the same problem. The code requests an identification number as one of the inputs, but does not validate it before using it in a database query. As a result, a malicious user could, instead of entering an appropriate input, provide SQL commands. If this were done, the SQL commands would be executed as part of the query, and could be used to create, modify, delete or read data in the database.
Q252614
Affected Products:
- Site Server 3.0, Commerce Edition
- Site Server 3.0 Gold
- Site Server 3.0 SP1
- Site Server 3.0 SP2
- Site Server 3.0 SP3
- Site Server 3.0 SP4
Patch: Q252614.zip
MS00-012 - Remote Agent Permissions Vulnerability
Posted: 2000/02/22
If a malicious user replaced the client code with code of his or her choosing, it would run automatically in a system context the next time he or she rebooted the machine and logged on.
Q249847
Affected Products:
- Systems Management Server 2.0
- Systems Management Server 2.0 Gold
- Systems Management Server 2.0 SP1
Patch: Q249847i.EXE
MS00-013 - Misordered Windows Media Services Handshake Vulnerability
Posted: 2000/02/23
The handshake sequence between a Windows Media server and a Windows Media Player is asynchronous, because certain resource requests are dependent on the successful completion of previous ones. If the client-side handshake packets are sent in a particular misordered sequence, with certain timing constraints, the server will attempt to use a resource before it has been initialized and will fail catastrophically, causing the Windows Media Unicast Service to crash.
Q253943
Affected Products:
- Windows Media Services 4.0
- Windows Media Services 4.0 Gold
- Windows Media Services 4.1
- Windows Media Services 4.1 Gold
Patch: WMSU4954_NT4.EXE
Q253943
Affected Products:
- Windows Media Services 4.1
- Windows Media Services 4.1 Gold
- Windows Media Services 4.0
- Windows Media Services 4.0 Gold
Patch: WMSU4954_Win2000.EXE
MS00-014 - SQL Query Abuse Vulnerability
Posted: 2000/03/08
The vulnerability could allow the remote author of a malicious SQL query to take unauthorized actions on a SQL Server or MSDE database or on the underlying system that was hosting the SQL Server or MSDE database.
Q256052
Affected Products:
- SQL Server 7.0
- SQL Server 7.0 SP1
- SQL Server 7.0 Gold
- SQL Server Desktop Engine (MSDE) 1.0
- SQL Server 7.0 Gold
- SQL Server 7.0 SP1
Patch: s70780i.exe
MS00-015 - Clip Art Buffer Overrun Vulnerability
Posted: 2000/03/06
One of the features of the Clip Art Gallery allows the user to download additional clips from the Microsoft Clip Gallery Live web site, and then install that clip art on their computer. To do this, Clip Art Gallery and Clip Gallery Live use a file format called the CIL format to contain the newly downloaded clips. Under certain circumstances, a very long field embedded in a clip art CIL file could cause a buffer overrun in the Clip Art Gallery software. The buffer overrun could cause the software to crash or, under certain circumstances, could cause the execution of hostile code on the computer where the Clip Art Gallery software was executing. The risk from this vulnerability results from the facts that any web site can host a CIL file and that clip art will normally be processed without prompting the user for confirmation as would be the case with an executable file format.
Q256167
Affected Products:
- Office 2000
- Office 2000 Gold
- Works 2000
- Works 2000 Gold
- PictureIt 2000
- PictureIt 2000 Gold
- Home Publishing 2000
- Home Publishing 2000 Gold
- Publisher 99
- Publisher 99 Gold
- Photo Draw 2000 Version 1
- Photo Draw 2000 Version 1 Gold
- Greetings 2000
- Greetings 2000 Gold
Patch: cilupdt.exe
MS00-016 - Malformed Media License Request Vulnerability
Posted: 2000/03/17
The vulnerability could allow a malicious user to temporarily prevent the license server from issuing further licenses to customers for protected digital content (music and video).
Q257200
Affected Products:
- Windows Media Rights Manager 1
- Windows Media Rights Manager 1 Gold
Patch: WMRMU8912_NT4.EXE
MS00-017 - DOS Device in Path Name Vulnerability
Posted: 2000/03/16
Because it is not possible to create files or folders that contain DOS device names, it would be unusual for a user to try to access one under normal circumstances. The chief threat posed by this vulnerability is that a malicious user could attempt to entice a user to attempt such an access. For instance, if a web site operator hosted a hyperlink that referenced such a path, clicking the link would result in the user?s machine crashing. Likewise, a web page or HTML mail that specified a local file as the source of rendering information could cause the user?s machine to crash when it was displayed.
Q256015
Affected Products:
- Windows 95
- Windows 95 Gold
- Windows 95 SR 2.1
- Windows 95 SR 2.5
Patch: 256015USA5.EXE
Q256015
Affected Products:
- Windows 98
- Windows 98 Gold
- Windows 98 SP1
- Windows 98 SE
- Windows 98se Gold
Patch: 256015USA8.EXE
MS00-018 - Chunked Encoding Post Vulnerability
Posted: 2000/03/20
IIS 4.0 supports chunked encoding transfers, but does not limit the size of the buffer that can be reserved. This would allow a malicious user to request an extremely large buffer for a POST or PUT operation, but never actually send data, thereby blocking memory on the server that had been allocated to the session. If sufficient memory on the server were blocked in this fashion, it could prevent the server from performing useful work.
Q252693
Affected Products:
- Internet Information Server 4.0
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
Patch: chkenc4i.exe
Posted: 2000/03/30
Under certain fairly unusual conditions, the vulnerability could cause a web server to send the source code of .ASP and other files to a visiting user.
Q249599
Affected Products:
- Internet Information Server 4.0
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
Patch: uncsec4i.exe
Q249599
Affected Products:
- Internet Information Services 5.0
- Windows 2000 Gold
Patch: Q249599_W2K_SP1_X86_en.EXE
MS00-022 - XLM Text Macro Vulnerability
Posted: 2000/04/03
When an Excel user starts a macro that resides outside of the current spreadsheet (for example, in another spreadsheet), Excel by design will generate a warning dialogue. However, this dialogue is not generated if the macro consists of Excel 4.0 Macro Language (XLM) commands in an external text file.
Q255605
Affected Products:
- Excel 97
- Office 97 SR-2/SR-2b
- Office 97
- Office 97 SR-2/SR-2b
Patch: xl8p9pkg.exe
MS00-023 - Myriad Escaped Characters Vulnerability
Posted: 2000/04/12
Special characters can be embedded in URLs by use of so-called escaped character sequences. By providing a specially-malformed URL with an extremely large number of escaped characters, a malicious user could arbitrarily increase the work factor associated with parsing the escaped characters, thereby consuming much or all of the CPU availability on the server and preventing useful work from being done.
Q254142
Affected Products:
- Internet Information Server 4.0
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
Patch: escseq4i.exe
Q254142
Affected Products:
- Internet Information Services 5.0
- Windows 2000 Gold
Patch: Q254142_W2K_SP1_x86_en.EXE
MS00-024 - OffloadModExpo Registry Permissions Vulnerability
Posted: 2000/04/12
This vulnerability involves a registry key used by the CryptoAPI Base CSPs to specify the driver DLL for a hardware accelerator. By design, such a DLL would have access to users' public and private keys. Although only administrators should have permission to add such a DLL, the permissions on the key actually would allow any user who could interactively log onto the machine to do so. By writing a bogus DLL and installing it, a malicious user could compromise the keys of other users who subsequently used the machine.
Q259496
Affected Products:
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
- Windows NT Server 4.0
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 4
- Windows NT Server 4.0, Terminal Server Edition
- Windows NT4 Terminal Server Service Pack 6
Patch: Q259496i.exe
MS00-025 - Link View Server-Side Component Vulnerability
Posted: 2000/04/14
Dvwssr.dll is a server-side component used to support the Link View feature in Visual Interdev 1.0. However, it contains an unchecked buffer. If overrun with random data, it could be used to cause an affected server to crash, or could allow arbitrary code to run on the server in a System context.
Q259799
Affected Products:
- FrontPage 98 Server Extensions
- FrontPage 98 Server Extensions Gold
- Internet Information Server 4.0
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
- Personal Web Server 4.0
- Personal Web Server 4.0 Gold
Patch: Q259799
MS00-028 - Server-Side Image Map Components Vulnerability
Posted: 2000/04/21
The vulnerability could potentially allow a malicious web site visitor to perform actions that the system permissions authorize him to perform, but which he previously may have had no means of actually carrying out.
Q260267
Affected Products:
- FrontPage 97 Server Extensions
- FrontPage 97 Server Extensions Gold
- FrontPage 98 Server Extensions
- FrontPage 98 Server Extensions Gold
- Internet Information Server 4.0
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
- Personal Web Server 4.0
- Personal Web Server 4.0 Gold
Patch: Q260267
MS00-030 - Malformed Extension Data in URL Vulnerability
Posted: 2000/05/11
In compliance with RFC 2396, the algorithm in IIS that processes URLs has flexibility built in to allow it to process any arbitrary sequence of file extensions or subresource identifiers (referred to in the RFC as path_segments). By providing an URL that contains specially-malformed file extension information, a malicious user could misuse this flexibility in order to arbitrarily increase the work factor associated with parsing the URL. This could consume much or all of the CPU availability on the server and prevent useful work from being done.
Q260205
Affected Products:
- Internet Information Server 4.0
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
Patch: myrdot4i.exe
Q260205
Affected Products:
- Internet Information Services 5.0
- Windows 2000 Gold
Patch: Q260205_W2K_SP1_x86_en.EXE
MS00-031 - Undelimited .HTR Request and File Fragment Reading via .HTR Vulnerabilities
Posted: 2000/05/10
The vulnerabilities could, respectively, be used to slow an affected web server's response or to obtain the source code of certain types of files under very restricted conditions.
Q267559
Affected Products:
- Internet Information Services 5.0
- Windows 2000 Gold
Patch: q267559_w2k_sp2_x86_en.exe
Q260838
Affected Products:
- Internet Information Server 4.0
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
Patch: ismpst4i.exe
MS99-053 - Windows Multithreaded SSL ISAPI Filter Vulnerability
Posted: 1999/12/02
The SSL ISAPI filter provided as part of IIS supports concurrent use. When used in this mode, a synchronization problem could induce a race condition and cause a single buffer of plaintext to be leaked. The conditions under which this could happen are very rare, and could only occur when a single user's session was multi-threaded and traffic volumes were extremely high.
Q244613
Affected Products:
- Internet Information Server 4.0
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 4
Patch: sslune4i.exe
MS99-054 - WPAD Spoofing Vulnerability
Posted: 1999/12/01
The IE 5 Web Proxy Auto-Discovery (WPAD) feature enables web clients to automatically detect proxy settings without user intervention. The algorithm used by WPAD prepends the hostname "wpad" to the fully-qualified domain name and progressively removes subdomains until it either finds a WPAD server answering the domain name or reaches the third-level domain. For instance, web clients in the domain a.b.microsoft.com would query wpad.a.b.microsoft, wpad.b.microsoft.com, then wpad.microsoft.com. A vulnerability arises because in international usage, the third-level domain may not be trusted. A malicious user could set up a WPAD server and serve proxy configuration commands of his or her choice.
Q247333
Affected Products:
- Internet Explorer 5
- Internet Explorer 5 Gold
Patch: Q247333
MS99-058 - Virtual Directory Naming Vulnerability
Posted: 1999/12/21
This vulnerability would be most likely to occur due to administrator error, or if a product generated an affected virtual directory name by default. (Front Page Server Extensions is one such product). Recommended security practices militate against including sensitive information in .ASP and other files that require server-side processing, and if this recommendation is observed, there would be no sensitive information divulged even if this vulnerability occurred. In any event, an affected virtual directory could be identified during routine testing of the server.
Q238606
Affected Products:
- Internet Information Server 4.0
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 4
Patch: vrdcon4i.exe
MS99-059 - Malformed TDS Packet Header Vulnerability
Posted: 1999/12/20
If a specially-malformed TDS packet is sent to a SQL server, it can cause the server to crash. This vulnerability could only be remotely exploited if port 1433 were open at the firewall.
Q248749
Affected Products:
- SQL Server 7.0
- SQL Server 7.0 SP1
Patch: S70761i.exe
MS99-060 - HTML Mail Attachment Vulnerability
Posted: 1999/12/22
It eliminates a security vulnerability in the Microsoft® Outlook Express mail client for Macintosh systems. The vulnerability could allow attachments to HTML mails to be automatically downloaded onto the user's computer. It provides replacements for several digital certificates that are included in Internet Explorer for Macintosh, and will expire on December 31, 1999.
Q249082
Affected Products:
- Outlook Express 5 for Macintosh
- Outlook Express 5 for Macintosh Gold
- Internet Explorer 4.5 for Macintosh
- Internet Explorer 4.5 for Macintosh Gold
Patch: MacFiles
MS99-061 - Escape Character Parsing Vulnerability
Posted: 1999/12/21
RFC 1738 specifies that web servers must allow hexadecimal digits to be input in URLs by preceding them with the so-called "escape" character, a percent sign. IIS complies with this specification, but also accepts characters after the percent sign that are not hexadecimal digits. Some of these translate to printable ASCII characters, and this could provide an alternate means of specifying files in URLs.
Q246401
Affected Products:
- Internet Information Server 4.0
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
Patch: unschx4i.exe
MS99-052 - Legacy Credential Caching Vulnerability
Posted: 1999/11/29
Windows for Workgroups provided a RAM-based caching mechanism that cached the user's plaintext network credentials for use by real-mode command-line networking utilities. Part of this mechanism was carried forward into the Windows 95 and 98 designs, even though it is not used by either. A malicious user could query this mechanism to obtain the network credentials of the last person to use the machine for network access, as long as they had physical access to the machine and it had not been rebooted since the last networking session.
Q168115
Affected Products:
- Windows 95
- Windows 95 Gold
- Windows 95 SR 2.1
- Windows 95 SR 2.5
Patch: 168115us5.exe
Q168115
Affected Products:
- Windows 98
- Windows 98 Gold
Patch: 168115us8.exe
MS99-051 - IE Task Scheduler Vulnerability
Posted: 1999/11/29
The IE 5 Task Scheduler controls who can create and submit "AT jobs." The utility that is used to create AT jobs can only be run by an administrator, and the Task Scheduler will only execute AT jobs that are owned by administrators. However, if a malicious user had change access to an existing file owned by an administrator (it would not need to be an AT job), he or she could modify it to be a valid AT job and place in the appropriate folder for execution. This would bypass the control mechanism and allow the job to be executed.
Q246972
Affected Products:
- Internet Explorer 5
- Internet Explorer 5 Gold
Patch: q246972
MS99-049 - File Access URL Vulnerability
Posted: 1999/11/12
There is a buffer overflow in the Windows 95 and Windows 98 networking software that processes file name strings. If the networking software were provided with a very long random string as input, it could crash the machine. If provided with a specially-malformed argument, it could be used to run arbitrary code on the machine via a classic buffer overrun attack. The vulnerability could be exploited remotely in cases where a file:// URL or a Universal Naming Convention (UNC) string on a remote web site included a long file name or where a long file name was included in an e-mail message.
Q245729
Affected Products:
- Windows 95
- Windows 95 Gold
- Windows 95 SR 2.1
- Windows 95 SR 2.5
Patch: 245729us5.exe
Q245729
Affected Products:
- Windows 98
- Windows 98 Gold
- Windows 98 SP1
Patch: 245729us8.exe
MS99-048 - Active Setup Control Vulnerability
Posted: 1999/11/11
A particular ActiveX control allows cabinet files to be launched and executed. This could allow an HTML mail to contain a malicious cabinet file, disguised as a file of an innocuous type. If a user attempted to open this file, the operation would fail but could, depending on the mail package, leave a copy of the file in a known location. The ActiveX control could then be used via a script embedded in the mail to launch the copy, thereby executing the malicious code.
Q244540
Affected Products:
- Internet Explorer 4.01
- Internet Explorer 4.01 SP2
Patch: q244540.exe
Q244540
Affected Products:
- Internet Explorer 5
- Internet Explorer 5 Gold
Patch: Q244540.exe
MS99-044 - Excel SYLK Vulnerability
Posted: 1999/10/20
The primary vulnerability addressed by this patch is the "Excel SYLK" vulnerability. Symbolic Link (SYLK) files can contain macros; if such a file were opened in Excel 97 or 2000, the macro would run without asking for the user's permission. These macros could take any action on the computer that the user could take.
Q241900 (XL97)
Affected Products:
- Excel 97
- Office 97 SR-2/SR-2b
- Office 97
- Office 97 SR-2/SR-2b
Patch: xl8p9pkg.exe
Q241900 (XL97)
Affected Products:
- Excel 2000
- Office 2000 Gold
- Office 2000
- Office 2000 Gold
Patch: xl9p2pkg.exe
MS99-043 - Javascript Redirect Vulnerability
Posted: 1999/10/18
Client-local data that is displayed in the browser window can be made available to the server by using a redirect to a Javascript applet running in the same window. This in effect bypasses cross-domain security and makes the data available to the applet, which could then send the data to a hostile server. This could allow a malicious web site operator to read the contents of files on visiting users' computers, if he or she knew the name of the file and the folder in which it resided. The vulnerability would not allow the malicious user to list the contents of folders, create, modify or delete files, or to usurp any administrative control over the machine.
Q244356 (IE 4.01)
Affected Products:
- Internet Explorer 4.01
- Internet Explorer 4.01 SP2
Patch: q244356.exe
Q244356 (IE 4.01)
Affected Products:
- Internet Explorer 5
- Internet Explorer 5 Gold
Patch: q244357.exe
MS99-042 - IFRAME ExecCommand Vulnerability
Posted: 1999/10/11
The Internet Explorer security model normally restricts the Document.ExecCommand() method to prevent it from taking inappropriate action on a user's computer. However, at least one of these restrictions is not present if the method is invoked on an IFRAME. This could allow a malicious web site operator to read the contents of files on visiting users' computers, if he or she knew the name of the file and the folder in which it resided. The vulnerability would not allow the malicious user to list the contents of folders, create, modify or delete files, or to usurp any administrative control over the machine.
Q243638
Affected Products:
- Internet Explorer 5
- Internet Explorer 5 Gold
Patch: q243638.exe
MS99-040 - Download Behavior Vulnerability
Posted: 1999/09/28
IE 5 includes a feature called "download behavior" that allows web page authors to download files for use in client-side script. By design, a web site should only be able to download files that reside in its domain; this prevents client-side code from exposing files on the user's machine or local intranet to the web site. However, a server-side redirect can be used to bypass this restriction, thereby enabling a malicious web site operator to read files on the user's machine or the user's local intranet. This vulnerability would chiefly affect workstations that are connected to the Internet.
Q242542
Affected Products:
- Internet Explorer 5
- Internet Explorer 5 Gold
Patch: q243638.exe
MS99-037 - ImportExportFavorites Vulnerability
Posted: 1999/09/10
IE 5 includes a feature that allows users to export a list of their favorite web sites to a file, or to import a file containing a list of favorite sites. The method that is used to perform this function, ImportExportFavorites(), should only allow particular types of files to be written, and only to specific locations on the drive. However, it is possible for a web site to invoke this method, bypass this restriction and write files that could be used to execute system commands. The net result is that a malicious web site operator potentially could take any action on the computer that the user would be capable of taking.
Q241361
Affected Products:
- Internet Explorer 5
- Internet Explorer 5 Gold
Patch: q241361.exe
Q241361
Affected Products:
- Internet Explorer 4.01
- Internet Explorer 4.01 SP2
Patch: Q241361.exe
MS99-035 - Set Cookie Header Caching Vulnerability
Posted: 1999/09/10
When certain versions of Site Server or MCIS send a web page that contains a Set Cookie Header, they do not flag the page with an expiration header. As a result, such pages may be cached by a web proxy. Multiple customers accessing the same site via a web proxy might be served the same page, containing the same Set Cookie Header. If the cookie information includes a GUID that is used as an index for the server's database, one customer's personal data might be viewable by the others.
Q238647
Affected Products:
- Site Server 3.0
- Site Server 3.0 Gold
- Site Server 3.0 SP1
- Site Server 3.0 SP2
- Site Server 3.0, Commerce Edition
- Site Server 3.0 Gold
- Site Server 3.0 SP1
- Site Server 3.0 SP2
- Microsoft Commercial Internet System 2.0
- Microsoft Commercial Internet System 2.0 Gold
- Microsoft Commercial Internet System 2.5
- Microsoft Commercial Internet System 2.5 Gold
Patch: q238647x86eng.exe
MS99-033 - Malformed Telnet Argument Vulnerability
Posted: 1999/09/09
The Telnet client that ships as part of Windows 95 and 98 has an unchecked buffer. A specially-malformed argument could be passed to the client via a web page in order to cause arbitrary code to execute on the computer via a classic buffer overrun technique.
Affected Products:
- Windows 95
- Windows 95 Gold
- Windows 95 SR 2.1
- Windows 95 SR 2.5
Patch: telnet95.exe
Affected Products:
- Windows 98
- Windows 98 Gold
- Windows 98 SP1
- Windows 98 SE
- Windows 98se Gold
Patch: TelnetUp.EXE
MS99-032 - scriptlet.typelib/Eyedog Vulnerability
Posted: 1999/08/31
scriptlet.typelib is a control used by developers to generate Type Libraries for Windows Script Components. It is marked as "safe for scripting", but should not be because it allows local files to be created or modified. The patch removes the "safe for scripting" marking, thereby causing IE to request confirmation from the user before loading the control. Eyedog is a control used by diagnostic software in Windows. It is marked as "safe for scripting", but should not be because it allows registry information to be queried and machine characteristics to be gathered. In addition, one of the control's methods is vulnerable to a buffer overrun attack. The patch sets the so-called "kill bit", which prevents it from loading within IE.
Q240308
Affected Products:
- Internet Explorer 4.01
- Internet Explorer 4.01 SP2
- Internet Explorer 4.01 Gold
- Internet Explorer 4.01 SP1
- Internet Explorer 4.0
- Internet Explorer 4.0 Gold
- Internet Explorer 5
- Internet Explorer 5 Gold
- Outlook Express 4.01
- Internet Explorer 4.01 Gold
- Internet Explorer 4.01 SP1
- Internet Explorer 4.01 SP2
Patch: q240308.exe
MS99-030 - Office ODBC Vulnerabilities
Posted: 1999/08/20
The "VBA Shell" vulnerability, which affects all versions of Jet except Jet 4.0. An operating system command embedded within a database query could be executed when the query is processed. This would allow a spreadsheet, database, or other application file that contained such a query to take virtually any action on the user's computer when the query was executed. The "Text I-ISAM" vulnerability, which affects all versions of Jet. Jet provides a way to modify the contents of text files, as a way of allowing data exchange between it and other systems. However, a malicious user could use this capability to modify system files via a database query. The original patch for this vulnerability allowed "drop table" operations to be used, which could allow files on the user's computer to be deleted; the new patch eliminates this variant.
Q239114
Affected Products:
- Office 95
- Office 95 Gold
Patch: Jet30Pkg.exe
Q239114
Affected Products:
- Office 97
- Office 97 Gold
- Office 97 SR-1
- Office 97 SR-2/SR-2b
Patch: jetCopkg.exe
Q239114
Affected Products:
- Office 2000
- Office 2000 Gold
- Office 2000 SR-1
- Office 2000 SR-1a
Patch: JetcoPkg.exe
MS99-022 - Double Byte Code Page Vulnerability
Posted: 1999/06/24
When IIS is run on a machine on which a double-byte character set code page is used (i.e., the default language on the server is set to Chinese, Japanese, or Korean), and a specific URL construction is used to request a file in a virtual directory, normal server-side processing is bypassed. As a result, the file is simply delivered as text to the browser, thereby allowing the source code to be viewed.
Q233335
Affected Products:
- Internet Information Server 3.0
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
Patch: fesrc3i.exe
Q233335
Affected Products:
- Internet Information Server 4.0
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 3
Patch: fesrc4i.exe
MS99-019 - Malformed HTR Request Vulnerability
Posted: 1999/06/15
The vulnerability involves an unchecked buffer in the filter DLLs for these file types. This poses two threats to safe operation. The first is a denial of service threat. A malformed request for an .HTR, .STM or .IDC file could overflow the buffer, causing IIS to crash. The server would not need to be rebooted, but IIS would need to be rebooted in order to resume service. The second threat is that a carefully-constructed file request could cause arbitrary code to execute on the server via a classic buffer overrun technique. Neither attack could occur accidentally. The vulnerability is present regardless of whether .HTR, .STM or .IDC files are present on the server.
Q234905
Affected Products:
- Internet Information Server 4.0
- Windows NT4 Service Pack 3
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
Patch: extfixi.exe
MS99-018 - Malformed Favorites Icon Vulnerability
Posted: 1999/05/27
The "Malformed Favorites Icon" vulnerability. The Favorites feature allows IE users to keep a list of their favorite web sites. In IE 5, the Favorites list can contain icons that are supplied by the associated web sites. However, there is an unchecked buffer in the implementation. A specially-malformed icon could overrun the buffer and be used to run arbitrary code on the user's computer. This vulnerability only affects IE 5 when run on Windows 95 or 98; it does not affect Windows NT systems. The "Legacy ActiveX Control" vulnerability. An ActiveX control that was used by previous versions of IE also was included in IE 4.0 and IE 5 even though it is not used by either. It could be misused to allow a web site to read the user's local hard drive. The update eliminates the vulnerability by removing the control.
Q231450
Affected Products:
- Internet Explorer 5
- Internet Explorer 5 Gold
Patch: Q241361.exe
Q231450
Affected Products:
- Internet Explorer 4.0
- Internet Explorer 4.0 Gold
- Internet Explorer 4.01
- Internet Explorer 4.01 Gold
- Internet Explorer 4.01 SP1
- Internet Explorer 4.01 SP2
Patch: q241361.exe
MS99-014 - Excel 97 Virus Warning Vulnerabilities
Posted: 1999/05/07
Microsoft Excel 97 provides a feature that warns the user before launching an external file that could potentially contain a virus or other malicious software. However, certain scenarios have been identified that could be misused to bypass the warning mechanism. In general, they require the use of infrequently-combined features and commands, and are unlikely to be encountered in normal use.
Q231304
Affected Products:
- Office 97
- Office 97 SR-2/SR-2b
- Excel 97
- Office 97 SR-2/SR-2b
Patch: Xl8p9pkg.exe
MS99-012 - MSHTML Update Available for Internet Explorer
Posted: 1999/04/21
The first vulnerability is a new variant of a previously-identified cross-frame security vulnerability. A particular malformed URL could be used to execute scripts in the security context of a different domain. This could allow a malicious web site operator to execute a script on the web site, and gain privileges on visiting users' machines that are normally granted only to their trusted sites. The second vulnerability affects only Internet Explorer 5.0, and is a new variant of a previously-identified untrusted scripted paste vulnerability. The vulnerability would allow a script to paste a filename into the file upload intrinsic control. This should only be possible by explicit user action. Once the filename has been pasted into the control, a subsequent form submission could send the file to a remote web site. If the user has disabled the default warning that is displayed when submitting unencrypted forms, the file would be sent without any warning to the user. The third vulnerability is a privacy issue involving the processing of the "IMG SRC" tag in HTML files. This tag identifies and loads image sources - image files that are to be displayed as part of a web page. The vulnerability results because the tag can be used to point to files of any type, rather than only image files, after which point the document object model methods can be used to determine information about them. A malicious web site operator could use this vulnerability to determine the size and MIME type of files on the computer of a visiting user.
Q226326
Affected Products:
- Internet Explorer 5
- Internet Explorer 5 Gold
Patch: mshtml5.exe
Q226326
Affected Products:
- Internet Explorer 4.01
- Internet Explorer 4.01 SP1
- Internet Explorer 4.01 SP2
Patch: mshtml4.exe
MS99-011 - DHTML Edit Vulnerability
Posted: 1999/04/21
The root cause of the vulnerability lies in the fact that a web site that hosts the "safe for scripting" version of the control is able to upload any data entered into the control. A malicious web site operator could trick a user into entering sensitive data into a DHTML Edit control hosted on a web page from the operator's site, and then upload the data. In addition, if the malicious web site operator knows the name of a file on the user's local drive, it is possible for the operator to programmatically load the file into the control and then upload it.
Q226326
Affected Products:
- Internet Explorer 4.0
- Internet Explorer 4.0 Gold
- Internet Explorer 5
- Internet Explorer 5 Gold
Patch: DHTMLED5.EXE
MS01-012 - Outlook - Outlook Express VCard Handler Contains Unchecked Buffer
Posted: 2001/02/22
Outlook Express provides several components that are used both by it and, if installed on the machine, Outlook. One such component, used to process vCards, contains an unchecked buffer. By creating a vCard and editing it to contain specially chosen data, then sending it to another user, an attacker could cause either of two effects to occur if the recipient opened it. In the less serious case, the attacker could cause the mail client to fail. If this happened, the recipient could resume normal operation by restarting the mail client and deleting the offending mail. In the more serious case, the attacker could cause the mail client to run code of her choice on the user?s machine. Such code could take any desired action, limited only by the permissions of the recipient on the machine.
Q283908
Affected Products:
- Internet Explorer 5.5
- Internet Explorer 5.5 SP1
- Outlook Express 5.5
- Internet Explorer 5.5 SP1
Patch: q283908.exe
Q283908
Affected Products:
- Internet Explorer 5.01
- Internet Explorer 5.01 SP1
- Outlook Express 5.01
- Internet Explorer 5.01 SP1
Patch: Q283908.exe
MS01-013 - Windows 2000 Event Viewer Contains Unchecked Buffer
Posted: 2001/02/26
This is a buffer overrun vulnerability. By entering a specially malformed record into a machine?s event log, an attacker could cause either of two effects to occur when the record was subsequently opened. In the least serious case, he could cause the event viewer to fail. In the more serious case, he could cause the event viewer?s functionality to be modified while running, in order to perform a task of his choosing on the other user?s machine.
Q285156
Affected Products:
- Windows 2000 Professional
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
- Windows 2000 Server
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
- Windows 2000 Advanced Server
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
- Windows 2000 Datacenter Server
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
Patch: Q285156_W2K_SP3_x86_en.EXE
MS01-014 - Malformed URL Can Cause Service Failure in IIS 5.0 and Exchange 2000
Posted: 2001/03/01
This is a denial of service vulnerability. It could enable an attacker to temporarily disrupt service on an affected web, or to temporarily disrupt web-based access to an affected mail server. Although the server in either case would automatically resume normal operation, any sessions in progress at the time of the attack would be lost. The vulnerability does not provide any opportunity for the attacker to usurp administrative control over the server, or to add, change or delete data on it.
Q286818
Affected Products:
- Internet Information Services 5.0
- Windows 2000 Service Pack 1
- Windows 2000 Gold
Patch: Q286818_W2K_SP3_x86_en.EXE
Q287678
Affected Products:
- Exchange 2000 Enterprise Server
- Exchange 2000 Gold
- Exchange 2000 Server
- Exchange 2000 Gold
Patch: Q287678engi386.EXE
MS01-015 - IE Can Divulge Location of Cached Content
Posted: 2001/03/06
The IE security architecture provides a caching mechanism that is used to store content that needs to be downloaded and processed on the user's local machine. The purpose of the cache is to obfuscate the physical location of the cached content, in order to ensure that the web page or HTML e-mail will work through the IE security architecture to access the information. This ensures that the uses of the information can be properly restricted. A vulnerability exists because it is possible for a web page or HTML e-mail to learn the physical location of cached content. Armed with this information, an attacker could cause the cached content to be opened in the Local Computer Zone. This would enable him to launch compiled HTML help (.CHM) files that contain shortcuts to executables, thereby enabling him to run the executables.
Q279328
Affected Products:
- Internet Explorer 5.01
- Internet Explorer 5.01 SP1
Patch: q279328.exe
Q286045
Affected Products:
- Internet Explorer 5.5
- Internet Explorer 5.5 SP1
Patch: q286045.exe
Q286043
Affected Products:
- Internet Explorer 5.01
- Internet Explorer 5.01 SP1
- Internet Explorer 5.5
- Internet Explorer 5.5 SP1
Patch: q286043.exe
Q279328
Affected Products:
- Windows Script 5.1
- Windows 2000 Gold
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
Patch: scripten.exe
Q279328
Affected Products:
- Windows Script 5.1
- Windows 95 SR 2.5
- Windows 95 SR 2.1
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
- Windows 98 Gold
- Windows 98 SP1
Patch: ste51en.exe
Q279328
Affected Products:
- Windows Script 5.5
- Windows 2000 Gold
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
Patch: Scripten.exe
Q279328
Affected Products:
- Windows Script 5.5
- Windows 95 SR 2.1
- Windows 95 SR 2.5
- Windows 98 Gold
- Windows 98 SP1
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
Patch: Scr55en.exe
MS01-016 - Malformed WebDAV Request Can Cause IIS to Exhaust CPU Resources
Posted: 2001/03/08
WebDAV is an extension to the HTTP protocol that allows remote authoring and management of web content. In the Windows 2000 implementation of the protocol, IIS 5.0 performs initial processing of all WebDAV requests, then forwards the appropriate commands to the WebDAV process. However, a flaw exists in the way WebDAV handles a particular type of malformed request. If a stream of such requests were directed at an affected server, it would consume all CPU availability on the server.
Q291845
Affected Products:
- Internet Information Services 5.0
- Windows 2000 Gold
- Windows 2000 Service Pack 1
Patch: Q291845_W2K_SP2_x86_en.EXE
MS01-017 - Erroneous VeriSign-Issued Digital Certificates Pose Spoofing Hazard
Posted: 2001/03/22
VeriSign, Inc., recently advised Microsoft that on January 29 and 30, 2001, it issued two VeriSign Class 3 code-signing digital certificates to an individual who fraudulently claimed to be a Microsoft employee. The common name assigned to both certificates is ?Microsoft Corporation?. The ability to sign executable content using keys that purport to belong to Microsoft would clearly be advantageous to an attacker who wished to convince users to allow the content to run. The certificates could be used to sign programs, ActiveX controls, Office macros, and other executable content. Of these, signed ActiveX controls and Office macros would pose the greatest risk, because the attack scenarios involving them would be the most straightforward. Both ActiveX controls and Word documents can be delivered via either web pages or HTML mails. ActiveX controls can be automatically invoked via script, and Word documents can be automatically opened via script unless the user has applied the Office Document Open Confirmation Tool. However, even though the certificates say they are owned by Microsoft, they are not bona fide Microsoft certificates, and content signed by them would not be trusted by default. Trust is defined on a certificate-by-certificate basis, rather than on the basis of the common name. As a result, a warning dialogue would be displayed before any of the signed content could be executed, even if the user had previously agreed to trust other certificates with the common name ?Microsoft Corporation?. The danger, of course, is that even a security-conscious user might agree to let the content execute, and might agree to always trust the bogus certificates. VeriSign has revoked the certificates, and they are listed in VeriSign?s current Certificate Revocation List (CRL). However, because VeriSign?s code-signing certificates do not specify a CRL Distribution Point (CDP), it is not possible for any browser?s CRL-checking mechanism to download the VeriSign CRL and use it. Microsoft is developing an update that rectifies this problem. The update package includes a CRL containing the two certificates, and an installable revocation handler that consults the CRL on the local machine, rather than attempting to use the CDP mechanism.
Q293818
Affected Products:
- Windows 95
- Windows 95 Gold
- Windows 95 SR 2.1
- Windows 95 SR 2.5
- Windows 98
- Windows 98 Gold
- Windows 98 SP1
- Windows 98 SE
- Windows 98se Gold
- Windows Me
- Windows Me Gold
Patch: Crlupd.exe
Q293818
Affected Products:
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 3
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
- Windows NT Server 4.0
- Windows NT4 Service Pack 3
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 3
- Windows NT4 Service Pack 4
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
- Windows 2000 Professional
- Windows 2000 Gold
- Windows 2000 Service Pack 1
- Windows 2000 Server
- Windows 2000 Gold
- Windows 2000 Service Pack 1
- Windows 2000 Advanced Server
- Windows 2000 Gold
- Windows 2000 Service Pack 1
- Windows 2000 Datacenter Server
- Windows 2000 Gold
- Windows 2000 Service Pack 1
- Windows NT Server 4.0, Terminal Server Edition
- Windows NT4 Terminal Server Service Pack 4
- Windows NT4 Terminal Server Service Pack 5
- Windows NT4 Terminal Server Service Pack 6
Patch: crlupd.exe
MS01-018 - Visual Studio VB-TSQL Object Contains Unchecked Buffer
Posted: 2001/03/27
The VB-TSQL debugger object that ships with Visual Studio 6.0 Enterprise Edition has an unchecked buffer in the code that processes parameters for one of the object?s methods. The object can, by design, be programmatically accessed remotely. If the object were to be referenced by a program that contained specially malformed data within the parameter, either of two outcomes would result. In the less serious case, the attacker could cause the object to fail on the hosting machine. In the more serious case, the attacker could exploit the buffer overrun to run code of the attacker's choice on the hosting machine. The debugger object (vbsdicli.exe) is installed by default with Visual Studio 6.0 Enterprise Edition and runs in the context of the interactively logged-on user. The attacker could only execute a successful attack if he knew that a user had the component installed and that the user was logged in at the time of the attack.
Q281297
Affected Products:
- Visual Studio 6.0
- Visual Studio 6.0 SP 5
- Visual Basic 6.0
- Visual Basic 6.0 Gold
Patch: Q281297.EXE
MS01-019 - Passwords for Compressed Folders are Recoverable
Posted: 2001/03/28
Plus! 98, an optional package that extends Windows 98 and Windows 98 Second Edition, introduced a data compression feature called Compressed Folders that was also included in Windows Me. For interoperability with leading third-party compression tools, it provides a password protection option for folders that have been compressed. However, due to a flaw in the package?s implementation, the passwords used to protect the folders are recorded in a file on the user?s system. If an attacker gained access to an affected machine on which password-protected folders were stored, she could learn the passwords and access the files. It is important to understand that, although this flaw does constitute a security vulnerability, the password protection feature is not intended to provide strong security. It was included in the products to enable interoperability with password-protection features in other third-party data compression products, and is only intended to provide protection against casual inspection. Customers who need strong protection for files should use Windows® 2000. The patch will prevent passwords from being written to the user?s system in the future. However, as discussed in the FAQ, after applying the patch, it is important to also delete c:\windows\dynazip.log, in order to ensure that all previously-recorded passwords are deleted.
Q252694
Affected Products:
- Windows 98
- Windows 98 Gold
- Windows 98 SP1
- Windows 98 SE
- Windows 98se Gold
Patch: 252694usa8.exe
Q252694
Affected Products:
- Windows Me
- Windows Me Gold
Patch: 252694usam.exe
MS01-020 - Incorrect MIME Header Can Cause IE to Execute E-mail Attachment
Posted: 2001/03/29
Because HTML e-mails are simply web pages, IE can render them and open binary attachments in a way that is appropriate to their MIME types. However, a flaw exists in the type of processing that is specified for certain unusual MIME types. If an attacker created an HTML e-mail containing an executable attachment, then modified the MIME header information to specify that the attachment was one of the unusual MIME types that IE handles incorrectly, IE would launch the attachment automatically when it rendered the e-mail. An attacker could use this vulnerability in either of two scenarios. She could host an affected HTML e-mail on a web site and try to persuade another user to visit it, at which point script on a web page could open the mail and initiate the executable. Alternatively, she could send the HTML mail directly to the user. In either case, the executable attachment, if it ran, would be limited only by user?s permissions on the system.
Q290108
Affected Products:
- Internet Explorer 5.5
- Internet Explorer 5.5 SP1
Patch: Q290108.exe
Q290108
Affected Products:
- Internet Explorer 5.01
- Internet Explorer 5.01 SP1
Patch: q290108.exe
MS01-021 - Web Request Can Cause Access Violation in ISA Server Web Proxy Service
Posted: 2001/04/16
The ISA Server Web Proxy service does not correctly handle web requests that contain a particular type of malformed argument. Processing such a request would result in an access violation, which would cause the Web Proxy service to fail. This would disrupt all ingoing and outgoing web proxy requests until the service was restarted.
Q295279
Affected Products:
- ISA Server 2000
- ISA Server 2000 Gold
Patch: isahf63.exe
MS01-022 - WebDAV Service Provider Can Allow Scripts to Levy Requests as User
Posted: 2001/04/18
The Microsoft Data Access Component Internet Publishing Provider provides access to WebDAV resources over the Internet. By design, it should differentiate between requests made by a user and those made by a script running in the user?s browser. However, because of an implementation flaw, it handles all requests in the security context of the user. As a result, if a user browsed to a web page or opened an HTML e-mail that contained script, that script could access web-based resources as the user. The specific actions an attacker could take via this vulnerability would depend on the Web-based resources available to the user, and the user?s privileges on them. However, it is likely that at a minimum, the attacker could browse the user?s intranet, and potentially access web-based e-mail as well.
Q296441
Affected Products:
- Windows 95
- Windows 95 Gold
- Windows 95 SR 2.1
- Windows 95 SR 2.5
- Windows 98
- Windows 98 Gold
- Windows 98 SP1
- Windows 98 SE
- Windows 98se Gold
- Windows Me
- Windows Me Gold
Patch: rbupdate.exe
Q296441
Affected Products:
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 6a
- Windows NT Server 4.0
- Windows NT4 Service Pack 6a
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 6a
- Windows 2000 Professional
- Windows 2000 Gold
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
- Windows 2000 Server
- Windows 2000 Gold
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
- Windows 2000 Advanced Server
- Windows 2000 Gold
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
- Windows 2000 Datacenter Server
- Windows 2000 Gold
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
- Windows NT Server 4.0, Terminal Server Edition
- Windows NT4 Terminal Server Service Pack 6
Patch: Rbupdate.exe
MS01-023 - Unchecked Buffer in ISAPI Extension Could Enable Compromise of IIS 5.0 Server
Posted: 2001/05/01
Windows 2000 introduced native support for the Internet Printing Protocol (IPP), an industry-standard protocol for submitting and controlling print jobs over HTTP. The protocol is implemented in Windows 2000 via an ISAPI extension that is installed by default as part of Windows 2000 but which can only be accessed via IIS 5.0. A security vulnerability results because the ISAPI extension contains an unchecked buffer in a section of code that handles input parameters. This could enable a remote attacker to conduct a buffer overrun attack and cause code of her choice to run on the server. Such code would run in the Local System security context. This would give the attacker complete control of the server, and would enable her to take virtually any action she chose. The attacker could exploit the vulnerability against any server with which she could conduct a web session. No other services would need to be available, and only port 80 (HTTP) or 443 (HTTPS) would need to be open. Clearly, this is a very serious vulnerability, and Microsoft strongly recommends that all IIS 5.0 administrators install the patch immediately. Customers who cannot install the patch can protect their systems by removing the mapping for the Internet Printing ISAPI extension. However, it is important to understand that if Web Printing is enabled via Group Policy, this would override the settings made in the Internet Services Manager. As the FAQ discusses in more detail, customers who have enabled Web Printing via Group Policy should disable it first, then unmap the Internet Printing ISAPI extension.
Q296576
Affected Products:
- Internet Information Services 5.0
- Windows 2000 Gold
- Windows 2000 Service Pack 1
Patch: Q296576_W2K_SP2_x86_en.EXE
MS01-024 - Malformed Request to Domain Controller Can Cause Memory Exhaustion
Posted: 2001/05/08
A core service running on all Windows 2000 domain controllers (but not on any other machines) contains a memory leak, which can be triggered when it attempts to process a certain type of invalid service request. By repeatedly sending such a request, an attacker could deplete the available memory on the server. If memory were sufficiently depleted, the domain controller could become unresponsive, which would prevent it from processing logon requests or issuing new Kerberos tickets. An affected machine could be put back into service by rebooting.
Q299687
Affected Products:
- Windows 2000 Datacenter Server
- Windows 2000 Service Pack 2
- Windows 2000 Service Pack 1
- Windows 2000 Advanced Server
- Windows 2000 Service Pack 2
- Windows 2000 Service Pack 1
- Windows 2000 Server
- Windows 2000 Service Pack 2
- Windows 2000 Service Pack 1
Patch: Q299687_W2K_SP3_x86_en.EXE
MS01-025 - Index Server Search Function Contains Unchecked Buffer
Posted: 2001/05/10
The patches discussed below address two security vulnerabilities that are unrelated to each other except in the sense that both affect Index Server 2.0. The first vulnerability is a buffer overrun vulnerability. Index Server 2.0 has an unchecked buffer in a function that processes search requests. If an overly long value were provided for a particular search parameter, it would overrun the buffer. If the buffer were overrun with random data, it would cause Index Server to fail. If it were overrun with carefully selected data, code of the attacker?s choice could be made to run on the server, in the Local System security context. The second vulnerability affects both Index Server 2.0 and Indexing Service in Windows 2000, and is a new variant of the ?Malformed Hit-Highlighting? vulnerability discussed in Microsoft Security Bulletin MS00-006. The new variant has almost the same scope as the original vulnerability, but potentially exposes a new file type If an attacker provided an invalid search request, she could read ?include? files residing on the web server. The new patch eliminates all known variants of the vulnerability.
Q294472
Affected Products:
- Internet Information Server 4.0
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
- Index Server 2.0
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
Patch: Q294472i.exe
Q296185
Affected Products:
- Internet Information Server 4.0
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
- Index Server 2.0
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
Patch: Q296185i.exe
Q296185
Affected Products:
- Indexing Services for Windows 2000
- Windows 2000 Gold
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
- Internet Information Services 5.0
- Windows 2000 Gold
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
- Windows 2000 Professional
- Windows 2000 Gold
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
- Windows 2000 Server
- Windows 2000 Gold
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
- Windows 2000 Advanced Server
- Windows 2000 Gold
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
- Windows 2000 Datacenter Server
- Windows 2000 Gold
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
Patch: Q296185_W2K_SP3_x86_en.EXE
MS01-026 - 14 May 2001 Cumulative Patch for IIS
Posted: 2001/05/14
This update eliminates three new vulnerabilities: A vulnerability that could enable a malicious user to run operating system commands on an affected server. A vulnerability that could allow a malicious user to enter a File Transfer Protocol (FTP) command, which can cause IIS 5.0 to fail. FTP is the protocol used for copying files to and from remote computer systems on a network. A vulnerability that can enable a malicious user to access a guest account using the FTP service.
Q293826
Affected Products:
- Internet Information Services 5.0
- Windows 2000 Gold
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
Patch: Q293826_W2K_SP3_x86_en.EXE
Q295534
Affected Products:
- Internet Information Server 4.0
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
Patch: Q295534i.exe
MS01-027 - Flaws in Web Server Certificate Validation Could Enable Spoofing
Posted: 2001/05/16
A patch is available to eliminate two newly discovered vulnerabilities affecting Internet Explorer, both of which could enable an attacker to spoof trusted web sites.
Q295106
Affected Products:
- Internet Explorer 5.01
- Internet Explorer 5.01 SP2
Patch: q295106.exe
Q299618
Affected Products:
- Internet Explorer 5.5
- Internet Explorer 5.5 SP1
Patch: q299618.exe
MS01-028 - RTF Document Linked to Template Can Run Macros Without Warning
Posted: 2001/05/21
The Word 2000 Security Update: Macro Vulnerability addresses a vulnerability that could allow malicious code to run in a Rich Text Format (RTF) document without warning. Under normal circumstances, you will see a warning in Word 2000 when you open a document attached to a template containing macros. However, it is possible for an RTF document to be linked to a template containing macros in such a way that a macro can run with no warning issued. This could cause damage to data or allow unauthorized retrieval of data from your system when you visit a Web site or open an e-mail message.
Q288266
Affected Products:
- Word 2000
- Office 2000 SR-1
- Office 2000 SR-1a
- Office 2000 Service Pack 2
Patch: wd2kmsec.exe
Q288266
Affected Products:
- Word 97
- Office 97 SR-2/SR-2b
Patch: wd97mcrs.exe
MS01-029 - Windows Media Player .ASX Processor Contains Unchecked Buffer
Posted: 2001/05/23
This update addresses two security vulnerabilities that are related to each other only by the fact that they both affect Windows Media Player. The two vulnerabilities are a buffer overrun in the functionality used to process Active Stream Redirector (.ASX) files, and a vulnerability affecting how Windows Media Player handles Internet shortcuts. In addition, this update addresses a potential privacy vulnerability that was recently identified.
Q298598
Affected Products:
- Windows Media Player 6.4
- Windows Media Player 6.4 Gold
Patch: WMSU47357.exe
Q298598
Affected Products:
- Windows Media Player 7.0
- Windows Media Player 7.0 Gold
Patch: mp71.exe
MS01-030 - Incorrect Attachment Handling in Exchange OWA Can Execute Script
Posted: 2001/06/06
OWA is a service of Exchange 5.5 and 2000 Server that allows users to use a web browser to access their Exchange mailbox. However, a flaw exists in the interaction between OWA and IE for message attachments. If an attachment contains HTML code including script, the script will be executed when the attachment is opened, regardless of the attachment type. Because OWA requires that scripting be enabled in the zone where the OWA server is located, this script could take action against the user?s Exchange mailbox. An attacker could use this flaw to construct an attachment containing malicious script code. The attacker could then send the attachment in a message to the user. If the user opened the attachment in OWA, the script would execute and could take action against the user?s mailbox as if it were the user, including, under certain circumstances, manipulation of messages or folders.
Q299535
Affected Products:
- Exchange Server 5.5
- Exchange Server 5.5 SP4
Patch: Q301361i386.EXE
Q299535
Affected Products:
- Exchange 2000 Enterprise Server
- Exchange 2000 Gold
- Exchange 2000 Server
- Exchange 2000 Gold
Patch: Q299535engi386.EXE
MS01-031 - Predictable Named Pipes Could Enable Privilege Elevation via Telnet
Posted: 2001/06/07
Q299553
Affected Products:
- Windows 2000 Datacenter Server
- Windows 2000 Gold
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
- Windows 2000 Advanced Server
- Windows 2000 Gold
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
- Windows 2000 Server
- Windows 2000 Gold
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
- Windows 2000 Professional
- Windows 2000 Gold
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
Patch: Q299553_W2K_SP3_x86_en.EXE
MS01-032 - SQL Query Method Enables Cached Administrator Connection to be Reused
Posted: 2001/06/12
Q299717
Affected Products:
- SQL Server 2000
- SQL Server 2000 Gold
- SQL Server Desktop Engine (MSDE) 2000
- SQL Server Desktop Engine (MSDE) 2000 Gold
Patch: s80296i.exe
Q299717
Affected Products:
- SQL Server 7.0
- SQL Server 7.0 SP3
Patch: s70996i.exe
MS01-033 - Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise
Posted: 2001/06/18
Q300972
Affected Products:
- Internet Information Services 5.0
- Windows 2000 Gold
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
- Indexing Services for Windows 2000
- Windows 2000 Gold
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
Patch: Q300972_W2K_SP3_x86_en.EXE
Q300972
Affected Products:
- Internet Information Server 4.0
- Windows NT4 Service Pack 6a
- Index Server 2.0
- Windows NT4 Service Pack 6a
Patch: Q300972i.exe
MS01-034 - Malformed Word Document Could Enable Macro to Run Automatically
Posted: 2001/06/21
Q288266
Affected Products:
- Word 97
- Office 97 SR-2/SR-2b
Patch: wd97mcrs.exe
Q288266
Affected Products:
- Word 2000
- Office 2000 SR-1
- Office 2000 SR-1a
- Office 2000 Service Pack 2
Patch: wd2kmsec.exe
Q302294
Affected Products:
- Word 2002
- Word 2002 Gold
Patch: WRD1001.exe
MS01-035 - FrontPage Server Extension Sub-Component Contains Unchecked Buffer
Posted: 2001/06/21
Q300477
Affected Products:
- Front Page 2000 Server Extensions
- Windows 2000 Service Pack 2
Patch: Q300477_W2K_SP3_x86_en.EXE
Q300477
Affected Products:
- Front Page 2000 Server Extensions
- Windows NT4 Service Pack 5
- Windows NT4 Service Pack 6a
Patch: Q300477.exe
MS01-036 - Function Exposed via LDAP over SSL Could Enable Passwords to be Changed
Posted: 2001/06/25
Q299687
Affected Products:
- Windows 2000 Datacenter Server
- Windows 2000 Service Pack 2
- Windows 2000 Service Pack 1
- Windows 2000 Advanced Server
- Windows 2000 Service Pack 2
- Windows 2000 Service Pack 1
- Windows 2000 Server
- Windows 2000 Service Pack 2
- Windows 2000 Service Pack 1
Patch: Q299687_W2K_SP3_x86_en.EXE
MS01-037 - Authentication Error in SMTP Service Could Allow Mail Relaying
Posted: 2001/07/05
Q302755
Affected Products:
- Windows 2000 Professional
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
- Windows 2000 Server
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
- Windows 2000 Advanced Server
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
- Windows 2000 Datacenter Server
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
Patch: Q302755_W2k_SP3_x86_en.exe
MS01-038 - Outlook View Control Exposes Unsafe Functionality
Posted: 2001/07/12
Q303833
Affected Products:
- Outlook 2000
- Office 2000 Service Pack 2
Patch: outlctlx.exe
Q303825
Affected Products:
- Outlook 2002
- Outlook 2002 Gold
Patch: olk1003.exe
MS01-039 - Services for Unix 2.0 Telnet and NFS Services Contain Memory Leaks
Posted: 2001/07/24
Q294380
Affected Products:
- Services for Unix 2.0 (NT)
- Services for Unix 2.0 (NT) Gold
Patch: q294380_sfu_2_x86.exe
Q301514
Affected Products:
- Services for Unix 2.0 (NT)
- Services for Unix 2.0 (NT) Gold
Patch: q301514_sfu_2_x86.exe
Q294380
Affected Products:
- Services for Unix 2.0 (Win2K)
- Services for Unix 2.0 (Win2K) Gold
Patch: q294380_sfu_2_x86.Exe
Q301514
Affected Products:
- Services for Unix 2.0 (Win2K)
- Services for Unix 2.0 (Win2K) Gold
Patch: q301514_sfu_2_x86.Exe
MS01-040 - Invalid RDP Data Can Cause Memory Leak in Terminal Services
Posted: 2001/07/25
Q292435
Affected Products:
- Windows 2000 Server
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
- Windows 2000 Advanced Server
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
- Windows 2000 Datacenter Server
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
Patch: q292435_w2k_sp3_x86_en.exe
Q292435
Affected Products:
- Windows NT Server 4.0, Terminal Server Edition
- Windows NT4 Terminal Server Service Pack 5
- Windows NT4 Service Pack 6a
Patch: q292435i.exe
MS01-041 - Malformed RPC Request Can Cause Service Failure
Posted: 2001/07/26
Q299444
Affected Products:
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 6a
- Windows NT Server 4.0
- Windows NT4 Service Pack 6a
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 6a
Patch: Q299444i.exe
Q299444
Affected Products:
- Internet Information Server 4.0
- Windows NT4 Service Pack 6a
Patch: Q299444I.exe
Q298012
Affected Products:
- Windows 2000 Professional
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
- Windows 2000 Server
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
- Windows 2000 Advanced Server
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
- Windows 2000 Datacenter Server
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
Patch: q298012_w2k_sp3_x86_en.exe
Q298012
Affected Products:
- SQL Server 2000
- SQL Server 2000 Gold
Patch: q298012_sql2000_x86_en.exe
Q298012
Affected Products:
- SQL Server 7.0
- SQL Server 7.0 SP2
Patch: q298012_sql70sp2_x86_en.exe
Q304062
Affected Products:
- Exchange Server 5.5
- Exchange Server 5.5 SP4
Patch: q304062engi386.exe
Q304063
Affected Products:
- Exchange 2000 Server
- Exchange 2000 Gold
- Exchange 2000 Enterprise Server
- Exchange 2000 Gold
Patch: q304063engi386.exe
MS01-042 - Windows Media Player .NSC Processor Contains Unchecked Buffer
Posted: 2001/07/26
Q304404
Affected Products:
- Windows Media Player 6.4
- Windows Media Player 6.4 Gold
- Windows Media Player 7.1
- Windows Media Player 7.1 Gold
Patch: wmsu55362.exe
MS01-043 - NNTP Service in Windows NT 4.0 and Windows 2000 Contains Memory Leak
Posted: 2001/08/14
Q303984
Affected Products:
- Windows NT Server 4.0
- Windows NT4 Service Pack 6a
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 6a
Patch: q304876engi386.exe
Q303984
Affected Products:
- Windows 2000 Datacenter Server
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
- Windows 2000 Advanced Server
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
- Windows 2000 Server
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
- Windows 2000 Professional
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
- Exchange 2000 Server
- Exchange 2000 Gold
- Exchange 2000 SP1
- Exchange 2000 Enterprise Server
- Exchange 2000 Gold
- Exchange 2000 SP1
Patch: q303984_w2k_sp3_x86_en.exe
MS01-044 - 15 August 2001 Cumulative Patch for IIS
Posted: 2001/08/15
Q301625
Affected Products:
- Internet Information Server 4.0
- Windows NT4 Service Pack 6a
- Windows NT4 Service Pack 5
Patch: q301625i.exe
Q301625
Affected Products:
- Internet Information Services 5.0
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
Patch: q301625_w2k_sp3_x86_en.exe
MS01-045 - ISA Server H.323 Gatekeeper Service Contains Memory Leak
Posted: 2001/08/16
Q289503
Affected Products:
- ISA Server 2000
- ISA Server 2000 Gold
Patch: isahf68.exe
MS01-046 - Access Violation in Windows 2000 IRDA Driver Can Cause System to Restart
Posted: 2001/08/21
Q252795
Affected Products:
- Windows 2000 Professional
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
- Windows 2000 Server
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
- Windows 2000 Advanced Server
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
- Windows 2000 Datacenter Server
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
Patch: Q252795_W2K_SP3_x86_en.EXE
MS01-047 - OWA Function Allows Unauthenticated User to Enumerate Global Address List
Posted: 2001/09/06
Q307195
Affected Products:
- Exchange Server 5.5
- Exchange Server 5.5 SP4
Patch: Q307195engi386.EXE
MS01-048 - Malformed Request to RPC Endpoint Mapper can Cause RPC Service to Fail
Posted: 2001/09/10
Q305399
Affected Products:
- Windows NT Workstation 4.0
- Windows NT4 Service Pack 6a
- Windows NT Server 4.0
- Windows NT4 Service Pack 6a
- Windows NT Server 4.0, Enterprise Edition
- Windows NT4 Service Pack 6a
Patch: Q305399i.exe
MS01-049 - Deeply-nested OWA Request Can Consume Server CPU Availability
Posted: 2001/09/26
Q303451
Affected Products:
- Exchange 2000 Enterprise Server
- Exchange 2000 SP1
- Exchange 2000 Server
- Exchange 2000 SP1
Patch: Q303451engi386.EXE
MS01-050 - Malformed Excel or PowerPoint Document Can Bypass Macro Security
Posted: 2001/10/04
Q306603
Affected Products:
- Excel 2000
- Office 2000 SR-1a
- Office 2000 Service Pack 2
Patch: xl2000
Q306603
Affected Products:
- Excel 2002
- Office 2002 Gold
Patch: xl2002
Q306603
Affected Products:
- PowerPoint 2000
- Office 2000 SR-1a
- Office 2000 Service Pack 2
Patch: Ppt2000
Q306603
Affected Products:
- PowerPoint 2002
- Office 2002 Gold
Patch: Ppt2002
MS01-051 - Malformed Dotless IP Address Can Cause Web Page to be Handled in Intranet Zone
Posted: 2001/10/10
Q306121
Affected Products:
- Internet Explorer 5.01
- Internet Explorer 5.01 SP2
Patch: q306121.exe
Q306121
Affected Products:
- Internet Explorer 5.5
- Internet Explorer 5.5 SP2
Patch: Q306121.exe
Q306121
Affected Products:
- Internet Explorer 6
- Internet Explorer 6 Gold
Patch: q306121.Exe
MS01-052 - Invalid RDP Data can Cause Terminal Service Failure
Posted: 2001/10/18
Q307454
Affected Products:
- Windows NT Server 4.0, Terminal Server Edition
- Windows NT4 Terminal Server Service Pack 6
Patch: Q307454i.exe
Q307454
Affected Products:
- Windows 2000 Server
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
- Windows 2000 Advanced Server
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
- Windows 2000 Datacenter Server
- Windows 2000 Service Pack 1
- Windows 2000 Service Pack 2
Patch: Q307454_W2K_SP3_x86_en.exe
MS01-053 - Downloaded Applications Can Execute on Mac IE 5.1 for OS X
Posted: 2001/10/23
Q311052
Affected Products:
- IE 5.1 for Macintosh
- IE 5.1 for Macintosh Gold
Patch: MacIE501
MS01-054 - Invalid Universal Plug and Play Request can Disrupt System Operation
Posted: 2001/11/01
Q311311
Affected Products:
- Windows 98
- Windows 98 Gold
- Windows 98 SP1
- Windows 98 SE
- Windows 98se Gold
Patch: 309073USA8.EXE
Q311311
Affected Products:
- Windows Me
- Windows Me Gold
Patch: WinMEUPnP
Q309521
Affected Products:
- Windows XP Home Edition
- Windows XP Gold
- Windows XP Professional
- Windows XP Gold
Patch: WinXPUPnP
MS01-055 - Cookie Data in IE Can Be Exposed or Altered Through Script Injection
Posted: 2001/11/08
Affected Products:
- Internet Explorer 6
- Internet Explorer 6 Gold
- Internet Explorer 5.5
- Internet Explorer 5.5 SP2
- Internet Explorer 5.5 SP1
- Internet Explorer 5.5 Gold
Patch: TBA
