TW-CA-2005-072-[RHSA-2005:504-00:Moderate: telnet security update]
==========================================================================
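TWCERT release date: 2005-06-17
Original vulnerability release date: 2005-06-14
Category: Info Leak
Source reference: RHSA-2005:504-00
Common vulnerability identifier: CAN-2005-0488
========= Summary ===================================================
Updated telnet packages fix an information disclosure vulnerability. The Red Hat Security Response Team has rated this as a moderate security update.
========= Description ====================================================
Microsoft's security bulletins for June 2005 announced a number of vulnerabilities in
Windows, Internet Explorer, Outlook Express, Outlook Web Access, ISA Server, the
Step-by-Step Interactive Training engine, and telnet. For detailed vulnerability
information, see the following vulnerability notes: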

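VU#189754 - Microsoft IE buffer overflow in the PNG image processing component
A buffer overflow in Microsoft IE's handling of the PNG image component allows a
remote attacker to execute code on a vulnerable system. (CAN-2005-1211)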

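VU#489397 - Microsoft Server Message Block vulnerable to buffer overflow
Microsoft Server Message Block (SMB) is prone to a buffer flaw when processing
incoming SMB packets, which can lead to a remote attacker executing code.
(CAN-2005-1206)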

VU#851869 - Microsoft HTML Help input validation error
Microsoft HTML Help does not properly validate input data, allowing a remote
attacker to execute arbitrary code. (CAN-2005-1208)

========= Affected platforms ====================================================
* Microsoft Windows
* Microsoft Internet Explorer

For more complete information, see the Microsoft Security Bulletin Summary for June 2005.

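========= Solution ====================================================
Download updates

Microsoft has provided patches for these vulnerabilities in the security bulletins and through Windows Automatic Updates.

Related measures

See the information for each individual vulnerability note.

Appendix A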

* Microsoft Security Bulletin Summary for June, 2005 -
<http://www.microsoft.com/technet/security/bulletin/ms05-jun.mspx>

* US-CERT Vulnerability Note VU#189754 -
<http://www.kb.cert.org/vuls/id/189754>

* US-CERT Vulnerability Note VU#489397 -
<http://www.kb.cert.org/vuls/id/489397>

* US-CERT Vulnerability Note VU#851869 -
<http://www.kb.cert.org/vuls/id/851869>

* CAN-2005-1211 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1222>

* CAN-2005-1206 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1206>

* CAN-2005-1208 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1208>

* Microsoft Windows Update - <http://windowsupdate.microsoft.com/>

Attachment:
=================== Original text ===========================================
Technical Cyber Security Alert TA05-165A
Microsoft Windows and Internet Explorer Vulnerabilities

Original release date: June 14, 2005
Last revised: --
Source: US-CERT

Systems Affected

* Microsoft Windows
* Microsoft Internet Explorer

For more complete information, refer to the Microsoft Security
Bulletin Summary for June, 2005.

Overview

Microsoft has released updates that address critical vulnerabilities
in Windows and Internet Explorer. Exploitation of these
vulnerabilities could allow a remote, unauthenticated attacker to
execute arbitrary code or cause a denial of service.

I. Description

Microsoft Security Bulletins for June, 2005 address a number of
vulnerabilities in Windows, Internet Explorer, Outlook Express,
Outlook Web Access, ISA Server, the Step-by-Step Interactive Training
engine, and telnet. Further information about the more serious
vulnerabilities is available in the following Vulnerability Notes:

VU#189754 - Microsoft Internet Explorer buffer overflow in PNG image
rendering component

A buffer overflow in the PNG image rendering component of Microsoft
Internet Explorer may allow a remote attacker to execute code on a
vulnerable system.
(CAN-2005-1211)

VU#489397 - Microsoft Server Message Block vulnerable to buffer
overflow

Microsoft Server Message Block (SMB) is vulnerable to a buffer
handling flaw when processing incoming SMB packets that may lead to
remote code execution.
(CAN-2005-1206)

VU#851869 - Microsoft HTML Help input validation error

Microsoft HTML Help fails to properly validate input data, allowing a
remote attacker to execute arbitrary code.
(CAN-2005-1208)

II. Impact

Exploitation of the most serious of these vulnerabilities could allow
a remote, unauthenticated attacker to execute arbitrary code with
SYSTEM privileges. This would allow an attacker to take complete
control of a vulnerable system. An attacker could also execute
arbitrary code with user privileges, or cause a denial of service.

III. Solution

Apply updates

Microsoft has provided the patches for these vulnerabilities in the
Security Bulletins and on Windows Update.

Workarounds

Please see the individual vulnerability notes for workarounds.

Appendix A. References

* Microsoft Security Bulletin Summary for June, 2005 -
<http://www.microsoft.com/technet/security/bulletin/ms05-jun.mspx>

* US-CERT Vulnerability Note VU#189754 -
<http://www.kb.cert.org/vuls/id/189754>

* US-CERT Vulnerability Note VU#489397 -
<http://www.kb.cert.org/vuls/id/489397>

* US-CERT Vulnerability Note VU#851869 -
<http://www.kb.cert.org/vuls/id/851869>

* CAN-2005-1211 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1222>

* CAN-2005-1206 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1206>

* CAN-2005-1208 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1208>

* Microsoft Windows Update - <http://windowsupdate.microsoft.com/>
_________________________________________________________________

Feedback can be directed to the US-CERT Technical Staff
_________________________________________________________________

Revision History

June 14, 2005: Initial release
_________________________________________________________________

This document is available from:

<http://www.us-cert.gov/cas/techalerts/TA05-165A.html>

Produced 2005 by US-CERT, a government organization.

Terms of use

<http://www.us-cert.gov/legal.html>

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.

