From daniela em ccuec.unicamp.br  Thu Jul  1 10:14:50 2004
From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti Silva)
Date: Thu, 1 Jul 2004 10:14:50 -0300
Subject: [SECURITY-L] Apache HTTP Server 2.0.50 Released
Message-ID: <20040701131448.GA19885@ccuec.unicamp.br>

----- Forwarded message from Sander Striker <striker em apache.org> -----

From: Sander Striker <striker em apache.org>
Subject: [S] [ANNOUNCE] Apache HTTP Server 2.0.50 Released
To: announce em httpd.apache.org
Date: Thu, 01 Jul 2004 01:28:48 +0200
X-Mailer: Ximian Evolution 1.4.5 


                   Apache HTTP Server 2.0.50 Released

   The Apache Software Foundation and the  The Apache HTTP Server Project are
   pleased to announce the release of version 2.0.50 of the Apache HTTP
   Server ("Apache").  This Announcement notes the significant changes
   in 2.0.50 as compared to 2.0.49.  The Announcement is also available in
   German from:
     
     http://www.apache.org/dist/httpd/Announcement2.txt.de

   This version of Apache is principally a bug fix release.  A summary of
   the bug fixes is given at the end of this document.  Of particular
   note is that 2.0.50 addresses two security vulnerabilities:

     A remotely triggered memory leak in http header parsing can allow a
     denial of service attack due to excessive memory consumption.
     [http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0493]

     Fixes a mod_ssl buffer overflow in the FakeBasicAuth code for a
     (trusted) client certificate subject DN which exceeds 6K in length.
     [http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488]
 
   This release is compatible with modules compiled for 2.0.42 and later
   versions.  We consider this release to be the best version of Apache
   available and encourage users of all prior versions to upgrade.

   Apache HTTP Server 2.0.50 is available for download from

     http://httpd.apache.org/download.cgi

   Please see the CHANGES_2.0 file, linked from the above page, for
   a full list of changes.

   Apache 2.0 offers numerous enhancements, improvements, and performance
   boosts over the 1.3 codebase.  For an overview of new features introduced
   after 1.3 please see

     http://httpd.apache.org/docs-2.0/new_features_2_0.html

   When upgrading or installing this version of Apache, please keep
   in mind the following:
   If you intend to use Apache with one of the threaded MPMs, you must
   ensure that the modules (and the libraries they depend on) that you
   will be using are thread-safe.  Please contact the vendors of these
   modules to obtain this information.


----- End forwarded message -----


From security em unicamp.br  Thu Jul  1 14:25:51 2004
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Thu, 1 Jul 2004 14:25:51 -0300
Subject: [SECURITY-L] Pop-up e' nova ameaca para usuarios do IE
Message-ID: <20040701172551.GA19964@unicamp.br>

----- Forwarded message from Sysop - ATINET <sysop em atinet.com.br> -----

From: "Sysop - ATINET" <sysop em atinet.com.br>
Subject: [GTS-L] Pop-up é nova ameaça para usuários do IE 
To: <gts-l em listas.unesp.br>
Date: Thu, 1 Jul 2004 11:36:11 -0300
X-Mailer: Microsoft Outlook Express 6.00.2800.1409

Pop-up é nova ameaça para usuários do IE
Quarta-feira, 30 junho de 2004 - 12:56
IDG Now!

Usuários do navegador Internet Explorer estão mais uma vez sob grave ameaça.
O SANS Institute anunciou nesta terça-feira (29/06) ter descoberto um novo
cavalo de tróia responsável por roubar dados bancários de clientes
infectados por meio de uma falha no processamento de arquivos no formato
Browser Help Object (BHO).

Segundo o instituto, o trojan, que ainda não pode ser detectado por
softwares antivírus, utiliza o componente do Internet Explorer para roubar
dados de aproximadamente 50 sites de bancos específicos, incluindo Citibank,
Barclays, HSBC e Deutsche Bank, enviando-os a hackers provavelmente
localizados na América do Sul. O SANS Institute revela ainda que o
componente é integrado ao IE de tal maneira que torna complexa a sua
desabilitação.

O instituto descobriu ainda que o arquivo malicioso está se propagando
através de janelas pop-up de propaganda quando "uma grande empresa pontocom"
encaminhou o arquivo aos seus especialistas. O arquivo continha uma função
de auto-instalação em um arquivo DLL aleatório dentro da pasta System32 do
Windows, onde estão localizados os arquivos substanciais para o
funcionamento do sistema operacional da Microsoft.

O arquivo malicioso monitora as páginas do protocolo HTTPS (que indica
conexões seguras) em busca de qualquer dado que tenha o formato de nome de
usuário e senha da vítima antes que seja encriptado.

Usuários podem evitar serem atacados ao modificar o nível de segurança do
Internet Explorer para "Alto" (a partir do menu Opções de Internet, em
Ferramentas). A Microsoft afirmou também que o Windows XP Service Pack 2
conterá uma ferramenta para detecção e remoção de arquivos HBO maliciosos.

A ameaça surge apenas uma semana depois de descoberta outra vulnerabilidade
no navegador, permitindo que hackers se apoderassem de informações
financeiras confidenciais utilizando um cavalo de tróia instalado em grandes
páginas de comércio eletrônico na internet.

A ameaça pode estar ligada com o grupo criador do vírus Korgo, que já está
em sua variante V e é classificado freqüentemente como de alto risco por
empresas fabricantes de softwares antivírus.

O fato de que a Microsoft ainda não divulgou nenhuma correção para as falhas
críticas está levando especialistas de segurança a recomendarem que usuários
não utilizem o Internet Explorer, pelo menos temporariamente, mas comecem a
usar outros produtos alternativos, como os navegadores Mozilla Firefox e
Opera.
Matthew Broersma - Techworld.com


----- End forwarded message -----


From security em unicamp.br  Fri Jul  2 09:34:52 2004
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Fri, 2 Jul 2004 09:34:52 -0300
Subject: [SECURITY-L] Vulnerabilidades de seguranca
Message-ID: <20040702123452.GA21573@unicamp.br>

Srs. Usuarios,

Atualizamos o site do CSIRT (Computer Security Incident Response Team) 
da Unicamp com os seguintes boletins de vulnerabilidades:


Cisco Security Advisory
-----------------------
30/06/2004
Assunto: Cisco Collaboration Server Vulnerability. 
http://www.security.unicamp.br/docs/bugs/2004/06/v112.txt


Debian Security Advisory
------------------------
24/06/2004 - DSA 525-1
Assunto: vulnerabilidade de seguranca no apache. 
http://www.security.unicamp.br/docs/bugs/2004/06/v111.txt


Fedora Legacy Update Advisory
-----------------------------
02/07/2004 - FEDORA-2004-206
Assunto: Fedora Core 1: kernel. 
http://www.security.unicamp.br/docs/bugs/2004/07/v3.txt

02/07/2004 - FEDORA-2004-205
Assunto: Fedora Core 2: kernel. 
http://www.security.unicamp.br/docs/bugs/2004/07/v2.txt

01/07/2004 - FEDORA-2004-116
Assunto: Fedora Core 1: rsync.
http://www.security.unicamp.br/docs/bugs/2004/07/v1.txt

28/06/2004 - FEDORA-2004-197
Assunto: Fedora Core 2: ipsec-tools. 
http://www.security.unicamp.br/docs/bugs/2004/06/v113.txt

23/06/2004 - FEDORA-2004-186
Assunto: Fedora Core 1: kernel.
http://www.security.unicamp.br/docs/bugs/2004/06/v105.txt


FreeBSD Security Advisory
-------------------------
30/06/2004 - FreeBSD-SA-04:13
Assunto: Linux binary compatibility mode input validation error. 
http://www.security.unicamp.br/docs/bugs/2004/06/v120.txt


Gentoo Linux Security Advisory
------------------------------
30/06/2004 - GLSA 200406-22
Assunto: Pavuk: Remote buffer overflow. 
http://www.security.unicamp.br/docs/bugs/2004/06/v119.txt

29/06/2004 - GLSA 200406-21
Assunto: mit-krb5: Multiple buffer overflows in krb5_aname_to_localname.
http://www.security.unicamp.br/docs/bugs/2004/06/v114.txt

25/06/2004 - GLSA 200406-20
Assunto: FreeS/WAN, Openswan, strongSwan: Vulnerabilities in certificate 
handling. 
http://www.security.unicamp.br/docs/bugs/2004/06/v110.txt

24/06/2004 - GLSA 200406-19
Assunto: giFT-FastTrack: remote denial of service attack. 
http://www.security.unicamp.br/docs/bugs/2004/06/v109.txt

24/06/2004 - GLSA 200406-18
Assunto: gzip: Insecure creation of temporary files. 
http://www.security.unicamp.br/docs/bugs/2004/06/v107.txt


HP Security Bulletin
--------------------
28/06/2004 - HPSBUX01054
Assunto: SSRT3552 rev.0 HP-UX running ARPA transport, local Denial of Service (DoS). 
http://www.security.unicamp.br/docs/bugs/2004/06/v121.txt

28/06/2004 - HPSBUX01047
Assunto: SSRT4758 rev.0 HP-UX ObAM WebAdmin unauthorized access. 
http://www.security.unicamp.br/docs/bugs/2004/06/v115.txt

21/06/2004 - HPSBTU01051
Assunto: SSRT4741 rev.0 DCE for HP Tru64 UNIX Potential RPC Buffer Overrun Attack. 
http://www.security.unicamp.br/docs/bugs/2004/06/v108.txt


Mandrakelinux Security Update Advisory
--------------------------------------
29/06/2004 - MDKSA-2004:065
Assunto: vulnerabilidade de seguranca no pacote apache. 
http://www.security.unicamp.br/docs/bugs/2004/06/v118.txt

29/06/2004 - MDKSA-2004:064
Assunto: vulnerabilidade de seguranca no pacote apache2. 
http://www.security.unicamp.br/docs/bugs/2004/06/v117.txt

29/06/2004 - MDKSA-2004:063
Assunto: vulnerabilidade de seguranca no pacote libpng. 
http://www.security.unicamp.br/docs/bugs/2004/06/v116.txt

23/06/2004 - MDKSA-2004:062
Assunto: vulnerabilidade de seguranca no kernel. 
http://www.security.unicamp.br/docs/bugs/2004/06/v106.txt


SGI Security Advisory
---------------------
21/06/2004 - 20040602-01-U
Assunto: SGI Advanced Linux Environment 2.4 security update #21 
http://www.security.unicamp.br/docs/bugs/2004/06/v103.txt


SUSE Security Announcement:
---------------------------
22/06/2004 - SuSE-SA:2004:019
Assunto: vulnerabilidade de seguranca no pacote dhcp/dhcp-server. 
http://www.security.unicamp.br/docs/bugs/2004/06/v104.txt


--
Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - UNICAMP
mailto:security em unicamp.br
http://www.security.unicamp.br


From security em unicamp.br  Wed Jul 14 10:40:46 2004
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Wed, 14 Jul 2004 10:40:46 -0300
Subject: [SECURITY-L] CAIS-Alerta: Patch Acumulativo para o Outlook Express
	(823353)
Message-ID: <20040714134046.GA46533@unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br> -----

From: Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br>
Subject:  CAIS-Alerta: Patch Acumulativo para o Outlook Express (823353)
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Tue, 13 Jul 2004 18:47:38 -0300 (BRST)

-----BEGIN PGP SIGNED MESSAGE-----


Prezados,

O CAIS esta repassando o alerta divulgado pela Microsoft, intitulado 
"Microsoft Security Bulletin MS04-018: Cumulative Patch for Outlook 
Express (823353)", que trata da disponibilizacao de patch acumulativo para 
o Microsoft Outlook Express que elimina uma vulnerabilidade que, se 
explorada, permite ao atacante realizar uma negacao de servico (DoS) que 
resulta na interrupcao do aplicativo.


Sistemas Afetados:

. Microsoft Windows NT Workstation 4.0 Service Pack 6a
. Microsoft Windows NT Server 4.0 Service Pack 6a
. Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
. Microsoft Windows 2000 Service Pack 2
. Microsoft Windows 2000 Service Pack 3
. Microsoft Windows 2000 Service Pack 4
. Microsoft Windows XP
. Microsoft Windows XP Service Pack 1
. Microsoft Windows XP 64-Bit Edition Service Pack 1
. Microsoft Windows XP 64-Bit Edition Version 2003
. Microsoft Windows Server 2003
. Microsoft Windows Server 2003 64-Bit Edition
. Microsoft Windows 98
. Microsoft Windows 98 Second Edition (SE)
. Microsoft Windows Millennium Edition (Me)


Componentes Afetados:

. Microsoft Outlook Express 5.5 Service Pack 2
. Microsoft Outlook Express 6
. Microsoft Outlook Express 6 Service Pack 1
. Microsoft Outlook Express 6 Service Pack 1 (64 bit Edition)
. Microsoft Outlook Express 6 on Windows Server 2003
. Microsoft Outlook Express 6 on Windows Server 2003 (64 bit edition)


Correcoes disponiveis:

A correcao consiste na aplicacao dos correspondentes patches recomendados
pela Microsoft e disponiveis em:

. Microsoft Outlook Express 5.5 Service Pack 2
  http://www.microsoft.com/downloads/details.aspx?FamilyId=9A8D1BF2-93C5-41A9-B79A-31D54743BA0E&displaylang=en

. Microsoft Outlook Express 6
  http://www.microsoft.com/downloads/details.aspx?FamilyId=D5900DF1-10AB-4850-9064-3070CE1F948A&displaylang=en

. Microsoft Outlook Express 6 Service Pack 1
  http://www.microsoft.com/downloads/details.aspx?FamilyId=AD6A96BC-DAF0-4EAB-89B8-BD702B3E3E5D&displaylang=en

. Microsoft Outlook Express 6 Service Pack 1 (64 bit Edition)
  http://www.microsoft.com/downloads/details.aspx?FamilyId=ADCCF304-6CFC-48D6-9A3F-2A601C3A04A5&displaylang=en

. Microsoft Outlook Express 6 on Windows Server 2003
  http://www.microsoft.com/downloads/details.aspx?FamilyId=C99AAFCD-B99B-4B13-A366-5F8EDC83633F&displaylang=en

. Microsoft Outlook Express 6 on Windows Server 2003 (64 bit edition)
  http://www.microsoft.com/downloads/details.aspx?FamilyId=10D1AAD0-0313-4BEB-A174-84CF573F31FD&displaylang=en



Mais informacoes:

. Microsoft Security Bulletin MS04-018
  Cumulative Security Update for Outlook Express (823353)
  http://www.microsoft.com/technet/security/Bulletin/MS04-018.mspx

. Microsoft Brasil Security
  http://www.microsoft.com/brasil/security

. Technet Brasil - Central de Seguranca
  http://www.technetbrasil.com.br/seguranca


Identificadores do CVE (http://cve.mitre.org): CAN-2004-0215


O CAIS recomenda aos administradores de plataformas Microsoft que
mantenham seus sistemas e aplicativos sempre atualizados.


Os alertas do CAIS tambem sao oferecidos no formato RSS/RDF:

         http://www.rnp.br/cais/alertas/rss.xml



Atenciosamente,


################################################################
#   CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)     #
#       Rede Nacional de Ensino e Pesquisa (RNP)               #
#                                                              #
# cais em cais.rnp.br       http://www.cais.rnp.br                #
# Tel. 019-37873300      Fax. 019-37873301                     #
# Chave PGP disponivel   http://www.rnp.br/cais/cais-pgp.key   #
################################################################



Microsoft Security Bulletin MS04-018
Cumulative Security Update for Outlook Express (823353)

Issued: July 13, 2004
Version: 1.0
Summary

Who should read this document: Customers who use Microsoft Outlook Express

Impact of Vulnerability:  Denial of Service

Maximum Severity Rating: Moderate

Recommendation: Customers should consider applying the security update.

Security Update Replacement: This bulletin replaces MS04-013: Cumulative 
Update for Outlook Express and any prior Cumulative Security Updates for 
Outlook Express.

Caveats: None

Tested Software and Security Update Download Locations:

Affected Software:


Microsoft Windows NT® Workstation 4.0 Service Pack 6a


Microsoft Windows NT Server 4.0 Service Pack 6a


Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6


Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 
3, Microsoft Windows 2000 Service Pack 4


Microsoft Windows XP and Microsoft Windows XP Service Pack 1


Microsoft Windows XP 64-Bit Edition Service Pack 1


Microsoft Windows XP 64-Bit Edition Version 2003


Microsoft Windows Server 2003


Microsoft Windows Server 2003 64-Bit Edition


Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and 
Microsoft Windows Millennium Edition (Me)  Review the FAQ section of this 
bulletin for details about these operating systems.

Affected Components:


Microsoft Outlook Express 5.5 Service Pack 2: Download the Update


Microsoft Outlook Express 6: Download the Update


Microsoft Outlook Express 6 Service Pack 1: Download the Update


Microsoft Outlook Express 6 Service Pack 1 (64 bit Edition): Download the 
Update


Microsoft Outlook Express 6 on Windows Server 2003: Download the Update


Microsoft Outlook Express 6 on Windows Server 2003 (64 bit edition): 
Download the Update

The software in this list has been tested to determine if the versions are 
affected. Other versions either no longer include security update support or 
may not be affected. To determine the support lifecycle for your product and 
version, visit the following Microsoft Support Lifecycle Web site.
Top of section
General Information

Executive Summary

Executive Summary:

This update resolves a public vulnerability. A denial of service 
vulnerability exists in Outlook Express because of a lack of robust 
verification for malformed e-mail headers. The vulnerability is documented 
in the Vulnerability Details section of this bulletin. This update also 
changes the default security settings for Outlook Express 5.5 Service Pack 2 
(SP2). This change is documented in the Frequently Asked Questions related 
to this security update section of this bulletin.

If a user is running Outlook Express and receives a specially crafted e-mail 
message, Outlook Express would fail. If the preview pane is enabled, the 
user would have to manually remove the message, and then restart Outlook 
Express to resume functionality.

We recommend that customers consider applying the security update.

Severity Ratings and Vulnerability Identifiers:
Vulnerability Identifiers	Impact of Vulnerability	Outlook Express 5.5 
SP2 Outlook Express 6	Outlook Express 6 SP1	Outlook Express 6 (64 bit 
Edition)	Outlook Express 6 for Windows Server 2003 Outlook Express 6 
Windows Server 2003 (64-bit Edition)

Malformed E-mail Header Vulnerability - CAN-2004-0215


Denial of Service


None


Moderate


None


None


None


None

This assessment is based on the types of systems that are affected by the 
vulnerability, their typical deployment patterns, and the effect that 
exploiting the vulnerability would have on them.
Top of section

Frequently asked questions (FAQ) related to this security update

What updates does this release replace?
This is a cumulative update that includes the functionality of all the 
previously-released updates for Outlook Express 5.5 and Outlook Express 6. 
The security bulletin ID and operating systems that are affected for the 
previous Outlook Express update are listed in the following table.
Bulletin ID	Outlook Express 5.5 SP2	Outlook Express 6	Outlook 
Express 6 SP1	Outlook Express 6 (64 bit Edition)	Outlook Express 6 
for Windows Server 2003	Outlook Express 6 Windows Server 2003 (64-bit 
Edition)

MS04-013


Replaced


Replaced


Replaced


Replaced


Replaced


Replaced

Does this update contain any other changes to functionality?
Yes. In addition to the change that is listed in the Vulnerability Details 
section of this bulletin, this update includes the following changes in 
functionality:


Sets Outlook Express 5.5 SP2 to view HTML e-mail messages in the Restricted 
Sites zone.


Fixes a behavior that was introduced in MS03-014 where Outlook Express 6 SP1 
and later creates a copy of the Windows Address Book in a predictable 
location with a file name of ~. After you install this update, Outlook 
Express will no longer create this copy of the Windows Address Book in a 
predictable location.

How does the extended support for Windows 98, Windows 98 Second Edition, and 
Windows Millennium Edition affect the release of security updates for these 
operating systems?
Microsoft will only release security updates for critical security issues. 
Non-critical security issues are not offered during this support period. For 
more information about the Microsoft Support Lifecycle policies for these 
operating systems, visit the following Web site.

For more information about severity ratings, visit the following Web site.

Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition 
critically affected by any of the vulnerabilities that are addressed in this 
security bulletin?
No. None of these vulnerabilities are critical in severity on Windows 98, on 
Windows 98 Second Edition, or on Windows Millennium Edition.

I'm still using Microsoft Windows NT 4.0 Workstation Service Pack 6a or 
Windows 2000 Service Pack 2, but extended security update support ended on 
June 30, 2004. However, this bulletin has a security update for these 
operating system versions. Why is that?
Windows NT 4.0 Workstation Service Pack 6a and Windows 2000 Service Pack 2 
have reached the end of their life cycles as previously documented, and 
Microsoft extended this support to June 30, 2004. However, the end-of-life 
for the extended support period occurred very recently. In this case, the 
majority of the steps that are required to address this vulnerability were 
completed before June 30, 2004. Therefore, we have decided to release 
security updates for these operating system versions as part of this 
security bulletin. We do not anticipate doing this for future 
vulnerabilities affecting these operating system versions, but we reserve 
the right to produce updates and to make these updates available when 
necessary.

It should be a priority for customers who have these operating system 
versions to migrate to supported versions to prevent potential exposure to 
future vulnerabilities. For more information about the Windows Product Life 
Cycle, visit the following Microsoft Support Lifecycle Web site. For more 
information about the extended security update support period for these 
operating system versions, visit the following Microsoft Product Support 
Services Web site.

Customers who require additional support for Windows NT Workstation 4.0 SP6a 
must contact their Microsoft account team representative, their Technical 
Account Manager, or the appropriate Microsoft partner representative for 
custom support options. Customers without an Alliance, Premier, or 
Authorized Contract can contact their local Microsoft sales office. For 
contact information, visit the Microsoft Worldwide Information Web site, 
select the country, and then click Go to see a list of phone numbers. When 
you call, ask to speak with the local Premier Support sales manager.

For more information, see the Windows Operating System FAQ.

I just scanned my system by using the Microsoft Baseline Security Analyzer 
(MBSA) and it did not tell me that I had to install this update. Am I at 
risk?
MBSA does not currently scan for Outlook Express-related security updates. 
However, Windows Update will successfully detect and install this update if 
it is required. For more information about MBSA and the products that MBSA 
currently scans, visit the following Microsoft Web site.

Can I use Systems Management Server (SMS) to determine if this update is 
required?
No. SMS uses MBSA for detection and this update is not detected by MBSA. 
However, the registry key information that is available in this bulletin can 
also be used to write specific file and registry key collection queries in 
SMS to detect vulnerable systems. For information about how to deploy 
updates not supported by MBSA with SMS, please review Knowledge Base article 
867832 or visit the SMS Web site.
Top of section

Vulnerability Details

Malformed E-mail Header Vulnerability - CAN-2004-0215:

A denial of service vulnerability exists that could allow an attacker to 
send a specially crafted e-mail message causing Outlook Express to fail.

Mitigating Factors for Malformed E-mail Header Vulnerability - CAN-2004-0215:


The following versions of Outlook Express are not affected by this 
vulnerability:


Microsoft Outlook Express 5.5SP2


Microsoft Outlook Express 6 SP1


Microsoft Outlook Express 6 SP1 (64-Bit Edition)


Microsoft Outlook Express 6 on Windows Server 2003


Microsoft Outlook Express 6 on Windows Server 2003 (64-Bit Edition)


If the preview pane is not enabled, the malicious e-mail message would have 
to be opened by the user for Outlook Express to fail.
Top of section

Workarounds for Malformed E-mail Header Vulnerability - CAN-2004-0215:

Disable the preview pane

Disabling the preview pane will prevent the malicious e-mail message from 
causing Outlook Express to fail on each restart. To disable the preview 
pane, follow these steps:

1.


In Outlook Express, click View, and then click Layout.

2.


Click to clear the Show Preview Pane check box, and then click OK.
Top of section

FAQ for Malformed E-mail Header Vulnerability - CAN-2004-0215:

What is the scope of the vulnerability?
This is a denial of service vulnerability. An attacker who exploited this 
vulnerability could cause Outlook Express to fail. A user would have to 
manually remove the e-mail message, and then restart Outlook Express to 
restore functionality.

What causes the vulnerability?
The method used by Outlook Express to validate malformed e-mail headers.

What is an e-mail header?
Mail servers and clients must have information that tells them how to 
process incoming and outgoing e-mail messages. This information is provided 
in header fields within the e-mail message. Examples of the type of 
information that is contained in e-mail header fields include the sender's 
e-mail address, the recipient's e-mail addresses, the time that the e-mail 
was sent, and the name of the mail server that received the e-mail message.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could cause 
Outlook Express to fail unexpectedly.

Who could exploit the vulnerability?
Any user who could deliver a specially crafted message to the affected 
user~Rs e-mail account could attempt to exploit this vulnerability.

How could an attacker exploit the vulnerability?
An attacker could exploit the vulnerability by creating a specially crafted 
e-mail message, and then sending the message to an affected user's e-mail 
account. If the affected user opens the message, it could cause Outlook 
Express to fail.

I have the preview pane enabled. How can I remove the malicious e-mail 
message without Outlook Express failing when it starts?
You can disable the preview pane without starting Outlook Express by editing 
the registry. The following steps demonstrate how to disable to preview pane 
in Outlook Express:

Note Using Registry Editor incorrectly can cause serious problems that may 
require you to reinstall your operating system. Microsoft cannot guarantee 
that problems resulting from the incorrect use of Registry Editor can be 
solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys And 
Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and 
Delete Information in the Registry" and "Edit Registry Data" Help topics in 
Regedt32.exe.

Note We recommend backing up the registry before you edit it.

1.


Click Start, click Run, type "regedt32" (without the quotation marks), and 
then click OK.

2.


In Registry Editor, locate the following registry key:

HKCU\Identities\{Identity GUID}\Software\Microsoft\OutLook Express\5.0\Mail\

3.


Click the ShowHybridView data value, click Edit, and change the DWORD value 
to 0.

4.


Click OK and then restart Outlook Express.

Information on how to modify the registry is available in Microsoft 
Knowledge Base article 256986.

What systems are primarily at risk from the vulnerability?
Systems where Outlook Express 6.0 is used to read e-mail messages, such as 
workstations and terminal servers, are primarily at risk from this 
vulnerability.

What does the update do?
The update removes the vulnerability by modifying the way that Outlook 
Express validates e-mail headers.

When this security bulletin was issued, had this vulnerability been publicly 
disclosed?
Yes. This vulnerability has been publicly disclosed. It has been assigned 
Common Vulnerability and Exposure number CAN-2004-0215.

When this security bulletin was issued, had Microsoft received any reports 
that this vulnerability was being exploited?
No. Microsoft had seen examples of proof of concept code published publicly 
but had not received any information indicating that this vulnerability had 
been publicly used to attack customers when this security bulletin was 
originally issued.

Does applying this security update help protect customers from the code that 
has been published publicly that attempts to exploit this vulnerability?
Yes. This security update addresses the vulnerability that is currently 
being exploited. The vulnerability that has been addressed has been assigned 
the Common Vulnerability and Exposure number CAN-2004-0215.

Top of section
Top of section
Top of section

Security Update Information

Prerequisites

Microsoft has tested the versions of Windows and the versions of Outlook 
Express that are listed in this bulletin to assess whether they are affected 
by this vulnerability and to confirm that the update that this bulletin 
describes addresses this vulnerability.

To install the Outlook Express 6 Service Pack 1 (SP1) versions of this 
update, you must be running Internet Explorer 6 SP1 (version 6.00.2800.1106) 
on one of the following versions of Windows:


Microsoft Windows NT Workstation 4.0 Service Pack 6a


Microsoft Windows NT Server 4.0 Service Pack 6a


Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6


Microsoft Windows 2000 Service Pack 2, Service Pack 3, or Service Pack 4


Microsoft Windows XP


Microsoft Windows XP Service Pack 1


Microsoft Windows XP 64-Bit Edition Service Pack 1

To install the Outlook Express 6 for Windows Server 2003 versions of this 
update, you must be running Internet Explorer 6 (version 6.00.3790.0000) on 
Windows Server 2003 (32-bit or 64-bit), or you must be running Internet 
Explorer 6 (version 6.00.3790.0000) on Windows XP 64-Bit Edition Version 
2003.

To install the Outlook Express 6 version of this update, you must be running 
Internet Explorer 6 (version 6.00.2600.0000) on a 32-bit version of Windows 
XP.


Internet Explorer 5.01 Service Pack 4 (version 5.00.3700.1000) on Windows 
2000 SP4


Internet Explorer 5.01 Service Pack 3 (version 5.00.3502.1000) on Windows 
2000 SP3


Internet Explorer 5.5 Service Pack 2 (version 5.50.4807.2300) Windows 
Millennium Edition

Versions of Windows, versions of Outlook Express, and versions of Internet 
Explorer that are not listed in this article are no longer supported. 
Although you can install some of the update packages that are described in 
this article on these versions of Windows and on these versions of Outlook 
Express, Microsoft has not tested these versions to assess whether they are 
affected by this vulnerability or to confirm that the update that this 
bulletin describes addresses this vulnerability. We recommend that you 
upgrade to a supported version of Windows and to a supported version of 
Outlook Express, and then apply the appropriate update.

For more information about how to determine the version of Internet Explorer 
that you are running, see Microsoft Knowledge Base Article 164539.

For more information about support lifecycles for Windows components, visit 
the following Microsoft Support Lifecycle Web site.

For more information about how to obtain the latest service pack for 
Internet Explorer 6, see Microsoft Knowledge Base Article 328548.

For more information about how to obtain the latest service pack for 
Internet Explorer 5.5, see Microsoft Knowledge Base Article 276369.

For more information about how to obtain the latest service pack for 
Internet Explorer 5.01, see Microsoft Knowledge Base Article 267954.

Restart Requirements

In some cases, this update does not require a restart. The installer stops 
the required services, applies the update, and then restarts the services. 
However, if the required services cannot be stopped for any reason or if 
required files are in use, this update will require a restart. If this 
occurs, a message appears that advises you to restart.

The Windows Server 2003 versions of this security update (including Windows 
XP 64-Bit Edition Version 2003) support the following setup switches:

        /help                 Displays the command line options

Setup Modes

        /quiet                Quiet mode (no user interaction or display)

        /passive            Unattended mode (progress bar only)

        /uninstall          Uninstalls the package

Restart Options

        /norestart          Do not restart when installation is complete

        /forcerestart      Restart after installation

Special Options

        /l                        Lists installed Windows hotfixes or update 
packages

        /o                       Overwrite OEM files without prompting

        /n                       Do not backup files needed for uninstall

        /f                        Force other programs to close when the 
computer shuts down

Note You can combine these switches into one command. For backward 
compatibility, the security update also supports the setup switches that the 
previous version of the setup utility uses. For more information about the 
supported installation switches, see Microsoft Knowledge Base Article about 
the supported installation switches, see Microsoft Knowledge Base Article 
262841.

Deployment Information

To install this security update on Windows Server 2003 without any user 
intervention, use the following command at a command prompt:

windowsserver2003-kb823353-x86-enu.exe /quiet /passive

To install this security update on Windows Server 2003 without forcing the 
system to restart, use the following command at a command prompt:

windowsserver2003-kb823353-x86-enu.exe /norestart

The other update packages for this security update support the following 
Setup switches:

       /q             Use Quiet mode or suppress messages when the files are 
being extracted.

       /q:u          Use User-Quiet mode. User-Quiet mode presents some 
       dialog boxes to the user.

       /q:a          Use Administrator-Quiet mode. Administrator-Quiet mode 
       does not present any dialog boxes to the user.

       /t: path:    Specify the location of the temporary folder that Setup 
       uses or the target folder for extracting the files (when you also use the /c 
switch).

       /c:             Extract the files without installing them. If you do 
       not specify the /t: path switch, you are prompted for a target folder.

       /c: path     Specify the path and the name of the Setup .inf file or 
       the .exe file.

       /r:n            Never restart the computer after the installation 
       process has completed.

       /r:i             Prompt the user to restart the computer if a restart 
       is required, except when you use this switch together with the /q:a switch.

       /r:a           Always restart the computer after the installation 
       process has completed.

       /r:s           Restart the computer after the installation process 
       has completed without prompting the user.

       /n:v          Do not verify the version. Use this switch with caution 
       to install the update on any version of Internet Explorer.

For more information about these supported setup switches, see Microsoft 
Knowledge Base Article 197147.

To install the security update without any user intervention, use the 
following command replacing "package_name" with the filename for the package 
being installed:

package_name /q:a /r:n

Verifying Update Installation

To verify the files that this security update has installed, use one of the 
following methods:


Confirm that Q823353 appears in the Update Versions field in the About 
Internet Explorer dialog box. You cannot use this method on Windows Server 
2003 or on Windows XP 64-Bit Edition Version 2003 because the package does 
not update the Update Versions field for these versions of Windows.


Compare the versions of the updated files on your computer with the files 
that are listed in the File Information section in this bulletin.


Confirm that the following registry entries exist:


For Windows Server 2003 and Windows XP 64-Bit Edition Version 2003, confirm 
that the Installed DWORD value that has a data value of 1 appears in the 
following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Hotfix\KB823353


For all other versions of Windows, confirm that the IsInstalled DWORD value 
that has a data value of 1 appears in the following registry 
key:HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed 
Components\{F5173CF0-1DFB-4978-8E50-A90169EE7CA9}

Removal Information

To remove this update, use the Add or Remove Programs tool (or the 
Add/Remove Programs tool) in Control Panel. Click Outlook Express Q823353, 
and then click Change/Remove (or click Add/Remove).

On Windows Server 2003 and on Windows XP 64-Bit Edition Version 2003, system 
administrators can also use the Spuninst.exe utility to remove this security 
update. The Spuninst.exe utility is located in the 
%Windir%\$NTUninstallKB823353$\Spuninst folder. This utility supports the 
following setup switches:

/?: Show the list of installation switches.

/u: Use unattended mode.

/f: Force other programs to quit when the computer shuts down.

/z: Do not restart when the installation is complete.

/q: Use Quiet mode (no user interaction).

On all other versions of Windows, system administrators can use the 
Ieuninst.exe utility to remove this update. This security update installs 
the Ieuninst.exe utility in the %Windir% folder. This utility supports the 
following setup switches:

/?: Show the list of installation switches.

/z: Do not restart when the installation is complete.

/q: Use Quiet mode (no user interaction).

To remove this update quietly, use the following command at a command prompt:

c:\windows\ieuninst /q c:\windows\inf\q823353.inf

This command assumes that Windows is installed in the C:\Windows folder.

File Information

The English version of this security update has the file attributes (or 
later) that are listed in the following table. The dates and times for these 
files are listed in coordinated universal time (UTC). When you view the file 
information, it is converted to local time. To find the difference between 
UTC and local time, use the Time Zone tab in the Date and Time tool in 
Control Panel.

Because of file dependencies, this update may contain additional files.For 
information about the specific security update for your operating system, 
click the appropriate link.

Outlook Express 6 SP1 for Windows XP, Windows XP SP1, Windows 2000 SP3, 
Windows 2000 SP4, and Windows NT 4.0 SP6a

Date         Time   Version            Size    File name
- --------------------------------------------------------------
03-Mar-2003  23:57  6.0.2800.1123      75,776  Directdb.dll
07-Jun-2004  21:19  6.0.2800.1441     596,480  Inetcomm.dll
11-Oct-2002  22:08  6.0.2800.1123      47,616  Inetres.dll
03-Mar-2003  23:57  6.0.2800.1123      44,032  Msident.dll
03-Mar-2003  23:57  6.0.2800.1123      56,832  Msimn.exe
26-May-2004  21:26  6.0.2800.1437   1,175,040  Msoe.dll
03-Mar-2003  23:57  6.0.2800.1123     228,864  Msoeacct.dll
11-Oct-2002  22:09  6.0.2800.1123   2,479,616  Msoeres.dll
03-Mar-2003  23:57  6.0.2800.1123      91,136  Msoert2.dll
03-Mar-2003  23:57  6.0.2800.1123      93,184  Oeimport.dll
03-Mar-2003  23:57  6.0.2800.1123      55,808  Oemig50.exe
03-Mar-2003  23:57  6.0.2800.1123      31,744  Oemiglib.dll
03-Mar-2003  23:57  6.0.2800.1123      42,496  Wab.exe
24-Jun-2004  21:26  6.0.2800.1450      463,360 Wab32.dll
03-Mar-2003  23:57  6.0.2800.1123      30,208  Wabfind.dll
03-Mar-2003  23:57  6.0.2800.1123      77,824  Wabimp.dll
03-Mar-2003  23:57  6.0.2800.1123      27,648  Wabmig.exe

Top of section


Outlook Express 6 SP1 (64-Bit) for Windows XP 64-Bit Edition Service Pack 1

Date         Time   Version            Size    File name
- --------------------------------------------------------------
03-Mar-2003  22:57  6.0.2800.1123      75,776  Directdb.dll
07-Jun-2004  20:18  6.0.2800.1441     593,408  Inetcomm.dll
11-Oct-2002  21:08  6.0.2800.1123      47,616  Inetres.dll
03-Mar-2003  22:57  6.0.2800.1123      44,032  Msident.dll
03-Mar-2003  22:57  6.0.2800.1123      56,832  Msimn.exe
02-Mar-2004  20:18  6.0.2800.1437   1,175,040  Msoe.dll
03-Mar-2003  22:57  6.0.2800.1123     228,864  Msoeacct.dll
11-Oct-2002  21:09  6.0.2800.1123   2,479,616  Msoeres.dll
03-Mar-2003  22:57  6.0.2800.1123      91,136  Msoert2.dll
03-Mar-2003  22:57  6.0.2800.1123      93,184  Oeimport.dll
03-Mar-2003  22:57  6.0.2800.1123      55,808  Oemig50.exe
03-Mar-2003  22:57  6.0.2800.1123      31,744  Oemiglib.dll
03-Mar-2003  22:57  6.0.2800.1123      42,496  Wab.exe
24-Jun-2004  20:18  6.0.2800.1450     463,360  Wab32.dll
03-Mar-2003  22:57  6.0.2800.1123      30,208  Wabfind.dll
03-Mar-2003  22:57  6.0.2800.1123      77,824  Wabimp.dll
03-Mar-2003  22:57  6.0.2800.1123      27,648  Wabmig.exe

Top of section


Outlook Express 6 for Windows XP

Date         Time   Version            Size    File name
- --------------------------------------------------------------
02-Jun-2004  19:00  6.0.2742.200      599,040  Inetcomm.dll
26-May-2004  21:59  6.0.2741.2600   1,175,552  Msoe.dll

Top of section


Outlook Express 6 for Windows Server 2003

Date         Time   Version            Size    File name     Folder
- --------------------------------------------------------------------
22-Jun-2004  22:38  6.0.3790.181      608,256  Inetcomm.dll  RTMGDR
22-Jun-2004  22:38  6.0.3790.181    1,202,176  Msoe.dll      RTMGDR
22-Jun-2004  22:38  6.0.3790.181      474,624  Wab32.dll     RTMGDR
22-Jun-2004  22:46  6.0.3790.185      608,256  Inetcomm.dll  RTMQFE
22-Jun-2004  22:46  6.0.3790.181    1,202,176  Msoe.dll      RTMQFE
22-Jun-2004  22:46  6.0.3790.181      474,624  Wab32.dll     RTMQFE

Top of section


Outlook Express 6 (64-Bit) for Windows Server 2003 64-Bit Editions and 
Windows XP 64-Bit Edition Version 2003

Date         Time   Version            Size    File name     Platform
- -----------------------------------------------------------------------
22-Jun-2004  22:40  6.0.3790.181    2,030,080  Inetcomm.dll     IA64
22-Jun-2004  22:40  6.0.3790.181    4,085,760  Msoe.dll         IA64
22-Jun-2004  22:40  6.0.3790.181    1,550,848  Wab32.dll        IA64
22-Jun-2004  22:38  6.0.3790.181      608,256  Winetcomm.dll    X86
22-Jun-2004  22:38  6.0.3790.181    1,202,176  Wmsoe.dll        X86
22-Jun-2004  22:38  6.0.3790.181      474,624  Wwab32.dll       X86
22-Jun-2004  22:48  6.0.3790.185    2,029,056  Inetcomm.dll     IA64
22-Jun-2004  22:48  6.0.3790.181    4,085,760  Msoe.dll         IA64
22-Jun-2004  22:48  6.0.3790.181    1,550,848  Wab32.dll        IA64
22-Jun-2004  22:46  6.0.3790.185      608,256  Winetcomm.dll    X86
22-Jun-2004  22:46  6.0.3790.181    1,202,176  Wmsoe.dll        X86
22-Jun-2004  22:46  6.0.3790.181      474,624  Wwab32.dll       X86

Top of section


Outlook Express 5.5 SP2 on Windows 2000 SP3, Windows 2000 SP4, and Windows 
Millennium Edition

Date         Time   Version            Size    File name
- --------------------------------------------------------------
04-Jun-2004  16:10  5.50.4942.400     575,248  Inetcomm.dll
04-Jun-2004  16:11  5.50.4942.400   1,147,152  Msoe.dll

Top of section

Note When you install this security update on Windows Server 2003 or on 
Windows XP 64-Bit Edition Version 2003, the installer verifies whether one 
or more of the files that are being updated on your system have been updated 
previously by a Microsoft hotfix. If you have previously installed a hotfix 
to update one of these files, the installer copies the RTMQFE files to your 
system. Otherwise, the installer copies the RTMGDR files to your system. For 
more information, see Microsoft Knowledge Base Article 824994.

Top of section

Obtaining Other Security Updates:

Updates for other security issues are available from the following locations:


Security updates are available from the Microsoft Download Center: You can 
find them most easily by doing a keyword search for "security_patch".


Updates for consumer platforms are available from the Windows Update Web 
site.

Support:


Customers in the U.S. and Canada can receive technical support from 
Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for 
support calls that are associated with security updates.


International customers can receive support from their local Microsoft 
subsidiaries. There is no charge for support that is associated with 
security updates. For more information about how to contact Microsoft for 
support issues, visit the International Support Web site.

Security Resources:


The Microsoft TechNet Security Web site provides additional information 
about security in Microsoft products.


Microsoft Software Update Services


Microsoft Baseline Security Analyzer (MBSA)


Windows Update


Windows Update Catalog: For more information about the Windows Update 
Catalog, see Microsoft Knowledge Base Article 323166.


Office Update

Software Update Services:

By using Microsoft Software Update Services (SUS), administrators can 
quickly and reliably deploy the latest critical updates and security updates 
to Windows 2000 and Windows Server 2003-based servers, and to desktop 
systems that are running Windows 2000 Professional or Windows XP 
Professional.

For more information about how to deploy this security update with Software 
Update Services, visit the Software Update Services Web site.

Systems Management Server:

Microsoft Systems Management Server (SMS) delivers a highly-configurable 
enterprise solution for managing updates. By using SMS, administrators can 
identify Windows-based systems that require security updates and to perform 
controlled deployment of these updates throughout the enterprise with 
minimal disruption to end users. For more information about how 
administrators can use SMS 2003 to deploy security updates, see the SMS 2003 
Security Patch Management Web site. SMS 2.0 users can also use Software 
Updates Service Feature Pack to help deploy security updates. For 
information about SMS, visit the SMS Web site.

Note SMS uses the Microsoft Baseline Security Analyzer and the Microsoft 
Office Detection Tool to provide broad support for security bulletin update 
detection and deployment. Some software updates may not be detected by these 
tools. Administrators can use the inventory capabilities of the SMS in these 
cases to target updates to specific systems. For more information about this 
procedure, see the following Web site. Some security updates require 
administrative rights following a restart of the system. Administrators can 
use the Elevated Rights Deployment Tool (available in the SMS 2003 
Administration Feature Pack and in the SMS 2.0 Administration Feature Pack) 
to install these updates.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" 
without warranty of any kind. Microsoft disclaims all warranties, either 
express or implied, including the warranties of merchantability and fitness 
for a particular purpose. In no event shall Microsoft Corporation or its 
suppliers be liable for any damages whatsoever including direct, indirect, 
incidental, consequential, loss of business profits or special damages, even 
if Microsoft Corporation or its suppliers have been advised of the 
possibility of such damages. Some states do not allow the exclusion or 
limitation of liability for consequential or incidental damages so the 
foregoing limitation may not apply.

Revisions:


V1.0 (July 13, 2004): Bulletin published

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBQPRYiekli63F4U8VAQE2gQP/bz5S6qB10qNhVC8JdKonRe9Us6FYxBgq
q1/vYvs0Hxz7xZDOhH9vT2DU1LdSL3rgT7t7q1lDZrZuuIBRpBdaT/NuVITEq0oX
dckGgpBp8m99aQyw9bWuCFKxSFQtTpcl2JaxZ2rsszYY/adLxYOvGGBwrkZmWRZG
4beO/wTqJpI=
=4cwh
-----END PGP SIGNATURE-----


----- End forwarded message -----


From security em unicamp.br  Wed Jul 14 10:41:04 2004
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Wed, 14 Jul 2004 10:41:04 -0300
Subject: [SECURITY-L] CAIS-Alerta: Vulnerabilidade no Utility Manager
	(842526)
Message-ID: <20040714134104.GB46533@unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br> -----

From: Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br>
Subject:  CAIS-Alerta: Vulnerabilidade no Utility Manager (842526)
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Tue, 13 Jul 2004 19:01:48 -0300 (BRST)

-----BEGIN PGP SIGNED MESSAGE-----


Prezados,

O CAIS esta' repassando o alerta da Microsoft, intitulado "Microsoft 
Security Bulletin MS04-019: Vulnerability in Utility Manager Could Allow 
Code Execution (842526)", que trata de uma vulnerabilidade de elevacao de 
privilegios existente na forma como o Utility Manager inicia aplicativos.

Um usuario registrado no sistema poderia forcar o Utility Manager a 
iniciar um aplicativo com privilegios do sistema, obtendo assim total 
controle sobre este, podendo entao instalar programas, acessar ou apagar 
documentos e adicionar novos usuarios com totais privilegios ao sistema. 
Reparem que nao e' possivel explorar remotamente essa vulnerabilidade, e o 
atacante tera que possuir um logon valido no sistema.


Sistemas afetados:

. Microsoft Windows 2000 Service Pack 2
. Microsoft Windows 2000 Service Pack 3
. Microsoft Windows 2000 Service Pack 4


Sistemas *nao* afetados:

. Microsoft Windows NT Workstation 4.0 Service Pack 6a
. Microsoft Windows NT Server 4.0 Service Pack 6a
. Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
. Microsoft Windows XP and Microsoft Windows XP Service Pack 1
. Microsoft Windows XP 64-Bit Edition Service Pack 1
. Microsoft Windows XP 64-Bit Edition Version 2003
. Microsoft Windows Server 2003
. Microsoft Windows Server 2003 64-Bit Edition
. Microsoft Windows 98
. Microsoft Windows 98 Second Edition (SE)
. Microsoft Windows Millennium Edition (Me)


Correcoes disponiveis:

Recomenda-se fazer a atualizacao para as versoes disponiveis na URL do 
boletim original, que tambem fornece orientacoes para se mitigar ou 
contornar a vulnerabilidade.

. Microsoft Windows 2000 Service Pack 2
  http://www.microsoft.com/downloads/details.aspx?FamilyId=94CD9925-D99B-4CB6-B51E-248D4FD8AF07&displaylang=en

. Microsoft Windows 2000 Service Pack 3
  http://www.microsoft.com/downloads/details.aspx?FamilyId=94CD9925-D99B-4CB6-B51E-248D4FD8AF07&displaylang=en

. Microsoft Windows 2000 Service Pack 4
  http://www.microsoft.com/downloads/details.aspx?FamilyId=94CD9925-D99B-4CB6-B51E-248D4FD8AF07&displaylang=en


Mais informacoes:

. Microsoft Security Bulletin MS04-019
  Vulnerability in Utility Manager Could Allow Code Execution (842526)
  http://www.microsoft.com/technet/security/bulletin/MS04-019.mspx

. Microsoft Brasil Security
  http://www.microsoft.com/brasil/security

. Technet Brasil - Central de Seguranca
  http://www.technetbrasil.com.br/seguranca


Identificador CVE: CAN-2004-0213 (http://cve.mitre.org)


O CAIS recomenda que os administradores mantenham seus sistemas e 
aplicativos sempre atualizados, de acordo com as ultimas versoes e 
correcoes oferecidas pelos fabricantes.

Os Alertas do CAIS tambem sao oferecidos no formato RSS/RDF:

http://www.rnp.br/cais/alertas/rss.xml


Atenciosamente,

################################################################
#   CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)     #
#       Rede Nacional de Ensino e Pesquisa (RNP)               #
#                                                              #
# cais em cais.rnp.br       http://www.cais.rnp.br                #
# Tel. 019-37873300      Fax. 019-37873301                     #
# Chave PGP disponivel   http://www.rnp.br/cais/cais-pgp.key   #
################################################################


Microsoft Security Bulletin MS04-019
Vulnerability in Utility Manager Could Allow Code Execution (842526)

Issued: July 13, 2004
Version: 1.0
Summary

Who should read this document: Customers who use Microsoft Windows 2000

Impact of Vulnerability: Local Elevation of Privilege

Maximum Severity Rating: Important

Recommendation: Customers should install the update at the earliest 
opportunity.

Security Update Replacement: This bulletin replaces MS03-025. See the 
frequently asked questions (FAQ) section of this bulletin for more 
information.

Caveats: None

Tested Software and Security Update Download Locations:

Affected Software:


Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 
3, Microsoft Windows 2000 Service Pack 4  Download the update

Non-Affected Software:


Microsoft Windows NT® Workstation 4.0 Service Pack 6a


Microsoft Windows NT Server 4.0 Service Pack 6a


Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6


Microsoft Windows XP and Microsoft Windows XP Service Pack 1


Microsoft Windows XP 64-Bit Edition Service Pack 1


Microsoft Windows XP 64-Bit Edition Version 2003


Microsoft Windows Server 2003


Microsoft Windows Server 2003 64-Bit Edition


Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and 
Microsoft Windows Millennium Edition (Me)

The software in this list has been tested to determine if the versions are 
affected. Other versions either no longer include security update support or 
may not be affected. To determine the support lifecycle for your product and 
version, visit the following Microsoft Support Lifecycle Web site.
Top of section
General Information

Executive Summary

Executive Summary:

This update resolves a newly-discovered, privately reported vulnerability. A 
privilege elevation vulnerability exists in the way that Utility Manager 
launches applications. A logged-on user could force Utility Manager to start 
an application with system privileges and could take complete control of the 
system. The vulnerability is documented in the Vulnerability Details section 
of this bulletin.

An attacker who successfully exploited this vulnerability could take 
complete control of an affected system, including installing programs; 
viewing, changing, or deleting data; or creating new accounts that have full 
privileges.

We recommend that customers install the update at the earliest opportunity.

Severity Ratings and Vulnerability Identifiers:
Vulnerability Identifiers	Impact of Vulnerability	Windows 2000

Utility Manager Vulnerability - CAN-2004-0213


Privilege Elevation


Important

This assessment is based on the types of systems that are affected by the 
vulnerability, their typical deployment patterns, and the effect that 
exploiting the vulnerability would have on them.
Top of section

Frequently asked questions (FAQ) related to this security update

What updates does this release replace?
This security update replaces a prior security bulletin. The security 
bulletin ID and operating systems that are affected are listed in the table 
below.
Bulletin ID	Windows NT 4.0	Windows 2000	Windows XP	Windows 
Server 2003

MS03-025


Not Applicable


Replaced


Not Applicable


Not Applicable

Does this update contain any other changes to functionality?
Yes. In addition to the changes that are listed in the Vulnerability Details 
section of this bulletin, this update includes the following change in 
functionality. Utility Manger is no longer able to use context-sensitive 
help. This feature has been removed to provide greater security and to help 
prevent potential malicious use. Microsoft considers this to be a 
defense-in-depth measure that we are taking to help provide additional 
protection against future malicious use of Utility Manager.

I'm still using Windows 2000 Service Pack 2, but extended security update 
support ended on June 30, 2004. However, this bulletin has a security update 
for this operating system version. Why is that?
Windows 2000 Service Pack 2 reached the end of their life cycle as 
previously documented, and Microsoft extended this support to June 30, 2004. 
However, the end-of-life for the extended support period occurred very 
recently. In this case, the majority of the steps that are required to 
address this vulnerability were completed before June 30, 2004. Therefore, 
we have decided to release a security update for this operating system 
version as part of this security bulletin. We do not anticipate doing this 
for future vulnerabilities affecting this operating system version, but we 
reserve the right to produce updates and to make these updates available 
when necessary.

It should be a priority for customers who have this operating system version 
to migrate to a supported version to prevent potential exposure to future 
vulnerabilities. For more information about the Windows Product Life Cycle, 
visit the following Microsoft Support Lifecycle Web site. For more 
information about the extended security update support period for this 
operating system version, visit the following Microsoft Product Support 
Services Web site.

For more information, see the Windows Operating System FAQ.

Can I use the Microsoft Baseline Security Analyzer (MBSA) to determine if 
this update is required?
Yes. MBSA will determine if this update is required. For more information 
about MBSA, visit the MBSA Web site.

Note After April 20, 2004, the Mssecure.xml file that is used by MBSA 1.1.1 
and earlier versions is no longer being updated with new security bulletin 
data. Therefore, scans that are performed after that date with MBSA 1.1.1 or 
earlier will be incomplete. All users should upgrade to MBSA 1.2 because it 
provides more accurate security update detection and supports additional 
products. Users can download MBSA 1.2 from the MBSA Web site. For more 
information about MBSA support, visit the following Microsoft Baseline 
Security Analyzer 1.2 Q&A Web site.

Can I use Systems Management Server (SMS) to determine if this update is 
required?
Yes. SMS can help detect and deploy this security update. For information 
about SMS, visit the SMS Web site.
Top of section

Vulnerability Details

Utility Manager Vulnerability - CAN-2004-0213:

A privilege elevation vulnerability exists in the way that Utility Manager 
launches applications. A logged-on user could force Utility Manager to start 
an application with system privileges and could take complete control of the 
system.

Mitigating Factors for Utility Manager Vulnerability - CAN-2004-0213:


An attacker must have valid logon credentials and be able to logon locally 
to exploit this vulnerability. The vulnerability could not be exploited 
remotely or by anonymous users.


Windows NT 4.0, Windows XP, and Windows Server 2003 are not affected by this 
vulnerability. Windows NT 4.0 does not implement Utility Manager.


The Windows 2000 Hardening Guide recommends disabling the Utility Manger 
service. Environments that comply with these guidelines would be at a 
reduced risk from this vulnerability.
Top of section

Workarounds for Utility Manager Vulnerability - CAN-2004-0213:

Microsoft has tested the following workarounds. While these workarounds will 
not correct the underlying vulnerability, they help block known attack 
vectors. When a workaround reduces functionality, it is identified below.

Use the Group Policy settings to disable Utility Manager on all affected 
systems that do not require this feature.
Because Utility Manager is a possible attack vector, disable it by using the 
Group Policy settings. The Utility Manager process name is Utilman.exe. The 
following guide provides information about how to require users to run only 
approved applications by using the Group Policy settings.

Note You may also review the Windows 2000 Hardening Guide. This guide 
includes information about how to disable Utility Manager.

Impact of Workaround: Utility Manager provides easy access to many of the 
accessibility features of the operating system. This access would be 
unavailable until the restrictions are removed. For more information about 
how to start many of the accessibility features manually, visit the 
following Web site.
Top of section

FAQ for Utility Manager Vulnerability - CAN-2004-0213:

What is the scope of the vulnerability?
This is a privilege elevation vulnerability. An attacker who successfully 
exploited this vulnerability could take complete control of an affected 
system, including installing programs; viewing, changing, or deleting data; 
or creating new accounts that have full privileges.

What causes the vulnerability?
The process that Utility Manager uses to launch applications. It is possible 
that Utility Manager could launch applications with system privileges.

What is Utility Manager?
Utility Manager is an accessibility utility that allows users to determine 
the status of accessibility programs such as Microsoft Magnifier, Narrator, 
or On-Screen Keyboard, and to start or stop them.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take 
complete control of an affected system, including installing programs; 
viewing, changing, or deleting data; or creating new accounts that have full 
privileges.

Who could exploit the vulnerability?
An attacker must be able to log on to the system and then, after starting 
Utility Manager, run a program that sends a specially crafted message to 
Utility Manager to attempt to exploit the vulnerability.

How could an attacker exploit this vulnerability?
To exploit this vulnerability, an attacker would first have to start Utility 
Manager on Windows 2000 and then run a specially designed application that 
could exploit the vulnerability. In default configurations of Window 2000, 
Utility Manager is installed but is not running. This vulnerability could 
allow an attacker to gain complete control over a Windows 2000 system.

What systems are primarily at risk from the vulnerability?
Windows 2000 systems are affected by this vulnerability. Workstations and 
terminal servers that are based on Windows 2000 are primarily at risk. 
Servers are only at risk if users who do not have sufficient administrative 
credentials are given the ability to log on to servers and to run programs. 
However, best practices strongly discourage allowing this.

I am using Windows 2000, but I am not using Utility Manager or any of the 
accessibility features. Am I still vulnerable?
Yes. By default, Utility Manager is installed and is enabled. However, 
Utility Manager is not running by default.

Could the vulnerability be exploited over the Internet?
No. An attacker must be able to log on to the specific system that is 
targeted for attack. An attacker cannot load and run a program remotely by 
using this vulnerability.

What does the update do?
This update removes the vulnerability by removing the Utility Manager's 
ability to launch certain applications.

How does this vulnerability relate to the Utility Manager vulnerability that 
is addressed by MS04-011?
Both vulnerabilities are related to Utility Manager. However, this update 
corrects a new vulnerability that was not addressed as part of MS04-011. 
MS04-011 helps protect against the vulnerability that is discussed in that 
bulletin, but it does not address this new vulnerability. This update does 
not replace MS04-011. You must install this update and the update that is 
provided as part of the MS04-011 security bulletin to help protect your 
system from both vulnerabilities.

When this security bulletin was issued, had this vulnerability been publicly 
disclosed?
No. Microsoft received information about this vulnerability through 
responsible disclosure. Microsoft had not received any information 
indicating that this vulnerability had been publicly disclosed when this 
security bulletin was originally issued.

When this security bulletin was issued, had Microsoft received any reports 
that this vulnerability was being exploited?
No. Microsoft had not received any information indicating that this 
vulnerability had been publicly used to attack customers and had not seen 
any examples of proof of concept code published when this security bulletin 
was originally issued.
Top of section
Top of section
Top of section

Security Update Information

Installation Platforms and Prerequisites:

For information about the specific security update for your platform, click 
the appropriate link:

Windows 2000 (all versions)

Prerequisites
For Windows 2000, this security update requires Service Pack 2 (SP2), 
Service Pack 3 (SP3), or Service Pack 4 (SP4).

The software that is listed has been tested to determine if the versions are 
affected. Other versions either no longer include security update support or 
may not be affected. To determine the support lifecycle for your product and 
version, visit the Microsoft Support Lifecycle Web site.

For more information about how to obtain the latest service pack, see 
Microsoft Knowledge Base Article 260910.

Inclusion in Future Service Packs:
The update for this issue will be included in Windows 2000 Service Pack 5.

Installation Information

This security update supports the following setup switches:

       /help                 Displays the command line options

Setup Modes

       /quiet                Quiet mode (no user interaction or display)

       /passive            Unattended mode (progress bar only)

       /uninstall          Uninstalls the package

Restart Options

       /norestart          Do not restart when installation is complete

       /forcerestart      Restart after installation

Special Options

       /l                        Lists installed Windows hotfixes or update 
packages

       /o                       Overwrite OEM files without prompting

       /n                       Do not backup files needed for uninstall

       /f                        Force other programs to close when the 
computer shuts down

       /extract             Extracts files without starting setup

Note You can combine these switches into one command. For backward 
compatibility, the security update also supports the setup switches that the 
previous version of the setup utility uses. For more information about the 
supported installation switches, see Microsoft Knowledge Base Article 262841.

Deployment Information

To install the security update without any user intervention, use the 
following command at a command prompt for Windows 2000 Service Pack 2, 
Windows 2000 Service Pack 3, and Windows 2000 Service Pack 4:

Windows2000-kb842526-x86-enu /passive /quiet

To install the security update without forcing the system to restart, use 
the following command at a command prompt for Windows 2000 Service Pack 2, 
Windows 2000 Service Pack 3, and Windows 2000 Service Pack 4:

Windows2000-kb842526-x86-enu /norestart

For more information about how to deploy this security update with Software 
Update Services, visit the Software Update Services Web site.

Restart Requirement

In some cases, this update does not require a restart. The installer stops 
the required services, applies the update, and then restarts the services. 
However, if the required services cannot be stopped for any reason or if 
required files are in use, this update will require a restart. If this 
occurs, a message appears that advises you to restart.

Removal Information

To remove this security update, use the Add or Remove Programs tool in 
Control Panel.

System administrators can also use the Spuninst.exe utility to remove this 
security update. The Spuninst.exe utility is located in the 
%Windir%\$NTUninstallKB842526$\Spuninst folder. The Spuninst.exe utility 
supports the following setup switches:

/?: Show the list of installation switches.

/u: Use unattended mode.

/f: Force other programs to quit when the computer shuts down.

/z: Do not restart when the installation is complete.

/q: Use Quiet mode (no user interaction).

File Information

The English version of this update has the file attributes (or later) that 
are listed in the following table. The dates and times for these files are 
listed in coordinated universal time (UTC). When you view the file 
information, it is converted to local time. To find the difference between 
UTC and local time, use the Time Zone tab in the Date and Time tool in 
Control Panel.

Note Date, time, file name, or size information could change during 
installation. See the Verifying Update Installation section for details on 
verifying an installation.

Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, and Windows 2000 
Service Pack 4:

Date         Time   Version        Size       File name
- ------------------------------------------------------
16-May-2004  19:43  5.0.2195.6928  5,873,664  Sp3res.dll
22-May-2004  03:33  1.0.0.5           27,920  Umandlg.dll

Verifying Update Installation


Microsoft Baseline Security Analyzer

To verify that a security update is installed on an affected system, you may 
be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. This 
tool allows administrators to scan local and remote systems for missing 
security updates and for common security misconfigurations. For more 
information about MBSA, visit the Microsoft Baseline Security Analyzer Web 
site.


File Version Verification

Note Because there are several versions of Microsoft Windows, the following 
steps may be different on your computer. If they are, see your product 
documentation to complete these steps.

1.


Click Start, and then click Search.

2.


In the Search Results pane, click All files and folders under Search 
Companion.

3.


In the All or part of the file name box, type a file name from the 
appropriate file information table, and then click Search.

4.


In the list of files, right-click a file name from the appropriate file 
information table, and then click Properties.

Note Depending on the version of the operating system or programs installed, 
some of the files that are listed in the file information table may not be 
installed.

5.


On the Version tab, determine the version of the file that is installed on 
your computer by comparing it to the version that is documented in the 
appropriate file information table.

Note Attributes other than file version may change during installation. 
Comparing other file attributes to the information in the file information 
table is not a supported method of verifying the update installation. Also, 
in certain cases, files may be renamed during installation. If the file or 
version information is not present, use one of the other available methods 
to verify update installation.


Registry Key Verification

You may also be able to verify the files that this security update has 
installed by reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 
2000\SP5\KB842526\Filelist

Note This registry key may not contain a complete list of installed files. 
Also, this registry key may not be created correctly when an administrator 
or an OEM integrates or slipstreams the 842526 security update into the 
Windows installation source files.
Top of section
Top of section

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:


Cesar Cerrudo of Application Security Inc. for reporting Utility the Manager 
Vulnerability (CAN-2004-0213).

Obtaining Other Security Updates:

Updates for other security issues are available from the following locations:


Security updates are available from the Microsoft Download Center: You can 
find them most easily by doing a keyword search for "security_patch".


Updates for consumer platforms are available from the Windows Update Web 
site.

Support:


Customers in the U.S. and Canada can receive technical support from 
Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for 
support calls that are associated with security updates.


International customers can receive support from their local Microsoft 
subsidiaries. There is no charge for support that is associated with 
security updates. For more information about how to contact Microsoft for 
support issues, visit the International Support Web site.

Security Resources:


The Microsoft TechNet Security Web site provides additional information 
about security in Microsoft products.


Microsoft Software Update Services


Microsoft Baseline Security Analyzer (MBSA)


Windows Update


Windows Update Catalog: For more information about the Windows Update 
Catalog, see Microsoft Knowledge Base Article 323166.


Office Update

Software Update Services:

By using Microsoft Software Update Services (SUS), administrators can 
quickly and reliably deploy the latest critical updates and security updates 
to Windows 2000 and Windows Server 2003-based servers, and to desktop 
systems that are running Windows 2000 Professional or Windows XP 
Professional.

For more information about how to deploy this security update with Software 
Update Services, visit the Software Update Services Web site.

Systems Management Server:

Microsoft Systems Management Server (SMS) delivers a highly-configurable 
enterprise solution for managing updates. By using SMS, administrators can 
identify Windows-based systems that require security updates and to perform 
controlled deployment of these updates throughout the enterprise with 
minimal disruption to end users. For more information about how 
administrators can use SMS 2003 to deploy security updates, see the SMS 2003 
Security Patch Management Web site. SMS 2.0 users can also use Software 
Updates Service Feature Pack to help deploy security updates. For 
information about SMS, visit the SMS Web site.

Note SMS uses the Microsoft Baseline Security Analyzer and the Microsoft 
Office Detection Tool to provide broad support for security bulletin update 
detection and deployment. Some software updates may not be detected by these 
tools. Administrators can use the inventory capabilities of the SMS in these 
cases to target updates to specific systems. For more information about this 
procedure, see the following Web site. Some security updates require 
administrative rights following a restart of the system. Administrators can 
use the Elevated Rights Deployment Tool (available in the SMS 2003 
Administration Feature Pack and in the SMS 2.0 Administration Feature Pack) 
to install these updates.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" 
without warranty of any kind. Microsoft disclaims all warranties, either 
express or implied, including the warranties of merchantability and fitness 
for a particular purpose. In no event shall Microsoft Corporation or its 
suppliers be liable for any damages whatsoever including direct, indirect, 
incidental, consequential, loss of business profits or special damages, even 
if Microsoft Corporation or its suppliers have been advised of the 
possibility of such damages. Some states do not allow the exclusion or 
limitation of liability for consequential or incidental damages so the 
foregoing limitation may not apply.

Revisions:


V1.0 (July 13, 2004): Bulletin published

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBQPRb2+kli63F4U8VAQH+pQQAtD9Waj4Y+PV0UW4SqMQdAoA87FVjG3p7
Nw+RZJlzj0fB/Qm2nj9MPrJF536n+B/WCnxeAM/VDG5IPe2UVJ28cAcbtx1i60y9
jWHKliflDOcs27TFsUMVuFX0ssVLHSz+esIuP06GrqwSsi4exEnsw5BsfCTvD1zA
1ysamanDBB4=
=JNGN
-----END PGP SIGNATURE-----


----- End forwarded message -----


From security em unicamp.br  Wed Jul 14 10:41:24 2004
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Wed, 14 Jul 2004 10:41:24 -0300
Subject: [SECURITY-L] CAIS-Alerta: Vulnerabilidade no subsistema POSIX do
	Windows (841872)
Message-ID: <20040714134123.GC46533@unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br> -----

From: Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br>
Subject:  CAIS-Alerta: Vulnerabilidade no subsistema POSIX do Windows (841872)
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Tue, 13 Jul 2004 19:08:42 -0300 (BRST)

-----BEGIN PGP SIGNED MESSAGE-----


Prezados,

O CAIS esta' repassando o alerta divulgado pela Microsoft, intitulado 
"Microsoft Security Bulletin MS04-020: Vulnerability in POSIX Could Allow 
Code Execution (841872)", que trata de uma vulnerabilidade presente no 
subsistema POSIX do Windows, que pode ser explorada localmente permitindo 
a execucao de codigo arbritario.

O POSIX (Portable Operating System Interface for UNIX) é um subsistema do 
Windows que permite a execucao de programas que nao foram desenvolvidos 
originalmente para Windows. Uma vulnerabilidade neste subsistema permite a 
um usuario local a execucao de codigo malicioso com privilegios 
administrativos. Reparem que nao e' possivel explorar remotamente essa 
vulnerabilidade, e o atacante tera que possuir um logon valido no sistema.


Sistemas afetados:

. Microsoft Windows NT Workstation 4.0 Service Pack 6a
. Microsoft Windows NT Server 4.0 Service Pack 6a
. Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
. Microsoft Windows 2000 Service Pack 2
. Microsoft Windows 2000 Service Pack 3
. Microsoft Windows 2000 Service Pack 4


Sistemas *nao* afetados:

. Microsoft Windows XP
. Microsoft Windows XP Service Pack 1
. Microsoft Windows XP 64-Bit Edition Service Pack 1
. Microsoft Windows XP 64-Bit Edition Version 2003
. Microsoft Windows Server 2003
. Microsoft Windows Server 2003 64-Bit Edition
. Microsoft Windows 98
. Microsoft Windows 98 Second Edition (SE)
. Microsoft Windows Millennium Edition (Me)


Correcoes disponiveis:

A correcao consiste na aplicacao dos correspondentes patches recomendados
pela Microsoft e disponiveis em:

. Microsoft Windows NT Workstation 4.0 Service Pack 6a
  http://www.microsoft.com/downloads/details.aspx?FamilyId=25993F70-191B-4E35-AA1B-0AA1A7027880&displaylang=en

. Microsoft Windows NT Server 4.0 Service Pack 6a
  http://www.microsoft.com/downloads/details.aspx?FamilyId=C2018A81-446C-4930-A6CC-EA5B5960FF05&displaylang=en

. Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
  http://www.microsoft.com/downloads/details.aspx?FamilyId=9CFC4AF3-B0BC-4798-BC23-F45739E3B802&displaylang=en

. Microsoft Windows 2000 Service Pack 2
  http://www.microsoft.com/downloads/details.aspx?FamilyId=05203A7E-4A11-4F88-AA73-75A6C81466B8&displaylang=en

. Microsoft Windows 2000 Service Pack 3
  http://www.microsoft.com/downloads/details.aspx?FamilyId=05203A7E-4A11-4F88-AA73-75A6C81466B8&displaylang=en

. Microsoft Windows 2000 Service Pack 4
  http://www.microsoft.com/downloads/details.aspx?FamilyId=05203A7E-4A11-4F88-AA73-75A6C81466B8&displaylang=en


Mais informacoes:

. Microsoft Security Bulletin MS04-020
  Vulnerability in POSIX Could Allow Code Execution (841872)
  http://www.microsoft.com/technet/security/bulletin/ms04-020.mspx

. Microsoft Brasil Security
  http://www.microsoft.com/brasil/security

. Technet Brasil - Central de Seguranca
  http://www.technetbrasil.com.br/seguranca


Identificador do CVE (http://cve.mitre.org): CAN-2004-0210


O CAIS recomenda aos administradores de plataformas Microsoft que
mantenham seus sistemas e aplicativos sempre atualizados.


Os alertas do CAIS tambem sao oferecidos no formato RSS/RDF:

http://www.rnp.br/cais/alertas/rss.xml


Atenciosamente,

################################################################
#   CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)     #
#       Rede Nacional de Ensino e Pesquisa (RNP)               #
#                                                              #
# cais em cais.rnp.br       http://www.cais.rnp.br                #
# Tel. 019-37873300      Fax. 019-37873301                     #
# Chave PGP disponivel   http://www.rnp.br/cais/cais-pgp.key   #
################################################################

Microsoft Security Bulletin MS04-020
Vulnerability in POSIX Could Allow Code Execution (841872)

Issued: July 13, 2004
Version: 1.0
Summary

Who should read this document: Customers who use Microsoft Windows 2000 
or Windows NT 4.0

Impact of Vulnerability: Local Elevation of Privilege

Maximum Severity Rating: Important

Recommendation: Customers should install the update at the earliest 
opportunity.

Security Update Replacement: None

Caveats: None

Tested Software and Security Update Download Locations:

Affected Software:


Microsoft Windows NT® Workstation 4.0 Service Pack 6a ~V Download the 
update


Microsoft Windows NT Server 4.0 Service Pack 6a ~V Download the update


Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6 ~V 
Download the update


Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 
3, Microsoft Windows 2000 Service Pack 4 ~V Download the update

Non-Affected Software:


Microsoft Windows XP and Microsoft Windows XP Service Pack 1


Microsoft Windows XP 64-Bit Edition Service Pack 1


Microsoft Windows XP 64-Bit Edition Version 2003


Microsoft Windows Server~Y 2003


Microsoft Windows Server 2003 64-Bit Edition


Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and 
Microsoft Windows Millennium Edition (Me)

The software in this list has been tested to determine if the versions are 
affected. Other versions either no longer include security update support 
or may not be affected. To determine the support lifecycle for your 
product and version, visit the following Microsoft Support Lifecycle Web 
site.
Top of section
General Information

Executive Summary

Executive Summary:

This update resolves a newly-discovered, privately reported vulnerability. 
A privilege elevation vulnerability exists in the POSIX operating system 
component (subsystem). The vulnerability is documented in the 
Vulnerability Details section of this bulletin.

An attacker who successfully exploited this vulnerability could take 
complete control of an affected system, including installing programs; 
viewing, changing, or deleting data; or creating new accounts that have 
full privileges.

We recommend that customers install the update at the earliest 
opportunity.

Severity Ratings and Vulnerability Identifiers:
Vulnerability Identifiers	Impact of Vulnerability	Windows NT 4.0 
Windows 2000

POSIX Vulnerability - CAN-2004-0210


Privilege Elevation


Important


Important

This assessment is based on the types of systems that are affected by the 
vulnerability, their typical deployment patterns, and the effect that 
exploiting the vulnerability would have on them.
Top of section

Frequently asked questions (FAQ) related to this security update

I'm still using Microsoft Windows NT 4.0 Workstation Service Pack 6a or 
Windows 2000 Service Pack 2, but extended security update support ended on 
June 30, 2004. However, this bulletin has a security update for these 
operating system versions. Why is that?
Windows NT 4.0 Workstation Service Pack 6a and Windows 2000 Service Pack 2 
have reached the end of their life cycles as previously documented, and 
Microsoft extended this support to June 30, 2004. However, the end-of-life 
for the extended support period occurred very recently. In this case, the 
majority of the steps that are required to address this vulnerability were 
completed before June 30, 2004. Therefore, we have decided to release 
security updates for these operating system versions as part of this 
security bulletin. We do not anticipate doing this for future 
vulnerabilities affecting these operating system versions, but we reserve 
the right to produce updates and to make these updates available when 
necessary.

It should be a priority for customers who have these operating system 
versions to migrate to supported versions to prevent potential exposure to 
future vulnerabilities. For more information about the Windows Product 
Life Cycle, visit the following Microsoft Support Lifecycle Web site. For 
more information about the extended security update support period for 
these operating system versions, visit the following Microsoft Product 
Support Services Web site.

Customers who require additional support for Windows NT Workstation 4.0 
SP6a must contact their Microsoft account team representative, their 
Technical Account Manager, or the appropriate Microsoft partner 
representative for custom support options. Customers without an Alliance, 
Premier, or Authorized Contract can contact their local Microsoft sales 
office. For contact information, visit the Microsoft Worldwide Information 
Web site, select the country, and then click Go to see a list of phone 
numbers. When you call, ask to speak with the local Premier Support sales 
manager.

For more information, see the Windows Operating System FAQ.

Can I use the Microsoft Baseline Security Analyzer (MBSA) to determine if 
this update is required?
Yes. MBSA will determine if this update is required. For more information 
about MBSA, visit the MBSA Web site.

Note After April 20, 2004, the Mssecure.xml file that is used by MBSA 
1.1.1 and earlier versions is no longer being updated with new security 
bulletin data. Therefore, scans that are performed after that date with 
MBSA 1.1.1 or earlier will be incomplete. All users should upgrade to MBSA 
1.2 because it provides more accurate security update detection and 
supports additional products. Users can download MBSA 1.2 from the MBSA 
Web site. For more information about MBSA support, visit the following 
Microsoft Baseline Security Analyzer 1.2 Q&A Web site.

Can I use Systems Management Server (SMS) to determine if this update is 
required?
Yes. SMS can help detect and deploy this security update. For information 
about SMS, visit the SMS Web site.

Top of section

Vulnerability Details

POSIX Vulnerability - CAN-2004-0210

A privilege elevation vulnerability exists in the POSIX subsystem. This 
vulnerability could allow a logged on user to take complete control of the 
system.

Mitigating Factors for POSIX Vulnerability - CAN-2004-0210:
~U

An attacker must have valid logon credentials and be able to logon locally 
to exploit this vulnerability. The vulnerability could not be exploited 
remotely or by anonymous users.
~U

Windows XP and Windows Server 2003 are not affected by this vulnerability.
Top of section

Workarounds for POSIX Vulnerability - CAN-2004-0210:

Microsoft has tested the following workarounds. While these workarounds 
will not correct the underlying vulnerability, they help block known 
attack vectors. When a workaround reduces functionality, it is identified 
below.


Disable the POSIX subsystem through the registry

This workaround is fully documented in Microsoft Knowledge Base Article 
101270. This article is summarized in the following paragraphs.

The following steps demonstrate how to disable the POSIX subsystem.

Note Using Registry Editor incorrectly can cause serious problems that may 
require you to reinstall your operating system. Microsoft cannot guarantee 
that problems resulting from the incorrect use of Registry Editor can be 
solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys 
And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add 
and Delete Information in the Registry" and "Edit Registry Data" Help 
topics in Regedt32.exe.

Note We recommend backing up the registry before you edit it.

1.


Click Start, click Run, type "regedt32" (without the quotation marks), and 
then click OK.

2.


In Registry Editor, locate the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session 
Manager\Subsystems\Posix

3.


Click the POSIX data value, click Edit, and then click Delete.

4.


Click OK to confirm the delete, and then restart the system.

Note To enable the POSIX subsystem, re-create the registry key. The name 
if the registry key is Posix, the type of registry key is REG_EXPAND_SZ, 
and the registry key value is %SystemRoot%\system32\psxss.exe. After you 
have done this, restart the system.

Impact of Workaround: POSIX programs are disabled until the POSIX 
subsystem is enabled.
Top of section

FAQ for POSIX Vulnerability - CAN-2004-0210:

What is the scope of the vulnerability?
This is a privilege elevation vulnerability. An attacker who successfully 
exploited this vulnerability could take complete control of an affected 
system, including installing programs; viewing, changing, or deleting 
data; or creating new accounts that have full privileges.

What causes the vulnerability?
An unchecked buffer in the POSIX subsystem.

What is the POSIX subsystem?
You can run applications that are created for the Portable Operating 
System Interface for UNIX (POSIX) standard under Windows NT 4.0 and 
Windows 2000. The operating systems provide support for nonnative 
applications by emulating the environments in which they are designed to 
be processed. This support is provided through environment subsystems. 
Except for the Microsoft Win32 subsystem, which is the native environment 
of Windows, each environment is optional and is used only when a client 
application requires its services. For more information about POSIX 
support, visit the following MSDN Library Web Site.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take 
complete control of the affected system.

Who could exploit the vulnerability?
To exploit the vulnerability, an attacker must be able to log on locally 
to a system that has the POSIX subsystem enabled.

How could an attacker exploit the vulnerability?
To exploit this vulnerability, an attacker would first have to log on to 
the system. An attacker could then run a specially-designed program that 
could attempt to exploit the vulnerability, and thereby gain complete 
control over the affected system.

An attacker could also access the affected component through another 
vector. For example, an attacker could use another program that passes 
parameters to the vulnerable component (locally or remotely).

What systems are primarily at risk from the vulnerability?
Windows NT 4.0 and Windows 2000 systems are at risk from this 
vulnerability. Windows XP and Windows Server 2003 do not contain the POSIX 
subsystem. For more information about the support of POSIX in Windows XP 
and in Windows Server 2003, see Microsoft Knowledge Base Article 308259.

Workstations and terminal servers are primarily at risk. Servers are only 
at risk if users who do not have sufficient administrative credentials are 
given the ability to log on to servers and to run programs. However, best 
practices strongly discourage allowing this.

Could the vulnerability be exploited over the Internet?
No. An attacker must be able to log on to the specific system that is 
targeted for attack. An attacker cannot load and run a program remotely by 
exploiting this vulnerability.

What does the update do?
The update removes the vulnerability by modifying the way that the POSIX 
subsystem validates the length of a message before it passes the message 
to the allocated buffer.

When this security bulletin was issued, had this vulnerability been 
publicly disclosed?
No. Microsoft received information about this vulnerability through 
responsible disclosure. Microsoft had not received any information 
indicating that this vulnerability had been publicly disclosed when this 
security bulletin was originally issued.

When this security bulletin was issued, had Microsoft received any reports 
that this vulnerability was being exploited?
No. Microsoft had not received any information indicating that this 
vulnerability had been publicly used to attack customers and had not seen 
any examples of proof of concept code published when this security 
bulletin was originally issued.
Top of section
Top of section
Top of section

Security Update Information

Installation Platforms and Prerequisites:

For information about the specific security update for your platform, 
click the appropriate link:

Windows 2000 (all versions)

Prerequisites
For Windows 2000, this security update requires Service Pack 2 (SP2), 
Service Pack 3 (SP3), or Service Pack 4 (SP4).

The software that is listed has been tested to determine if the versions 
are affected. Other versions either no longer include security update 
support or may not be affected. To determine the support lifecycle for 
your product and version, visit the Microsoft Support Lifecycle Web site.

For more information about how to obtain the latest service pack, see 
Microsoft Knowledge Base Article 260910.

Inclusion in Future Service Packs:
The update for this issue will be included in Windows 2000 Service Pack 5.

Installation Information

This security update supports the following setup switches:

       /help                 Displays the command line options

Setup Modes

       /quiet                Quiet mode (no user interaction or display)

       /passive            Unattended mode (progress bar only)

       /uninstall          Uninstalls the package

Restart Options

       /norestart          Do not restart when installation is complete

       /forcerestart      Restart after installation

Special Options

       /l                        Lists installed Windows hotfixes or update 
packages

       /o                       Overwrite OEM files without prompting

       /n                       Do not backup files needed for uninstall

       /f                        Force other programs to close when the 
computer shuts down

       /extract             Extracts files without starting setup

Note You can combine these switches into one command. For backward 
compatibility, the security update also supports the setup switches that 
the previous version of the setup utility uses. For more information about 
the supported installation switches, see Microsoft Knowledge Base Article 
262841.

Deployment Information

To install the security update without any user intervention, use the 
following command at a command prompt for Windows 2000 Service Pack 2, 
Windows 2000 Service Pack 3, and Windows 2000 Service Pack 4:

Windows2000-kb841872-x86-enu /passive /quiet

To install the security update without forcing the system to restart, use 
the following command at a command prompt for Windows 2000 Service Pack 2, 
Windows 2000 Service Pack 3, and Windows 2000 Service Pack 4:

Windows2000-kb841872-x86-enu /norestart

For more information about how to deploy this security update with 
Software Update Services, visit the Software Update Services Web site.

Restart Requirement

In some cases, this update does not require a restart. The installer stops 
the required services, applies the update, and then restarts the services. 
However, if the required services cannot be stopped for any reason or if 
required files are in use, this update will require a restart. If this 
occurs, a message appears that advises you to restart.

Removal Information

To remove this security update, use the Add or Remove Programs tool in 
Control Panel.

System administrators can also use the Spuninst.exe utility to remove this 
security update. The Spuninst.exe utility is located in the 
%Windir%\$NTUninstallKB841872$\Spuninst folder. The Spuninst.exe utility 
supports the following setup switches:

/?: Show the list of installation switches.

/u: Use unattended mode.

/f: Force other programs to quit when the computer shuts down.

/z: Do not restart when the installation is complete.

/q: Use Quiet mode (no user interaction).

File Information

The English version of this update has the file attributes (or later) that 
are listed in the following table. The dates and times for these files are 
listed in coordinated universal time (UTC). When you view the file 
information, it is converted to local time. To find the difference between 
UTC and local time, use the Time Zone tab in the Date and Time tool in 
Control Panel.

Note Date, time, file name, or size information could change during 
installation. Refer to the Verifying Update Installation section for 
details on verifying an installation.

Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, and Windows 2000 
Service Pack 4:

Date         Time   Version        Size     File name
- ------------------------------------------------------
16-May-2004  19:32  5.0.2195.6929  90,384   Psxss.exe

Verifying Update Installation


Microsoft Baseline Security Analyzer

To verify that a security update is installed on an affected system, you 
may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. 
This tool allows administrators to scan local and remote systems for 
missing security updates and for common security misconfigurations. For 
more information about MBSA, visit the Microsoft Baseline Security 
Analyzer Web site.


File Version Verification

Note Because there are several versions of Microsoft Windows, the 
following steps may be different on your computer. If they are, see your 
product documentation to complete these steps.

1.


Click Start, and then click Search.

2.


In the Search Results pane, click All files and folders under Search 
Companion.

3.


In the All or part of the file name box, type a file name from the 
appropriate file information table, and then click Search.

4.


In the list of files, right-click a file name from the appropriate file 
information table, and then click Properties.

Note Depending on the version of the operating system or programs 
installed, some of the files that are listed in the file information table 
may not be installed.

5.


On the Version tab, determine the version of the file that is installed on 
your computer by comparing it to the version that is documented in the 
appropriate file information table.

Note Attributes other than file version may change during installation. 
Comparing other file attributes to the information in the file information 
table is not a supported method of verifying the update installation. 
Also, in certain cases, files may be renamed during installation. If the 
file or version information is not present, use one of the other available 
methods to verify update installation.


Registry Key Verification

You may also be able to verify the files that this security update has 
installed by reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 
2000\SP5\KB841872\Filelist

Note This registry key may not contain a complete list of installed files. 
Also, this registry key may not be created correctly when an administrator 
or an OEM integrates or slipstreams the 841872 security update into the 
Windows installation source files.
Top of section


Windows NT 4.0 (all versions)

Prerequisites
This security update requires Windows NT Workstation 4.0 Service Pack 6a 
(SP6a), Windows NT Server 4.0 Service Pack 6a (SP6a), or Windows NT Server 
4.0 Terminal Server Edition Service Pack 6 (SP6).

The software that is listed has been tested to determine if the versions 
are affected. Other versions either no longer include security update 
support or may not be affected. To determine the support lifecycle for 
your product and version, visit the following Microsoft Support Lifecycle 
Web site.

For more information about obtaining the latest service pack, see 
Microsoft Knowledge Base Article 152734.

Installation Information

This security update supports the following setup switches:

    /y: Perform removal (only with /m or /q )

    /f: Force programs to quit during the shutdown process

    /n: Do not create an Uninstall folder

    /z: Do not restart when the update completes

    /q: Use Quiet or Unattended mode with no user interface (this switch is 
a superset of /m )

    /m: Use Unattended mode with a user interface

    /l: List the installed hotfixes

    /x: Extract the files without running Setup

Note You can combine these switches into one command. For more information 
about the supported installation switches, see Microsoft Knowledge Base 
Article 262841.

Deployment Information

To install the security update without any user intervention, use the 
following command at a command prompt for Windows NT Server 4.0:

Windowsnt4server-kb841872-x86-enu /q

For Windows NT Server 4.0 Terminal Server Edition:

Windowsnt4terminalserver-kb841872-x86-enu /q

For Windows NT Workstation 4.0:

Windowsnt4workstation-kb841872-x86-enu /q

To install the security update without forcing the system to restart, use 
the following command at a command prompt for Windows NT Server 4.0:

Windowsnt4server-kb841872-x86-enu /z

For Windows NT Server 4.0 Terminal Server Edition:

Windowsnt4terminalserver-kb841872-x86-enu /z

For Windows NT Workstation 4.0:

Windowsnt4workstation-kb841872-x86-enu /z

For more information about how to deploy this security update with 
Software Update Services, visit the Software Update Services Web site.

Restart Requirement

In some cases, this update does not require a restart. The installer stops 
the needed services, applies the update, and then restarts the services. 
However, if the required services cannot be stopped for any reason or if 
required files are in use, this update will require a restart. If this 
occurs, a message appears that advises you to restart.

Removal Information

To remove this security update, use the Add/Remove Programs tool in 
Control Panel.

System administrators can also use the Hotfix.exe utility to remove this 
security update. The Hotfix.exe utility is located in the 
%Windir%\$NTUninstallKB841872$ folder. The Hotfix.exe utility supports the 
following setup switches:

/y: Perform removal (only with the /m or /q switch)

/f: Force programs to quit during the shutdown process

/n: Do not create an Uninstall folder

/z: Do not restart when the installation is complete

/q: Use Quiet or Unattended mode with no user interface (this switch is a 
superset of the /m switch)

/m: Use Unattended mode with a user interface

/l: List the installed hotfixes

File Information

The English version of this update has the file attributes (or later) that 
are listed in the following table. The dates and times for these files are 
listed in coordinated universal time (UTC). When you view the file 
information, it is converted to local time. To find the difference between 
UTC and local time, use the Time Zone tab in the Date and Time tool in 
Control Panel.

Note Date, time, filename, or size information could change during 
installation. Refer to the Verifying Update Installation section for 
details on verifying an installation.

Windows NT Workstation 4.0 and Windows NT Server 4.0:

Date         Time   Version        Size     File name
- ------------------------------------------------------
20-May-2004  15:04  4.0.1381.7269  93,968  Psxss.exe

Windows NT Server 4.0 Terminal Server Edition:

Date         Time   Version         Size     File name
- -------------------------------------------------------
21-May-2004  13:31  4.0.1381.33567  94,480   Psxss.exe

Verifying Update Installation


Microsoft Baseline Security Analyzer

To verify that a security update is installed on an affected system, you 
may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. 
This tool allows administrators to scan local and remote systems for 
missing security updates and for common security misconfigurations. For 
more information about MBSA, visit the Microsoft Baseline Security 
Analyzer Web site.


File Version Verification

Note Because there are several versions of Microsoft Windows, the 
following steps may be different on your computer. If they are, see your 
product documentation to complete these steps.

1.


Click Start, and then click Search.

2.


In the Search Results pane, click All files and folders under Search 
Companion.

3.


In the All or part of the file name box, type a file name from the 
appropriate file information table, and then click Search.

4.


In the list of files, right-click a file name from the appropriate file 
information table, and then click Properties.

Note Depending on the version of the operating system or programs 
installed, some of the files that are listed in the file information table 
may not be installed.

5.


On the Version tab, determine the version of the file that is installed on 
your computer by comparing it to the version that is documented in the 
appropriate file information table.

Note Attributes other than file version may change during installation. 
Comparing other file attributes to the information in the file information 
table is not a supported method of verifying the update installation. 
Also, in certain cases, files may be renamed during installation. If the 
file or version information is not present, use one of the other available 
methods to verify update installation.


Registry Key Verification

You may also be able to verify the files that this security update has 
installed by reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Hotfix\KB841872\File 1

Note This registry key may not contain a complete list of installed files. 
Also, this registry key may not be created correctly when an administrator 
or an OEM integrates or slipstreams the 841872 security update into the 
Windows installation source files.
Top of section
Top of section

Acknowledgments

Microsoft thanks the following for working with us to help protect 
customers:


Rafal Wojtczuk working with McAfee for reporting the POSIX Vulnerability 
(CAN-2004-0210).

Obtaining Other Security Updates:

Updates for other security issues are available from the following 
locations:


Security updates are available from the Microsoft Download Center: You can 
find them most easily by doing a keyword search for "security_patch".


Updates for consumer platforms are available from the Windows Update Web 
site.

Support:


Customers in the U.S. and Canada can receive technical support from 
Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge 
for support calls that are associated with security updates.


International customers can receive support from their local Microsoft 
subsidiaries. There is no charge for support that is associated with 
security updates. For more information about how to contact Microsoft for 
support issues, visit the International Support Web site.

Security Resources:


The Microsoft TechNet Security Web site provides additional information 
about security in Microsoft products.


Microsoft Software Update Services


Microsoft Baseline Security Analyzer (MBSA)


Windows Update


Windows Update Catalog: For more information about the Windows Update 
Catalog, see Microsoft Knowledge Base Article 323166.


Office Update

Software Update Services:

By using Microsoft Software Update Services (SUS), administrators can 
quickly and reliably deploy the latest critical updates and security 
updates to Windows 2000 and Windows Server 2003-based servers, and to 
desktop systems that are running Windows 2000 Professional or Windows XP 
Professional.

For more information about how to deploy this security update with 
Software Update Services, visit the Software Update Services Web site.

Systems Management Server:

Microsoft Systems Management Server (SMS) delivers a highly-configurable 
enterprise solution for managing updates. By using SMS, administrators can 
identify Windows-based systems that require security updates and to 
perform controlled deployment of these updates throughout the enterprise 
with minimal disruption to end users. For more information about how 
administrators can use SMS 2003 to deploy security updates, see the SMS 
2003 Security Patch Management Web site. SMS 2.0 users can also use 
Software Updates Service Feature Pack to help deploy security updates. For 
information about SMS, visit the SMS Web site.

Note SMS uses the Microsoft Baseline Security Analyzer and the Microsoft 
Office Detection Tool to provide broad support for security bulletin 
update detection and deployment. Some software updates may not be detected 
by these tools. Administrators can use the inventory capabilities of the 
SMS in these cases to target updates to specific systems. For more 
information about this procedure, see the following Web site. Some 
security updates require administrative rights following a restart of the 
system. Administrators can use the Elevated Rights Deployment Tool 
(available in the SMS 2003 Administration Feature Pack and in the SMS 2.0 
Administration Feature Pack) to install these updates.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as 
is" without warranty of any kind. Microsoft disclaims all warranties, 
either express or implied, including the warranties of merchantability and 
fitness for a particular purpose. In no event shall Microsoft Corporation 
or its suppliers be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages, even if Microsoft Corporation or its suppliers have been advised 
of the possibility of such damages. Some states do not allow the exclusion 
or limitation of liability for consequential or incidental damages so the 
foregoing limitation may not apply.

Revisions:


V1.0 (July 13, 2004): Bulletin published

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBQPRd5ukli63F4U8VAQFacwP/QFEMHhbeGE/lXO4d3UGKIgml002OqUfm
6xwoBoIWU6YX6cFAmq4Sp8Bs76UE3361u4Jx/yjXq4Px8uD7P6D6qr9CHXC4nYOF
1UrGzR5DEtooypFkAhmRMCiEJmBcEXXQOi56emt2ZPk5hXVtP0LGS3btR/PVRCh1
mCG9KmWYRl8=
=Dylz
-----END PGP SIGNATURE-----


----- End forwarded message -----


From security em unicamp.br  Wed Jul 14 10:41:43 2004
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Wed, 14 Jul 2004 10:41:43 -0300
Subject: [SECURITY-L] CAIS-Alerta: Update de seguranca para o IIS 4.0
	(841373)
Message-ID: <20040714134142.GD46533@unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br> -----

From: Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br>
Subject:  CAIS-Alerta: Update de seguranca para o IIS 4.0 (841373)
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Tue, 13 Jul 2004 19:18:08 -0300 (BRST)

-----BEGIN PGP SIGNED MESSAGE-----


Prezados,

O CAIS esta' repassando o alerta divulgado pela Microsoft intitulado 
"Microsoft Security Bulletin MS04-021: Security Update for IIS 4.0 
(841373)", que trata da eliminacao de uma vulnerabilidade recentemente 
identificada no Microsoft Internet Information Server e que se explorada 
pode permitir a um atacante remoto o controle total do sistema.


Sistemas afetados:

. Microsoft Windows NT Workstation 4.0 Service Pack 6a
. Microsoft Windows NT Server 4.0 Service Pack 6a


Componentes afetados:

. Microsoft Internet Information Server (IIS) 4.0


Sistemas *nao* afetados:

. Microsoft Windows 2000 Service Pack 2
. Microsoft Windows 2000 Service Pack 3
. Microsoft Windows 2000 Service Pack 4
. Microsoft Windows XP
. Microsoft Windows XP Service Pack 1
. Microsoft Windows XP 64-Bit Edition Service Pack 1
. Microsoft Windows XP 64-Bit Edition Version 2003
. Microsoft Windows Server 2003
. Microsoft Windows Server 2003 64-Bit Edition
. Microsoft Windows 98
. Microsoft Windows 98 Second Edition (SE)
. Microsoft Windows Millennium Edition (Me)


Componentes *nao* afetados:

. Microsoft Internet Information Services 5.0
. Microsoft Internet Information Services 5.1
. Microsoft Internet Information Services 6.0


Correcoes disponiveis:

A correcao consiste na aplicacao do patch recomendado pela Microsoft e 
disponivel em:

. Microsoft Windows NT Workstation 4.0 Service Pack 6a
  http://www.microsoft.com/downloads/details.aspx?FamilyId=3A2B38C5-FA73-49EC-9EEF-06FE8D6495C0&displaylang=en

. Microsoft Windows NT Server 4.0 Service Pack 6a
  http://www.microsoft.com/downloads/details.aspx?FamilyId=3A2B38C5-FA73-49EC-9EEF-06FE8D6495C0&displaylang=en


Mais informacoes:

. Microsoft Security Bulletin MS04-021
  Security Update for IIS 4.0 (841373)
  http://www.microsoft.com/technet/security/bulletin/MS04-021.mspx

. Microsoft Brasil - Security
  http://www.microsoft.com/brasil/security

. Technet Brasil - Central de Seguranca
  http://www.technetbrasil.com.br/seguranca


Identificador do CVE: CAN-2004-0205, (http://cve.mitre.org)


O CAIS recomenda aos administradores de plataformas Microsoft que
mantenham seus sistemas e aplicativos sempre atualizados.


Os alertas do CAIS tambem sao oferecidos no formato RSS/RDF:

http://www.rnp.br/cais/alertas/rss.xml


Atenciosamente,

################################################################
#   CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)     #
#       Rede Nacional de Ensino e Pesquisa (RNP)               #
#                                                              #
# cais em cais.rnp.br       http://www.cais.rnp.br                #
# Tel. 019-37873300      Fax. 019-37873301                     #
# Chave PGP disponivel   http://www.rnp.br/cais/cais-pgp.key   #
################################################################


Microsoft Security Bulletin MS04-021
Security Update for IIS 4.0 (841373)

Issued: July 13, 2004
Version: 1.0
Summary

Who should read this document: Customers who use Microsoft Windows NT 4.0

Impact of Vulnerability:  Remote Code Execution

Maximum Severity Rating: Important

Recommendation: Customers should install the update at the earliest 
opportunity.

Security Update Replacement: None

Caveats: None

Tested Software and Security Update Download Locations:

Affected Software:


Microsoft Windows NT® Workstation 4.0 Service Pack 6a ~V Download the update


Microsoft Windows NT Server 4.0 Service Pack 6a ~V Download the update

Non-Affected Software:


Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 
3, Microsoft Windows 2000 Service Pack 4


Microsoft Windows XP and Microsoft Windows XP Service Pack 1


Microsoft Windows XP 64-Bit Edition Service Pack 1


Microsoft Windows XP 64-Bit Edition Version 2003


Microsoft Windows Server 2003


Microsoft Windows Server 2003 64-Bit Edition


Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and 
Microsoft Windows Millennium Edition (Me)

Tested Microsoft Windows Components:

Affected Components:


Microsoft Internet Information Server (IIS) 4.0

Non-Affected Components:


Microsoft Internet Information Services 5.0 (included with Windows 2000 
Server)


Microsoft Internet Information Services 5.1 (included with Windows XP)


Microsoft Internet Information Services 6.0 (included with Windows Server 
2003

The software in this list has been tested to determine if the versions are 
affected. Other versions either no longer include security update support or 
may not be affected. To determine the support lifecycle for your product and 
version, visit the following Microsoft Support Lifecycle Web site.
Top of section
General Information

Executive Summary

Executive Summary:

This update resolves a newly-discovered, privately reported vulnerability.

An attacker who successfully exploited this vulnerability could take 
complete control of an affected system, including installing programs; 
viewing, changing, or deleting data; or creating new accounts that have full 
privileges.

Customers should install the update at the earliest opportunity.

Severity Ratings and Vulnerability Identifiers:
Vulnerability Identifiers	Impact of Vulnerability	Windows NT 4.0

IIS Redirection Vulnerability - CAN-2004-0205


Remote Code Execution


Important

This assessment is based on the types of systems that are affected by the 
vulnerability, their typical deployment patterns, and the effect that 
exploiting the vulnerability would have on them.
Top of section

Frequently asked questions (FAQ) related to this security update

I'm still using Microsoft Windows NT 4.0 Workstation Service Pack 6a or 
Windows 2000 Service Pack 2, but extended security update support ended on 
June 30, 2004. However, this bulletin has a security update for these 
operating system versions. Why is that?
Windows NT 4.0 Workstation Service Pack 6a has reached the end of its life 
cycles as previously documented, and Microsoft extended this support to June 
30, 2004. However, the end-of-life for the extended support period occurred 
very recently. In this case, the majority of the steps that are required to 
address this vulnerability were completed before June 30, 2004. Therefore, 
we have been able to release security updates for these operating system 
versions as part of this security bulletin. We do not anticipate doing this 
for future vulnerabilities affecting these operating system versions.

It should be a priority for customers who have these operating system 
versions to migrate to supported versions to prevent potential exposure to 
future vulnerabilities. For more information about the Windows Product Life 
Cycle, visit the following Microsoft Support Lifecycle Web site. For more 
information about the extended security update support period for these 
operating system versions, visit the following Microsoft Product Support 
Services Web site.

Customers who require additional support for Windows NT Workstation 4.0 SP6a 
must contact their Microsoft account team representative, their Technical 
Account Manager, or the appropriate Microsoft partner representative for 
custom support options. Customers without an Alliance, Premier, or 
Authorized Contract can contact their local Microsoft sales office. For 
contact information, visit the Microsoft Worldwide Information Web site, 
select the country, and then click Go to see a list of phone numbers. When 
you call, ask to speak with the local Premier Support sales manager.

For more information, see the Windows Operating System FAQ.

Can I use the Microsoft Baseline Security Analyzer (MBSA) to determine if 
this update is required?
Yes. MBSA will determine if this update is required. For more information 
about MBSA, visit the MBSA Web site.

Note After April 20, 2004, the Mssecure.xml file that is used by MBSA 1.1.1 
and earlier versions is no longer being updated with new security bulletin 
data. Therefore, scans that are performed after that date with MBSA 1.1.1 or 
earlier will be incomplete. All users should upgrade to MBSA 1.2 because it 
provides more accurate security update detection and supports additional 
products. Users can download MBSA 1.2 from the MBSA Web site. For more 
information about MBSA support, visit the following Microsoft Baseline 
Security Analyzer 1.2 Q&A Web site.

Can I use Systems Management Server (SMS) to determine if this update is 
required?
Yes. SMS can help detect and deploy this security update. For information 
about SMS, visit the SMS Web site.
Top of section

Vulnerability Details

IIS Redirection Vulnerability - CAN-2004-0205:

A buffer overrun vulnerability exists in Internet Information Server 4.0 
that could allow remote code execution on an affected system. An attacker 
who successfully exploited this vulnerability could take complete control of 
the affected system.

Mitigating Factors for IIS Redirection Vulnerability - CAN-2004-0205:


Internet Information Server 5.0, Internet Information Server 5.1, and 
Internet Information Server 6.0 are not affected by this vulnerability.


Customers who have disabled permanent redirects are not at risk from this 
vulnerability.
Top of section

Workarounds for IIS Redirection Vulnerability - CAN-2004-0205:

Microsoft has tested the following workarounds. While these workarounds will 
not correct the underlying vulnerability, they help block known attack 
vectors. When a workaround reduces functionality, it is identified below.


Disable permanent redirects

1.


Open the IIS Configuration manager.

2.


Right-click the Web site that you want to administer, and then click 
Properties.

3.


Click Home Directory.

4.


Uncheck A permanent redirection for this resource, and then click OK.

Impact of Workaround: The server will no longer perform redirects.


Use URLScan to disallow the use of large requests

1.


Visit the following Web site to Download and install the URLScan security 
tool.

2.


Start Notepad, and then open the %systemroot%\winnt\urlscan\UrlScan.ini file.

3.


Configure the MaxUrl setting so that it limits requests to 16 kilobytes 
(KB). To configure the MaxUrl setting to that it limits requests to 16 KB, 
add the following line to the RequestLimits section of the file:

MaxUrl = 16384

4.


Save, and then close the UrlsScan.ini file.

5.


Start, and then stop the World Wide Web Publishing Service by using the 
Services item in Control Panel. You can also do this by using the net stop 
IIsadmin command and the net start w3svc command at a command prompt. For 
information about how to do this, see Microsoft Knowledge Base Article 185382

Impact of workaround: The URLScan tool will block all the incoming requests 
that are larger than 16 KB.


Reduce MaxClientRequestBuffer

1.


Start Registry Editor (Regedt32.exe).

2.


Locate the following key in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w3svc\parameters

3.


Click Edit, click Add Value, and then add the following registry value:


Value Name: MaxClientRequestBufferData Type: REG_DWORD

4.


In the DWORD Editor dialog box, under Radix, click Decimal.

5.


In the Data box, type the number of bytes for the maximum URL request. Set 
the size so that it is equal to or less than 16384 bytes.

Note You must restart the IIS service for the changes to take effect.

For more information, see Microsoft Knowledge Base Article 260694

Impact of workaround: Any incoming request that is larger than 16384 bytes 
will fail.


Stop, disable, or remove IIS


You can stop the World Wide Web Publishing Service component of IIS by 
issuing the net stop w3svc command at a command prompt.


You can use the IIS Manager to disable or stop IIS.


You can stop or disable the World Wide Web Publishing Service by using the 
Services item in Control Panel.


You can use Add or Remove Programs in Control Panel to remove IIS from your 
system. To find IIS, click Add/Remove Windows Components.

Impact of Workaround: If you stop the World Wide Web Publishing Service 
component of IIS, the system can no longer provide Web content. If you stop 
or remove IIS, the system can no longer provide Web, File Transfer Protocol 
(FTP), or NTP content. The Simple Mail Transfer Protocol (SMTP) service will 
also be unavailable.
Top of section

FAQ for IIS Redirection Vulnerability - CAN-2004-0205:

What is the scope of the vulnerability?
This is a buffer overrun vulnerability. An attacker who successfully 
exploited this vulnerability could remotely take complete control of an 
affected system, including installing programs; viewing, changing, or 
deleting data; or creating new accounts that have full privileges.

What causes the vulnerability?
The vulnerability is caused by an unchecked buffer in the IIS 4.0 redirect 
function.

What is a redirect?
By using the IIS 4.0 redirect function, an administrator can forward 
incoming requests to another virtual directory or to another server.

Does the IIS Lockdown Tool block this attack?
Yes. The IISLockdown tool installs URLScan, which can be used to block this 
attack. You must configure the URLScan tool by following the steps that are 
described in the Workarounds for IIS Redirection Vulnerability section of 
this bulletin to block this attack.

Will the URLScan tool block this attack?
Yes. You can configure the URLScan tool to block this by following the steps 
that are described in the Workarounds for IIS Redirection Vulnerability 
section of this bulletin.

What is redirection?
Redirection occurs when a Web browser makes a request for a Web page that 
does not exist, and the Web server redirects the browser to another page, 
such as to a generic error page or to the Web site's home page. For example, 
the Web page http://microsoft.com/xp does not exist, but instead of 
providing an error, the Web server redirects the browser to a page that 
suggests pages that the user may have been looking for and provides a site 
map. This process is redirection.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take 
complete control of the affected system.

Who could exploit the vulnerability?
Any anonymous user who could deliver a specially crafted message to the 
affected system could exploit this vulnerability.

How could an attacker exploit the vulnerability?
An attacker could exploit the vulnerability by creating a specially crafted 
message and sending the message to an affected system, which could then 
cause the affected system to execute code.

What systems are primarily at risk from the vulnerability?
Systems that have Windows NT 4.0 and IIS 4.0 installed are at risk from this 
vulnerability. IIS 4.0 is available as part of the Windows NT 4.0 Server 
Option Pack.

Could the vulnerability be exploited over the Internet?
Yes. An attacker could exploit this vulnerability over the Internet.

What does the update do?
The update removes the vulnerability by modifying the way that IIS 4.0 
validates the length of request before it passes the message to the 
allocated buffer.

When this security bulletin was issued, had this vulnerability been publicly 
disclosed?
No. Microsoft had not received any information indicating that this 
vulnerability had been publicly disclosed when this security bulletin was 
originally issued.

When this security bulletin was issued, had Microsoft received any reports 
that this vulnerability was being exploited?
No. Microsoft had not received any information indicating that this 
vulnerability had been publicly used to attack customers and had not seen 
any examples of proof of concept code published when this security bulletin 
was originally issued.

Why is there no update available for Microsoft Windows NT Server 4.0 
Terminal Server Edition?
Windows NT 4.0 Option Pack is not supported on Microsoft Windows NT Server 
4.0 Terminal Server Edition. For more information see Microsoft Knowledge 
Base Article 190157.
Top of section
Top of section
Top of section

Security Update Information

Installation Platforms and Prerequisites:

For information about the specific security update for your platform, click 
the appropriate link:

Windows NT 4.0 (all versions)

Prerequisites
This security update requires Windows NT Workstation 4.0 Service Pack 6a 
(SP6a), or Windows NT Server 4.0 Service Pack 6a (SP6a).

The software that is listed has been tested to determine if the versions are 
affected. Other versions either no longer include security update support or 
may not be affected. To determine the support lifecycle for your product and 
version, visit the following Microsoft Support Lifecycle Web site.

For more information about obtaining the latest service pack, see Microsoft 
Knowledge Base Article 152734.

Installation Information

This security update supports the following setup switches:

     /y: Perform removal (only with /m or /q )

     /f: Force programs to quit during the shutdown process

     /n: Do not create an Uninstall folder

     /z: Do not restart when the update completes

     /q: Use Quiet or Unattended mode with no user interface (this switch is 
     a superset of /m )

     /m: Use Unattended mode with a user interface

     /l: List the installed hotfixes

     /x: Extract the files without running Setup

Note You can combine these switches into one command. For more information 
about the supported installation switches, see Microsoft Knowledge Base 
Article 262841.

Deployment Information

To install the security update without any user intervention, use the 
following command at a command prompt for Windows NT Server 4.0:

Q841373I.exe

For Windows NT Workstation 4.0:

Q841373I.exe

To install the security update without forcing the system to restart, use 
the following command at a command prompt for Windows NT Server 4.0:

Q841373I.exe

For Windows NT Workstation 4.0:

Q841373I.exe

For more information about how to deploy this security update with Software 
Update Services, visit the Software Update Services Web site.

Restart Requirement

You must restart your computer after you apply this security update.

Removal Information

To remove this security update, use the Add/Remove Programs tool in Control 
Panel.

System administrators can also use the Hotfix.exe utility to remove this 
security update. The Hotfix.exe utility is located in the 
%Windir%\$NTUninstallKB841373$ folder. The Hotfix.exe utility supports the 
following setup switches:

/y: Perform removal (only with the /m or /q switch)

/f: Force programs to quit during the shutdown process

/n: Do not create an Uninstall folder

/z: Do not restart when the installation is complete

/q: Use Quiet or Unattended mode with no user interface (this switch is a 
superset of the /m switch)

/m: Use Unattended mode with a user interface

/l: List the installed hotfixes

File Information

The English version of this update has the file attributes (or later) that 
are listed in the following table. The dates and times for these files are 
listed in coordinated universal time (UTC). When you view the file 
information, it is converted to local time. To find the difference between 
UTC and local time, use the Time Zone tab in the Date and Time tool in 
Control Panel.

Note Date, time, file name, or size information could change during 
installation. See the Verifying Update Installation section for details 
about how to verify an installation.

Windows NT Workstation 4.0 and Windows NT Server 4.0:

Date         Time   Version        Size     File name
- -------------------------------------------------------
05/06/04    12:47p  4.2.788.1      851,456  asp.dll
05/06/04    12:47p  4.2.788.1      140,288  httpodbc.dll
05/06/04    12:47p  4.2.788.1      172,544  iislog.dll
05/06/04    12:47p  4.2.788.1      490,496  infocomm.dll
05/06/04    12:47p  4.2.788.1      67,584   iscomlog.dll
05/06/04    12:47p  4.2.788.1      538,112  w3svc.dll
05/06/04    12:47p  4.2.788.1      219,136  wam.dll
05/06/04    12:47p  4.2.788.1      95,232   ssinc.dll
05/06/04    12:47p  4.2.788.1      61,440   sspifilt.dll
05/06/04    12:47p  4.2.788.1      515,072  adsiis.dll

Windows NT Server 4.0 Terminal Server Edition:

Date         Time   Version         Size    File name
- -------------------------------------------------------
05/06/04    12:47p  4.2.788.1      851,456  asp.dll
05/06/04    12:47p  4.2.788.1      140,288  httpodbc.dll
05/06/04    12:47p  4.2.788.1      172,544  iislog.dll
05/06/04    12:47p  4.2.788.1      490,496  infocomm.dll
05/06/04    12:47p  4.2.788.1      67,584   iscomlog.dll
05/06/04    12:47p  4.2.788.1      538,112  w3svc.dll
05/06/04    12:47p  4.2.788.1      219,136  wam.dll
05/06/04    12:47p  4.2.788.1      95,232   ssinc.dll
05/06/04    12:47p  4.2.788.1      61,440   sspifilt.dll
05/06/04    12:47p  4.2.788.1      515,072  adsiis.dll

Verifying Update Installation


Microsoft Baseline Security Analyzer

To verify that a security update is installed on an affected system, you may 
be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. This 
tool allows administrators to scan local and remote systems for missing 
security updates and for common security misconfigurations. For more 
information about MBSA, visit the Microsoft Baseline Security Analyzer Web 
site.


File Version Verification

Note Because there are several versions of Microsoft Windows, the following 
steps may be different on your computer. If they are, see your product 
documentation to complete these steps.

1.


Click Start, and then click Search.

2.


In the Search Results pane, click All files and folders under Search 
Companion.

3.


In the All or part of the file name box, type a file name from the 
appropriate file information table, and then click Search.

4.


In the list of files, right-click a file name from the appropriate file 
information table, and then click Properties.

Note Depending on the version of the operating system or programs installed, 
some of the files that are listed in the file information table may not be 
installed.

5.


On the Version tab, determine the version of the file that is installed on 
your computer by comparing it to the version that is documented in the 
appropriate file information table.

Note Attributes other than file version may change during installation. 
Comparing other file attributes to the information in the file information 
table is not a supported method of verifying the update installation. Also, 
in certain cases, files may be renamed during installation. If the file or 
version information is not present, use one of the other available methods 
to verify update installation.


Registry Key Verification

You may also be able to verify the files that this security update has 
installed by reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Hotfix\KB841373\File 1

Note This registry key may not contain a complete list of installed files. 
Also, this registry key may not be created correctly when an administrator 
or an OEM integrates or slipstreams the 841373 security update into the 
Windows installation source files.
Top of section
Top of section

Obtaining Other Security Updates:

Updates for other security issues are available from the following locations:


Security updates are available from the Microsoft Download Center: You can 
find them most easily by doing a keyword search for "security_patch".


Updates for consumer platforms are available from the Windows Update Web 
site.

Support:


Customers in the U.S. and Canada can receive technical support from 
Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for 
support calls that are associated with security updates.


International customers can receive support from their local Microsoft 
subsidiaries. There is no charge for support that is associated with 
security updates. For more information about how to contact Microsoft for 
support issues, visit the International Support Web site.

Security Resources:


The Microsoft TechNet Security Web site provides additional information 
about security in Microsoft products.


Microsoft Software Update Services


Microsoft Baseline Security Analyzer (MBSA)


Windows Update


Windows Update Catalog: For more information about the Windows Update 
Catalog, see Microsoft Knowledge Base Article 323166.


Office Update

Software Update Services:

By using Microsoft Software Update Services (SUS), administrators can 
quickly and reliably deploy the latest critical updates and security updates 
to Windows 2000 and Windows Server 2003-based servers, and to desktop 
systems that are running Windows 2000 Professional or Windows XP 
Professional.

For more information about how to deploy this security update with Software 
Update Services, visit the Software Update Services Web site.

Systems Management Server:

Microsoft Systems Management Server (SMS) delivers a highly-configurable 
enterprise solution for managing updates. By using SMS, administrators can 
identify Windows-based systems that require security updates and to perform 
controlled deployment of these updates throughout the enterprise with 
minimal disruption to end users. For more information about how 
administrators can use SMS 2003 to deploy security updates, see the SMS 2003 
Security Patch Management Web site. SMS 2.0 users can also use Software 
Updates Service Feature Pack to help deploy security updates. For 
information about SMS, visit the SMS Web site.

Note SMS uses the Microsoft Baseline Security Analyzer and the Microsoft 
Office Detection Tool to provide broad support for security bulletin update 
detection and deployment. Some software updates may not be detected by these 
tools. Administrators can use the inventory capabilities of the SMS in these 
cases to target updates to specific systems. For more information about this 
procedure, see the following Web site. Some security updates require 
administrative rights following a restart of the system. Administrators can 
use the Elevated Rights Deployment Tool (available in the SMS 2003 
Administration Feature Pack and in the SMS 2.0 Administration Feature Pack) 
to install these updates.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" 
without warranty of any kind. Microsoft disclaims all warranties, either 
express or implied, including the warranties of merchantability and fitness 
for a particular purpose. In no event shall Microsoft Corporation or its 
suppliers be liable for any damages whatsoever including direct, indirect, 
incidental, consequential, loss of business profits or special damages, even 
if Microsoft Corporation or its suppliers have been advised of the 
possibility of such damages. Some states do not allow the exclusion or 
limitation of liability for consequential or incidental damages so the 
foregoing limitation may not apply.

Revisions:


V1.0 (July 13, 2004): Bulletin published

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBQPRfrekli63F4U8VAQFyCAP9GA0iFYfaI9UKRC2YhQlLAXgctkPeuaiK
5qCMrYUNlqJpBckI0qSQ6YeII2JWWOPY0Et/eyHnkbMrEQyXAvtsKz2EVUgExF9b
TvC/K6K0kmI/BRb93s3o8HcnQ8kD+5/CEUs6e3XbgfbhraAE9wzs+zVkBxtvjCCt
NWEMPE39s/g=
=+Ey6
-----END PGP SIGNATURE-----


----- End forwarded message -----


From security em unicamp.br  Wed Jul 14 10:42:01 2004
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Wed, 14 Jul 2004 10:42:01 -0300
Subject: [SECURITY-L] CAIS-Alerta: Vulnerabilidade no Agendador de Tarefas
	(841873)
Message-ID: <20040714134201.GE46533@unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br> -----

From: Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br>
Subject:  CAIS-Alerta: Vulnerabilidade no Agendador de Tarefas (841873)
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Tue, 13 Jul 2004 19:22:26 -0300 (BRST)

-----BEGIN PGP SIGNED MESSAGE-----


Prezados,

O CAIS esta' repassando o alerta da Microsoft, intitulado "Microsoft 
Security Bulletin MS04-022: Vulnerability in Task Scheduler Could Allow 
Code Execution (841873)", que trata de uma vulnerabilidade no Agendador de 
Tarefas.

O Agendador de Tarefas, utilitario usado para agendar a execucao de 
comandos, programas ou scripts em horarios especificos, e' vulneravel no 
modo como lida com a validacao de nomes de aplicacao.

Um atacante que explore esta vulnerabilidade com sucesso pode obter total 
controle sob o sistema e ser capaz, por exemplo, de instalar programas ou 
criar novas contas com privilegios administrativos. Um dos cenarios de 
exploracao seria o atacante adicionar um arquivo .job em um sistema de 
arquivos local e persuadir o usuario a abrir a pasta usando o Internet 
Explorer. Embora as consequencias de um ataque bem sucedido sejam serias 
e' bom lembrar que a necessidade de interacao com um usuario limita 
consideravelmente os cenarios de exploracao.


Sistemas afetados:

. Microsoft Windows 2000 Service Pack 2
. Microsoft Windows 2000 Service Pack 3
. Microsoft Windows 2000 Service Pack 4
. Microsoft Windows XP
. Microsoft Windows XP Service Pack 1
. Microsoft Windows XP 64-Bit Edition Service Pack 1


Correcoes disponiveis:

Recomenda-se fazer a atualizacao para as versoes disponiveis em:

. Microsoft Windows 2000 Service Pack 2, 3 e 4
  http://www.microsoft.com/downloads/details.aspx?FamilyId=BBF3C8A1-7D72-4CE9-A586-7C837B499C08&displaylang=en

. Microsoft Windows XP e Microsoft Windows XP Service Pack 1
  http://www.microsoft.com/downloads/details.aspx?FamilyId=8E8D0A2D-D3B9-4DE8-8B6F-FC27715BC0CF&displaylang=en

. Microsoft Windows XP 64-Bit Edition Service Pack 1
  http://www.microsoft.com/downloads/details.aspx?FamilyId=7B4AC0FA-7954-4993-85A1-85298F122CE0&displaylang=en


Mais informacoes:

. Microsoft Security Bulletin MS04-022
  Vulnerability in Task Scheduler Could Allow Code Execution (841873)
  http://www.microsoft.com/technet/security/bulletin/MS04-022.mspx

. Microsoft Brasil - Security
  http://www.microsoft.com/brasil/security

. Technet Brasil - Central de Seguranca
  http://www.technetbrasil.com.br/seguranca


Identificador CVE: CAN-2004-0212 (http://cve.mitre.org)


O CAIS recomenda aos administradores de plataformas Microsoft que
mantenham seus sistemas e aplicativos sempre atualizados.


Os Alertas do CAIS tambem sao oferecidos no formato RSS/RDF:

http://www.rnp.br/cais/alertas/rss.xml


Atenciosamente,

################################################################
#   CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)     #
#       Rede Nacional de Ensino e Pesquisa (RNP)               #
#                                                              #
# cais em cais.rnp.br       http://www.cais.rnp.br                #
# Tel. 019-37873300      Fax. 019-37873301                     #
# Chave PGP disponivel   http://www.rnp.br/cais/cais-pgp.key   #
################################################################

Microsoft Security Bulletin MS04-022
Vulnerability in Task Scheduler Could Allow Code Execution (841873)

Issued: July 13, 2004
Version: 1.0
Summary

Who should read this document: Customers who use Microsoft Windows

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Customers should apply the update immediately.

Security Update Replacement: None

Caveats: Windows NT Workstation 4.0, Windows NT Server 4.0 and Windows NT 
4.0 Terminal Server Edition are not affected by default. However if you 
have installed Internet Explorer 6.0 Service Pack 1 you will have the 
vulnerable component on your system.

Tested Software and Security Update Download Locations:

Affected Software:


Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 
3, Microsoft Windows 2000 Service Pack 4  Download the update


Microsoft Windows XP and Microsoft Windows XP Service Pack 1  Download 
the update


Microsoft Windows XP 64-Bit Edition Service Pack 1  Download the update

Non-Affected Software:


Microsoft Windows Server 2003


Microsoft Windows Server 2003 64-Bit Edition


Microsoft Windows XP 64-Bit Edition Version 2003


Microsoft Windows NT® Workstation 4.0 Service Pack 6a


Microsoft Windows NT Server 4.0 Service Pack 6a


Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6


Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and 
Microsoft Windows Millennium Edition (Me)

Tested Microsoft Windows Components:

Affected Components:


Internet Explorer 6 Service Pack 1 when installed on Windows NT 4.0 SP6a 
(Workstation, Server, or Terminal Server Edition) - Download the update

The software in this list has been tested to determine if the versions are 
affected. Other versions either no longer include security update support 
or may not be affected. To determine the support lifecycle for your 
product and version, visit the following Microsoft Support Lifecycle Web 
site.
Top of section
General Information

Executive Summary

Executive Summary:

This update resolves a newly-discovered, privately reported vulnerability. 
A remote code execution vulnerability exists in the Task Scheduler because 
of an unchecked buffer. The vulnerability is documented in the 
Vulnerability Details section of this bulletin.

If a user is logged on with administrative privileges, an attacker who 
successfully exploited this vulnerability could take complete control of 
an affected system, including installing programs; viewing, changing, or 
deleting data; or creating new accounts with full privileges. However, 
user interaction is required to exploit this vulnerability. Users whose 
accounts are configured to have fewer privileges on the system would be at 
less risk than users who operate with administrative privileges.

We recommend that customers apply the update immediately.

Severity Ratings and Vulnerability Identifiers:
Vulnerability Identifiers	Impact of Vulnerability	Internet Explorer 
6	Windows 2000	Windows XP

Task Scheduler Vulnerability - CAN-2004-0212


Remote Code Execution


Critical


Critical


Critical

This assessment is based on the types of systems that are affected by the 
vulnerability, their typical deployment patterns, and the effect that 
exploiting the vulnerability would have on them.
Top of section

Frequently asked questions (FAQ) related to this security update

How does the extended support for Windows 98, Windows 98 Second Edition, 
and Windows Millennium Edition affect the release of security updates for 
these operating systems?
Microsoft will only release security updates for critical security issues. 
Non-critical security issues are not offered during this support period. 
For more information about the Microsoft Support Lifecycle policies for 
these operating systems, visit the following Web site.

For more information about severity ratings, visit the following Web site.

Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition 
critically affected by any of the vulnerabilities that are addressed in 
this security bulletin?
No. None of these vulnerabilities are critical in severity on Windows 98, 
on Windows 98 Second Edition, or on Windows Millennium Edition, even with 
Internet Explorer 6 SP1 installed.

Is Windows NT 4.0 Service Pack 6a affected by the vulnerability that is 
addressed in this security bulletin?
By default, this operating system does not natively provide a version of 
the vulnerable component and is not affected. However, the vulnerable 
component is installed on this operating system when you install Internet 
Explorer 6. If you use this version of Internet Explorer on this operating 
system, you should install the provided security update for Internet 
Explorer 6.

I'm still using Microsoft Windows NT 4.0 Workstation Service Pack 6a or 
Windows 2000 Service Pack 2, but extended security update support ended on 
June 30, 2004. However, this bulletin has a security update for these 
operating system versions. Why is that?
Windows NT 4.0 Workstation Service Pack 6a and Windows 2000 Service Pack 2 
have reached the end of their life cycles as previously documented, and 
Microsoft extended this support to June 30, 2004. However, the end-of-life 
for the extended support period occurred very recently. In this case, the 
majority of the steps that are required to address this vulnerability were 
completed before June 30, 2004. Therefore, we have decided to release 
security updates for these operating system versions as part of this 
security bulletin. We do not anticipate doing this for future 
vulnerabilities affecting these operating system versions, but we reserve 
the right to produce updates and to make these updates available when 
necessary.

It should be a priority for customers who have these operating system 
versions to migrate to supported versions to prevent potential exposure to 
future vulnerabilities. For more information about the Windows Product 
Life Cycle, visit the following Microsoft Support Lifecycle Web site. For 
more information about the extended security update support period for 
these operating system versions, visit the following Microsoft Product 
Support Services Web site.

Customers who require additional support for Windows NT Workstation 4.0 
SP6a must contact their Microsoft account team representative, their 
Technical Account Manager, or the appropriate Microsoft partner 
representative for custom support options. Customers without an Alliance, 
Premier, or Authorized Contract can contact their local Microsoft sales 
office. For contact information, visit the Microsoft Worldwide Information 
Web site, select the country, and then click Go to see a list of phone 
numbers. When you call, ask to speak with the local Premier Support sales 
manager.

For more information, see the Windows Operating System FAQ.

Can I use the Microsoft Baseline Security Analyzer (MBSA) to determine if 
this update is required?
MBSA will determine if this update is required for Windows 2000 (all 
versions) and Windows XP (all versions). MBSA does not currently support 
the full detection of this update for the Windows NT 4.0 product (all 
versions). For more information about MBSA, visit the MBSA Web site.

Note After April 20, 2004, the Mssecure.xml file that is used by MBSA 
1.1.1 and earlier versions is no longer being updated with new security 
bulletin data. Therefore, scans that are performed after that date with 
MBSA 1.1.1 or earlier will be incomplete. All users should upgrade to MBSA 
1.2 because it provides more accurate security update detection and 
supports additional products. Users can download MBSA 1.2 from the MBSA 
Web site. For more information about MBSA support, visit the following 
Microsoft Baseline Security Analyzer 1.2 Q&A Web site.

Can I use Systems Management Server (SMS) to determine if this update is 
required?
SMS uses MBSA for detection. SMS can help detect and deploy this security 
update for Windows 2000 (all versions) and Windows XP (all versions). This 
update is not detected by MBSA for the Windows NT 4.0 product (all 
versions). However, the file and registry key information that is 
available in this bulletin can be used to write specific file and registry 
key collection queries in SMS to detect vulnerable computers. For 
information about how to deploy updates not supported by MBSA with SMS, 
please review Knowledge Base article 867832. For information about SMS, 
visit the SMS Web site.
Top of section

Vulnerability Details

Task Scheduler Vulnerability - CAN-2004-0212:

A remote code execution vulnerability exists in the Task Scheduler because 
of the way that it handles application name validation. There are many 
ways that a system could be vulnerable to this attack. An attacker who 
successfully exploited this vulnerability could take complete control of 
an affected system. However, user interaction is required to exploit this 
vulnerability.

Mitigating Factors for Task Scheduler Vulnerability - CAN-2004-0212:


In a Web-based attack scenario, an attacker would have to host a Web site 
that contains a Web page that is used to exploit this vulnerability. An 
attacker would have no way to force users to visit a malicious Web site. 
Instead, an attacker would have to persuade them to visit the Web site, 
typically by getting them to click a link that takes them to the 
attacker's site. An attack could only occur after they performed these 
actions.


An attacker who successfully exploited this vulnerability could gain the 
same privileges as the user. Users whose accounts are configured to have 
fewer privileges on the system would be at less risk than users who 
operate with administrative privileges.


Windows Server 2003 is not affected by this vulnerability. Windows NT 4.0 
is not vulnerable unless Internet Explorer 6 is installed. Internet 
Explorer 6 is not affected when installed on other supported operating 
systems. Other versions Internet Explorer are not affected.
Top of section

Workarounds for Task Scheduler Vulnerability - CAN-2004-0212:

Microsoft has tested the following workarounds. While these workarounds 
will not correct the underlying vulnerability, they help block known 
attack vectors. When a workaround reduces functionality, it is identified 
below.


Do not open or save .job files that you receive from untrusted sources.
This vulnerability could be exploited when a user views a .job file. Do 
not open files that use this file name extension.
Top of section

FAQ for Task Scheduler Vulnerability - CAN-2004-0212:

What is the scope of the vulnerability?
This is a remote code execution vulnerability. If a user is logged on with 
administrative privileges, an attacker who successfully exploited this 
vulnerability could take complete control of an affected system, including 
installing programs; viewing, changing, or deleting data; or creating new 
accounts with full privileges. Users whose accounts are configured to have 
fewer privileges on the system would be at less risk than users who 
operate with administrative privileges. However, user interaction is 
required to exploit this vulnerability.

What causes the vulnerability?
An unchecked buffer in the Task Scheduler component.

What is the Task Scheduler?
You can use Task Scheduler to schedule commands, programs, or scripts to 
run at specific times. A task is saved as a file that has a .job file name 
extension. This behavior makes it easier to move the task information from 
system to system. Administrators can create scheduled maintenance task 
files and put them where needed. For more information, see the Task 
Scheduler Web site.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take 
complete control of an affected system, including installing programs; 
viewing, changing, or deleting data; or creating new accounts that have 
full privileges.

How could an attacker exploit this vulnerability?
There are many ways that a system could be vulnerable to this attack. Here 
are some examples:


An attacker could host a malicious Web site that is designed to exploit 
this vulnerability through Internet Explorer and then persuade a user to 
view the Web site.


An attacker could add a specially crafted .job file to the local file 
system or to a network share and then persuade the user to view the folder 
by using Windows Explorer.


An attacker could also access the affected component through another 
vector. For example, an attacker could log on to the system interactively 
or by using another program that passes parameters to the vulnerable 
component (locally or remotely).

What systems are primarily at risk from the vulnerability?

Workstations and terminal servers are primarily at risk. Servers are only 
at risk if users who do not have sufficient administrative credentials are 
given the ability to log on to servers and to run programs. However, best 
practices strongly discourage allowing this.

Could the vulnerability be exploited over the Internet?

Yes. An attacker could attempt to exploit this vulnerability over the 
Internet. Microsoft has provided information about how you can help 
protect your PC. End users can visit the Protect Your PC Web site. IT 
Professionals can visit the Security Guidance Center Web site.

What does the update do?
The update removes the vulnerability by modifying the way that Task 
Scheduler validates the length of a message before it passes the message 
to the allocated buffer.

When this security bulletin was issued, had this vulnerability been 
publicly disclosed?

No. Microsoft received information about this vulnerability through 
responsible disclosure. Microsoft had not received any information 
indicating that this vulnerability had been publicly disclosed when this 
security bulletin was originally issued.

When this security bulletin was issued, had Microsoft received any reports 
that this vulnerability was being exploited?

No. Microsoft had not received any information indicating that this 
vulnerability had been publicly used to attack customers and had not seen 
any examples of proof of concept code published when this security 
bulletin was originally issued.
Top of section
Top of section
Top of section

Security Update Information

Installation Platforms and Prerequisites:

For information about the specific security update for your platform, 
click the appropriate link:


Windows XP (all versions)

Note For Windows XP 64-Bit Edition Version 2003, this security update is 
the same as the Windows Server 2003 64-Bit Edition security update.

Prerequisites
This security update requires the release version of Windows XP or Windows 
XP Service Pack 1 (SP1). For more information, see Microsoft Knowledge 
Base Article 322389.

Inclusion in Future Service Packs:
The update for this issue will be included in Windows XP Service Pack 2.

Installation Information

This security update supports the following setup switches:

       /help                 Displays the command line options

Setup Modes

       /quiet                Quiet mode (no user interaction or display)

       /passive            Unattended mode (progress bar only)

       /uninstall          Uninstalls the package

Restart Options

       /norestart          Do not restart when installation is complete

       /forcerestart      Restart after installation

Special Options

       /l                        Lists installed Windows hotfixes or update 
packages

       /o                       Overwrite OEM files without prompting

       /n                       Do not backup files needed for uninstall

       /f                        Force other programs to close when the 
computer shuts down

       /extract             Extracts files without starting setup

Note You can combine these switches into one command. For backward 
compatibility, the security update also supports the setup switches that 
the previous version of the setup utility uses. For more information about 
the supported installation switches, see Microsoft Knowledge Base Article 
262841.

Deployment Information

To install the security update without any user intervention, use the 
following command at a command prompt for Windows XP:

Windowsxp-kb841873-x86-enu /passive /quiet

To install the security update without forcing the system to restart, use 
the following command at a command prompt for Windows XP:

Windowsxp-kb841873-x86-enu /norestart

For more information about how to deploy this security update with 
Software Update Services, visit the Software Update Services Web site.

Restart Requirement

In some cases, this update does not require a restart. The installer stops 
the required services, applies the update, and then restarts the services. 
However, if the required services cannot be stopped for any reason or if 
required files are in use, this update will require a restart. If this 
occurs, a message appears that advises you to restart.

Removal Information

To remove this security update, use the Add or Remove Programs tool in 
Control Panel.

System administrators can also use the Spuninst.exe utility to remove this 
security update. The Spuninst.exe is located in the 
%Windir%\$NTUninstallKB841873$\Spuninst folder. The Spuninst.exe utility 
supports the following setup switches:

/?: Show the list of installation switches.

/u: Use unattended mode.

/f: Force other programs to quit when the computer shuts down.

/z: Do not restart when the installation is complete.

/q: Use Quiet mode (no user interaction).

File Information

The English version of this update has the file attributes (or later) that 
are listed in the following table. The dates and times for these files are 
listed in coordinated universal time (UTC). When you view the file 
information, it is converted to local time. To find the difference between 
UTC and local time, use the Time Zone tab in the Date and Time tool in 
Control Panel.

Windows XP Home Edition, Windows XP Professional, Windows XP Home Edition 
Service Pack 1, Windows XP Professional Service Pack 1, Windows XP Tablet 
PC Edition, and Windows XP Media Center Edition:

Date         Time   Version        Size     File name       Folder
- -------------------------------------------------------------------
08-Jun-2004  22:01  5.1.2600.105    48,640  Browser.dll     RTMQFE
08-Jun-2004  22:01  5.1.2600.155   251,392  Mstask.dll      RTMQFE
03-Jun-2004  22:54  5.1.2600.155     9,728  Mstinit.exe     RTMQFE
08-Jun-2004  22:01  5.1.2600.122   301,568  Netapi32.dll    RTMQFE
08-Jun-2004  22:01  5.1.2600.155   159,232  Schedsvc.dll    RTMQFE
08-Jun-2004  22:02  5.1.2600.1564  260,096  Mstask.dll      SP1QFE
08-Jun-2004  19:59  5.1.2600.1564   10,752  Mstinit.exe     SP1QFE
08-Jun-2004  22:02  5.1.2600.1562  306,688  Netapi32.dll    SP1QFE
08-Jun-2004  22:02  5.1.2600.1564  172,544  Schedsvc.dll    SP1QFE
18-May-2004  03:46  5.1.2600.1555  593,408  Xpsp2res.dll    SP1QFE

Windows XP 64-Bit Edition Service Pack 1:

Date         Time   Version        Size     File name     Platform Folder
- 
-------------------------------------------------------------------------------
05-Jun-2004  03:57  5.1.2600.1555     658,944  Mstask.dll   SP1QFE
18-May-2004  02:34  5.1.2600.1555      25,600  Mstinit.exe  SP1QFE
05-Jun-2004  03:57  5.1.2600.1562     905,728  Netapi32.dll SP1QFE
05-Jun-2004  03:57  5.1.2600.1555     576,000  Schedsvc.dll SP1QFE
18-May-2004  03:38  5.1.2600.1555     592,896  Xpsp2res.dll SP1QFE
05-Jun-2004  03:45  5.1.2600.1562     306,688  Wnetapi32.dll    SP1QFE\WOW
18-May-2004  03:46  5.1.2600.1555     593,408  Wxpsp2res.dll  SP1QFE\WOW

Notes The Windows XP versions of this security update are packaged as a 
dual-mode package, which contain files for both the original version of 
Windows XP and Windows XP Service Pack 1 (SP1). For more information about 
dual-mode packages, see Microsoft Knowledge Base Article 328848.

Verifying Update Installation


Microsoft Baseline Security Analyzer

To verify that a security update is installed on an affected system you 
may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool, 
which allows administrators to scan local and remote systems for missing 
security updates and for common security misconfigurations. For more 
information about MBSA, visit the Microsoft Baseline Security Analyzer Web 
site.


File Version Verification

Note Because there are several versions of Microsoft Windows, the 
following steps may be different on your computer. If they are, see your 
product documentation to complete these steps.

1.


Click Start, and then click Search.

2.


In the Search Results pane, click All files and folders under Search 
Companion.

3.


In the All or part of the file name box, type a file name from the 
appropriate file information table, and then click Search.

4.


In the list of files, right-click a file name from the appropriate file 
information table, and then click Properties.

Note Depending on the version of the operating system or programs 
installed, some of the files that are listed in the file information table 
may not be installed.

5.


On the Version tab, determine the version of the file that is installed on 
your computer by comparing it to the version that is documented in the 
appropriate file information table.

Note Attributes other than file version may change during installation. 
Comparing other file attributes to the information in the file information 
table is not a supported method of verifying the update installation. 
Also, in certain cases, files may be renamed during installation. If the 
file or version information is not present, use one of the other available 
methods to verify update installation.


Registry Key Verification

You may also be able to verify the files that this security update has 
installed by reviewing the following registry keys.

For Windows XP Home Edition, Windows XP Professional, Windows XP Home 
Edition Service Pack 1, Windows XP Professional Service Pack 1, Windows XP 
64-Bit Edition Service Pack 1, Windows XP Tablet PC Edition, and Windows 
XP Media Center Edition:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 
XP\SP2\KB841873\Filelist

For Windows XP 64-Bit Edition Version 2003:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 
2003\SP1\KB841873\Filelist

Note These registry keys may not contain a complete list of installed 
files. Also, these registry keys may not be created correctly if an 
administrator or an OEM integrates or slipstreams the 841873 security 
update into the Windows installation source files.
Top of section


Windows 2000 (all versions)

Prerequisites
For Windows 2000, this security update requires Service Pack 2 (SP2), 
Service Pack 3 (SP3), or Service Pack 4 (SP4).

The software that is listed has been tested to determine if the versions 
are affected. Other versions either no longer include security update 
support or may not be affected. To determine the support lifecycle for 
your product and version, visit the Microsoft Support Lifecycle Web site.

For more information about how to obtain the latest service pack, see 
Microsoft Knowledge Base Article 260910.

Inclusion in Future Service Packs:
The update for this issue will be included in Windows 2000 Service Pack 5.

Installation Information

This security update supports the following setup switches:

       /help                 Displays the command line options

Setup Modes

       /quiet                Quiet mode (no user interaction or display)

       /passive            Unattended mode (progress bar only)

       /uninstall          Uninstalls the package

Restart Options

       /norestart          Do not restart when installation is complete

       /forcerestart      Restart after installation

Special Options

       /l                        Lists installed Windows hotfixes or update 
packages

       /o                       Overwrite OEM files without prompting

       /n                       Do not backup files needed for uninstall

       /f                        Force other programs to close when the 
computer shuts down

       /extract             Extracts files without starting setup

Note You can combine these switches into one command. For backward 
compatibility, the security update also supports the setup switches that 
the previous version of the setup utility uses. For more information about 
the supported installation switches, see Microsoft Knowledge Base Article 
262841.

Deployment Information

To install the security update without any user intervention, use the 
following command at a command prompt for Windows 2000 Service Pack 2, 
Windows 2000 Service Pack 3, and Windows 2000 Service Pack 4:

Windows2000-kb841873-x86-enu /passive /quiet

To install the security update without forcing the system to restart, use 
the following command at a command prompt for Windows 2000 Service Pack 2, 
Windows 2000 Service Pack 3, and Windows 2000 Service Pack 4:

Windows2000-kb841873-x86-enu /norestart

For more information about how to deploy this security update with 
Software Update Services, visit the Software Update Services Web site.

Restart Requirement

In some cases, this update does not require a restart. The installer stops 
the required services, applies the update, and then restarts the services. 
However, if the required services cannot be stopped for any reason or if 
required files are in use, this update will require a restart. If this 
occurs, a message appears that advises you to restart.

Removal Information

To remove this security update, use the Add or Remove Programs tool in 
Control Panel.

System administrators can also use the Spuninst.exe utility to remove this 
security update. The Spuninst.exe utility is located in the 
%Windir%\$NTUninstallKB841873$\Spuninst folder. The Spuninst.exe utility 
supports the following setup switches:

/?: Show the list of installation switches.

/u: Use unattended mode.

/f: Force other programs to quit when the computer shuts down.

/z: Do not restart when the installation is complete.

/q: Use Quiet mode (no user interaction).

File Information

The English version of this update has the file attributes (or later) that 
are listed in the following table. The dates and times for these files are 
listed in coordinated universal time (UTC). When you view the file 
information, it is converted to local time. To find the difference between 
UTC and local time, use the Time Zone tab in the Date and Time tool in 
Control Panel.

Note Date, time, file name, or size information could change during 
installation. See the Verifying Update Installation section for details 
about verifying an installation.

Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, and Windows 2000 
Service Pack 4:

Date         Time   Version         Size    File name
- ----------------------------------------------------------
24-Mar-2004  02:17  5.0.2195.6866   69,904  Browser.dll
10-Jun-2004  16:58  4.71.2195.6920 216,848  Mstask.dll
05-Apr-2004  17:51  4.71.2195.6920 119,568  Mstask.exe
10-Jun-2004  16:58  5.0.2195.6949  309,008  Netapi32.dll

Verifying Update Installation


Microsoft Baseline Security Analyzer

To verify that a security update is installed on an affected system you 
may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool, 
which allows administrators to scan local and remote systems for missing 
security updates and for common security misconfigurations. For more 
information about MBSA, visit the Microsoft Baseline Security Analyzer Web 
site.


File Version Verification

Note Because there are several versions of Microsoft Windows, the 
following steps may be different on your computer. If they are, see your 
product documentation to complete these steps.

1.


Click Start, and then click Search.

2.


In the Search Results pane, click All files and folders under Search 
Companion.

3.


In the All or part of the file name box, type a file name from the 
appropriate file information table, and then click Search.

4.


In the list of files, right-click a file name from the appropriate file 
information table, and then click Properties.

Note Depending on the version of the operating system or programs 
installed, some of the files that are listed in the file information table 
may not be installed.

5.


On the Version tab, determine the version of the file that is installed on 
your computer by comparing it to the version that is documented in the 
appropriate file information table.

Note Attributes other than file version may change during installation. 
Comparing other file attributes to the information in the file information 
table is not a supported method of verifying the update installation. 
Also, in certain cases, files may be renamed during installation. If the 
file or version information is not present, use one of the other available 
methods to verify update installation.


Registry Key Verification

You may also be able to verify the files that this security update has 
installed by reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 
2000\SP5\KB841873\Filelist

Note This registry key may not contain a complete list of installed files. 
Also, this registry key may not be created correctly when an administrator 
or an OEM integrates or slipstreams the 841873 security update into the 
Windows installation source files.
Top of section


Internet Explorer 6 for Windows NT 4.0 SP6a

Prerequisites

To install the Internet Explorer 6 version of this update, you must be 
running one of the following versions of Windows:


Microsoft Windows NT® Workstation 4.0 Service Pack 6a


Microsoft Windows NT Server 4.0 Service Pack 6a


Microsoft Windows NT Server 4.0 Terminal Server Edition, Service Pack 6

Note Versions of Windows and versions of Internet Explorer that are not 
listed in this article are no longer supported or not affected. We 
recommend that you upgrade to a supported version of Windows and of 
Internet Explorer, and then apply the appropriate update.

For more information about support lifecycles for Windows components, see 
the following Microsoft Support Lifecycle Web site.

For more information about how to obtain the latest service pack for 
Internet Explorer 6, see Microsoft Knowledge Base Article 328548.

Installation Information

The security update supports the following setup switches:

    /Q Specifies quiet mode, or suppresses prompts, when files are being 
extracted.

    /Q:U Specifies user-quiet mode, which presents some dialog boxes to the 
user.

    /Q:A Specifies administrator-quiet mode, which does not present any 
dialog boxes to the user.

    /T: <full path> Specifies the target folder for extracting files.

    /C Extracts the files without installing them. If /T: path is not 
specified, you are prompted for a target folder.

    /C: <Cmd> Override Install Command defined by author. Specifies the 
path and name of the Setup .inf or .exe file.

    /R:N Never restarts the computer after installation.

    /R:I Prompts the user to restart the computer if a restart is required, 
except when used with /Q:A.

    /R:A Always restarts the computer after installation.

    /R:S Restarts the computer after installation without prompting the 
user.

    /N:V No version checking - Install the program over any previous 
version.

Note These switches do not necessarily work with all updates. If a switch 
is not available then that functionality is not necessary for the proper 
installation of the update. Also, the use of the /N:V switch is 
unsupported and may result in an unbootable system. If the installation is 
unsuccessful, you should consult your support professional to understand 
why it failed to install.

For additional information about the supported setup switches, see 
Microsoft Knowledge Base Article 197147.

Deployment Information

For example, to install the update without any user intervention and not 
force the system to restart, run the following command:

    IE-KB841873-WindowsNT4sp6-x86-ENU.exe /q:a /r:n

For information about how to deploy this security update with Software 
Update Services, visit the Software Update Services Web site.

Restart Requirements

In some cases, you do not have to restart your system after you apply this 
update. However, if the required files are in use, you must restart your 
system after you apply this update. If this behavior occurs, a message is 
displayed that advises you to restart your system. You do not have to use 
an administrator logon after the system restarts for any version of this 
update.

Removal Information

To remove this update, use the Add or Remove Programs tool (or the 
Add/Remove Programs tool) in Control Panel. Click Internet Explorer 
Q841873, and then click Change/Remove (or click Add/Remove).

System administrators can use the Ieuninst.exe utility to remove this 
update. This security update installs the Ieuninst.exe utility in the 
%Windir% folder. This utility supports the following setup switches:

    /?: Show the list of supported switches

    /z: Do not restart when the installation is complete

    /q: Use Quiet mode (no user interaction)

For example, to remove this update without any user intervention, use the 
following command:

    c:\windows\ieuninst /q c:\windows\inf\q841873.inf

Note This command assumes that Windows is installed in the C:\Windows 
folder.

File Information

The English version of this update has the file attributes (or later) that 
are listed in the following table. The dates and times for these files are 
listed in coordinated universal time (UTC). When you view the file 
information, it is converted to local time. To find the difference between 
UTC and local time, use the Time Zone tab in the Date and Time tool in 
Control Panel.

Date         Time   Version         Size     File name
- --------------------------------------------------------
27-May-2004  19:52  4.71.1979.1     223,504  Mstask.dll

Verifying Update Installation


File Version Verification

Note Because there are several versions of Microsoft Windows, the 
following steps may be different on your computer. If they are, see your 
product documentation to complete these steps.

1.


Click Start, and then click Search.

2.


In the Search Results pane, click All files and folders under Search 
Companion.

3.


In the All or part of the file name box, type a file name from the 
appropriate file information table, and then click Search.

4.


In the list of files, right-click a file name from the appropriate file 
information table, and then click Properties.

Note Depending on the version of the operating system or programs 
installed, some of the files that are listed in the file information table 
may not be installed.

5.


On the Version tab, determine the version of the file that is installed on 
your computer by comparing it to the version that is documented in the 
appropriate file information table.

Note Attributes other than file version may change during installation. 
Comparing other file attributes to the information in the file information 
table is not a supported method of verifying the update installation. 
Also, in certain cases, files may be renamed during installation. If the 
file or version information is not present, use one of the other available 
methods to verify update installation.


Registry Key Verification

You may also be able to verify the files that this security update has 
installed by reviewing the following registry key:

HKLM\Software\Microsoft\Active Setup\Installed 
Components\{bfb56e60-5895-496c-bd6b-459b97142e4c}

Confirm that the IsInstalled DWORD value that has a data value of 1 
appears in the registry key.


Program Version Verification

Confirm that Q841873 is listed in the Update Versions field in the About 
Internet Explorer dialog box
Top of section
Top of section

Acknowledgments

Microsoft thanks the following for working with us to help protect 
customers:


Brett Moore of Security-Assessment.com for reporting the Task Scheduler 
Vulnerability (CAN-2004-0212).


Dustin Schneider for reporting the Task Scheduler Vulnerability 
(CAN-2004-0212).


Peter Winter-Smith of Next Generation Security Software Ltd. for reporting 
the Task Scheduler Vulnerability (CAN-2004-0212).

Obtaining Other Security Updates:

Updates for other security issues are available from the following 
locations:


Security updates are available from the Microsoft Download Center: You can 
find them most easily by doing a keyword search for "security_patch".


Updates for consumer platforms are available from the Windows Update Web 
site.

Support:


Customers in the U.S. and Canada can receive technical support from 
Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge 
for support calls that are associated with security updates.


International customers can receive support from their local Microsoft 
subsidiaries. There is no charge for support that is associated with 
security updates. For more information about how to contact Microsoft for 
support issues, visit the International Support Web site.

Security Resources:


The Microsoft TechNet Security Web site provides additional information 
about security in Microsoft products.


Microsoft Software Update Services


Microsoft Baseline Security Analyzer (MBSA)


Windows Update


Windows Update Catalog: For more information about the Windows Update 
Catalog, see Microsoft Knowledge Base Article 323166.


Office Update

Software Update Services:

By using Microsoft Software Update Services (SUS), administrators can 
quickly and reliably deploy the latest critical updates and security 
updates to Windows 2000 and Windows Server 2003-based servers, and to 
desktop systems that are running Windows 2000 Professional or Windows XP 
Professional.

For more information about how to deploy this security update with 
Software Update Services, visit the Software Update Services Web site.

Systems Management Server:

Microsoft Systems Management Server (SMS) delivers a highly-configurable 
enterprise solution for managing updates. By using SMS, administrators can 
identify Windows-based systems that require security updates and to 
perform controlled deployment of these updates throughout the enterprise 
with minimal disruption to end users. For more information about how 
administrators can use SMS 2003 to deploy security updates, see the SMS 
2003 Security Patch Management Web site. SMS 2.0 users can also use 
Software Updates Service Feature Pack to help deploy security updates. For 
information about SMS, visit the SMS Web site.

Note SMS uses the Microsoft Baseline Security Analyzer and the Microsoft 
Office Detection Tool to provide broad support for security bulletin 
update detection and deployment. Some software updates may not be detected 
by these tools. Administrators can use the inventory capabilities of the 
SMS in these cases to target updates to specific systems. For more 
information about this procedure, see the following Web site. Some 
security updates require administrative rights following a restart of the 
system. Administrators can use the Elevated Rights Deployment Tool 
(available in the SMS 2003 Administration Feature Pack and in the SMS 2.0 
Administration Feature Pack) to install these updates.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as 
is" without warranty of any kind. Microsoft disclaims all warranties, 
either express or implied, including the warranties of merchantability and 
fitness for a particular purpose. In no event shall Microsoft Corporation 
or its suppliers be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages, even if Microsoft Corporation or its suppliers have been advised 
of the possibility of such damages. Some states do not allow the exclusion 
or limitation of liability for consequential or incidental damages so the 
foregoing limitation may not apply.

Revisions:


V1.0 (July 13, 2004): Bulletin published

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBQPRgvukli63F4U8VAQG3MAQAxPnDFfoDb7D8YMsZNVeYRf8VfJwG9MQY
DmHoQHiXAY3xnvxJInLYTVFo2YLbbEb3GYUMABl5VWWtrH2eDx++i2JQcZZaHfzb
MgdpC9yfkkq3gbwKnVpWccKZpYGD05V5mu2cu6w7rnNuBR8rKZAp73v2jdLgCwvt
iXOlLUiU5fs=
=i6TJ
-----END PGP SIGNATURE-----


----- End forwarded message -----


From security em unicamp.br  Wed Jul 14 10:42:22 2004
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Wed, 14 Jul 2004 10:42:22 -0300
Subject: [SECURITY-L] CAIS-Alerta: Vulnerabilidade no HTML Help (840315)
Message-ID: <20040714134216.GF46533@unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br> -----

From: Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br>
Subject:  CAIS-Alerta: Vulnerabilidade no HTML Help (840315)
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Tue, 13 Jul 2004 19:26:59 -0300 (BRST)

-----BEGIN PGP SIGNED MESSAGE-----


Prezados,

O CAIS esta' repassando o alerta da Microsoft intitulado "Microsoft 
Security Bulletin MS04-023: Vulnerability in HTML Help Could Allow Code 
Execution (840315)", que trata da correcao de duas vulnerabilidades que 
afetam o HTML Help.

Microsoft HTML Help e' o sistema on-line de ajuda padrao da plataforma 
Windows. A vulnerabilidade descrita em CAN-2003-1041 esta no processamento 
de uma URL showHelp criada por um atacante que permite a execucao de 
codigo malicioso na Zona Local do Internet Explorer, considerada 
confiavel. Ja' a vulnerabilidade descrita em CAN-2004-0201 esta' na 
validacao dos dados de entrada no HTML Help, permitindo execucao remota de 
codigo por um atacante contra usuarios com privilegios administrativos. A 
exploracao de ambas as vulnerabilidades resulta em total controle do 
atacante sob o sistema comprometido.


Sistemas afetados:

. Microsoft Windows 2000 Service Pack 2
. Microsoft Windows 2000 Service Pack 3
. Microsoft Windows 2000 Service Pack 4
. Microsoft Windows XP
. Microsoft Windows XP Service Pack 1
. Microsoft Windows XP 64-Bit Edition Service Pack 1
. Microsoft Windows XP 64-Bit Edition Version 2003
. Microsoft Windows Server 2003
. Microsoft Windows Server 2003 64-Bit Edition
. Microsoft Windows 98
. Microsoft Windows 98 Second Edition (SE)
. Microsoft Windows Millennium Edition (Me)


Correcoes disponiveis:

Recomenda-se fazer a atualizacao para as versoes disponiveis em:

. Microsoft Windows 2000 Service Pack 2, 3 e 4
  http://www.microsoft.com/downloads/details.aspx?FamilyId=3F2F1A7D-5CF2-4791-A7EE-07F20F75796C&displaylang=en

. Microsoft Windows XP and Microsoft Windows XP Service Pack 1
  http://www.microsoft.com/downloads/details.aspx?FamilyId=8B412C7F-44AD-4E77-8973-FD3E84CC496A&displaylang=en

. Microsoft Windows XP 64-Bit Edition Service Pack 1
  http://www.microsoft.com/downloads/details.aspx?FamilyId=0042DB67-C58B-412C-A24F-9D2AA8071897&displaylang=en

. Microsoft Windows XP 64-Bit Edition Version 2003
  http://www.microsoft.com/downloads/details.aspx?FamilyId=DF0C5C4E-D986-4AD5-95E0-E87106D7C019&displaylang=en

. Microsoft Windows Server 2003
  http://www.microsoft.com/downloads/details.aspx?FamilyId=8B53C35D-E9ED-46AD-936C-30C8E3A7E606&displaylang=en

. Microsoft Windows Server 2003 64-Bit Edition
  http://www.microsoft.com/downloads/details.aspx?FamilyId=DF0C5C4E-D986-4AD5-95E0-E87106D7C019&displaylang=en

. Microsoft Windows 98, 98 Second Edition (SE) e Millennium Edition (Me) -
  consultar o FAQ do boletim original


Mais informacoes:

. Microsoft Security Bulletin MS04-023
  Vulnerability in HTML Help Could Allow Code Execution (840315)
  http://www.microsoft.com/technet/security/bulletin/MS04-023.mspx

. Microsoft Brasil - Security
  http://www.microsoft.com/brasil/security

. Technet Brasil - Central de Seguranca
  http://www.technetbrasil.com.br/seguranca


Identificadores CVE: CAN-2004-0201 e CAN-2003-1041 (http://cve.mitre.org)


O CAIS recomenda aos administradores de plataformas Microsoft que
mantenham seus sistemas e aplicativos sempre atualizados.


Os Alertas do CAIS tambem sao oferecidos no formato RSS/RDF:

http://www.rnp.br/cais/alertas/rss.xml


Atenciosamente,

################################################################
#   CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)     #
#       Rede Nacional de Ensino e Pesquisa (RNP)               #
#                                                              #
# cais em cais.rnp.br       http://www.cais.rnp.br                #
# Tel. 019-37873300      Fax. 019-37873301                     #
# Chave PGP disponivel   http://www.rnp.br/cais/cais-pgp.key   #
################################################################


Microsoft Security Bulletin MS04-023
Vulnerability in HTML Help Could Allow Code Execution (840315)

Issued: July 13, 2004
Version: 1.0
Summary

Who should read this document: Customers who use Microsoft Windows

Impact of Vulnerability:  Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Customers should apply the update immediately.

Security Update Replacement: None

Caveats: Windows NT Workstation 4.0, Windows NT Server 4.0 and Windows NT 
4.0 Terminal Server Edition are not affected by default. However if you 
have installed Internet Explorer 5.5 Service Pack 2 or Internet Explorer 
6.0 Service Pack 1 you will have the vulnerable component on your system.

Tested Software and Security Update Download Locations:

Affected Software:


Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 
3, Microsoft Windows 2000 Service Pack 4  Download the update


Microsoft Windows XP and Microsoft Windows XP Service Pack 1  Download 
the update


Microsoft Windows XP 64-Bit Edition Service Pack 1  Download the update


Microsoft Windows XP 64-Bit Edition Version 2003  Download the update


Microsoft Windows Server 2003  Download the update


Microsoft Windows Server 2003 64-Bit Edition  Download the update


Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and 
Microsoft Windows Millennium Edition (Me)  Review the FAQ section of this 
bulletin for details about these operating systems.

Non-Affected Software:


Microsoft Windows NT® Workstation 4.0 Service Pack 6a


Microsoft Windows NT Server 4.0 Service Pack 6a


Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6

Tested Microsoft Windows Components:

Affected Components:


Internet Explorer 6.0 Service Pack 1 when installed on Windows NT 4.0 SP6a 
(Workstation, Server, or Terminal Server Edition) - Download the update

The software in this list has been tested to determine if the versions are 
affected. Other versions either no longer include security update support 
or may not be affected. To determine the support lifecycle for your 
product and version, visit the following Microsoft Support Lifecycle Web 
site.
Top of section
General Information

Executive Summary

Executive Summary:

This update resolves two newly-discovered vulnerabilities. The HTML Help 
vulnerability was privately reported and the showHelp vulnerability is 
public. Each vulnerability is documented in this bulletin in its own 
Vulnerability Details section.

If a user is logged on with administrative privileges, an attacker who 
successfully exploited the most severe of these vulnerabilities could take 
complete control of an affected system, including installing programs; 
viewing, changing, or deleting data; or creating new accounts that have 
full privileges. Users whose accounts are configured to have fewer 
privileges on the system would be at less risk than users who operate with 
administrative privileges.

We recommend that customers apply the update immediately.

Severity Ratings and Vulnerability Identifiers:
Vulnerability Identifiers	Impact of Vulnerability	Windows 98, 98 SE, 
Me	Windows NT 4.0	Windows 2000	Windows XP	Windows Server 
2003

showHelp Vulnerability - CAN-2003-1041


Remote Code Execution


Not Critical


Important


Important


Important


Important

HTML Help Vulnerability - CAN-2004-0201


Remote Code Execution


Critical


Critical


Critical


Critical


Critical

Aggregate Severity of All Vulnerabilities





Critical


Critical


Critical


Critical


Critical

This assessment is based on the types of systems that are affected by the 
vulnerability, their typical deployment patterns, and the effect that 
exploiting the vulnerability would have on them.
Top of section

Frequently asked questions (FAQ) related to this security update

Does this update contain any other changes?
Yes. In addition to the changes that are listed in the Vulnerability 
Details section of this bulletin, this update includes the following 
change. After applying this update only files that have the extension 
".chm" can be used as compiled HTML Help files. Applications that use 
other extensions for compiled HTML Help files will no longer display 
content using HTML Help. For more information, see Knowledge Base article 
840315.

I'm still using Microsoft Windows NT 4.0 Workstation Service Pack 6a or 
Windows 2000 Service Pack 2, but extended security update support ended on 
June 30, 2004. However, this bulletin has a security update for these 
operating system versions. Why is that?
Windows NT 4.0 Workstation Service Pack 6a and Windows 2000 Service Pack 2 
have reached the end of their life cycles as previously documented, and 
Microsoft extended this support to June 30, 2004. However, the end-of-life 
for the extended support period occurred very recently. In this case, the 
majority of the steps that are required to address this vulnerability were 
completed before June 30, 2004. Therefore, we have decided to release 
security updates for these operating system versions as part of this 
security bulletin. We do not anticipate doing this for future 
vulnerabilities affecting these operating system versions, but we reserve 
the right to produce updates and to make these updates available when 
necessary.

It should be a priority for customers who have these operating system 
versions to migrate to supported versions to prevent potential exposure to 
future vulnerabilities. For more information about the Windows Product 
Life Cycle, visit the following Microsoft Support Lifecycle Web site. For 
more information about the extended security update support period for 
these operating system versions, visit the following Microsoft Product 
Support Services Web site.

Customers who require additional support for Windows NT Workstation 4.0 
must contact their Microsoft account team representative, their Technical 
Account Manager, or the appropriate Microsoft partner representative for 
custom support options. Customers without an Alliance, Premier, or 
Authorized Contract can contact their local Microsoft sales office. For 
contact information, visit the Microsoft Worldwide Information Web site, 
select the country, and then click Go to see a list of phone numbers. When 
you call, ask to speak with the local Premier Support sales manager.

For more information, see the Windows Operating System FAQ.

Why does this update address several reported security vulnerabilities?
This update contains support for several vulnerabilities because the 
modifications that are required to address these issues are located in the 
same file. Instead of having to install several updates that are almost 
the same, customers can install only this update.

How does the extended support for Windows 98, Windows 98 Second Edition, 
and Windows Millennium Edition affect the release of security updates for 
these operating systems?
Microsoft will only release security updates for critical security issues. 
Non-critical security issues are not offered during this support period. 
For more information about the Microsoft Support Lifecycle policies for 
these operating systems, visit the following Web site.

For more information about severity ratings, visit the following Web site.

Note Critical security updates for these platforms may not be available 
concurrently with the other security updates provided as part of this 
security bulletin. They will be made available as soon as possible 
following the release. When these security updates are available, you will 
be able to download them only from the Windows Update Web site

Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition 
critically affected by any of the vulnerabilities that are addressed in 
this security bulletin?
Yes. Security updates will be made available as soon as possible following 
the release. When these security updates are available, you will be able 
to download them only from the Windows Update Web site.

Is Windows NT 4.0 Service Pack 6a affected by the vulnerability that is 
addressed in this security bulletin?
By default, this operating system does not natively provide a version of 
the vulnerable component and is not affected. However, the vulnerable 
component is installed on this operating system when you install Internet 
Explorer 5.5 Service Pack 2 or Internet Explorer 6 Service Pack 1. If you 
use this version of Internet Explorer on this operating system, you should 
install the provided security update for Windows NT 4.0.

Can I use the Microsoft Baseline Security Analyzer (MBSA) to determine if 
this update is required?
Yes. MBSA will determine if this update is required. For more information 
about MBSA, visit the MBSA Web site.

Note After April 20, 2004, the Mssecure.xml file that is used by MBSA 
1.1.1 and earlier versions is no longer being updated with new security 
bulletin data. Therefore, scans that are performed after that date with 
MBSA 1.1.1 or earlier will be incomplete. All users should upgrade to MBSA 
1.2 because it provides more accurate security update detection and 
supports additional products. Users can download MBSA 1.2 from the MBSA 
Web site. For more information about MBSA support, visit the following 
Microsoft Baseline Security Analyzer 1.2 Q&A Web site.

Can I use Systems Management Server (SMS) to determine if this update is 
required?
Yes. SMS can help detect and deploy this security update. For information 
about SMS, visit the SMS Web site
Top of section

Vulnerability Details

showHelp Vulnerability - CAN-2003-1041:

A remote code execution vulnerability exists in the processing of a 
specially crafted showHelp URL. The vulnerability could allow malicious 
code to run in the Local Machine security zone in Internet Explorer, which 
could allow an attacker to take complete control of an affected system.

Mitigating Factors for showHelp Vulnerability - CAN-2003-1041:


To exploit this vulnerability an attacker would have to use a specially 
crafted file that is at a known location on the target system.


In a Web-based attack scenario, an attacker would have to host a Web site 
that contains a Web page that is used to exploit this vulnerability. An 
attacker would have no way to force users to visit a malicious Web site. 
Instead, an attacker would have to persuade them to visit the Web site, 
typically by getting them to click a link that takes them to the 
attacker's site. After they click the link, they would be prompted to 
perform several actions. An attack could only occur after they performed 
these actions.


An attacker who successfully exploited this vulnerability could gain the 
same privileges as the user. Users whose accounts are configured to have 
fewer privileges on the system would be at less risk than users who 
operate with administrative privileges.


By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML 
e-mail messages in the Restricted sites zone. Additionally, Outlook 98 and 
Outlook 2000 open HTML e-mail messages in the Restricted sites zone if the 
Outlook E-mail Security Update has been installed. The Restricted sites 
zone helps reduce attacks that could attempt to exploit this 
vulnerability.

The risk of attack from the HTML e-mail vector can be significantly 
reduced if you meet all the following conditions:


Apply the update that is included with Microsoft Security Bulletin 
MS03-040 or a later Cumulative Security Update for Internet Explorer.


Use Internet Explorer 6 or later.


Use the Microsoft Outlook E-mail Security Update, use Microsoft Outlook 
Express 6 or later, or use Microsoft Outlook 2000 Service Pack 2 or later 
in its default configuration.
Top of section

Workarounds for showHelp Vulnerability - CAN-2003-1041:

Microsoft has tested the following workarounds. While these workarounds 
will not correct the underlying vulnerability, they help block known 
attack vectors. When a workaround reduces functionality, it is identified 
below.


Strengthen the security settings for the Local Machine zone in Internet 
Explorer

Because this vulnerability permits an attacker to run HTML code in the 
Local Machine security zone, users can reduce the impact of this 
vulnerability by restricting the default settings in this zone. For more 
information about these settings, and for more information about the 
potential impacts of changing these default settings, see Microsoft 
Knowledge Base Article 833633.

Warning: Microsoft recommends that customers consider these changes to 
Internet Explorer security settings as a last resort only. If you make 
these changes, you may lose some functionality for some Windows programs 
and components. Before you make these changes in a production environment, 
test the changes extensively to verify that mission-critical programs 
continue to work correctly for all users.
~U

Unregister HTML Help

To unregister the HTML Help protocol, follow these steps:

1.


Click Start, click Run, type "regsvr32 /u %windir%\system32\itss.dll" 
(without the quotation marks), and then click OK.

Note On Windows 98 and Windows Me, replace "system32" with "system" in 
this command.

2.


A dialog box appears to confirm that the unregistration process has 
succeeded. Click OK to close the dialog box.

Impact of Workaround: All HTML Help functionality will be unavailable. 
This will affect the online Help in Windows or any application that uses 
HTML Help functionality.


Read e-mail messages in plain text format if you are using Outlook 2002 or 
later, or Outlook Express 6 SP1 or later, to help protect yourself from 
the HTML e-mail attack vector.

Microsoft Outlook 2002 users who have applied Office XP Service Pack 1 or 
later and Microsoft Outlook Express 6 users who have applied Internet 
Explorer 6 Service Pack 1 can enable this setting and view e-mail messages 
that are not digitally signed or e-mail messages that are not encrypted in 
plain text only.

Digitally signed e-mail messages or encrypted e-mail messages are not 
affected by the setting and may be read in their original formats. For 
more information about enabling this setting in Outlook 2002, see 
Microsoft Knowledge Base Article 307594.

For information about this setting in Outlook Express 6, see Microsoft 
Knowledge Base Article 291387.

Impact of Workaround: E-mail messages that are viewed in plain text format 
will not contain pictures, specialized fonts, animations, or other rich 
content. In addition:


The changes are applied to the preview pane and to open messages.


Pictures become attachments so that they are not lost.


Because the message is still in Rich Text or HTML format in the store, the 
object model (custom code solutions) may behave unexpectedly.
Top of section

FAQ for showHelp Vulnerability - CAN-2003-1041:

What is the scope of the vulnerability?
This is a remote code execution vulnerability. If a user is logged on with 
administrative privileges, an attacker who successfully exploited this 
vulnerability could take complete control of an affected system. An 
attacker could then install programs; viewing, changing, or deleting data; 
or creating new accounts with full privileges. Users whose accounts are 
configured to have fewer privileges on the system would be at less risk 
than users who operate with administrative privileges. In order to exploit 
this vulnerability an attacker would have to make use of a specially 
crafted file that is at a known location on the target system.

What causes the vulnerability?
The HTML Help protocol does not correctly validate .chm files.

What is the HTML protocol?
The HTML protocol is used to open compiled HTML Help files. For more 
information about this protocol, visit the following Web site.

What is HTML Help?
Microsoft HTML Help is the standard help system for the Windows platform. 
Authors can use HTML Help to create online Help files for a software 
application or to create content for a multimedia title or for a Web site. 
For more information about how to create online Help files, visit the 
following Web site.

What is showHelp?
The showHelp method is used to display an HTML page that contains help 
content. For more information about the showHelp method, visit the 
following Web site.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could run 
malicious code in the Local Machine security zone in Internet Explorer. By 
running malicious code in the Local Machine zone, an attacker could gain 
complete control over an affected system. An attacker could take any 
action on the system, including installing programs, viewing data, 
changing data, deleting data, or creating new accounts that have full 
administrative credentials. For more information about URL security zones, 
visit the following Web site.

What are Internet Explorer security zones?
Internet Explorer security zones are part of a system that divides online 
content into categories or zones that are based on the trustworthiness of 
the content. Specific Web domains can be assigned to a zone, depending on 
how much trust is placed in the content of each domain. The zone then 
restricts the capabilities of the Web content, based on the zone's policy. 
By default, most Internet domains are treated as part of the Internet 
zone. By default, the policy of the Internet zone prevents scripts and 
other active code from accessing resources on the local system.

Who could exploit the vulnerability?
Any anonymous user could attempt to exploit this vulnerability.

How could an attacker exploit the vulnerability?
An attacker would have to host a Web site and then persuade a user to view 
that Web site.

An attacker could also create an HTML e-mail message that contains a 
specially crafted link, and then persuade a user to view the HTML e-mail 
message and then click the link.

What systems are primarily at risk from the vulnerability?
Any system where Internet Explorer and mail clients are actively used is 
primarily at risk from this vulnerability.

Are Windows 98, Windows 98 Second Edition or Windows Millennium Edition 
critically affected by this vulnerability?
No. Although Windows 98, Windows 98 Second Edition and Windows Millennium 
Edition do contain the affected component, the vulnerability is not 
critical. For more information about severity ratings, visit the following 
Web site.

Could the vulnerability be exploited over the Internet?
Yes. An attacker may be able to exploit this vulnerability over the 
Internet.

What does the update do?
The update removes the vulnerability by making sure that the HTML Help 
protocol only opens valid .chm files.

When this security bulletin was issued, had this vulnerability been 
publicly disclosed?
Yes. This vulnerability has been publicly disclosed. It has been assigned 
Common Vulnerability and Exposure number CAN-2003-1041.

When this security bulletin was issued, had Microsoft received any reports 
that this vulnerability was being exploited?
Yes. When the security bulletin was released, Microsoft had received 
information that this vulnerability was being exploited.

Does applying this security update help protect customers from the code 
that has been published publicly that attempts to exploit this 
vulnerability?
Yes. This security update addresses the vulnerability that is currently 
being exploited. The vulnerability that has been addressed has been 
assigned the Common Vulnerability and Exposure number CAN-2003-1041.
Top of section
Top of section

HTML Help Vulnerability ~V CAN-2004-0201

A remote code execution vulnerability exists in HTML Help that could allow 
remote code execution on an affected system. If a user is logged on with 
administrative privileges, an attacker who successfully exploited this 
vulnerability could take complete control of an affected system. An 
attacker could then install programs; view, change, or delete data; or 
create new accounts with full privileges. Users whose accounts are 
configured to have fewer privileges on the system would be at less risk 
than users who operate with administrative privileges

Mitigating Factors for HTML Help Vulnerability - CAN-2004-0201:


In a Web-based attack scenario, an attacker would have to host a Web site 
that contains a Web page that is used to exploit this vulnerability. An 
attacker would have no way to force users to visit a malicious Web site. 
Instead, an attacker would have to persuade them to visit the Web site, 
typically by getting them to click a link that takes them to the 
attacker's site.


An attacker who successfully exploited this vulnerability could gain the 
same privileges as the user. Users whose accounts are configured to have 
fewer privileges on the system would be at less risk than users who 
operate with administrative privileges.
Top of section

Workarounds for HTML Help Vulnerability - CAN-2004-0201:

Microsoft has tested the following workarounds. While these workarounds 
will not correct the underlying vulnerability, they help block known 
attack vectors. When a workaround reduces functionality, it is identified 
below.


Unregister HTML Help

To unregister the HTML Help protocol, follow these steps:

1.


Click Start, click Run, type "regsvr32 /u %windir%\system32\itss.dll" 
(without the quotation marks), and then click OK.

Note On Windows 98 and Windows Me, replace "system32" with "system" in 
this command.

2.


A dialog box appears to confirm that the unregistration process has 
succeeded. Click OK to close the dialog box.

Impact of Workaround: All HTML Help functionality will be unavailable. 
This will affect the online Help in Windows or in any application that use 
HTML Help functionality.


Read e-mail messages in plain text format if you are using Outlook 2002 or 
later, or Outlook Express 6 SP1 or later, to help protect yourself from 
the HTML e-mail attack vector.

Microsoft Outlook 2002 users who have applied Office XP Service Pack 1 or 
later and Microsoft Outlook Express 6 users who have applied Internet 
Explorer 6 Service Pack 1 can enable this setting and view e-mail messages 
that are not digitally signed or e-mail messages that are not encrypted in 
plain text only.

Digitally signed e-mail messages or encrypted e-mail messages are not 
affected by the setting and may be read in their original formats. For 
more information about enabling this setting in Outlook 2002, see 
Microsoft Knowledge Base Article 307594.

For information about this setting in Outlook Express 6, see Microsoft 
Knowledge Base Article 291387.

Impact of Workaround: E-mail messages that are viewed in plain text format 
will not contain pictures, specialized fonts, animations, or other rich 
content. In addition:


The changes are applied to the preview pane and to open messages.


Pictures become attachments so that they are not lost.


Because the message is still in Rich Text or HTML format in the store, the 
object model (custom code solutions) may behave unexpectedly.
Top of section

FAQ for HTML Help Vulnerability - CAN-2004-0201:

What is the scope of the vulnerability?
This is a remote code execution vulnerability. If a user is logged on with 
administrative privileges, an attacker who successfully exploited this 
vulnerability could take complete control of an affected system. An 
attacker could then install programs; view, change, or delete data; or 
create new accounts with full privileges. Users whose accounts are 
configured to have fewer privileges on the system would be at less risk 
than users who operate with administrative privileges.

What causes the vulnerability?
The vulnerability occurs because HTML Help does not completely validate 
input data.

What is HTML Help?
Microsoft HTML Help is the standard help system for the Windows platform. 
Authors can use HTML Help to create online Help files for a software 
application or to create content for a multimedia title or for a Web site. 
For more information about how to create online Help files, visit the 
following Web site.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could gain the 
same privileges as the user. Users whose accounts are configured to have 
fewer privileges on the system would be at less risk than users who 
operate with administrative privileges.

Who could exploit the vulnerability?
Any anonymous user could attempt to exploit this vulnerability.

How could an attacker exploit the vulnerability?
To exploit this vulnerability, an attacker would have to host a malicious 
Web site and then persuade a user to view that Web site. An attacker could 
also create an HTML e-mail message that contains a specially crafted link, 
and then persuade a user to view the HTML e-mail message and then click 
the link.

What systems are primarily at risk from the vulnerability?
Any system where Internet Explorer and mail clients are actively used is 
primarily at risk from this vulnerability.

Are Windows 98, Windows 98 Second Edition or Windows Millennium Edition 
critically affected by this vulnerability?
Yes. Updates will be made available as soon as possible following the 
release. When these security updates are available, you will be able to 
download them only from the Windows Update Web site

Could the vulnerability be exploited over the Internet?
Yes. An attacker may be able to exploit this vulnerability over the 
Internet.

What does the update do?
The update removes the vulnerability by modifying the way that HTML Help 
validates the contents of a Help file.

How does this vulnerability relate to the Help and SupportCenter issues 
that are addressed by MS04-011 and MS04-015?
They are not related. Both the previous vulnerabilities were in the Help 
and Support Center. However, this update corrects a new vulnerability in 
HTML Help.

When this security bulletin was issued, had this vulnerability been 
publicly disclosed?
No. Microsoft received information about this vulnerability through 
responsible disclosure.

When this security bulletin was issued, had Microsoft received any reports 
that this vulnerability was being exploited?
No. Microsoft had not received any information indicating that this 
vulnerability had been publicly used to attack customers and had not seen 
any examples of proof of concept code published when this security 
bulletin was originally issued.
Top of section
Top of section
Top of section

Security Update Information

Installation Platforms and Prerequisites:

For information about the specific security update for your platform, 
click the appropriate link:

Windows Server 2003 (all versions)

Prerequisites
This security update requires a release version of Windows Server 2003.

Inclusion in Future Service Packs:
The update for this issue will be included in Windows Server 2003 Service 
Pack 1.

Installation Information

This security update supports the following setup switches:

       /help                 Displays the command line options

Setup Modes

       /quiet                Quiet mode (no user interaction or display)

       /passive            Unattended mode (progress bar only)

       /uninstall          Uninstalls the package

Restart Options

       /norestart          Do not restart when installation is complete

       /forcerestart      Restart after installation

Special Options

       /l                        Lists installed Windows hotfixes or update 
packages

       /o                       Overwrite OEM files without prompting

       /n                       Do not backup files needed for uninstall

       /f                        Force other programs to close when the 
computer shuts down

       /extract             Extracts files without starting setup

Note You can combine these switches into one command. For backward 
compatibility, the security update also supports the setup switches that 
the previous version of the setup utility uses. For more information about 
the supported installation switches, see Microsoft Knowledge Base Article 
about the supported installation switches, see Microsoft Knowledge Base 
Article 262841.

Deployment Information

To install the security update without any user intervention, use the 
following command at a command prompt for Windows Server 2003:

Windowsserver2003-kb840315-x86-enu /passive /quiet

To install the security update without forcing the system to restart, use 
the following command at a command prompt for Windows Server 2003:

Windowsserver2003-kb840315-x86-enu /norestart

For information about how to deploy this security update with Software 
Update Services, visit the Software Update Services Web site.

Restart Requirement

In some cases, this update does not require a restart. The installer stops 
the required services, applies the update, and then restarts the services. 
However, if the required services cannot be stopped for any reason or if 
required files are in use, this update will require a restart. If this 
occurs, a message appears that advises you to restart.

Removal Information

To remove this update, use the Add or Remove Programs tool in Control 
Panel.

System administrators can also use the Spuninst.exe utility to remove this 
security update. The Spuninst.exe utility is located in the 
%Windir%\$NTUninstallKB840315$\Spuninst folder. The Spuninst.exe utility 
supports the following setup switches:

/?: Show the list of installation switches.

/u: Use unattended mode.

/f: Force other programs to quit when the computer shuts down.

/z: Do not restart when the installation is complete.

/q: Use Quiet mode (no user interaction).

File Information

The English version of this update has the file attributes (or later) that 
are listed in the following table. The dates and times for these files are 
listed in coordinated universal time (UTC). When you view the file 
information, it is converted to local time. To find the difference between 
UTC and local time, use the Time Zone tab in the Date and Time tool in 
Control Panel.

Windows Server 2003 Enterprise Edition, Windows Server 2003 Standard 
Edition, Windows Server 2003 Web Edition, and Windows Server 2003 
Datacenter Edition:

Date         Time   Version       Size       File name   Folder
- -------------------------------------------------------------------------
23-Jun-2004  00:03  5.2.3790.185  123,392    Itss.dll    RTMGDR
23-Jun-2004  00:12  5.2.3790.185  123,392    Itss.dll    RTMQFE

Windows Server 2003 64-Bit Enterprise Edition and Windows Server 2003 
64-Bit Datacenter Edition:

Date         Time   Version       Size     File name    Platform  Folder
- -------------------------------------------------------------------------
23-Jun-2004  00:05  5.2.3790.185  361,472  Itss.dll     IA64      RTMGDR
23-Jun-2004  00:03  5.2.3790.185  123,392  Witss.dll    X86       RTMGDR
23-Jun-2004  00:12  5.2.3790.185  361,472  Itss.dll     IA64      RTMQFE
23-Jun-2004  00:12  5.2.3790.185  123,392  Witss.dll    X86       RTMQFE

Note When you install this security update on Windows Server 2003 or on 
Windows XP 64-Bit Edition Version 2003, the installer checks to see if any 
of the files that are being updated on your system have previously been 
updated by a Microsoft hotfix. If you have previously installed a hotfix 
to update one of these files, the installer copies the RTMQFE files to 
your system. Otherwise, the installer copies the RTMGDR files to your 
system. For more information, see Microsoft Knowledge Base Article 824994.

Verifying Update Installation


Microsoft Baseline Security Analyzer

To verify that a security update is installed on an affected system, you 
may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. 
This tool allows administrators to scan local and remote systems for 
missing security updates and for common security misconfigurations. For 
more information about MBSA, visit the Microsoft Baseline Security 
Analyzer Web site.


File Version Verification

Note Because there are several versions of Microsoft Windows, the 
following steps may be different on your computer. If they are, see your 
product documentation to complete these steps.

1.


Click Start, and then click Search.

2.


In the Search Results pane, click All files and folders under Search 
Companion.

3.


In the All or part of the file name box, type a file name from the 
appropriate file information table, and then click Search.

4.


In the list of files, right-click a file name from the appropriate file 
information table, and then click Properties.

Note Depending on the version of the operating system or programs 
installed, some of the files that are listed in the file information table 
may not be installed.

5.


On the Version tab, determine the version of the file that is installed on 
your computer by comparing it to the version that is documented in the 
appropriate file information table.

Note Attributes other than file version may change during installation. 
Comparing other file attributes to the information in the file information 
table is not a supported method of verifying the update installation. 
Also, in certain cases, files may be renamed during installation. If the 
file or version information is not present, use one of the other available 
methods to verify update installation.
~U

Registry Key Verification

You may also be able to verify the files that this security update has 
installed by reviewing the following registry key.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 
2003\SP1\KB840315\Filelist

Note This registry key may not contain a complete list of installed files. 
Also, this registry key may not be created correctly if an administrator 
or an OEM integrates or slipstreams the 840315 security update into the 
Windows installation source files.
Top of section


Windows XP (all versions)

Note For Windows XP 64-Bit Edition Version 2003, this security update is 
the same as the Windows Server 2003 64-Bit Edition security update.

Prerequisites
This security update requires the release version of Windows XP or Windows 
XP Service Pack 1 (SP1). For more information, see Microsoft Knowledge 
Base Article 322389.

Inclusion in Future Service Packs:
The update for this issue will be included in Windows XP Service Pack 2.

Installation Information

This security update supports the following setup switches:

       /help                 Displays the command line options

Setup Modes

       /quiet                Quiet mode (no user interaction or display)

       /passive            Unattended mode (progress bar only)

       /uninstall          Uninstalls the package

Restart Options

       /norestart          Do not restart when installation is complete

       /forcerestart      Restart after installation

Special Options

       /l                        Lists installed Windows hotfixes or update 
packages

       /o                       Overwrite OEM files without prompting

       /n                       Do not backup files needed for uninstall

       /f                        Force other programs to close when the 
computer shuts down

       /extract             Extracts files without starting setup

Note You can combine these switches into one command. For backward 
compatibility, the security update also supports the setup switches that 
the previous version of the setup utility uses. For more information about 
the supported installation switches, see Microsoft Knowledge Base Article 
262841.

Deployment Information

To install the security update without any user intervention, use the 
following command at a command prompt for Windows XP:

Windowsxp-kb840315-x86-enu /passive /quiet

To install the security update without forcing the system to restart, use 
the following command at a command prompt for Windows XP:

Windowsxp-kb840315-x86-enu /norestart

For more information about how to deploy this security update with 
Software Update Services, visit the Software Update Services Web site.

Restart Requirement

In some cases, this update does not require a restart. The installer stops 
the required services, applies the update, and then restarts the services. 
However, if the required services cannot be stopped for any reason or if 
required files are in use, this update will require a restart. If this 
occurs, a message appears that advises you to restart.

Removal Information

To remove this security update, use the Add or Remove Programs tool in 
Control Panel.

System administrators can also use the Spuninst.exe utility to remove this 
security update. The Spuninst.exe is located in the 
%Windir%\$NTUninstallKB840315$\Spuninst folder. The Spuninst.exe utility 
supports the following setup switches:

/?: Show the list of installation switches.

/u: Use unattended mode.

/f: Force other programs to quit when the computer shuts down.

/z: Do not restart when the installation is complete.

/q: Use Quiet mode (no user interaction).

File Information

The English version of this update has the file attributes (or later) that 
are listed in the following table. The dates and times for these files are 
listed in coordinated universal time (UTC). When you view the file 
information, it is converted to local time. To find the difference between 
UTC and local time, use the Time Zone tab in the Date and Time tool in 
Control Panel.

Windows XP Home Edition, Windows XP Professional, Windows XP Home Edition 
Service Pack 1, Windows XP Professional Service Pack 1, Windows XP Tablet 
PC Edition, and Windows XP Media Center Edition:

Date         Time   Version        Size       File name     Folder
- -------------------------------------------------------------------
23-Jun-2004  00:43  5.2.3790.185   123,392    Itss.dll      RTMQFE
23-Jun-2004  00:43  5.2.3790.185   123,392    Itss.dll      SP1QFE

Windows XP 64-Bit Edition Service Pack 1:

Date         Time   Version        Size       File name   Platform  Folder
- --------------------------------------------------------------------------
23-Jun-2004  00:49  5.2.3790.185   361,472    Itss.dll    IA64      SP1QFE
23-Jun-2004  00:43  5.2.3790.185   123,392    Witss.dll   X86       SPIQFE

Windows XP 64-Bit Edition Version 2003:

Date         Time   Version      Size         File name  Platform  Folder
- -------------------------------------------------------------------------
23-Jun-2004  00:05  5.2.3790.185 361,472      Itss.dll   IA64      RTMGDR
23-Jun-2004  00:03  5.2.3790.185 123,392      Witss.dll  X86       RTMGDR
23-Jun-2004  00:12  5.2.3790.185 361,472      Itss.dll   IA64      RTMQFE
23-Jun-2004  00:12  5.2.3790.185 123,392      Witss.dll  X86       RTMQFE

Notes The Windows XP and Windows XP 64-Bit Edition Version 2003 versions 
of this security update are packaged as dual-mode packages, which contain 
files for both the original version of Windows XP and Windows XP Service 
Pack 1 (SP1). For more information about dual-mode packages, see Microsoft 
Knowledge Base Article 328848.

When you install the Windows XP 64-Bit Edition Version 2003 security 
update, the installer checks to see if any of the files that are being 
updated on your system have previously been updated by a Microsoft hotfix. 
If you have previously installed a hotfix to update one of these files, 
the installer copies the RTMQFE files to your system. Otherwise, the 
installer copies the RTMGDR files to your system. For more information, 
see Microsoft Knowledge Base Article 824994.

Verifying Update Installation


Microsoft Baseline Security Analyzer

To verify that a security update is installed on an affected system, you 
may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. 
This tool allows administrators to scan local and remote systems for 
missing security updates and for common security misconfigurations. For 
more information about MBSA, visit the Microsoft Baseline Security 
Analyzer Web site.


File Version Verification

Note Because there are several versions of Microsoft Windows, the 
following steps may be different on your computer. If they are, see your 
product documentation to complete these steps.

1.


Click Start, and then click Search.

2.


In the Search Results pane, click All files and folders under Search 
Companion.

3.


In the All or part of the file name box, type a file name from the 
appropriate file information table, and then click Search.

4.


In the list of files, right-click a file name from the appropriate file 
information table, and then click Properties.

Note Depending on the version of the operating system or programs 
installed, some of the files that are listed in the file information table 
may not be installed.

5.


On the Version tab, determine the version of the file that is installed on 
your computer by comparing it to the version that is documented in the 
appropriate file information table.

Note Attributes other than file version may change during installation. 
Comparing other file attributes to the information in the file information 
table is not a supported method of verifying the update installation. 
Also, in certain cases, files may be renamed during installation. If the 
file or version information is not present, use one of the other available 
methods to verify update installation.


Registry Key Verification

You may also be able to verify the files that this security update has 
installed by reviewing the following registry keys.

For Windows XP Home Edition, Windows XP Professional, Windows XP Home 
Edition Service Pack 1, Windows XP Professional Service Pack 1, Windows XP 
64-Bit Edition Service Pack 1, Windows XP Tablet PC Edition, and Windows 
XP Media Center Edition:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 
XP\SP2\KB840315\Filelist

For Windows XP 64-Bit Edition Version 2003:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 
2003\SP1\KB840315\Filelist

Note These registry keys may not contain a complete list of installed 
files. Also, these registry keys may not be created correctly if an 
administrator or an OEM integrates or slipstreams the 840315 security 
update into the Windows installation source files.
Top of section


Windows 2000 (all versions)

Prerequisites
For Windows 2000, this security update requires Service Pack 2 (SP2), 
Service Pack 3 (SP3), or Service Pack 4 (SP4).

The software that is listed has been tested to determine if the versions 
are affected. Other versions either no longer include security update 
support or may not be affected. To determine the support lifecycle for 
your product and version, visit the Microsoft Support Lifecycle Web site.

For more information about how to obtain the latest service pack, see 
Microsoft Knowledge Base Article 260910.

Inclusion in Future Service Packs:
The update for this issue will be included in Windows 2000 Service Pack 5.

Installation Information

This security update supports the following setup switches:

       /help                 Displays the command line options

Setup Modes

       /quiet                Quiet mode (no user interaction or display)

       /passive            Unattended mode (progress bar only)

       /uninstall          Uninstalls the package

Restart Options

       /norestart          Do not restart when installation is complete

       /forcerestart      Restart after installation

Special Options

       /l                        Lists installed Windows hotfixes or update 
packages

       /o                       Overwrite OEM files without prompting

       /n                       Do not backup files needed for uninstall

       /f                        Force other programs to close when the 
computer shuts down

       /extract             Extracts files without starting setup

Note You can combine these switches into one command. For backward 
compatibility, the security update also supports the setup switches that 
the previous version of the setup utility uses. For more information about 
the supported installation switches, see Microsoft Knowledge Base Article 
262841.

Deployment Information

To install the security update without any user intervention, use the 
following command at a command prompt for Windows 2000 Service Pack 2, 
Windows 2000 Service Pack 3, and Windows 2000 Service Pack 4:

Windows2000-kb840315-x86-enu /passive /quiet

To install the security update without forcing the system to restart, use 
the following command at a command prompt for Windows 2000 Service Pack 2, 
Windows 2000 Service Pack 3, and Windows 2000 Service Pack 4:

Windows2000-kb840315-x86-enu /norestart

For more information about how to deploy this security update with 
Software Update Services, visit the Software Update Services Web site.

Restart Requirement

In some cases, this update does not require a restart. The installer stops 
the required services, applies the update, and then restarts the services. 
However, if the required services cannot be stopped for any reason or if 
required files are in use, this update will require a restart. If this 
occurs, a message appears that advises you to restart.

Removal Information

To remove this security update, use the Add or Remove Programs tool in 
Control Panel.

System administrators can also use the Spuninst.exe utility to remove this 
security update. The Spuninst.exe utility is located in the 
%Windir%\$NTUninstallKB840315$\Spuninst folder. The Spuninst.exe utility 
supports the following setup switches:

/?: Show the list of installation switches.

/u: Use unattended mode.

/f: Force other programs to quit when the computer shuts down.

/z: Do not restart when the installation is complete.

/q: Use Quiet mode (no user interaction).

File Information

The English version of this update has the file attributes (or later) that 
are listed in the following table. The dates and times for these files are 
listed in coordinated universal time (UTC). When you view the file 
information, it is converted to local time. To find the difference between 
UTC and local time, use the Time Zone tab in the Date and Time tool in 
Control Panel.

Note Date, time, file name, or size information could change during 
installation. See the Verifying Update Installation section for details 
about how to verify an installation.

Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, and Windows 2000 
Service Pack 4:

Date         Time   Version        Size     File name
- ------------------------------------------------------
22-Jun-2004  22:42  5.2.3790.185   123,392  Itss.dll

Verifying Update Installation


File Version Verification

Note Because there are several versions of Microsoft Windows, the 
following steps may be different on your computer. If they are, see your 
product documentation to complete these steps.

1.


Click Start, and then click Search.

2.


In the Search Results pane, click All files and folders under Search 
Companion.

3.


In the All or part of the file name box, type a file name from the 
appropriate file information table, and then click Search.

4.


In the list of files, right-click a file name from the appropriate file 
information table, and then click Properties.

Note Depending on the version of the operating system or programs 
installed, some of the files that are listed in the file information table 
may not be installed.

5.


On the Version tab, determine the version of the file that is installed on 
your computer by comparing it to the version that is documented in the 
appropriate file information table.

Note Attributes other than file version may change during installation. 
Comparing other file attributes to the information in the file information 
table is not a supported method of verifying the update installation. 
Also, in certain cases, files may be renamed during installation. If the 
file or version information is not present, use one of the other available 
methods to verify update installation.


Registry Key Verification

You may also be able to verify the files that this security update has 
installed by reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 
2000\SP5\KB840315\Filelist

Note This registry key may not contain a complete list of installed files. 
Also, this registry key may not be created correctly when an administrator 
or an OEM integrates or slipstreams the 840315 security update into the 
Windows installation source files.
Top of section


Windows NT 4.0 (all versions)

Prerequisites
This security update requires Windows NT Workstation 4.0 Service Pack 6a 
(SP6a), Windows NT Server 4.0 Service Pack 6a (SP6a), or Windows NT Server 
4.0 Terminal Server Edition Service Pack 6 (SP6) with Internet Explorer 6 
Service Pack 1 installed.

The software that is listed has been tested to determine if the versions 
are affected. Other versions either no longer include security update 
support or may not be affected. To determine the support lifecycle for 
your product and version, visit the following Microsoft Support Lifecycle 
Web site.

For more information about obtaining the latest service pack, see 
Microsoft Knowledge Base Article 152734.

Installation Information

This security update supports the following setup switches:

    /q: Specifies quiet mode, or suppresses prompts, when files are being 
extracted. This switch does not suppress prompts when Windows Update Setup 
is running.

    /q:u : Specifies user-quiet mode, which presents some dialog boxes to 
the user.

    /q:a : Specifies administrator-quiet mode, which does not present any 
dialog boxes to the user.

    /c:<UNC location> Specifies the path and name of the Setup .inf or .exe 
file.

    /r:n : Never restarts the computer after installation.

    /r:a : Always restarts the computer after installation.

    /r:s : Restarts the computer after installation without prompting the 
user.

    /T:<directory path: Specifies the target folder for extracting files.

Note You can combine these switches into one command. For more information 
about the supported installation switches, see Microsoft Knowledge Base 
Article 197147.

Deployment Information

To install the security update without any user intervention, use the 
following command at a command prompt:

Windowsnt4-kb840315-x86-enu /q:a

To install the security update without forcing the system to restart, use 
the following command at a command prompt:

Windowsnt4-kb840315-x86-enu /r:n

For more information about how to deploy this security update with 
Software Update Services, visit the Software Update Services Web site.

Restart Requirement

In some cases, this update does not require a restart. The installer stops 
the needed services, applies the update, and then restarts the services. 
However, if the required services cannot be stopped for any reason or if 
required files are in use, this update will require a restart. If this 
occurs, a message appears that advises you to restart.

Removal Information

To remove this security update, use the Add/Remove Programs tool in 
Control Panel.

Or

Click Start, click Run, type "RunDll32 advpack.dll,LaunchINFSectionEx 
%Windir%\$NTUninstallQ840315$\840315UP.INF,updfiles,,64" (without the 
quotation marks), and then click OK.

File Information

The English version of this update has the file attributes (or later) that 
are listed in the following table. The dates and times for these files are 
listed in coordinated universal time (UTC). When you view the file 
information, it is converted to local time. To find the difference between 
UTC and local time, use the Time Zone tab in the Date and Time tool in 
Control Panel.

Note Date, time, file name, or size information could change during 
installation. See the Verifying Update Installation section for details 
about how to verify an installation.

Windows NT Workstation 4.0 and Windows NT Server 4.0:

Date         Time   Version        Size     File name
- ------------------------------------------------------
22-Jun-2004 18:11  5.2.3790.185   123,392  Itss.dll

Windows NT Server 4.0 Terminal Server Edition:

Date         Time   Version         Size     File name
- -------------------------------------------------------
22-Jun-2004  18:11  5.2.3790.185    123,392  Itss.dll

Verifying Update Installation


Microsoft Baseline Security Analyzer

To verify that a security update is installed on an affected system, you 
may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. 
This tool allows administrators to scan local and remote systems for 
missing security updates and for common security misconfigurations. For 
more information about MBSA, visit the Microsoft Baseline Security 
Analyzer Web site.


File Version Verification

Note Because there are several versions of Microsoft Windows, the 
following steps may be different on your computer. If they are, see your 
product documentation to complete these steps.

1.


Click Start, and then click Search.

2.


In the Search Results pane, click All files and folders under Search 
Companion.

3.


In the All or part of the file name box, type a file name from the 
appropriate file information table, and then click Search.

4.


In the list of files, right-click a file name from the appropriate file 
information table, and then click Properties.

Note Depending on the version of the operating system or programs 
installed, some of the files that are listed in the file information table 
may not be installed.

5.


On the Version tab, determine the version of the file that is installed on 
your computer by comparing it to the version that is documented in the 
appropriate file information table.

Note Attributes other than file version may change during installation. 
Comparing other file attributes to the information in the file information 
table is not a supported method of verifying the update installation. 
Also, in certain cases, files may be renamed during installation. If the 
file or version information is not present, use one of the other available 
methods to verify update installation.


Registry Key Verification

You may also be able to verify the files that this security update has 
installed by reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Hotfix\Q840315

Note This registry key may not contain a complete list of installed files. 
Also, this registry key may not be created correctly when an administrator 
or an OEM integrates or slipstreams the 840315 security update into the 
Windows installation source files.
Top of section
Top of section

Acknowledgments

Microsoft thanks the following for working with us to help protect 
customers:


Brett Moore of Security-Assessment.com for reporting the HTML Help 
Vulnerability (CAN-2004-0201).

Obtaining Other Security Updates:

Updates for other security issues are available from the following 
locations:


Security updates are available from the Microsoft Download Center: You can 
find them most easily by doing a keyword search for "security_patch".


Updates for consumer platforms are available from the Windows Update Web 
site.

Support:


Customers in the U.S. and Canada can receive technical support from 
Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge 
for support calls that are associated with security updates.


International customers can receive support from their local Microsoft 
subsidiaries. There is no charge for support that is associated with 
security updates. For more information about how to contact Microsoft for 
support issues, visit the International Support Web site.

Security Resources:


The Microsoft TechNet Security Web site provides additional information 
about security in Microsoft products.


Microsoft Software Update Services


Microsoft Baseline Security Analyzer (MBSA)


Windows Update


Windows Update Catalog: For more information about the Windows Update 
Catalog, see Microsoft Knowledge Base Article 323166.


Office Update

Software Update Services:

By using Microsoft Software Update Services (SUS), administrators can 
quickly and reliably deploy the latest critical updates and security 
updates to Windows 2000 and Windows Server 2003-based servers, and to 
desktop systems that are running Windows 2000 Professional or Windows XP 
Professional.

For more information about how to deploy this security update with 
Software Update Services, visit the Software Update Services Web site.

Systems Management Server:

Microsoft Systems Management Server (SMS) delivers a highly-configurable 
enterprise solution for managing updates. By using SMS, administrators can 
identify Windows-based systems that require security updates and to 
perform controlled deployment of these updates throughout the enterprise 
with minimal disruption to end users. For more information about how 
administrators can use SMS 2003 to deploy security updates, see the SMS 
2003 Security Patch Management Web site. SMS 2.0 users can also use 
Software Updates Service Feature Pack to help deploy security updates. For 
information about SMS, visit the SMS Web site.

Note SMS uses the Microsoft Baseline Security Analyzer and the Microsoft 
Office Detection Tool to provide broad support for security bulletin 
update detection and deployment. Some software updates may not be detected 
by these tools. Administrators can use the inventory capabilities of the 
SMS in these cases to target updates to specific systems. For more 
information about this procedure, see the following Web site. Some 
security updates require administrative rights following a restart of the 
system. Administrators can use the Elevated Rights Deployment Tool 
(available in the SMS 2003 Administration Feature Pack and in the SMS 2.0 
Administration Feature Pack) to install these updates.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as 
is" without warranty of any kind. Microsoft disclaims all warranties, 
either express or implied, including the warranties of merchantability and 
fitness for a particular purpose. In no event shall Microsoft Corporation 
or its suppliers be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages, even if Microsoft Corporation or its suppliers have been advised 
of the possibility of such damages. Some states do not allow the exclusion 
or limitation of liability for consequential or incidental damages so the 
foregoing limitation may not apply.

Revisions:


V1.0 (July 13, 2004): Bulletin published

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBQPRhu+kli63F4U8VAQFWAwP+MbTZNOr6kjT2j9Kvk16jiBAlNf96CMY0
s2vD5fr7Hn0fsrzuJHQZCmn6EKNouavC/TTIvj2yRsgP33rPcgXkrwwJmE5guSHN
Qmgmlxu/9I+taobMt6fzStfVv0gp1UORlbLrojUFFwEAEIZfCPs5uGZuPRfzS2kv
FRrsFknZY/0=
=kvFR
-----END PGP SIGNATURE-----


----- End forwarded message -----


From security em unicamp.br  Wed Jul 14 10:42:44 2004
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Wed, 14 Jul 2004 10:42:44 -0300
Subject: [SECURITY-L] CAIS-Alerta: Vulnerabilidade no Windows Shell (839645)
Message-ID: <20040714134244.GG46533@unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br> -----

From: Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br>
Subject:  CAIS-Alerta: Vulnerabilidade no Windows Shell (839645)
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Tue, 13 Jul 2004 19:31:50 -0300 (BRST)

-----BEGIN PGP SIGNED MESSAGE-----


Prezados,

O CAIS esta' repassando o alerta divulgado pela Microsoft, intitulado 
"Microsoft Security Bulletin MS04-024: Vulnerability in Windows Shell 
Could Allow Remote Code Execution (839645)", que trata de uma 
vulnerabilidade presente no Shell de aplicativos do Windows, que pode ser 
explorada remotamente permitindo a execucao de codigo arbritario.

Esta vulnerabilidade esta sendo explorada ativamente pelo trojan 
Download.Ject, que vem agindo ha alguns dias na rede. Para explorar esta 
vulnerabilidade, um atacante precisaria criar uma pagina web ou email HTML 
com um link especialmente criado, e convencer o usuario a clicar nesse 
link.


Sistemas afetados:

. Microsoft Windows NT Workstation 4.0 Service Pack 6a
. Microsoft Windows NT Server 4.0 Service Pack 6a
. Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
. Microsoft Windows NT Workstation e Server 4.0 Service Pack 6a com Active 
Desktop
. Microsoft Windows 2000 Service Pack 2
. Microsoft Windows 2000 Service Pack 3
. Microsoft Windows 2000 Service Pack 4
. Microsoft Windows XP
. Microsoft Windows XP Service Pack 1
. Microsoft Windows XP 64-Bit Edition Service Pack 1
. Microsoft Windows XP 64-Bit Edition Version 2003
. Microsoft Windows Server 2003
. Microsoft Windows Server 2003 64-Bit Edition
. Microsoft Windows 98
. Microsoft Windows 98 Second Edition (SE)
. Microsoft Windows Millennium Edition (Me)


Correcoes disponiveis:

A correcao consiste na aplicacao dos correspondentes patches recomendados
pela Microsoft e disponiveis em:

. Microsoft Windows NT Workstation 4.0 Service Pack 6a
  http://www.microsoft.com/downloads/details.aspx?FamilyId=53F0C9C1-D72F-48E8-8F70-B29A70A618E2&displaylang=en

. Microsoft Windows NT Server 4.0 Service Pack 6a
  http://www.microsoft.com/downloads/details.aspx?FamilyId=58906E66-064C-4358-9BF9-BC67B1F57BC5&displaylang=en

. Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
  http://www.microsoft.com/downloads/details.aspx?FamilyId=34035CE3-1998-4693-8330-C4515A13407D&displaylang=en

. Microsoft Windows NT Workstation e Server 4.0 Service Pack 6a com Active 
Desktop
  http://www.microsoft.com/downloads/details.aspx?FamilyId=87096271-9716-4a46-93f3-d41fcbdf989a&displaylang=en

. Microsoft Windows 2000 Service Pack 2
  http://www.microsoft.com/downloads/details.aspx?FamilyId=397BE12B-A026-41A6-8E98-B4027BC6A110&displaylang=en

. Microsoft Windows 2000 Service Pack 3
  http://www.microsoft.com/downloads/details.aspx?FamilyId=397BE12B-A026-41A6-8E98-B4027BC6A110&displaylang=en

. Microsoft Windows 2000 Service Pack 4
  http://www.microsoft.com/downloads/details.aspx?FamilyId=397BE12B-A026-41A6-8E98-B4027BC6A110&displaylang=en

. Microsoft Windows XP
  http://www.microsoft.com/downloads/details.aspx?FamilyId=C3365B8E-666B-4C82-A9ED-FC0F84F107BA&displaylang=en

. Microsoft Windows XP Service Pack 1
  http://www.microsoft.com/downloads/details.aspx?FamilyId=C3365B8E-666B-4C82-A9ED-FC0F84F107BA&displaylang=en

. Microsoft Windows XP 64-Bit Edition Service Pack 1
  http://www.microsoft.com/downloads/details.aspx?FamilyId=3FEE07F5-9E31-481E-9F89-2549F51147AF&displaylang=en

. Microsoft Windows XP 64-Bit Edition Version 2003
  http://www.microsoft.com/downloads/details.aspx?FamilyId=79CCA663-5B72-4345-A3EE-404B466731BC&displaylang=en

. Microsoft Windows Server 2003
  http://www.microsoft.com/downloads/details.aspx?FamilyId=41C7BB26-3500-4492-A447-33440C404E4F&displaylang=en

. Microsoft Windows Server 2003 64-Bit Edition
  http://www.microsoft.com/downloads/details.aspx?FamilyId=79CCA663-5B72-4345-A3EE-404B466731BC&displaylang=en

. Microsoft Windows 98, 98 Second Edition (SE) e Millennium Edition (Me)
  Ver a secao FAQ no alerta original da Microsoft para saber mais sobre 
  estes sistemas operacionais.


Mais informacoes:

. Microsoft Security Bulletin MS04-024
  http://www.microsoft.com/technet/security/bulletin/MS04-024.mspx

. Microsoft Brasil - Security
  http://www.microsoft.com/brasil/security

. Technet Brasil - Central de Seguranca
  http://www.technetbrasil.com.br/seguranca


Identificador CVE: CAN-2004-0420 (http://cve.mitre.org)


O CAIS recomenda aos administradores de plataformas Microsoft que
mantenham seus sistemas e aplicativos sempre atualizados.

Os alertas do CAIS tambem sao oferecidos no formato RSS/RDF:

http://www.rnp.br/cais/alertas/rss.xml


Atenciosamente,

################################################################
#   CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)     #
#       Rede Nacional de Ensino e Pesquisa (RNP)               #
#                                                              #
# cais em cais.rnp.br       http://www.cais.rnp.br                #
# Tel. 019-37873300      Fax. 019-37873301                     #
# Chave PGP disponivel   http://www.rnp.br/cais/cais-pgp.key   #
################################################################


Microsoft Security Bulletin MS04-024
Vulnerability in Windows Shell Could Allow Remote Code Execution (839645)

Issued: July 13, 2004
Version: 1.0
Summary

Who should read this document: Customers who use Microsoft Windows

Impact of Vulnerability:  Remote Code Execution

Maximum Severity Rating: Important

Recommendation: Customers should install the update at the earliest 
opportunity.

Security Update Replacement: This update replaces MS03-027 on Windows XP. 
This update does not replace MS03-027 on Windows NT 4.0, on Windows 2000, 
or on Windows Server 2003.

Caveats: None

Tested Software and Security Update Download Locations:

Affected Software:


Microsoft Windows NT Workstation 4.0 Service Pack 6a Download the 
update


Microsoft Windows NT Server 4.0 Service Pack 6a Download the update


Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6 
Download the update


Microsoft Windows NT Workstation 4.0 Service Pack 6a and NT Server 4.0 
Service Pack 6a with Active Desktop  Download the update


Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 
3, Microsoft Windows 2000 Service Pack 4  Download the update


Microsoft Windows XP and Microsoft Windows XP Service Pack 1  Download 
the update


Microsoft Windows XP 64-Bit Edition Service Pack 1  Download the update


Microsoft Windows XP 64-Bit Edition Version 2003  Download the update


Microsoft Windows Server 2003  Download the update


Microsoft Windows Server 2003 64-Bit Edition  Download the update


Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and 
Microsoft Windows Millennium Edition (Me)  Review the FAQ section of this 
bulletin for details about these operating systems.

The software in this list has been tested to determine if the versions are 
affected. Other versions either no longer include security update support 
or may not be affected. To determine the support lifecycle for your 
product and version, visit the following Microsoft Support Lifecycle Web 
site.
Top of section
General Information

Executive Summary

Executive Summary:

This update resolves a newly-discovered, publicly reported vulnerability. 
A remote code execution vulnerability exists in the way that the Windows 
Shell launches applications.

If a user is logged on with administrative privileges, an attacker who 
successfully exploited this vulnerability could take complete control of 
an affected system, including installing programs; viewing, changing, or 
deleting data; or creating new accounts with full privileges. However, 
significant user interaction is required to exploit this vulnerability. 
Users whose accounts are configured to have fewer privileges on the system 
would be at less risk than users who operate with administrative 
privileges.

We recommend that customers consider applying the security update.

Severity Ratings and Vulnerability Identifiers:
Vulnerability Identifiers	Impact of Vulnerability	Windows 98, 98 SE, 
Me	Windows NT 4.0	Windows 2000	Windows XP	Windows Server 
2003

Windows Shell Vulnerability - CAN-2004-0420


Remote Code Execution


Not Critical


Important


Important


Important


Important

This assessment is based on the types of systems that are affected by the 
vulnerability, their typical deployment patterns, and the effect that 
exploiting the vulnerability would have on them.
Top of section

Frequently asked questions (FAQ) related to this security update

I'm still using Microsoft Windows NT 4.0 Workstation Service Pack 6a or 
Windows 2000 Service Pack 2, but extended security update support ended on 
June 30, 2004. However, this bulletin has a security update for these 
operating system versions. Why is that?
Windows NT 4.0 Workstation Service Pack 6a and Windows 2000 Service Pack 2 
have reached the end of their life cycles as previously documented, and 
Microsoft extended this support to June 30, 2004. However, the end-of-life 
for the extended support period occurred very recently. In this case, the 
majority of the steps that are required to address this vulnerability were 
completed before June 30, 2004. Therefore, we have decided to release 
security updates for these operating system versions as part of this 
security bulletin. We do not anticipate doing this for future 
vulnerabilities affecting these operating system versions, but we reserve 
the right to produce updates and to make these updates available when 
necessary.

It should be a priority for customers who have these operating system 
versions to migrate to supported versions to prevent potential exposure to 
future vulnerabilities. For more information about the Windows Product 
Life Cycle, visit the following Microsoft Support Lifecycle Web site. For 
more information about the extended security update support period for 
these operating system versions, visit the following Microsoft Product 
Support Services Web site.

Customers who require additional support for Windows NT Workstation 4.0 
SP6a must contact their Microsoft account team representative, their 
Technical Account Manager, or the appropriate Microsoft partner 
representative for custom support options. Customers without an Alliance, 
Premier, or Authorized Contract can contact their local Microsoft sales 
office. For contact information, visit the Microsoft Worldwide Information 
Web site, select the country, and then click Go to see a list of phone 
numbers. When you call, ask to speak with the local Premier Support sales 
manager.

For more information, see the Windows Operating System FAQ.

What updates does this release replace?
This security update replaces several prior security bulletins. The 
security bulletin IDs and operating systems that are affected are listed 
in the table below.
Bulletin ID	Windows NT 4.0	Windows 2000	Windows XP	Windows 
Server 2003

MS03-027


Not Replaced


Not Replaced


Replaced


Not Replaced

Does this update contain any other changes to functionality?
Yes. In addition to the changes that are listed in the Vulnerability 
Details section of this bulletin, this update includes the following 
changes in functionality:


This update refines a change made in Internet Explorer 6 Service Pack 1, 
which prevents Web pages that are loaded while a user is in the Internet 
zone from navigating to the Local Machine zone. This change was introduced 
to mitigate the effects of potential new cross domain vulnerabilities. The 
changes introduced in this update are additional enhancements of the 
Internet Explorer 6 Service Pack 1 restrictions.


Microsoft has also made another defense in depth change which limits the 
functionality of the Shell Automation Service ActiveX control 
(shell.application). This feature has been modified to provide greater 
security and to prevent potential malicious use. Microsoft considers this 
to be a defense in depth measure that we are taking to provide additional 
protection against malicious use.

How does the extended support for Windows 98, Windows 98 Second Edition, 
and Windows Millennium Edition affect the release of security updates for 
these operating systems?
Microsoft will only release security updates for critical security issues. 
Non-critical security issues are not offered during this support period. 
For more information about the Microsoft Support Lifecycle policies for 
these operating systems, visit the following Web site.

For more information about severity ratings, visit the following Web site.

Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition 
critically affected by any of the vulnerabilities that are addressed in 
this security bulletin?
No. None of these vulnerabilities are critical in severity on Windows 98, 
on Windows 98 Second Edition, or on Windows Millennium Edition.

Can I use the Microsoft Baseline Security Analyzer (MBSA) to determine if 
this update is required?
MBSA will determine if this update is required for Windows 2000 (all 
versions), Windows XP (all versions), and Windows 2003 (all versions). 
MBSA does not currently support the full detection of this update for the 
Windows NT 4.0 product (all versions). For more information about MBSA, 
visit the MBSA Web site.

Note After April 20, 2004, the Mssecure.xml file that is used by MBSA 
1.1.1 and earlier versions is no longer being updated with new security 
bulletin data. Therefore, scans that are performed after that date with 
MBSA 1.1.1 or earlier will be incomplete. All users should upgrade to MBSA 
1.2 because it provides more accurate security update detection and 
supports additional products. Users can download MBSA 1.2 from the MBSA 
Web site. For more information about MBSA support, visit the following 
Microsoft Baseline Security Analyzer 1.2 Q&A Web site.

Can I use Systems Management Server (SMS) to determine if this update is 
required?
SMS uses MBSA for detection. SMS can help detect and deploy this security 
update for Windows 2000 (all versions), Windows XP (all versions), and 
Windows 2003 (all versions). This update is not detected by MBSA for the 
Windows NT 4.0 product (all versions). However, the file and registry key 
information that is available in this bulletin can be used to write 
specific file and registry key collection queries in SMS to detect 
vulnerable computers. For information about how to deploy updates not 
supported by MBSA with SMS, please review Knowledge Base article 867832. 
For information about SMS, visit the SMS Web site.

What component installs the Shell-Integrated Browser (Active Desktop) on 
my Windows NT 4.0 system?
Microsoft Internet Explorer 4.0 can install this component. If you have 
Internet Explorer 4.0 installed on your system, you might have the 
Shell-Integrated Browser.

How do I know if I have Active Desktop installed on my Windows NT 4.0 
system?
Microsoft Knowledgebase Article 216840 contains information on how to 
determine if you have Active Desktop installed on your system.

Why is there no update available for Microsoft Windows NT Server 4.0 
Terminal Server Edition with Active Desktop?
Active Desktop is not supported on Microsoft Windows NT Server 4.0 
Terminal Server Edition. For more information see Microsoft Knowledge Base 
Article 186498.
Top of section

Vulnerability Details

Windows Shell Vulnerability - CAN-2004-0420:

A remote code execution vulnerability exists in the way that the Windows 
Shell launches applications. An attacker could exploit the vulnerability 
if a user visited a malicious Web site. If a user is logged on with 
administrative privileges, an attacker who successfully exploited this 
vulnerability could take complete control of an affected system. However, 
user interaction is required to exploit this vulnerability.

Mitigating Factors for Windows Shell Vulnerability - CAN-2004-0420:


In a Web-based attack scenario, an attacker would have to host a Web site 
that contains a Web page that is used to exploit this vulnerability. An 
attacker would have no way to force users to visit a malicious Web site. 
Instead, an attacker would have to persuade them to visit the Web site, 
typically by getting them to click a link that takes them to the 
attacker's site.


An attacker who successfully exploited this vulnerability could gain the 
same privileges as the user. Users whose accounts are configured to have 
fewer privileges on the system would be at less risk than users who 
operate with administrative privileges.
Top of section

Workarounds for Windows Shell Vulnerability - CAN-2004-0420:

None
Top of section

FAQ for Windows Shell Vulnerability - CAN-2004-0420:

What is the scope of the vulnerability?
This is remote code execution vulnerability. If a user is logged on with 
administrative privileges, an attacker who successfully exploited this 
vulnerability could take complete control of an affected system, including 
installing programs; viewing, changing, or deleting data; or creating new 
accounts with full privileges. However, user interaction is required to 
exploit this vulnerability. Users whose accounts are configured to have 
fewer privileges on the system would be at less risk than users who 
operate with administrative privileges.

What causes the vulnerability?
The Windows Shell application programming interface (API) supports the 
ability to associate a class identifier (CLSID) with a file type. An 
attacker could use a CLSID instead of the valid extension for a file type 
that could help persuade a user to run a malicious program.

What is Windows Shell application programming interface?
Windows Shell APIs are the programming interfaces that support extensions 
of the system~Rs operational environment. For more information about the 
Windows Shell application programming interface, visit the following Web 
site.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could gain the 
same privileges as the user. Users whose accounts are configured to have 
fewer privileges on the system would be at less risk than users who 
operate with administrative privileges.

How could an attacker exploit the vulnerability?
To exploit this vulnerability, an attacker would have to host a malicious 
Web site and then persuade a user to view that Web site. An attacker could 
also create an HTML e-mail message that has a specially crafted link, and 
then persuade a user to view the HTML e-mail message and then click the 
malicious link.

What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers are only 
at risk if users who do not have sufficient administrative credentials are 
given the ability to log on to servers and to run programs. However, best 
practices strongly discourage allowing this.

Are Windows 98, Windows 98 Second Edition or Windows Millennium Edition 
critically affected by this vulnerability?
No. Although Windows Millennium Edition does contain the affected 
component, the vulnerability is not critical. For more information about 
severity ratings, visit the following Web site.

What does the update do?
The update removes the ability to use a CLSID as a file type within 
Windows Shell.

When this security bulletin was issued, had this vulnerability been 
publicly disclosed?
Yes. This vulnerability has been publicly disclosed. It has been assigned 
Common Vulnerability and Exposure number CAN-2004-0420.

When this security bulletin was issued, had Microsoft received any reports 
that this vulnerability was being exploited?
No. Microsoft had seen examples of proof of concept code published 
publicly but had not received any information indicating that this 
vulnerability had been publicly used to attack customers when this 
security bulletin was originally issued.

Does applying this security update help protect customers from the code 
that has been published publicly that attempts to exploit this 
vulnerability?
Yes. This security update addresses the vulnerability that is currently 
being exploited. The vulnerability that has been addressed has been 
assigned the Common Vulnerability and Exposure number CAN-2004-0420.

Are there any other steps I should take in addition to applying this patch 
to help protect my computer?
Yes. In addition to applying this security update, it is recommended that 
users also install the ADODB.stream update that is referenced in Knowledge 
Base Article 870669. This update is available from Windows Update and from 
the Microsoft Download Center for all supported versions of Windows. While 
not a security patch, this update contains a change to the behavior of a 
Data Access component in Windows to help protect against attacks that are 
made by using Internet Explorer.

Specifically, it disables the ability for the ADODB.Stream object ability 
to function within Internet Explorer.
Top of section
Top of section
Top of section

Security Update Information

Installation Platforms and Prerequisites:

For information about the specific security update for your platform, 
click the appropriate link:

Windows Server 2003 (all versions)

Prerequisites
This security update requires a release version of Windows Server 2003.

Inclusion in Future Service Packs:
The update for this issue will be included in Windows Server 2003 Service 
Pack 1.

Installation Information

This security update supports the following setup switches:

       /help                 Displays the command line options

Setup Modes

       /quiet                Quiet mode (no user interaction or display)

       /passive            Unattended mode (progress bar only)

       /uninstall          Uninstalls the package

Restart Options

       /norestart          Do not restart when installation is complete

       /forcerestart      Restart after installation

Special Options

       /l                        Lists installed Windows hotfixes or update 
packages

       /o                       Overwrite OEM files without prompting

       /n                       Do not backup files needed for uninstall

       /f                        Force other programs to close when the 
computer shuts down

       /extract             Extracts files without starting setup

Note You can combine these switches into one command. For backward 
compatibility, the security update also supports the setup switches that 
the previous version of the setup utility uses. For more information about 
the supported installation switches, see Microsoft Knowledge Base Article 
about the supported installation switches, see Microsoft Knowledge Base 
Article 262841.

Deployment Information

To install the security update without any user intervention, use the 
following command at a command prompt for Windows Server 2003:

Windowsserver2003-kb839645-x86-enu /passive /quiet

To install the security update without forcing the system to restart, use 
the following command at a command prompt for Windows Server 2003:

Windowsserver2003-kb839645-x86-enu /norestart

For information about how to deploy this security update with Software 
Update Services, visit the Software Update Services Web site.

Restart Requirement

In some cases, this update does not require a restart. The installer stops 
the required services, applies the update, and then restarts the services. 
However, if the required services cannot be stopped for any reason or if 
required files are in use, this update will require a restart. If this 
occurs, a message appears that advises you to restart.

Removal Information

To remove this update, use the Add or Remove Programs tool in Control 
Panel.

System administrators can also use the Spuninst.exe utility to remove this 
security update. The Spuninst.exe utility is located in the 
%Windir%\$NTUninstallKB839645$\Spuninst folder. The Spuninst.exe utility 
supports the following setup switches:

/?: Show the list of installation switches.

/u: Use unattended mode.

/f: Force other programs to quit when the computer shuts down.

/z: Do not restart when the installation is complete.

/q: Use Quiet mode (no user interaction).

File Information

The English version of this update has the file attributes (or later) that 
are listed in the following table. The dates and times for these files are 
listed in coordinated universal time (UTC). When you view the file 
information, it is converted to local time. To find the difference between 
UTC and local time, use the Time Zone tab in the Date and Time tool in 
Control Panel.

Windows Server 2003 Enterprise Edition, Windows Server 2003 Standard 
Edition, Windows Server 2003 Web Edition, and Windows Server 2003 
Datacenter Edition:

Date         Time   Version      Size       File name    Folder
- -------------------------------------------------------------------------
17-Apr-2004  01:41  6.0.3790.162  8,168,960  Shell32.dll  RTMGDR
17-Apr-2004  02:10  6.0.3790.163  8,168,960  Shell32.dll  RTMQFE

Windows Server 2003 64-Bit Enterprise Edition and Windows Server 2003 
64-Bit Datacenter Edition:

Date         Time  Version      Size       File name    Platform Folder
- -------------------------------------------------------------------------
13-May-2004  00:09 6.0.3790.168 12,954,112 Shell32.dll  IA-64     Rtmgdr
13-May-2004  00:07 6.0.3790.168 8,168,960  Wshell32.dll x86 
Rtmgdr\Wow
12-May-2004  23:29 6.0.3790.169 12,955,136 Shell32.dll  IA-64     Rtmqfe
12-May-2004  23:29 6.0.3790.169 8,168,960  Wshell32.dll x86 
Rtmqfe\Wow

Note When you install this security update on Windows Server 2003 or on 
Windows XP 64-Bit Edition Version 2003, the installer checks to see if any 
of the files that are being updated on your system have previously been 
updated by a Microsoft hotfix. If you have previously installed a hotfix 
to update one of these files, the installer copies the RTMQFE files to 
your system. Otherwise, the installer copies the RTMGDR files to your 
system. For more information, see Microsoft Knowledge Base Article 824994.

Verifying Update Installation


Microsoft Baseline Security Analyzer

To verify that a security update is installed on an affected system, you 
may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. 
This tool allows administrators to scan local and remote systems for 
missing security updates and for common security misconfigurations. For 
more information about MBSA, visit the Microsoft Baseline Security 
Analyzer Web site.


File Version Verification

Note Because there are several versions of Microsoft Windows, the 
following steps may be different on your computer. If they are, see your 
product documentation to complete these steps.

1.


Click Start, and then click Search.

2.


In the Search Results pane, click All files and folders under Search 
Companion.

3.


In the All or part of the file name box, type a file name from the 
appropriate file information table, and then click Search.

4.


In the list of files, right-click a file name from the appropriate file 
information table, and then click Properties.

Note Depending on the version of the operating system or programs 
installed, some of the files that are listed in the file information table 
may not be installed.

5.


On the Version tab, determine the version of the file that is installed on 
your computer by comparing it to the version that is documented in the 
appropriate file information table.

Note Attributes other than file version may change during installation. 
Comparing other file attributes to the information in the file information 
table is not a supported method of verifying the update installation. 
Also, in certain cases, files may be renamed during installation. If the 
file or version information is not present, use one of the other available 
methods to verify update installation.


Registry Key Verification

You may also be able to verify the files that this security update has 
installed by reviewing the following registry keys.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 
2003\SP1\KB839645\Filelist

Note This registry key may not contain a complete list of installed files. 
Also, this registry key may not be created correctly if an administrator 
or an OEM integrates or slipstreams the 839645 security update into the 
Windows installation source files.
Top of section


Windows XP (all versions)

Note For Windows XP 64-Bit Edition Version 2003, this security update is 
the same as the Windows Server 2003 64-Bit Edition security update.

Prerequisites
This security update requires the release version of Windows XP or Windows 
XP Service Pack 1 (SP1). For more information, see Microsoft Knowledge 
Base Article 322389.

Inclusion in Future Service Packs:
The update for this issue will be included in Windows XP Service Pack 2.

Installation Information

This security update supports the following setup switches:

       /help                 Displays the command line options

Setup Modes

       /quiet                Quiet mode (no user interaction or display)

       /passive            Unattended mode (progress bar only)

       /uninstall          Uninstalls the package

Restart Options

       /norestart          Do not restart when installation is complete

       /forcerestart      Restart after installation

Special Options

       /l                        Lists installed Windows hotfixes or update 
packages

       /o                       Overwrite OEM files without prompting

       /n                       Do not backup files needed for uninstall

       /f                        Force other programs to close when the 
computer shuts down

       /extract             Extracts files without starting setup

Note You can combine these switches into one command. For backward 
compatibility, the security update also supports the setup switches that 
the previous version of the setup utility uses. For more information about 
the supported installation switches, see Microsoft Knowledge Base Article 
262841.

Deployment Information

To install the security update without any user intervention, use the 
following command at a command prompt for Windows XP:

Windowsxp-kb839645-x86-enu /passive /quiet

To install the security update without forcing the system to restart, use 
the following command at a command prompt for Windows XP:

Windowsxp-kb839645-x86-enu /norestart

For more information about how to deploy this security update with 
Software Update Services, visit the Software Update Services Web site.

Restart Requirement

In some cases, this update does not require a restart. The installer stops 
the required services, applies the update, and then restarts the services. 
However, if the required services cannot be stopped for any reason or if 
required files are in use, this update will require a restart. If this 
occurs, a message appears that advises you to restart.

Removal Information

To remove this security update, use the Add or Remove Programs tool in 
Control Panel.

System administrators can also use the Spuninst.exe utility to remove this 
security update. The Spuninst.exe is located in the 
%Windir%\$NTUninstallKB839645$\Spuninst folder. The Spuninst.exe utility 
supports the following setup switches:

/?: Show the list of installation switches.

/u: Use unattended mode.

/f: Force other programs to quit when the computer shuts down.

/z: Do not restart when the installation is complete.

/q: Use Quiet mode (no user interaction).

File Information

The English version of this update has the file attributes (or later) that 
are listed in the following table. The dates and times for these files are 
listed in coordinated universal time (UTC). When you view the file 
information, it is converted to local time. To find the difference between 
UTC and local time, use the Time Zone tab in the Date and Time tool in 
Control Panel.

Windows XP Home Edition, Windows XP Professional, Windows XP Home Edition 
Service Pack 1, Windows XP Professional Service Pack 1, Windows XP Tablet 
PC Edition, and Windows XP Media Center Edition:

Date         Time   Version        Size       File name     Folder
- -------------------------------------------------------------------
17-Apr-2004  18:42  6.0.2600.148   8,226,304  Shell32.dll   RTMQFE
17-Apr-2004  00:56  6.0.2800.1515  82,432     Fldrclnr.dll  SP1QFE
17-Apr-2004  00:56  6.0.2800.1517  8,349,184  Shell32.dll   SP1QFE
17-Apr-2004  00:56  5.1.2600.1515  676,864    Sxs.dll       SP1QFE
11-Apr-2004  04:04  5.1.2600.1515  593,408    Xpsp2res.dll  SP1QFE
17-Apr-2004  00:56  6.0.2800.1515  921,600    Comctl32.dll  SP1QFE

Windows XP 64-Bit Edition Service Pack 1:

Date         Time   Version        Size       File name     Platform
- ------------------------------------------------------------------------
11-Apr-2004  02:18  6.0.2800.1515  2,639,360  Comctl32.dll  IA-64 
sp1\Asms\60\Msft\Windows\Common\Controls
17-Apr-2004  00:47                 1,813      Controls.man 
sp1\Asms\60\Msft\Windows\Common\Controls
17-Apr-2004  00:47                 623        Comctl.man 
sp1\Asms\60\Policy\60\Comctl
17-Apr-2004  00:46  6.0.2800.1515  130,560    Fldrclnr.dll  IA-64 
sp1\Sp1qfe
10-Jun-2004  19:58  6.0.2800.1556  14,386,176 Shell32.dll   IA-64 
sp1\Sp1qfe
17-Apr-2004  00:46  5.1.2600.1515  2,018,816  Sxs.dll       IA-64 
sp1\Sp1qfe
11-Apr-2004  03:33  5.1.2600.1515  592,896    Xpsp2res.dll  IA-64 
sp1\Sp1qfe
17-Apr-2004  00:56  6.0.2800.1515  82,432     Wfldrclnr.dll x86 Sp1qfe\Wow
10-Jun-2004  19:51  6.0.2800.1556  8,350,720  Wshell32.dll  x86 Sp1qfe\Wow
17-Apr-2004  00:56  5.1.2600.1515  676,864    Wsxs.dll      x86 Sp1qfe\Wow
11-Apr-2004  04:04  5.1.2600.1515  593,408    Wxpsp2res.dll x86 Sp1qfe\Wow

Windows XP 64-Bit Edition Version 2003:

Date         Time  Version      Size       File name    Platform Folder
- -------------------------------------------------------------------------
13-May-2004  00:09 6.0.3790.168 12,954,112 Shell32.dll  IA-64    Rtmgdr
13-May-2004  00:07 6.0.3790.168 8,168,960  Wshell32.dll x86 
Rtmgdr\Wow
12-May-2004  23:29 6.0.3790.169 12,955,136 Shell32.dll  IA-64    Rtmqfe
12-May-2004  23:29 6.0.3790.169 8,168,960  Wshell32.dll x86 
Rtmqfe\Wow

Notes The Windows XP and Windows XP 64-Bit Edition Version 2003 versions 
of this security update are packaged as dual-mode packages, which contain 
files for both the original version of Windows XP and Windows XP Service 
Pack 1 (SP1). For more information about dual-mode packages, see Microsoft 
Knowledge Base Article 328848.

When you install the Windows XP 64-Bit Edition Version 2003 security 
update, the installer checks to see if any of the files that are being 
updated on your system have previously been updated by a Microsoft hotfix. 
If you have previously installed a hotfix to update one of these files, 
the installer copies the RTMQFE files to your system. Otherwise, the 
installer copies the RTMGDR files to your system. For more information, 
see Microsoft Knowledge Base Article 824994.

Verifying Update Installation


Microsoft Baseline Security Analyzer

To verify that a security update is installed on an affected system, you 
may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. 
This tool allows administrators to scan local and remote systems for 
missing security updates and for common security misconfigurations. For 
more information about MBSA, visit the Microsoft Baseline Security 
Analyzer Web site.


File Version Verification

Note Because there are several versions of Microsoft Windows, the 
following steps may be different on your computer. If they are, see your 
product documentation to complete these steps.

1.


Click Start, and then click Search.

2.


In the Search Results pane, click All files and folders under Search 
Companion.

3.


In the All or part of the file name box, type a file name from the 
appropriate file information table, and then click Search.

4.


In the list of files, right-click a file name from the appropriate file 
information table, and then click Properties.

Note Depending on the version of the operating system or programs 
installed, some of the files that are listed in the file information table 
may not be installed.

5.


On the Version tab, determine the version of the file that is installed on 
your computer by comparing it to the version that is documented in the 
appropriate file information table.

Note Attributes other than file version may change during installation. 
Comparing other file attributes to the information in the file information 
table is not a supported method of verifying the update installation. 
Also, in certain cases, files may be renamed during installation. If the 
file or version information is not present, use one of the other available 
methods to verify update installation.


Registry Key Verification

You may also be able to verify the files that this security update has 
installed by reviewing the following registry keys.

For Windows XP Home Edition, Windows XP Professional, Windows XP Home 
Edition Service Pack 1, Windows XP Professional Service Pack 1, Windows XP 
64-Bit Edition Service Pack 1, Windows XP Tablet PC Edition, and Windows 
XP Media Center Edition:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 
XP\SP2\KB839645\Filelist

For Windows XP 64-Bit Edition Version 2003:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 
2003\SP1\KB839645\Filelist

Note These registry keys may not contain a complete list of installed 
files. Also, these registry keys may not be created correctly if an 
administrator or an OEM integrates or slipstreams the 839645 security 
update into the Windows installation source files.
Top of section


Windows 2000 (all versions)

Prerequisites
For Windows 2000, this security update requires Service Pack 2 (SP2), 
Service Pack 3 (SP3), or Service Pack 4 (SP4).

The software that is listed has been tested to determine if the versions 
are affected. Other versions either no longer include security update 
support or may not be affected. To determine the support lifecycle for 
your product and version, visit the Microsoft Support Lifecycle Web site.

For more information about how to obtain the latest service pack, see 
Microsoft Knowledge Base Article 260910.

Inclusion in Future Service Packs:
The update for this issue will be included in Windows 2000 Service Pack 5.

Installation Information

This security update supports the following setup switches:

       /help                 Displays the command line options

Setup Modes

       /quiet                Quiet mode (no user interaction or display)

       /passive            Unattended mode (progress bar only)

       /uninstall          Uninstalls the package

Restart Options

       /norestart          Do not restart when installation is complete

       /forcerestart      Restart after installation

Special Options

       /l                        Lists installed Windows hotfixes or update 
packages

       /o                       Overwrite OEM files without prompting

       /n                       Do not backup files needed for uninstall

       /f                        Force other programs to close when the 
computer shuts down

       /extract             Extracts files without starting setup

Note You can combine these switches into one command. For backward 
compatibility, the security update also supports the setup switches that 
the previous version of the setup utility uses. For more information about 
the supported installation switches, see Microsoft Knowledge Base Article 
262841.

Deployment Information

To install the security update without any user intervention, use the 
following command at a command prompt for Windows 2000 Service Pack 2, 
Windows 2000 Service Pack 3, and Windows 2000 Service Pack 4:

Windows2000-kb839645-x86-enu /passive /quiet

To install the security update without forcing the system to restart, use 
the following command at a command prompt for Windows 2000 Service Pack 2, 
Windows 2000 Service Pack 3, and Windows 2000 Service Pack 4:

Windows2000-kb839645-x86-enu /norestart

For more information about how to deploy this security update with 
Software Update Services, visit the Software Update Services Web site.

Restart Requirement

In some cases, this update does not require a restart. The installer stops 
the required services, applies the update, and then restarts the services. 
However, if the required services cannot be stopped for any reason or if 
required files are in use, this update will require a restart. If this 
occurs, a message appears that advises you to restart.

Removal Information

To remove this security update, use the Add or Remove Programs tool in 
Control Panel.

System administrators can also use the Spuninst.exe utility to remove this 
security update. The Spuninst.exe utility is located in the 
%Windir%\$NTUninstallKB839645$\Spuninst folder. The Spuninst.exe utility 
supports the following setup switches:

/?: Show the list of installation switches.

/u: Use unattended mode.

/f: Force other programs to quit when the computer shuts down.

/z: Do not restart when the installation is complete.

/q: Use Quiet mode (no user interaction).

File Information

The English version of this update has the file attributes (or later) that 
are listed in the following table. The dates and times for these files are 
listed in coordinated universal time (UTC). When you view the file 
information, it is converted to local time. To find the difference between 
UTC and local time, use the Time Zone tab in the Date and Time tool in 
Control Panel.

Note Date, time, file name, or size information could change during 
installation. See the Verifying Update Installation section for details 
about how to verify an installation.

Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, and Windows 2000 
Service Pack 4:

Date         Time   Version         Size       File name
- ---------------------------------------------------------
14-Apr-2004  16:36  5.0.3900.6922   2,358,544  Shell32.dll
05-Feb-2004  20:18  5.0.2195.6896   5,869,056  Sp3res.dll

Verifying Update Installation


Microsoft Baseline Security Analyzer

To verify that a security update is installed on an affected system, you 
may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. 
This tool allows administrators to scan local and remote systems for 
missing security updates and for common security misconfigurations. For 
more information about MBSA, visit the Microsoft Baseline Security 
Analyzer Web site.


File Version Verification

Note Because there are several versions of Microsoft Windows, the 
following steps may be different on your computer. If they are, see your 
product documentation to complete these steps.

1.


Click Start, and then click Search.

2.


In the Search Results pane, click All files and folders under Search 
Companion.

3.


In the All or part of the file name box, type a file name from the 
appropriate file information table, and then click Search.

4.


In the list of files, right-click a file name from the appropriate file 
information table, and then click Properties.

Note Depending on the version of the operating system or programs 
installed, some of the files that are listed in the file information table 
may not be installed.

5.


On the Version tab, determine the version of the file that is installed on 
your computer by comparing it to the version that is documented in the 
appropriate file information table.

Note Attributes other than file version may change during installation. 
Comparing other file attributes to the information in the file information 
table is not a supported method of verifying the update installation. 
Also, in certain cases, files may be renamed during installation. If the 
file or version information is not present, use one of the other available 
methods to verify update installation.


Registry Key Verification

You may also be able to verify the files that this security update has 
installed by reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 
2000\SP5\KB839645\Filelist

Note This registry key may not contain a complete list of installed files. 
Also, this registry key may not be created correctly when an administrator 
or an OEM integrates or slipstreams the 839645 security update into the 
Windows installation source files.
Top of section


Windows NT 4.0 (without Active Desktop)

Prerequisites
This security update requires Windows NT Workstation 4.0 Service Pack 6a 
(SP6a), Windows NT Server 4.0 Service Pack 6a (SP6a), or Windows NT Server 
4.0 Terminal Server Edition Service Pack 6 (SP6).

The software that is listed has been tested to determine if the versions 
are affected. Other versions either no longer include security update 
support or may not be affected. To determine the support lifecycle for 
your product and version, visit the following Microsoft Support Lifecycle 
Web site.

For more information about obtaining the latest service pack, see 
Microsoft Knowledge Base Article 152734.

Installation Information

This security update supports the following setup switches:

    /y: Perform removal (only with /m or /q )

    /f: Force programs to quit during the shutdown process

    /n: Do not create an Uninstall folder

    /z: Do not restart when the update completes

    /q: Use Quiet or Unattended mode with no user interface (this switch is 
a superset of /m )

    /m: Use Unattended mode with a user interface

    /l: List the installed hotfixes

    /x: Extract the files without running Setup

Note You can combine these switches into one command. For more information 
about the supported installation switches, see Microsoft Knowledge Base 
Article 262841.

Deployment Information

To install the security update without any user intervention, use the 
following command at a command prompt for Windows NT Server 4.0:

Windowsnt4server-kb839645-x86-enu /q

For Windows NT Server 4.0 Terminal Server Edition:

Windowsnt4terminalserver-kb839645-x86-enu /q

For Windows NT Workstation 4.0:

Windowsnt4workstation-kb839645-x86-enu /q

To install the security update without forcing the system to restart, use 
the following command at a command prompt for Windows NT Server 4.0:

Windowsnt4server-kb839645-x86-enu /z

For Windows NT Server 4.0 Terminal Server Edition:

Windowsnt4terminalserver-kb839645-x86-enu /z

For Windows NT Workstation 4.0:

Windowsnt4workstation-kb839645-x86-enu /z

For more information about how to deploy this security update with 
Software Update Services, visit the Software Update Services Web site.

Restart Requirement

In some cases, this update does not require a restart. The installer stops 
the needed services, applies the update, and then restarts the services. 
However, if the required services cannot be stopped for any reason or if 
required files are in use, this update will require a restart. If this 
occurs, a message appears that advises you to restart.

Removal Information

To remove this security update, use the Add/Remove Programs tool in 
Control Panel.

System administrators can also use the Hotfix.exe utility to remove this 
security update. The Hotfix.exe utility is located in the 
%Windir%\$NTUninstallKB839645$ folder. The Hotfix.exe utility supports the 
following setup switches:

/y: Perform removal (only with the /m or /q switch)

/f: Force programs to quit during the shutdown process

/n: Do not create an Uninstall folder

/z: Do not restart when the installation is complete

/q: Use Quiet or Unattended mode with no user interface (this switch is a 
superset of the /m switch)

/m: Use Unattended mode with a user interface

/l: List the installed hotfixes

File Information

The English version of this update has the file attributes (or later) that 
are listed in the following table. The dates and times for these files are 
listed in coordinated universal time (UTC). When you view the file 
information, it is converted to local time. To find the difference between 
UTC and local time, use the Time Zone tab in the Date and Time tool in 
Control Panel.

Note Date, time, file name, or size information could change during 
installation. See the Verifying Update Installation section for details 
about how to verify an installation.

Windows NT Workstation 4.0 and Windows NT Server 4.0:

Date         Time   Version        Size       File name
- ------------------------------------------------------
06-Apr-2004  14:02  4.0.1381.7266  1,281,808  Shell32.dll

Windows NT Server 4.0 Terminal Server Edition:

Date         Time   Version         Size      File name
- -------------------------------------------------------
06-Apr-2004  14:06  4.0.1381.33563  1,301,264 Shell32.dll

Verifying Update Installation


File Version Verification

Note Because there are several versions of Microsoft Windows, the 
following steps may be different on your computer. If they are, see your 
product documentation to complete these steps.

1.


Click Start, and then click Search.

2.


In the Search Results pane, click All files and folders under Search 
Companion.

3.


In the All or part of the file name box, type a file name from the 
appropriate file information table, and then click Search.

4.


In the list of files, right-click a file name from the appropriate file 
information table, and then click Properties.

Note Depending on the version of the operating system or programs 
installed, some of the files that are listed in the file information table 
may not be installed.

5.


On the Version tab, determine the version of the file that is installed on 
your computer by comparing it to the version that is documented in the 
appropriate file information table.

Note Attributes other than file version may change during installation. 
Comparing other file attributes to the information in the file information 
table is not a supported method of verifying the update installation. 
Also, in certain cases, files may be renamed during installation. If the 
file or version information is not present, use one of the other available 
methods to verify update installation.


Registry Key Verification

You may also be able to verify the files that this security update has 
installed by reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Hotfix\KB839645\File 1

Note This registry key may not contain a complete list of installed files. 
Also, this registry key may not be created correctly when an administrator 
or an OEM integrates or slipstreams the 839645 security update into the 
Windows installation source files.
Top of section


Windows NT 4.0 (with Active Desktop)

Prerequisites

This security update requires Windows NT Workstation 4.0 Service Pack 6a 
(SP6a), Windows NT Server 4.0 Service Pack 6a (SP6a) with Active Desktop.

The software that is listed has been tested to determine if the versions 
are affected. Other versions either no longer include security update 
support or may not be affected. To determine the support lifecycle for 
your product and version, visit the following Microsoft Support Lifecycle 
Web site.

For more information about how to determine if you have Active Desktop 
installed, see Microsoft Knowledge Base Article 216840.

For more information about obtaining the latest service pack, see 
Microsoft Knowledge Base Article 152734.

The security update supports the following setup switches:

    /Q Specifies quiet mode, or suppresses prompts, when files are being 
extracted.

    /Q:U Specifies user-quiet mode, which presents some dialog boxes to the 
user.

    /Q:A Specifies administrator-quiet mode, which does not present any 
dialog boxes to the user.

    /T: <full path> Specifies the target folder for extracting files.

    /C Extracts the files without installing them. If /T: path is not 
specified, you are prompted for a target folder.

    /C: <Cmd> Override Install Command defined by author. Specifies the 
path and name of the setup .inf or .exe file.

    /R:N Never restarts the computer after installation.

    /R:I Prompts the user to restart the computer if a restart is required, 
except when used with /Q:A.

    /R:A Always restarts the computer after installation.

    /R:S Restarts the computer after installation without prompting the 
user.

    /N:V No version checking - Install the program over any previous 
version.

Note These switches do not necessarily work with all updates. If a switch 
is not available that functionality is necessary for the correct 
installation of the update. Also, the use of the /N:V switch is 
unsupported and may result in an unbootable system. If the installation is 
unsuccessful, you should consult your support professional to understand 
why it failed to install.

For additional information about the supported setup switches, see 
Microsoft Knowledge Base Article 197147.

Deployment Information

For example, to install the update without any user intervention and not 
force the system to restart, run the following command:

    IE-KB839645-WindowsNT4sp6-x86-ENU.exe

For information about how to deploy this security update with Software 
Update Services, visit the Software Update Services Web site.

Restart Requirements

In some cases, this update does not require a restart. The installer stops 
the required services, applies the update, and then restarts the services. 
However, if the required services cannot be stopped for any reason or if 
required files are in use, this update will require a restart. If this 
occurs, a message appears that advises you to restart.

Removal Information

To remove this update, use the Add or Remove Programs tool (or the 
Add/Remove Programs tool) in Control Panel. Click Internet Explorer 
Q839645, and then click Change/Remove (or click Add/Remove).

System administrators can use the Ieuninst.exe utility to remove this 
update. This security update installs the Ieuninst.exe utility in the 
%Windir% folder. This utility supports the following setup switches:

    /?: Show the list of supported switches

    /z: Do not restart when the installation is complete

    /q: Use Quiet mode (no user interaction)

For example, to remove this update quietly, use the following command:

    c:\windows\ieuninst /q c:\windows\inf\q839645.inf

Note This command assumes that Windows is installed in the C:\Windows 
folder.

File Information

The English version of this update has the file attributes (or later) that 
are listed in the following table. The dates and times for these files are 
listed in coordinated universal time (UTC). When you view the file 
information, it is converted to local time. To find the difference between 
UTC and local time, use the Time Zone tab in the Date and Time tool in 
Control Panel.

Date         Time   Version         Size       File name
- --------------------------------------------------------
03-Mar-2003  17:24  6.0.2800.1172   33,792     Ieuninst.exe
09-Oct-2003  17:04  6.0.2800.1271   27,136     Ieupdate.exe
03-Jun-2004  17:21                  5,629      Q839645.inf
03-Jun-2004  17:21                  5,711      Q839645_d.inf
11-May-2004  18:26  4.72.3841.1100  1,770,720  Shell32.dll

Verifying Update Installation


File Version Verification

Note Because there are several versions of Microsoft Windows, the 
following steps may be different on your computer. If they are, see your 
product documentation to complete these steps.

1.


Click Start, and then click Search.

2.


In the Search Results pane, click All files and folders under Search 
Companion.

3.


In the All or part of the file name box, type a file name from the 
appropriate file information table, and then click Search.

4.


In the list of files, right-click a file name from the appropriate file 
information table, and then click Properties.

Note Depending on the version of the operating system or programs 
installed, some of the files that are listed in the file information table 
may not be installed.

5.


On the Version tab, determine the version of the file that is installed on 
your computer by comparing it to the version that is documented in the 
appropriate file information table.

Note Attributes other than file version may change during installation. 
Comparing other file attributes to the information in the file information 
table is not a supported method of verifying the update installation. 
Also, in certain cases, files may be renamed during installation. If the 
file or version information is not present, use one of the other available 
methods to verify update installation.


Registry Key Verification

You may also be able to verify the files that this security update has 
installed by reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed 
Components\{7ac88637-e78a-4036-a333-f65808b791bc}

Note Confirm that the IsInstalled DWORD value with a data value of 1 
appears in the registry key.


Program Version Verification

Confirm that Q839645 is listed in the Update Versions field in the About 
Internet Explorer dialog box
Top of section

Top of section

Obtaining Other Security Updates:

Updates for other security issues are available from the following 
locations:


Security updates are available from the Microsoft Download Center: You can 
find them most easily by doing a keyword search for "security_patch".


Updates for consumer platforms are available from the Windows Update Web 
site.

Support:


Customers in the U.S. and Canada can receive technical support from 
Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge 
for support calls that are associated with security updates.


International customers can receive support from their local Microsoft 
subsidiaries. There is no charge for support that is associated with 
security updates. For more information about how to contact Microsoft for 
support issues, visit the International Support Web site.

Security Resources:


The Microsoft TechNet Security Web site provides additional information 
about security in Microsoft products.


Microsoft Software Update Services


Microsoft Baseline Security Analyzer (MBSA)


Windows Update


Windows Update Catalog: For more information about the Windows Update 
Catalog, see Microsoft Knowledge Base Article 323166.


Office Update

Software Update Services:

By using Microsoft Software Update Services (SUS), administrators can 
quickly and reliably deploy the latest critical updates and security 
updates to Windows 2000 and Windows Server 2003-based servers, and to 
desktop systems that are running Windows 2000 Professional or Windows XP 
Professional.

For more information about how to deploy this security update with 
Software Update Services, visit the Software Update Services Web site.

Systems Management Server:

Microsoft Systems Management Server (SMS) delivers a highly-configurable 
enterprise solution for managing updates. By using SMS, administrators can 
identify Windows-based systems that require security updates and to 
perform controlled deployment of these updates throughout the enterprise 
with minimal disruption to end users. For more information about how 
administrators can use SMS 2003 to deploy security updates, see the SMS 
2003 Security Patch Management Web site. SMS 2.0 users can also use 
Software Updates Service Feature Pack to help deploy security updates. For 
information about SMS, visit the SMS Web site.

Note SMS uses the Microsoft Baseline Security Analyzer and the Microsoft 
Office Detection Tool to provide broad support for security bulletin 
update detection and deployment. Some software updates may not be detected 
by these tools. Administrators can use the inventory capabilities of the 
SMS in these cases to target updates to specific systems. For more 
information about this procedure, see the following Web site. Some 
security updates require administrative rights following a restart of the 
system. Administrators can use the Elevated Rights Deployment Tool 
(available in the SMS 2003 Administration Feature Pack and in the SMS 2.0 
Administration Feature Pack) to install these updates.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as 
is" without warranty of any kind. Microsoft disclaims all warranties, 
either express or implied, including the warranties of merchantability and 
fitness for a particular purpose. In no event shall Microsoft Corporation 
or its suppliers be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages, even if Microsoft Corporation or its suppliers have been advised 
of the possibility of such damages. Some states do not allow the exclusion 
or limitation of liability for consequential or incidental damages so the 
foregoing limitation may not apply.

Revisions:


V1.0 (July 13, 2004): Bulletin published

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBQPRi4ukli63F4U8VAQGIYwP+LXOG5Tfk8btYu+k4lwlj6w4+FzhaCN46
HETZorMIPMr2Hoa6sKc34qXbdX4cIckI6GNZORgV5s8eeVVZOxrJkpLz1nS2X63A
JAPWUMCqwG3BjtN+/4GDVJd3NiVbWseknDi1tq7zQxFGrroSQncZnW4icJdDbjNS
2vxJIbGxSy4=
=VAbv
-----END PGP SIGNATURE-----


----- End forwarded message -----


From security em unicamp.br  Fri Jul 16 14:57:08 2004
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Fri, 16 Jul 2004 14:57:08 -0300
Subject: [SECURITY-L] Vulnerabilidades de seguranca
Message-ID: <20040716175708.GA50426@unicamp.br>


Srs. Usuarios,

Atualizamos o site do CSIRT (Computer Security Incident Response Team) 
da Unicamp com os seguintes boletins de vulnerabilidades:


Anúncio de Segurança do Conectiva Linux
---------------------------------------
15/07/2004 - CLA-2004:846
Assunto: Correções para vulnerabilidades do kernel.
http://www.security.unicamp.br/docs/bugs/2005/07/v46.txt


Bugzilla Security Advisory:
---------------------------
10/07/2004
Assunto: Database Password Compromise, Privilege escalation, Information Leak,
Cross-site scripting vulnerability, User Password embedded in URL, 
Remote SQL injection vulnerability. 
http://www.security.unicamp.br/docs/bugs/2005/07/v26.txt


CAIS-Alerta
-----------
13/07/2004
Assunto: Vulnerabilidade no Windows Shell (839645). 
http://www.security.unicamp.br/docs/bugs/2005/07/v36.txt

13/07/2004
Assunto: Vulnerabilidade no HTML Help. 
http://www.security.unicamp.br/docs/bugs/2005/07/v35.txt

13/07/2004
Assunto: Vulnerabilidade no Agendador de Tarefas (841873). 
http://www.security.unicamp.br/docs/bugs/2004/07/v34.txt

13/07/2004
Assunto: Update de seguranca para o IIS 4.0 (841373) 
http://www.security.unicamp.br/docs/bugs/2004/07/v33.txt

13/07/2004
Assunto: Vulnerabilidade no subsistema POSIX do Windows (841872). 
http://www.security.unicamp.br/docs/bugs/2004/07/v32.txt

13/07/2004
Assunto: Vulnerabilidade no Utility Manager (842526). 
http://www.security.unicamp.br/docs/bugs/2004/07/v31.txt

13/07/2004
Assunto: Patch Acumulativo para o Outlook Express (823353). 
http://www.security.unicamp.br/docs/bugs/2004/07/v30.txt

05/07/2004
Assunto: Atualizacao no IE para desabilitar controle ActiveX ADODB.Stream.
http://www.security.unicamp.br/docs/bugs/2004/07/v12.txt


Debian Security Advisory
------------------------
03/07/2004 - DSA 527-1
Assunto: vulnerabilidade de seguranca no pacote pavuk.
http://www.security.unicamp.br/docs/bugs/2004/07/v9.txt

03/07/2004 - DSA 526-1
Assunto: vulnerabilidade de seguranca no pacote webmin.
http://www.security.unicamp.br/docs/bugs/2004/07/v8.txt


Fedora Update Notification
--------------------------
14/07/2004 - FEDORA-2004-220
Assunto: Fedora Core 2: ethereal. 
http://www.security.unicamp.br/docs/bugs/2004/07/v39.txt

14/07/2004 - FEDORA-2004-219
Assunto: Fedora Core 1: ethereal. 
http://www.security.unicamp.br/docs/bugs/2004/07/v38.txt

09/07/2004 - FEDORA-2004-214
Assunto: Fedora Core 2: ppp. 
http://www.security.unicamp.br/docs/bugs/2004/07/v24.txt

08/07/2004 - FEDORA-2004-208
Assunto: Fedora Core 2: im-sdk.
http://www.security.unicamp.br/docs/bugs/2004/07/v22.txt

06/07/2004 - FEDORA-2004-198
Assunto: Fedora Core 2: xorg-x11. 
http://www.security.unicamp.br/docs/bugs/2004/07/v15.txt


FreeBSD Security Advisory
-------------------------
01/07/2004 - FreeBSD-SA-04:13
Assunto: Linux binary compatibility mode input validation error.
http://www.security.unicamp.br/docs/bugs/2004/07/v4.txt


Gentoo Linux Security Advisory
------------------------------
15/07/2004 - GLSA 200407-13
Assunto: PHP: Multiple security vulnerabilities. 
http://www.security.unicamp.br/docs/bugs/2004/07/v45.txt

14/07/2004 - GLSA 200407-11
Assunto: wv: Buffer overflow vulnerability.
http://www.security.unicamp.br/docs/bugs/2004/07/v37.txt

12/07/2004 - GLSA 200407-10
Assunto: rsync: Directory traversal in rsync daemon. 
http://www.security.unicamp.br/docs/bugs/2004/07/v28.txt

11/07/2004 - GLSA 200407-09
Assunto: MoinMoin: Group ACL bypass. 
http://www.security.unicamp.br/docs/bugs/2004/07/v27.txt

09/07/2004 - GLSA 200407-08
Assunto: Ethereal: Multiple security problems. 
http://www.security.unicamp.br/docs/bugs/2004/07/v23.txt

08/07/2004 - GLSA 200407-07
Assunto: Shorewall : Insecure temp file handling. 
http://www.security.unicamp.br/docs/bugs/2004/07/v19.txt

08/07/2004 - GLSA 200407-06
Assunto: libpng: Buffer overflow on row buffers. 
http://www.security.unicamp.br/docs/bugs/2004/07/v18.txt

05/07/2004 - GLSA 200407-05
Assunto: XFree86, X.org: XDM ignores requestPort setting. 
http://www.security.unicamp.br/docs/bugs/2004/07/v13.txt

04/07/2004 - GLSA 200407-04
Assunto: Pure-FTPd: Potential DoS when maximum connections is reached.
http://www.security.unicamp.br/docs/bugs/2004/07/v11.txt

04/07/2004 - GLSA 200407-03
Assunto:  Apache 2: Remote denial of service attack. 
http://www.security.unicamp.br/docs/bugs/2004/07/v10.txt

01/07/2004 - GLSA 200407-01
Assunto: Esearch: Insecure temp file handling.
http://www.security.unicamp.br/docs/bugs/2004/07/v5.txt


HP Security Bulletin
--------------------
13/07/2004 - HPSBOV01056_1
Assunto: SSRT4741 Rev.1 DCE for HP OpenVMS Potential RPC Buffer 
Overrun Attack. 
http://www.security.unicamp.br/docs/bugs/2004/07/v40.txt

02/07/2004 - HPSBTU01043
Assunto: SSRT4718 rev.0 HP Tru64 UNIX NTP Integer Overflow.
http://www.security.unicamp.br/docs/bugs/2004/07/v17.txt


Mandrake Linux Security Update Advisory
---------------------------------------
14/07/2004 - MDKSA-2004:070
Assunto: vulnerabilidade de seguranca no pacote freeswan.
http://www.security.unicamp.br/docs/bugs/2004/07/v44.txt

14/07/2004 - MDKSA-2004:069
Assunto: vulnerabilidade de seguranca no pacote ipsec-tools.
http://www.security.unicamp.br/docs/bugs/2004/07/v43.txt

14/07/2004 - MDKSA-2004:068
Assunto: vulnerabilidade de seguranca no pacote php.
http://www.security.unicamp.br/docs/bugs/2004/07/v42.txt

09/07/2004 - MDKSA-2004:067
Assunto: vulnerabilidade de seguranca no pacote ethereal.
http://www.security.unicamp.br/docs/bugs/2004/07/v25.txt

06/07/2004 - MDKSA-2004:066
Assunto: vulnerabilidade de seguranca no kernel.
http://www.security.unicamp.br/docs/bugs/2004/07/v16.txt


Microsoft Security Bulletins
----------------------------
13/07/2004
Assunto: Microsoft Security Bulletin Summary for July 2004.
http://www.security.unicamp.br/docs/bugs/2004/07/v29.txt


Mozilla Security Advisory:
----------------------------
08/07/2004 - Windows shell: scheme exposed in Mozilla 
http://www.security.unicamp.br/docs/bugs/2004/07/v21.txt


OpenPKG Security Advisory 
-------------------------
08/07/2004 - OpenPKG-SA-2004.031
Assunto: vulnerabilidade de seguranca no pacote dhcpd.
http://www.security.unicamp.br/docs/bugs/2004/07/v20.txt

06/07/2004 - OpenPKG-SA-2004.030
Assunto: vulnerabilidade de seguranca no pacote png.
http://www.security.unicamp.br/docs/bugs/2004/07/v14.txt


SUSE Security Announcement:
---------------------------
16/07/2004 - SUSE-SA:2004:021
Assunto: vulnerabilidade de seguranca nos pacotes php4/mod_php4. 
http://www.security.unicamp.br/docs/bugs/2004/07/v47.txt

02/07/2004 - SUSE-SA:2004:020
Assunto: vulnerabilidade de seguranca no kernel.
http://www.security.unicamp.br/docs/bugs/2004/07/v6.txt


US-CERT Technical Cyber Security Alert
--------------------------------------
14/07/2004 - TA04-196A
Assunto: Multiple Vulnerabilities in Microsoft Windows Components and 
Outlook Express. 
http://www.security.unicamp.br/docs/bugs/2004/07/v41.txt

02/07/2004
Assunto: Internet Explorer Update to Disable ADODB.Stream ActiveX Control.
http://www.security.unicamp.br/docs/bugs/2004/07/v7.txt


--
Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - UNICAMP
mailto:security em unicamp.br
http://www.security.unicamp.br


From security em unicamp.br  Mon Jul 19 16:26:33 2004
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Mon, 19 Jul 2004 16:26:33 -0300
Subject: [SECURITY-L] Encontrada falha grave no kernel do Linux
Message-ID: <20040719192633.GA1085@unicamp.br>

From: Nelson Murilo <nelson em pangeia.com.br>
Subject: [S] Encontrada falha grave no kernel do Linux
To: seguranca em pangeia.com.br
Date: Fri, 16 Jul 2004 16:57:51 -0300

[http://idgnow.uol.com.br/AdPortalv5/SegurancaInterna.aspx?GUID=77CF3DAB-395C-461F-9135-A8BA8ED021B3&ChannelID=21080105] 
                                                                            
  Encontrada falha grave no kernel do Linux                                 
  Sexta-feira, 16 julho de 2004 - 11:56                                     
  IDG Now!                                                                  
                                                                            
  A Gentoo anunciou na quarta-feira (14/07) a descoberta de outra falha     
  grave no kernel do Linux. A vulnerabilidade, considerada de alto risco,   
  permite que um usuário malicioso provoque um ataque remoto de negação de  
  serviço (DoS, em inglês) em todas as versões da série 2.6 do kernel.      
                                                                            
  A falha pode ser explorada por um usuário mal intencionado ao mandar um   
  pacote TCP com falhas propositais, podendo colocar o kernel afetado em um 
  loop infinito. O kernel em loop consome todos os recursos de              
  processamento da máquina, provocando um congelamento das demais tarefas.  
                                                                            
  O kernel do Linux é responsável por gerenciar os aspectos fundamentais de 
  um sistema GNU/Linux, provendo uma interface para aplicações de sistema   
  bem como uma estrutura essencial de acesso a periféricos e hardwares.     
                                                                            
  A Gentoo afirma que 14 versões do Kernel são vulneráveis, e recomenda     
  atualização urgente dos sistemas                                          
                                                                            
                                                                            
                                                                            
                                                                            

----- End forwarded message -----


From security em unicamp.br  Tue Jul 20 15:50:23 2004
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Tue, 20 Jul 2004 15:50:23 -0300
Subject: [SECURITY-L] Vulnerabilidades de seguranca
Message-ID: <20040720185023.GA2952@unicamp.br>


Srs. Usuarios,

Atualizamos o site do CSIRT (Computer Security Incident Response Team) 
da Unicamp com os seguintes boletins de vulnerabilidades:


Anúncio de Segurança do Conectiva Linux
---------------------------------------
16/07/2004 - CLA-2004:848
Assunto: Vulnerabilidade na ACL do Webmin. 
http://www.security.unicamp.br/docs/bugs/2004/07/v52.txt

16/07/2004 - CLA-2004:847
Assunto: Vulnerabilidade de execução remota de código arbitrário e outras
no pacote php4. 
http://www.security.unicamp.br/docs/bugs/2004/07/v50.txt


CAIS-Alerta
-----------
19/07/2004
Assunto: Multiplas Vulnerabilidades em componentes do MS Windows e MS 
Outlook Express (TA04-196A). 
http://www.security.unicamp.br/docs/bugs/2004/07/v56.txt 


Debian Security Advisory
------------------------
17/07/2004 - DSA 530-1
Assunto: vulnerabilidade de seguranca no pacote l2tpd. 
http://www.security.unicamp.br/docs/bugs/2004/07/v54.txt 

17/07/2004 - DSA 529-1
Assunto: vulnerabilidade de seguranca no pacote netkit-telnet-ssl. 
http://www.security.unicamp.br/docs/bugs/2004/07/v55.txt 

17/07/2004 - DSA 528-1
Assunto: vulnerabilidade de seguranca no pacote ethereal. 
http://www.security.unicamp.br/docs/bugs/2004/07/v53.txt 


Fedora Update Notification
--------------------------
19/07/2004 - FEDORA-2004-204
Assunto: Fedora Core 2: httpd 
http://www.security.unicamp.br/docs/bugs/2004/07/v58.txt 

19/07/2004 - FEDORA-2004-203
Assunto: Fedora Core 1: httpd. 
http://www.security.unicamp.br/docs/bugs/2004/07/v57.txt 


Gentoo Linux Security Advisory
------------------------------
14/07/2004 - GLSA 200407-12
Assunto: Linux Kernel: Remote DoS vulnerability with IPTables TCP Handling.
http://www.security.unicamp.br/docs/bugs/2004/07/v48.txt 


HP Security Bulletin
--------------------
16/07/2004 - HPSBUX01059
Assunto: SSRT4704 rev.0 HP-UX wu-ftpd local unauthorized access. 
http://www.security.unicamp.br/docs/bugs/2004/07/v49.txt 


OpenPKG Security Advisory 
-------------------------
16/07/2004 - OpenPKG-SA-2004.032
Assunto: vulnerabilidade de seguranca no pacote apache. 
http://www.security.unicamp.br/docs/bugs/2004/07/v51.txt 

--
Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - UNICAMP
mailto:security em unicamp.br
http://www.security.unicamp.br


From security em unicamp.br  Wed Jul 21 14:47:15 2004
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Wed, 21 Jul 2004 14:47:15 -0300
Subject: [SECURITY-L] Vulnerabilidades de seguranca
Message-ID: <20040721174715.GA5280@unicamp.br>

Srs. Usuarios,

Atualizamos o site do CSIRT (Computer Security Incident Response Team) 
da Unicamp com os seguintes boletins de vulnerabilidades:


Fedora Legacy Update Advisory
-----------------------------
19/07/2004 - FLSA:1734
Assunto: Updated mailman resolves security vulnerability. 
http://www.security.unicamp.br/docs/bugs/2004/07/v62.txt

19/07/2004 - FLSA:1324
Assunto: Updated libxml2 resolves security vulnerability. 
http://www.security.unicamp.br/docs/bugs/2004/07/v61.txt


Gentoo Linux Security Advisory
------------------------------
20/07/2004 - GLSA 200407-15
Assunto: Opera: Multiple spoofing vulnerabilities. 
http://www.security.unicamp.br/docs/bugs/2004/07/v63.txt

19/07/2004 - GLSA 200407-14
Assunto: Unreal Tournament 2003/2004: Buffer overflow in 'secure' queries. 
http://www.security.unicamp.br/docs/bugs/2004/07/v59.txt


SCO Security Advisory
---------------------
14/07/2004 - SCOSA-2004.7
Assunto: OpenServer 5.0.6 OpenServer 5.0.7 : MMDF Various buffer overflows 
and other security issues.
http://www.security.unicamp.br/docs/bugs/2004/07/v60.txt


Slackware Security Advisory
---------------------------
20/07/2004 - SSA:2004-202-01
Assunto: vulnerabilidade de seguranca no pacote PHP.
http://www.security.unicamp.br/docs/bugs/2004/07/v64.txt


--
Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - UNICAMP
mailto:security em unicamp.br
http://www.security.unicamp.br


From security em unicamp.br  Thu Jul 22 14:46:50 2004
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Thu, 22 Jul 2004 14:46:50 -0300
Subject: [SECURITY-L] Security Release - Samba 3.0.5 and 2.2.10
Message-ID: <20040722174649.GD10065@unicamp.br>

----- Forwarded message from "Gerald (Jerry) Carter" <jerry em samba.org> -----

From: "Gerald (Jerry) Carter" <jerry em samba.org>
Subject: Security Release - Samba 3.0.5 and 2.2.10
To: bugtraq em securityfocus.com
Date: Thu, 22 Jul 2004 06:14:37 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Summary:       Potential Buffer Overruns in Samba 3.0 and Samba 2.2
CVE ID:        CAN-2004-0600, CAN-2004-0686
~               (http://cve.mitre.org/)

- -------------
CAN-2004-0600
- -------------

Affected Versions:      >= v3.0.2

The internal routine used by the Samba Web Administration
Tool (SWAT v3.0.2 and later) to decode the base64 data
during HTTP basic authentication is subject to a buffer
overrun caused by an invalid base64 character.  It is
recommended that all Samba v3.0.2 or later installations
running SWAT either (a) upgrade to v3.0.5, or (b) disable
the swat administration service as a temporary workaround.

This same code is used internally to decode the
sambaMungedDial attribute value when using the ldapsam
passdb backend. While we do not believe that the base64
decoding routines used by the ldapsam passdb backend can
be exploited, sites using an LDAP directory service with
Samba are strongly encouraged to verify that the DIT only
allows write access to sambaSamAccount attributes by a
sufficiently authorized user.

The Samba Team would like to heartily thank Evgeny Demidov
for analyzing and reporting this bug.


- -------------
CAN-2004-0686
- -------------

Affected Versions:      >= v2.2.9, >= v3.0.0


A buffer overrun has been located in the code used to support
the 'mangling method = hash' smb.conf option.  Please be aware
that the default setting for this parameter in Samba 3 is
'mangling method = hash2' and therefore not vulnerable.

Affected Samba installations can avoid this possible security
bug by using the hash2 mangling method.  Server installations
requiring the hash mangling method are encouraged to upgrade
to Samba 3.0.5 (or 2.2.10).

~              --------------------------------------


Samba 3.0.5 and 2.2.10 are identical to the previous release
in each respective series with the exception of fixing these
issues. Samba 3.0.5rc1 has been removed from the download area
on Samba.org and 3.0.6rc2 will be available later this week.


The source code can be downloaded from :

~  http://download.samba.org/samba/ftp/

The uncompressed tarball and patch file have been signed
using GnuPG.  The Samba public key is available at

~  http://download.samba.org/samba/ftp/samba-pubkey.asc

Binary packages are available at

~  http://download.samba.org/samba/ftp/Binary_Packages/

The release notes are also available on-line at

~  http://www.samba.org/samba/whatsnew/samba-3.0.5.html
~  http://www.samba.org/samba/whatsnew/samba-2.2.10.html

Our code, Our bugs, Our responsibility.
(Samba Bugzilla -- https://bugzilla.samba.org/)


~                                  -- The Samba Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFA/6GdIR7qMdg1EfYRAhGYAJ9wsFUb4+1Nu3shPQn12O5tXQAe1ACgvs6a
HxsnDPYXoL+q5UoYb6/2iJA=
=YCOV
-----END PGP SIGNATURE-----

----- End forwarded message -----


From security em unicamp.br  Thu Jul 22 15:51:26 2004
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Thu, 22 Jul 2004 15:51:26 -0300
Subject: [SECURITY-L] Vulnerabilidades de seguranca
Message-ID: <20040722185126.GE10065@unicamp.br>

Srs. Usuarios,

Atualizamos o site do CSIRT (Computer Security Incident Response Team) 
da Unicamp com os seguintes boletins de vulnerabilidades:


Anúncio de Segurança do Conectiva Linux
---------------------------------------
22/07/2004 - CLA-2004:851
Assunto: Múltiplos buffer overruns em potencial no samba. 
http://www.security.unicamp.br/docs/bugs/2004/07/v69.txt 


Debian Security Advisory
------------------------
20/07/2004 - DSA 531-1
Assunto: vulnerabilidade de seguranca no pacote php4.
http://www.security.unicamp.br/docs/bugs/2004/07/v65.txt 


Gentoo Linux Security Advisory
------------------------------
22/07/2004 - GLSA 200407-17
Assunto: l2tpd: Buffer overflow.
http://www.security.unicamp.br/docs/bugs/2004/07/v68.txt
 

OpenPKG Security Advisory 
-------------------------
22/07/2004 - OpenPKG-SA-2004.033
Assunto: vulnerabilidade de seguranca no pacote samba.
http://www.security.unicamp.br/docs/bugs/2004/07/v66.txt

Samba Security Release:
------------------------
22/07/2004
Assunto: Potential Buffer Overruns in Samba 3.0 and Samba 2.2. 
http://www.security.unicamp.br/docs/bugs/2004/07/v67.txt


--
Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - UNICAMP
mailto:security em unicamp.br
http://www.security.unicamp.br


From security em unicamp.br  Tue Jul 27 15:32:45 2004
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Tue, 27 Jul 2004 15:32:45 -0300
Subject: [SECURITY-L] Vulnerabilidades de seguranca
Message-ID: <20040727183245.GC675@unicamp.br>

Srs. Usuarios,

Atualizamos o site do CSIRT (Computer Security Incident Response Team) 
da Unicamp com os seguintes boletins de vulnerabilidades:


Anúncio de Segurança do Conectiva Linux
---------------------------------------


Debian Security Advisory
------------------------
22/07/2004 - DSA 534-1
Assunto: vulnerabilidade de seguranca no pacote mailreader. 
http://www.security.unicamp.br/docs/bugs/2004/07/v73.txt

22/07/2004 - DSA 533-1
Assunto: vulnerabilidade de seguranca no pacote courier. 
http://www.security.unicamp.br/docs/bugs/2004/07/v74.txt


Fedora Update Notification
--------------------------
23/07/2004 - FEDORA-2004-223
Assunto: Fedora Core 2: php. 
http://www.security.unicamp.br/docs/bugs/2004/07/v82.txt

23/07/2004 - FEDORA-2004-222
Assunto: Fedora Core 1: php. 
http://www.security.unicamp.br/docs/bugs/2004/07/v81.txt

23/07/2004 - FEDORA-2004-231
Assunto: Fedora Core 2: subversion. 
http://www.security.unicamp.br/docs/bugs/2004/07/v80.txt

23/07/2004 - FEDORA-2004-225
Assunto: Fedora Core 2: abiword.
http://www.security.unicamp.br/docs/bugs/2004/07/v76.txt

23/07/2004 - FEDORA-2004-224
Assunto: Fedora Core 1: abiword. 
http://www.security.unicamp.br/docs/bugs/2004/07/v75.txt


Gentoo Linux Security Advisory
------------------------------
26/07/2004 - GLSA 200407-20
Assunto: Subversion: Vulnerability in mod_authz_svn.
http://www.security.unicamp.br/docs/bugs/2004/07/v88.txt

26/07/2004 - GLSA 200407-19
Assunto: Pavuk: Digest authentication helper buffer overflow. 
http://www.security.unicamp.br/docs/bugs/2004/07/v86.txt


HP Security Bulletin
--------------------
26/07/2004 - HPSBUX01062
Assunto: HP-UX CIFS Server potential remote root access. 
http://www.security.unicamp.br/docs/bugs/2004/07/v90.txt

23/07/2004 - HPSBUX01061
Assunto: SSRT4773 rev.0 HP-UX xfs and stmkfont remote unauthorized access. 
http://www.security.unicamp.br/docs/bugs/2004/07/v83.txt


Mandrakelinux Security Update Advisory
--------------------------------------
22/07/2004 - MDKSA-2004:071
Assunto: vulnerabilidade de seguranca no pacote samba. 
http://www.security.unicamp.br/docs/bugs/2004/07/v72.txt


Netwosix Linux Security Advisory
--------------------------------
23/07/2004 - #2004-0016
Assunto: vulnerabilidade de seguranca no pacote ethereal. 
http://www.security.unicamp.br/docs/bugs/2004/07/v79.txt

23/07/2004 - #2004-0015
Assunto: vulnerabilidade de seguranca no pacote samba. 
http://www.security.unicamp.br/docs/bugs/2004/07/v78.txt


OpenPKG Security Advisory 
-------------------------
22/07/2004 - OpenPKG-SA-2004.034
Assunto: vulnerabilidade de seguranca no pacote php, apache [with_mod_php=yes].
http://www.security.unicamp.br/docs/bugs/2004/07/v70.txt


SCO Security Advisory
---------------------
20/07/2004 - SCOSA-2004.8
Assunto: OpenServer 5.0.7 : Mozilla Multiple issues. 
http://www.security.unicamp.br/docs/bugs/2004/07/v71.txt


Slackware Security Advisory
---------------------------
26/07/2004 - SSA:2004-208-01
Assunto: vulnerabilidade de seguranca no pacote samba. 
http://www.security.unicamp.br/docs/bugs/2004/07/v89.txt

25/07/2004 - SSA:2004-207-02
Assunto: vulnerabilidade de seguranca no pacote mod_ssl. 
http://www.security.unicamp.br/docs/bugs/2004/07/v85.txt

25/07/2004 - SSA:2004-207-01
Assunto: vulnerabilidade de seguranca no pacote samba. 
http://www.security.unicamp.br/docs/bugs/2004/07/v84.txt


SUSE Security Announcement
--------------------------
23/07/2004 - SUSE-SA:2004:022
Assunto: vulnerabilidade de seguranca no pacote samba.
http://www.security.unicamp.br/docs/bugs/2004/07/v77.txt


Trustix Secure Linux Security Advisory
--------------------------------------
26/07/2004 - #2004-0039
Assunto: vulnerabilidade de seguranca nos pacotes apache, mod_php4, samba. 
http://www.security.unicamp.br/docs/bugs/2004/07/v87.txt


--
Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - UNICAMP
mailto:security em unicamp.br
http://www.security.unicamp.br


From security em unicamp.br  Thu Jul 29 14:44:10 2004
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Thu, 29 Jul 2004 14:44:10 -0300
Subject: [SECURITY-L] Vulnerabilidades de seguranca
Message-ID: <20040729174410.GD3752@unicamp.br>

Srs. Usuarios,

Atualizamos o site do CSIRT (Computer Security Incident Response Team) 
da Unicamp com os seguintes boletins de vulnerabilidades:


Anúncio de Segurança do Conectiva Linux
---------------------------------------
28/07/2004 - CLA-2004:852
Assunto: Correções para vulnerabilidades do kernel. 
http://www.security.unicamp.br/docs/bugs/2004/07/v96.txt 


Debian Security Advisory
------------------------
27/07/2004 - DSA 532-2
Assunto: vulnerabilidade de seguranca no pacote libapache-mod-ssl.
http://www.security.unicamp.br/docs/bugs/2004/07/v91.txt 


Fedora Update Notification
--------------------------
28/07/2004 - FEDORA-2004-244
Assunto: Fedora Core 2: sox. 
http://www.security.unicamp.br/docs/bugs/2004/07/v98.txt 

28/07/2004 - FEDORA-2004-235
Assunto: Fedora Core 1: sox. 
http://www.security.unicamp.br/docs/bugs/2004/07/v97.txt 


Mandrakelinux Security Update Advisory 
--------------------------------------
27/07/2004 - MDKSA-2004:075
Assunto: vulnerabilidade de seguranca no pacote mod_ssl.
http://www.security.unicamp.br/docs/bugs/2004/07/v95.txt 

27/07/2004 - MDKSA-2004:074 
Assunto: vulnerabilidade de seguranca no pacote webmin.
http://www.security.unicamp.br/docs/bugs/2004/07/v94.txt 

27/07/2004 - MDKSA-2004:073 
Assunto: vulnerabilidade de seguranca no pacote XFree86.
http://www.security.unicamp.br/docs/bugs/2004/07/v93.txt 

27/07/2004 - MDKSA-2004:072
Assunto: vulnerabilidade de seguranca no pacote postgresql.
http://www.security.unicamp.br/docs/bugs/2004/07/v92.txt 


SCO Security Advisory
---------------------
28/07/2004 - SCOSA-2004.9
Assunto: UnixWare 7.1.3up : tcpdump several vulnerabilities in tcpdump. 
http://www.security.unicamp.br/docs/bugs/2004/07/v99.txt 


--
Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - UNICAMP
mailto:security em unicamp.br
http://www.security.unicamp.br


From security em unicamp.br  Fri Jul 30 15:22:07 2004
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Fri, 30 Jul 2004 15:22:07 -0300
Subject: [SECURITY-L] Vulnerabilidades de seguranca
Message-ID: <20040730182206.GB5679@unicamp.br>

Srs. Usuarios,

Atualizamos o site do CSIRT (Computer Security Incident Response Team) 
da Unicamp com os seguintes boletins de vulnerabilidades:


Anúncio de Segurança do Conectiva Linux
---------------------------------------
30/07/2004 - CLA-2004:854
Assunto: Múltiplos buffer overruns em potencial no pacote samba. 
http://www.security.unicamp.br/docs/bugs/2004/07/v104.txt 


Gentoo Linux Security Advisory
------------------------------
29/07/2004 - ERRATA UPDATE - GLSA 200407-21:02
Assunto: Samba: Multiple buffer overflows. 
http://www.security.unicamp.br/docs/bugs/2004/07/v103.txt 

29/07/2004 - GLSA 200407-21
Assunto: Samba: Multiple buffer overflows. 
http://www.security.unicamp.br/docs/bugs/2004/07/v102.txt 


Mandrakelinux Security Update Advisory 
--------------------------------------
28/07/2004 - MDKSA-2004:076
Assunto: vulnerabilidade de seguranca no pacote sox. 
http://www.security.unicamp.br/docs/bugs/2004/07/v101.txt 


SCO Security Advisory
---------------------
28/07/2004 - SCOSA-2004.11
Assunto: OpenServer 5.0.6 OpenServer 5.0.7 : Multiple Vulnerabilities in Sendmail.
http://www.security.unicamp.br/docs/bugs/2004/07/v100.txt 


--
Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - UNICAMP
mailto:security em unicamp.br
http://www.security.unicamp.br