On Aug 9, 2005, Microsoft released six new security updates, three of them rated as critical.  All current versions of Windows are affected by some of them.

Some of these vulnerabilities can result in system-level compromise without direct user interaction.  Others can result in compromise if the user opens a maliciously constructed HTML email message or web page.

Windows users can manually use "Windows Update" to download and install the current operating system patches.

Additionally, it is recommended that all Windows machines have an automated patch management solution installed and configured on their system. Stanford provides BigFix to automatically patch Windows machines; it is available at http://patching.stanford.edu. Alternatively, Windows Automatic Update should be enabled.

• Affected platforms:
  
  • Windows 98, 98SE, ME
    
  • Windows 2000, all versions
    
  • Windows XP, all versions
    
  • Windows Server 2003, all versions
    
• Activated by opening a malicious web page.
  
• Exploit code is publicly available

• Affected platforms:
  
  • Windows 2000, all versions
  • Windows XP, all versions
  • Windows Server 2003, all versions
    
• No credentials or user interaction required on Windows 2000
• Exploit code is publicly available

• Affected platforms:
  
  • Windows 2000, all versions
  • Windows XP, all 32-bit versions
  • Windows Server 2003, without Service Pack 1
    
• No credentials or user interaction required on Windows 2000 and Windows XP Service Pack 1.

Additional information regarding these vulnerabilities is available at

• http://www.microsoft.com/technet/security/bulletin/ms05-aug.mspx

The Information Security Office would like to thank the Windows Systems Team in ITSS for their assistance in producing this alert.