STANFORD UNIVERSITY

SECURE COMPUTING

Security Alerts

November 8, 2005

Microsoft Releases Patch for Critical Vulnerability

Summary

On Nov 8, 2005, Microsoft released a new security update that is rated as critical. The vulnerability it addresses affects all current versions of Windows. Windows 98 is not affected.

The vulnerability can result in system compromise if the user opens or previews a maliciously constructed HTML email message or web page.

What to Do

Windows users can manually use "Windows Update" to download and install the current operating system patches.

Additionally, it is recommended that all Windows machines have an automated patch management solution installed and configured on their system. Stanford provides BigFix to automatically patch Windows machines; it is available at http://patching.stanford.edu. Alternatively, Windows Automatic Update should be enabled.

Please remember to reboot your machine after patching manually, or when prompted to do so by Windows Update or by your BigFix administrator. Most patches do not take effect until after a reboot.

Technical Detail

Information regarding this security update is available at http://www.microsoft.com/technet/security/bulletin/ms05-nov.mspx. The following is a brief summary of this critical update.

MS05-053 - Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (KB896424)

  • Affected platforms:
    • Windows 2000, all current versions
    • Windows XP, all versions
    • Windows Server 2003, all versions
  • Activated by viewing a malicious image, such as in an HTML email or web page.
  • An exploit might not require user interaction if email previews are active.

The Information Security Office would like to thank the Windows Systems Team in ITS for their assistance in producing this alert.

Last modified Monday, 08-Oct-2007 04:34:18 PM
