MS04-037: Vulnerability in Windows Shell

[Steven]

Microsoft Security Bulletin MS04-037

Vulnerability in Windows Shell Could Allow Remote Code Execution (841356)

Issued: October 12, 2004

Version: 1.0

Summary

Who should read this document: Customers who use Microsoft Windows

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Customers should apply the update immediately.

Security Update Replacement: This bulletin replaces several prior security updates. See the frequently asked questions (FAQ) section of this bulletin for the complete list.

Caveats: None

Tested Software and Security Update Download Locations:

Affected Software:

?Microsoft Windows NT Server 4.0 Service Pack 6a ? Download the update

?Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6 ? Download the update

?Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4 ? Download the update

?Microsoft Windows XP and Microsoft Windows XP Service Pack 1 ? Download the update

?Microsoft Windows XP 64-Bit Edition Service Pack 1 ? Download the update

?Microsoft Windows XP 64-Bit Edition Version 2003 ? Download the update

?Microsoft Windows Server 2003 ? Download the update

?Microsoft Windows Server 2003 64-Bit Edition ? Download the update

?Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) ? Review the FAQ section of this bulletin for details about these operating systems.

Non-Affected Software:

?Microsoft Windows XP Service Pack 2

The software in this list has been tested to determine if the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support lifecycle for your product and version, visit the following Microsoft Support Lifecycle Web site.

Executive Summary:

This update resolves several newly-discovered, public vulnerabilities. Each vulnerability is documented in this bulletin in its own Vulnerability Details section.

If a user is logged on with administrative privileges, an attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges. However, user interaction is required to exploit these vulnerabilities.

We recommend that customers apply the update immediately.

http://www.microsoft.com/technet/security/...n/MS04-037.mspx