Security Alerts
December 13, 2005
Microsoft Releases Patch for Critical Vulnerability
Summary
On Dec 13, 2005, Microsoft released two new security updates, one of them rated as critical. All current versions of Windows are affected by this update.
The critical vulnerability can result in compromise if the user opens a maliciously constructed HTML email message or web page.
What to Do
Windows users can manually use "Windows Update" to download and install the current operating system patches.
Additionally, it is recommended that all Windows machines have an automated patch management solution installed and configured. Stanford provides BigFix to automatically patch Windows machines; it is available at http://patching.stanford.edu. Alternatively, Windows Automatic Update should be enabled.
Please remember to reboot your machine after patching manually, or when prompted to do so by Windows Update or by your BigFix administrator. Most patches do not take effect until after a reboot.
Technical Detail
Information regarding both security updates is available at http://www.microsoft.com/technet/security/bulletin/ms05-dec.mspx. The following is a brief summary of the update rated as critical.
MS05-054 - Cumulative Security Update for Internet Explorer (KB905915)
- Affected platforms:
  - Windows 98, 98SE, ME
  - Windows 2000, all versions
  - Windows XP, all versions
  - Windows Server 2003, all versions
- Activated by opening a malicious web page or HTML email.
- Exploits of this vulnerability are already circulating on the Internet.
References
Additional information regarding these vulnerabilities is available at
The Information Security Office would like to thank the Windows Systems Team in ITS for their assistance in producing this alert.

