• Information Security Office
• Secure Computing
• Security Alerts
• Microsoft Releases Patches for Multiple Critical Vulnerabilities

Security Alerts

April 15, 2005

Microsoft Releases Patches for Multiple Critical Vulnerabilities

Summary

On Apr 12, 2005, Microsoft released eight new security updates, five of them rated as critical. Most current versions of Windows are affected by some of them.

Some of these vulnerabilities can result in system-level compromise without direct user interaction. Others can result in compromise if the user opens a maliciously constructed document, HTML email message, or web page.

What to Do

Windows users can manually use "Windows Update" to download and install the current operating system patches. Updates for Microsoft Office products can be downloaded from the Office Update web site.

Additionally, it is recommended that all Windows machines have an automated patch management solution installed and configured on their system. Stanford provides BigFix to automatically patch Windows machines; it is available at http://patching.stanford.edu. Alternatively, Windows Automatic Update should be enabled.

Technical Detail

Information regarding all eight security updates is available at http://www.microsoft.com/technet/security/bulletin/ms05-apr.mspx. The following are brief summaries of those the Information Security Office considers most critical.

MS05-016 - Vulnerability in Windows Shell Could Allow Remote Code Execution (KB893086)

• Affected platforms:
  • Windows 98, 98SE, ME
  • Windows 2000, all versions
  • Windows XP, all versions
  • Windows Server 2003 (except Service Pack 1)
• Activated by administrative user opening a malicious file.
• Exploit code is publicly available.

MS05-019 - Vulnerabilities in TCP/IP Could Allow Remote Code Execution (KB893066)

• Affected platforms:
  • Windows 98, 98SE, and ME
  • Windows 2000, all versions
  • Windows XP, all versions
  • Windows Server 2003 (except Service Pack 1)
• No credentials or user interaction required.
• No public exploit known at this time.

MS05-020 - Cumulative Security Update for Internet Explorer (KB890923)

• Affected software:
  • Internet Explorer on all current Windows versions except Windows Server 2003 Service Pack 1
  • Activated by opening a malicious email message or web page.
  • Exploit code is publicly available.

  MS05-021 - Vulnerability in Exchange Server Could Allow Remote Code Execution (KB894549)

  • Affected software:
    • Microsoft Exchange Server 2000
    • Microsoft Exchange Server 2003
    • Microsoft Exchange Server 2003 Service Pack 1
  • No credentials or user interaction required on Exchange Server 2000.
  • Server authentication required on Exchange Server 2003.
  • No public exploit known at this time.

  MS05-022 - Vulnerability in MSN Messenger Could Lead to Remote Code Execution (KB896597)

  • Affected software:
    • MSN Messenger 6.2
  • Activated by user adding malicious account to their contact list.
  • No public exploit known at this time.

  MS05-023 - Vulnerabilities in Microsoft Word May Lead to Remote Code Execution (KB890169)

  • Affected software:
    • Microsoft Word 2000, 2002, and 2003
    • Microsoft Works Suite 2001, 2002, 2003, and 2004
  • Activated by opening a malicious document.
  • No public exploit known at this time.

  References

  Additional information regarding these vulnerabilities is available at

  • http://www.microsoft.com/technet/security/bulletin/ms05-apr.mspx

  The Information Security Office would like to thank the Windows Systems Group in ITSS for their assistance in producing this alert.

  Last modified Monday, 08-Oct-2007 04:34:18 PM