Remote Code Execution Vulnerability in Multiple Microsoft Products

RemoteCode Execution Vulnerability in Multiple Microsoft Products

ReportedJune 14, 2005 by Microsoft

VERSIONS AFFECTED

DESCRIPTION

Multiplevulnerabilities have been discovered in Windows and its componentsthat could allow intruders to launch code from a remote location onsystems running the affected software.

Anunchecked buffer in the PNG rendering library used by InternetExplorer (IE) might allow an intruder to launch code on an affectedsystem that could let the intruder take complete control over thatsystem. Also, IE doesn't handle Web site redirects properly whenprocessing XML data. Because of this vulnerability, an intruder mightbe able to gain access to XML data outside the intruder's domain.Microsoft released a cumulative update for IE to address theseissues. The update also corrects other problems in IE, including anissue with the pop-up blocker as well as problems with? GIF and XBMimage rendering.

The Windows HTML Helpfacility doesn't properly validate input, which could allow anintruder to take complete control of an affected system.

Due to an error in theway Windows processes Server Message Block (SMB) packets, an intrudercould craft specialized packets that might allow that intrudercomplete control over an affected system or launch Denial of Service(DoS) attacks.

An unchecked buffer inthe Windows Web Client service might allow an intruder to takecomplete control of an affected system. However the intruder wouldneed valid logon credentials.

Due to the way OutlookWeb Access (OWA) performs HTML encoding in its Compose New Messageform, a cross-site scripting attack could occur. An intruder might beable to convince a user to allow a script to be executed that couldtake any action allowed by the security settings that govern the Website.

An unchecked buffer inthe Network News Transfer Protocol (NNTP) response processingfunction of Outlook Express could allow an intruder to take completecontrol of an affected system.

MIcrosoft'sStep-by-Step Interactive Training component contains an uncheckedbuffer in the function that processes bookmarks. This buffer couldallow an intruder to take complete control over an affected system.

VENDOR RESPONSE

Microsoft releasedseveral security bulletins to address these problems:

CumulativeSecurity Update for Internet Explorer (883939)
Vulnerabilityin HTML Help Could Allow Remote Code Execution (896358)
Vulnerabilityin Server Message Block Could Allow Remote Code Execution (896422)

Vulnerabilityin Web Client Service Could Allow Remote Code Execution(896426)
Vulnerabilityin Outlook Web Access for Exchange Server 5.5 Could Allow Cross-SiteScripting Attacks (895179)
CumulativeSecurity Update in Outlook Express (897715)
Vulnerabilityin Step-by-Step Interactive Training Could Allow Remote CodeExecution (898458)

CREDITS

Mark Dowd of ISSX-Force reported the PNG image rendering problem.

MarkLitchfield of Next Generation Security Software reported the issueswith XML and the Web Client service.

Thor Larholm of PivXSolutions reported the pop-up blocker issue.

The UK NationalInfrastructure Security Co-ordination Centre (NISCC) reported theGIF- and XBM-rendering issues.

Both PeterWinter-Smith with Next Generation Security Software and eEye DigitalSecurity reported the HTML Help vulnerability.

Qualys reported theSMB vulnerability.

Gaël Delalleauand iDEFENSE reported the Outlook Web Access vulnerability.

iDEFENSE reported theissue with Outlook Express.

iDEFENSE and BrettMoore of Security-Assessment.com reported the vulnerability inStep-by-Step Interactive Training.