Here's a recap that I've put together from the emails that I received from Microsoft Security Alerts. 5 Security Bulletin updates were made this week, and I would like to thank everyone who sent us an email regarding these updates and those people who posted a thread in the forum.

MS02-027 (Revised 14 June 2002, version 2.0)
On June 11, 2002, Microsoft released the original version of this bulletin. In it, Microsoft detailed a work-around procedure that customers could implement to protect themselves against a publicly disclosed vulnerability. An updated version of this bulletin was re-released on June 14, 2002 to announce the availability of patches for Proxy Server 2.0 and ISA Server 2000 and to advise customers that the work-around procedure is no longer needed on those platforms. Patches for IE are forthcoming and this bulletin will be re-released to announce their availability.

Title: Unchecked Buffer in Gopher Protocol Handler Can Run Code of Attacker's Choice (Q323889)
Released: 11 June 2002
Software: Internet Explorer, Proxy Server, Internet Security and Acceleration Server
Impact: Run Code of Attacker's Choice
Max Risk: Critical

View: Microsoft Security Bulletin ID MS02-027 for more information and patch availability

MS02-028
This patch eliminates a newly discovered vulnerability affecting Internet Information Services. Although Microsoft typically delivers cumulative patches for IIS, in this case Microsoft has delivered a patch that eliminates only this new vulnerability while it completes a cumulative patch. When the cumulative patch is customer-ready, Microsoft will update this bulletin with information on its availability. The FAQ provides information on the circumstances surrounding the vulnerability and on why Microsoft believes releasing a singleton patch immediately is in customers' best interests. To ensure that servers are fully protected against past as well as current vulnerabilities, Microsoft strongly recommends installing the previous cumulative patch (discussed in Microsoft Security Bulletin MS02-018) before installing this patch.

Title: Heap Overrun in HTR Chunked Encoding Could Enable Web Server Compromise (Q321599)
Date: 12 June 2002
Software: Internet Information Server
Impact: Run Code of Attacker's Choice
Max Risk: Moderate

View: Microsoft Security Bulletin ID MS02-028 for more information and patch availability

MS02-029
A flaw exists in the RAS phonebook implementation: a phonebook value is not properly checked, and is susceptible to a buffer overrun. The overrun could be exploited for either of two purposes: causing a system failure, or running code on the system with LocalSystem privileges. If an attacker were able to log onto an affected server and modify a phonebook entry using specially malformed data, then made a connection using the modified phonebook entry, the specially malformed data could be run as code by the system.

Title: Unchecked Buffer in Remote Access Service Phonebook Could Lead to Code Execution (Q318138)
Date: 12 June 2002
Software: Windows NT 4.0, NT 4.0 Terminal Server Edition, 2000, XP, Routing and Remote Access Server (RRAS)
Impact: Local Privilege Escalation
Max Risk: Critical

View: Microsoft Security Bulletin ID MS02-029 for more information and patch availability

MS02-030
  • An unchecked buffer vulnerability in an ISAPI extension that could, in the worst case, allow an attacker to run code of their choice on the Microsoft Internet Information Services (IIS) Server.
  • A vulnerability in a function specifying an XML tag that could allow an attacker to run script on the user's computer with higher privilege. For example, a script might be able to be run in the Intranet Zone instead of the Internet Zone.

Title: Unchecked Buffer in SQLXML Could Lead to Code Execution (Q321911)
Date: 12 June 2002
Software: Microsoft SQLXML
Impact: Two vulnerabilities, the most serious of which could run code of attacker's choice.
Max Risk: Moderate

View: Microsoft Security Bulletin ID MS02-030 for more information and patch availability

MS02-022 (Revised: 11 June 2002, version 2.0)
On May 8, 2002, Microsoft released the original version of this bulletin. On June 11, 2002 the bulletin was updated to announce that while the fixes issued on May 8, 2002 resolved the vulnerability, they did not protect in all cases against the reintroduction of the vulnerable control. As a result, a new set of fixes is being released to ensure that systems are fully protected against the reintroduction of the vulnerable control. A new MSN Chat control, updated patch, updated version of MSN Messenger and an updated version of Exchange Instant Messenger have been made available. Customers who have applied any of the fixes released on May 8, 2002 are encouraged to consider applying the updated fixes.

Title: Unchecked Buffer in MSN Chat Control Can Lead to Code Execution (Q321661)
Released: 08 May 2002
Software: MSN Chat, MSN Messenger, Exchange Instant Messenger
Impact: Run Code of Attacker's Choice
Max Risk: Critical
Bulletin: MS02-022

View: Microsoft Security Bulletin ID MS02-022 for more information and patch availability


