-----------------------------------------------------------------
Title: Unchecked Buffer in MDAC Function Could Enable System Compromise (823718)
Date: 20 August 2003
Software:
 - Microsoft Data Access Components 2.5
 - Microsoft Data Access Components 2.6
 - Microsoft Data Access Components 2.7
Impact: Run code of the attacker's choice
Max Risk: Important
Bulletin: MS03-033

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/MS03-033.asp
http://www.microsoft.com/security/security_bulletins/ms03-033.asp
-----------------------------------------------------------------

Risk Rating:
============
 - Important

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/ms03-033.asp
http://www.microsoft.com/security/security_bulletins/ms03-033.asp
for information on obtaining this patch.
-----------------------------------------------------------------
Title: Cumulative Patch for Internet Explorer (822925)
Date: 20 August 2003
Software:
 - Microsoft Internet Explorer 5.01
 - Microsoft Internet Explorer 5.5
 - Microsoft Internet Explorer 6.0
 - Microsoft Internet Explorer 6.0 for Windows Server 2003
Impact: Run code of the attacker's choice
Max Risk: Critical
Bulletin: MS03-032

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/MS03-032.asp
http://www.microsoft.com/security/security_bulletins/ms03-032.asp
-----------------------------------------------------------------

Risk Rating:
============
 - Critical

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/ms03-032.asp
http://www.microsoft.com/security/security_bulletins/ms03-032.asp
for information on obtaining this patch.
----------------------------------------------------------------------
Title: Unchecked Buffer in DirectX Could Enable System Compromise (819696)
Released: 23 July 2003
Revised: 20 August 2003 (version 2.0)
Software:
  Microsoft DirectX(r) 5.2 on Windows 98
  Microsoft DirectX 6.1 on Windows 98 SE
  Microsoft DirectX 7.1 on Windows Millennium Edition
  Microsoft DirectX 7.0 on Windows 2000
  Microsoft DirectX 8.0, 8.0a, 8.1, 8.1a, and 8.1b when installed on Windows 98, Windows 98 SE, Windows Millennium Edition or Windows 2000
  Microsoft DirectX 8.1 on Windows XP or Windows Server 2003
  Microsoft DirectX 9.0a when installed on Windows 98, Windows 98 SE, Windows Millennium Edition (Windows Me), Windows 2000, Windows XP, or Windows Server 2003
  Microsoft Windows NT 4.0 Server with either Windows Media Player 6.4 or Internet Explorer 6 Service Pack 1 installed.
  Microsoft Windows NT 4.0, Terminal Server Edition with either Windows Media Player 6.4 or Internet Explorer 6 Service Pack 1 installed.
Impact: Allow an attacker to execute code on a user's system
Max Risk: Critical
Bulletin: MS03-030

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS03-030.asp
http://www.microsoft.com/security/security_bulletins/MS03-030.asp
----------------------------------------------------------------------

Reason for Revision:
====================
Subsequent to the original release of this bulletin, customers requested that we support additional versions of DirectX that were not covered by the original patches. This bulletin has been updated to provide information about this new patch.

Risk Rating:
============
 - Critical

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the Security Bulletins at
http://www.microsoft.com/technet/security/bulletin/MS03-030.asp
http://www.microsoft.com/security/security_bulletins/MS03-30.asp
for information on obtaining this patch.
----------------------------------------------------------------------
Title: Unchecked Buffer in MDAC Function Could Enable System Compromise (Q326573)
Released: 31 July 2003
Revised: 20 August 2003 (version 2.0)
Software:
  Microsoft Data Access Components 2.5
  Microsoft Data Access Components 2.6
  Microsoft Data Access Components 2.7
Impact: Run code of the attacker's choice.
Max Risk: Critical
Bulletin: MS02-040

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-040.asp
http://www.microsoft.com/security/security_bulletins/MS02-040.asp
----------------------------------------------------------------------

Reason for Revision:
====================
Subsequent to the release of this bulletin, it was determined that the vulnerability addressed is not with the OpenRowSet command (which is a Microsoft SQL Server command) but rather that the vulnerability is with the underlying MDAC component Open Database Connectivity (ODBC), which is present in all versions of Windows. Additionally, the original patch released with this did not install correctly on some systems because of a flaw in the way that Microsoft Windows Installer updated the System File Protection cache. The bulletin has been updated to include this additional information and to direct users to an updated patch.

Note: The patch for this security bulletin has been superseded by the patch in MS03-033. Customers who are seeking the patch for MS02-040 should instead install the patch for MS03-033.

Risk Rating:
============
 - Critical

Patch Availability:
===================
A patch is available to fix this vulnerability. Please read the Security Bulletins at
http://www.microsoft.com/technet/security/bulletin/ms02-040.asp
http://www.microsoft.com/security/security_bulletins/MS02-040.asp
for information on obtaining this patch.
Please note that this patch is superseded by the patch available with http://www.microsoft.com/technet/security/bulletin/ms03-033.asp
LOL, I wouldn't panic. I was just informing those who aren't subscribed to the Security Bulletin mailing list of 4 emails that came in today. I found 2 new critical updates on WU because of them - I may have already been patched against whatever exploits they were warning against in the other 2 emails.

If no one objects, I'll keep updating this thread with the emails as I receive them - they're good for informing people when a new update has been released for their OS - I had one about the RPC exploit Blaster attacked on the 16th of July and got my home PC patched almost immediately.

edit: PS - Of course you could just keep visiting WindowsUpdate once a week (at least!), sign up to the mailing lists yourself, or just bury your head in the sand and hope you'll be safe from all the evil/nasty people out there.

PPS - Before anyone complains about my 4 posts in a row - I wanted to merge the emails into 2 posts, but they were just too long for the message length limit - and I really don't care about my postcount. I've got more than enough for an avatar and a custom user-title, I have no need to inflate it on purpose.
HEAR HEAR! But I think updating this thread would be a good idea. Some people don't want to leave for a week and come back to find their inboxes full of mail from Microsoft, I'm sure.

Would help if they would just give a basic rundown though. Who reads the whole thing? The gist is, "We screwed up, here's the fix." A list of OSes affected and linkage would be plenty.

"Microsoft: we spend more money on our writers than our programmers, and you wonder why our OS looks like Swiss cheese to hackers!"
Um, what the hell is wrong with the Windows Update site? http://windowsupdate.microsoft.com just gives you a page about how windowsupdates supports Windows users. No actual useful info at all. Is this because it's now running through Linux or because these new exploits have already been, um, exploited?

edit: Never mind, it's working now - got scared for a second there.
Good point. I've updated the posts so far to reflect only the most important info - what's affected and where to get the patches.
----------------------------------------------------------------------
Title: Flaw in Visual Basic for Applications Could Allow Arbitrary Code Execution (822715)
Date: 03 September 2003
Affected Software:
  Microsoft Visual Basic for Applications SDK 5.0
  Microsoft Visual Basic for Applications SDK 6.0
  Microsoft Visual Basic for Applications SDK 6.2
  Microsoft Visual Basic for Applications SDK 6.3
Products which include the affected software:
  Microsoft Access 97
  Microsoft Access 2000
  Microsoft Access 2002
  Microsoft Excel 97
  Microsoft Excel 2000
  Microsoft Excel 2002
  Microsoft PowerPoint 97
  Microsoft PowerPoint 2000
  Microsoft PowerPoint 2002
  Microsoft Project 2000
  Microsoft Project 2002
  Microsoft Publisher 2002
  Microsoft Visio 2000
  Microsoft Visio 2002
  Microsoft Word 97
  Microsoft Word 98(J)
  Microsoft Word 2000
  Microsoft Word 2002
  Microsoft Works Suite 2001
  Microsoft Works Suite 2002
  Microsoft Works Suite 2003
  Microsoft Business Solutions Great Plains 7.5
  Microsoft Business Solutions Dynamics 6.0
  Microsoft Business Solutions Dynamics 7.0
  Microsoft Business Solutions eEnterprise 6.0
  Microsoft Business Solutions eEnterprise 7.0
  Microsoft Business Solutions Solomon 4.5
  Microsoft Business Solutions Solomon 5.0
  Microsoft Business Solutions Solomon 5.5
Impact: Run code of attackers choice
Max Risk: Critical
Bulletin: MS03-037

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/MS03-037.asp
http://www.microsoft.com/security/security_bulletins/ms03-037.asp
----------------------------------------------------------------------

Risk Rating:
============
 - Critical

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the Security Bulletins at
http://www.microsoft.com/technet/security/bulletin/ms03-037.asp
http://www.microsoft.com/security/security_bulletins/ms03-037.asp
for information on obtaining this patch.
----------------------------------------------------------------------
Title: Flaw in NetBIOS Could Lead to Information Disclosure (824105)
Date: 03 September 2003
Software:
 - Microsoft Windows NT 4.0 Server
 - Microsoft Windows NT 4.0, Terminal Server Edition
 - Microsoft Windows 2000
 - Microsoft Windows XP
 - Microsoft Windows Server 2003
Impact: Information Disclosure
Max Risk: Low
Bulletin: MS03-034

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/MS03-034.asp
http://www.microsoft.com/security/security_bulletins/ms03-034.asp
----------------------------------------------------------------------

Risk Rating:
============
 - Low

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the Security Bulletins at
http://www.microsoft.com/technet/security/bulletin/ms03-034.asp
http://www.microsoft.com/security/security_bulletins/ms03-034.asp
for information on obtaining this patch.
-------------------------------------------------------------------
Title: Flaw in Microsoft Word Could Enable Macros to Run Automatically (827653)
Date: September 3, 2003
Software:
  Microsoft Word 97
  Microsoft Word 98 (J)
  Microsoft Word 2000
  Microsoft Word 2002
  Microsoft Works Suite 2001
  Microsoft Works Suite 2002
  Microsoft Works Suite 2003
Impact: Run macros without warning
Max Risk: Important
Bulletin: MS03-035

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/MS03-035.asp
http://www.microsoft.com/security/security_bulletins/MS03-035.asp
-------------------------------------------------------------------

Risk Rating:
============
 - Important

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the Security Bulletins at
http://www.microsoft.com/technet/security/bulletin/MS03-035.asp
http://www.microsoft.com/security/security_bulletins/MS03-035.asp
for information on obtaining this patch.
--------------------------------------------------------------------
Title: Unchecked buffer in Microsoft Access Snapshot Viewer Could Allow Code Execution (827104)
Date: September 3, 2003
Software:
  Microsoft Access 97
  Microsoft Access 2000
  Microsoft Access 2002
Impact: Elevation of Privilege
Max Risk: Moderate
Bulletin: MS03-038

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/MS03-038.asp
http://www.microsoft.com/security/security_bulletins/MS03-038.asp
--------------------------------------------------------------------

Risk Rating:
============
 - Moderate

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the Security Bulletins at
http://www.microsoft.com/technet/security/bulletin/MS03-038.asp
http://www.microsoft.com/security/security_bulletins/MS03-038.asp
for information on obtaining this patch.
----------------------------------------------------------------------
Title: Buffer Overrun in WordPerfect Converter Could Allow Code Execution (827103)
Date: 03 September 2003
Software:
  Microsoft Office 97
  Microsoft Office 2000
  Microsoft Office XP
  Microsoft Word 98 (J)
  Microsoft FrontPage 2000
  Microsoft FrontPage 2002
  Microsoft Publisher 2000
  Microsoft Publisher 2002
  Microsoft Works Suite 2001
  Microsoft Works Suite 2002
  Microsoft Works Suite 2003
Impact: Run code of attacker's choice
Max Risk: Important
Bulletin: MS03-036

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/MS03-036.asp
http://www.microsoft.com/security/security_bulletins/ms03-036.asp
----------------------------------------------------------------------

Risk Rating:
============
 - Important

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the Security Bulletins at
http://www.microsoft.com/technet/security/bulletin/ms03-036.asp
http://www.microsoft.com/security/security_bulletins/ms03-036.asp
for information on obtaining this patch.

5 reports in a day? Geez!!
The Microsoft bods obviously had a lot of time on their hands so decided to look for potential security threats.
I FULLY agree. I just wish that more of the developers would get off their high horse and realize that if they want Linux to compete on the desktop, they have to start developing apps, software install routines and so on targeting people who don't want to go into a console, untar an app, make sure the libraries needed are installed, config, make and make install their app. I'm only 1 piece of software away from being able to switch totally to Linux... If Macromedia released a working port of Dreamweaver, I'd be a happy happy man! /me kicks the thread back on topic. Sorry about the little rant there...