• Information Security Office
• Secure Computing
• Security Alerts
• Microsoft Releases Patches for Multiple Critical Vulnerabilities

Security Alerts

Search Security Alerts:

January 12, 2005

Microsoft Releases Patches for Multiple Critical Vulnerabilities

Summary

On Jan 11, 2005, Microsoft released three updates including two critical updates that address several vulnerabilities. These updates are:

MS05-001

Vulnerability in HTML Help could allow code execution

MS05-002

Vulnerability in Cursor and Icon Format Handling could allow remote code execution

MS05-003

Vulnerability in Indexing Service could allow remote code execution

The following platforms are affected by one or more of these vulnerabilities:

• Windows Server 2003
• Windows XP
• Windows 2000
• Windows NT
• Windows ME
• Windows 98

What to Do

Windows users can manually use "Windows Update" to download and install the current patches. Additionally, it is recommended that all Windows machines have an automated patch management solution installed and configured on their system. Stanford provides BigFix to automatically patch Windows machines; it is available at http://patching.stanford.edu. Alternatively, Windows Automatic Update should be enabled.

Technical Detail

MS05-001 affects Windows 2000, Windows XP, Windows 2003, Windows 98, and Windows ME. It could also affect Windows NT if Internet Explorer 6.0 SP1 is installed. This issue takes advantage of a cross-domain vulnerability in the HTML Help ActiveX control and could allow an attacker to gain complete control of the system. It requires that a user visit a malicious web page, or view a malicious HTML email message.

MS05-002 affects Windows NT, Windows 2000, Windows XP SP1, Windows 2003, Windows 98, and Windows ME. It does not affect Windows XP SP2. This vulnerability encompasses two sub-vulnerabilities: both related to cursor and icon format handling. It requires that a user visit a malicious web page, or view a malicious HTML email message. It could allow an attacker to gain complete control of the system.

MS05-003 affects Windows 2000, Windows XP SP1, and Windows 2003. It does not affect Windows NT, Windows XP SP2, Windows 98, or Windows ME. This vulnerability relates to a buffer overflow in the Indexing Service. It requires that an administrator have enabled, "an anonymous Web-based query interface through Internet Information Services (IIS) to the Indexing Service". There are several manual steps that would have to be taken to be vulnerable to this exploit.

References

Additional information regarding these vulnerabilities is available at

• http://www.microsoft.com/technet/security/bulletin/ms05-jan.mspx