

NICK ADSL UK
June 14th, 2005, 01:39 PM
THIS UPDATE COURTESY OF jbMSFT MICROSOFT [MVP]

Microsoft Security Bulletin(s) for 6/14/05

June 14, 2005
Today Microsoft released the following Security Bulletin(s).

Note: www.Microsoft.com/technet/security and www.microsoft.com/security are authoritative in all matters concerning Microsoft Security Bulletins! ANY e-mail, web board or newsgroup posting (including this one) should be verified by visiting these sites for official information. Microsoft never sends security or other updates as attachments. These updates must be downloaded from the microsoft.com download center or Windows Update. See the individual bulletins for details.

Because some malicious messages attempt to masquerade as official Microsoft security notices, it is recommended that you physically type the URLs into your web browser and not click on the hyperlinks provided.

Bulletin Summary:

http://www.microsoft.com/technet/security/Bulletin/ms05-Jun.mspx

Critical Bulletins:

Cumulative Security Update for Internet Explorer (883939)
http://www.microsoft.com/technet/security/Bulletin/ms05-025.mspx

Vulnerability in HTML Help Could Allow Remote Code Execution [896358]
http://www.microsoft.com/technet/security/Bulletin/ms05-026.mspx

Vulnerability in Server Message Block Could Allow Remote Code Execution (896422)
http://www.microsoft.com/technet/security/Bulletin/ms05-027.mspx

Important Bulletins:

Vulnerability in Web Client Service Could Allow Remote Code Execution (896426)
http://www.microsoft.com/technet/security/Bulletin/ms05-028.mspx

Vulnerability in Outlook Web Access for Exchange Server 5.5 Could Allow Cross-Site Scripting Attacks (895179)
http://www.microsoft.com/technet/security/Bulletin/ms05-029.mspx

Cumulative Security Update in Outlook Express (897715)
http://www.microsoft.com/technet/security/Bulletin/ms05-018.mspx


Vulnerability in Step-by-Step Interactive Training Could Allow Remote Code Execution [898458]
http://www.microsoft.com/technet/security/Bulletin/ms05-031.mspx

Moderate Bulletins:

Vulnerability in Microsoft Agent Could Allow Spoofing (890046)
http://www.microsoft.com/technet/security/Bulletin/ms05-032.mspx

Vulnerability in Telnet Client Could Allow Information Disclosure [896428]
http://www.microsoft.com/technet/security/Bulletin/ms05-033.mspx

Cumulative Security Update for ISA Server 2000 (899753)
http://www.microsoft.com/technet/security/Bulletin/ms05-034.mspx

Re-Released Bulletins:

SQL Server Installation Process May Leave Passwords on System [Q263968]
http://www.microsoft.com/technet/security/Bulletin/ms02-035.mspx

ASP.NET Path Validation Vulnerability [887219]
http://www.microsoft.com/technet/security/Bulletin/ms05-004.mspx

Vulnerability in Outlook Web Access for Exchange Server 5.5 Could Allow Cross-Site Scripting Attacks (895179)
http://www.microsoft.com/technet/security/Bulletin/ms05-029.mspx

This represents our regularly scheduled monthly bulletin release (second Tuesday of each month). Please note that Microsoft may release bulletins outside of this schedule if we determine the need to do so.

If you have any questions regarding the patch or its implementation after reading the above listed bulletin you should contact Product Support Services in the United States at 1-866-PCSafety [1-866-727-2338]. International customers should contact their local subsidiary.

NICK ADSL UK
June 14th, 2005, 03:36 PM
Screenshot of today's updates on my system

NICK ADSL UK
June 15th, 2005, 03:57 AM
Microsoft Security Bulletin MS05-019
Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service (893066)

Issued: April 12, 2005
Updated: June 14, 2005
Version: 2.0
http://www.microsoft.com/technet/security/bulletin/MS05-019.mspx

NICK ADSL UK
June 16th, 2005, 10:49 AM
Microsoft Security Bulletin Advance Notification

The next Security Bulletin Advance Notification is scheduled for July 7, and will outline information for the July 12, 2005 security bulletin release.

NICK ADSL UK
June 29th, 2005, 03:31 AM
Software update 898461 installs a permanent copy of the Package Installer for Windows version 6.1.22.4
APPLIES TO
• Microsoft Windows XP Home Edition SP1
• Microsoft Windows XP Home Edition SP2
• Microsoft Windows XP Professional SP1
• Microsoft Windows XP Professional SP2
• Microsoft Windows XP Service Pack 1
• Microsoft Windows XP Service Pack 2

INTRODUCTION
The Package Installer for Windows is used to install software updates for Microsoft Windows operating systems and for other Microsoft products. Software update 898461 installs a permanent copy of the Package Installer for Windows version 6.1.22.4 on the computer so that subsequent software updates can have a significantly smaller download size.


MORE INFORMATION
New features in the Package Installer for Windows version 6.1.22.4
Currently, the files for the Package Installer for Windows are downloaded every time that you use the Windows Update site or Automatic Updates to update the computer. This redundant download can be avoided if the installer files are made resident on the computer, because subsequent updates can use the resident files. Software update 898461 installs the files for the Package Installer for Windows version 6.1.22.4 on the computer.

Note This change in behavior applies only to express installation packages that are downloaded from the Windows Update site or through Automatic Updates for Microsoft Windows XP. Downloads from the Windows Update Catalog site are not affected.


Update information
The files for the Package Installer for Windows are installed in the following folder:
%windir%\System32\PreInstall\WinSE\WXP_%lcid%_v1
Note The placeholder %windir% represents the location of the Windows system directory. The placeholder %lcid% represents the language identifier for the operating system that the computer is running. For more information about language identifiers, visit the following Microsoft Web site:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/intl/nls_8xo3.asp


The following files are installed in this folder:
• Update.exe.ref
• Updspapi.dll.ref
• Spuninst.exe.ref
• Spcustom.dll.ref
• Spmsg.dll.ref
• Spupdsvc.exe.ref

Effect on future updates
Software update 898461 will at first be offered as a critical update. However, this software update will become mandatory shortly.

As soon as software update 898461 becomes mandatory, no future updates that are available from the Windows Update Web site or through Automatic Updates will include the Package Installer for Windows. Instead, these updates will use the permanent copy of the Package Installer for Windows that software update 898461 installs.

Software updates that were released before the release of software update 898461 will not be modified and will continue to be offered as is. Updates that are available from the Windows Update Catalog site will also continue to contain the installer and therefore will not depend on the presence of software update 898461 on the system.

Download information
The following file is available for download from the Microsoft Download Center:
Download the 898461 package now. Release Date: Jun. 28, 2005
http://www.microsoft.com/downloads/details.aspx?FamilyId=50C334E1-9A67-4B99-A65A-069B79267856&displaylang=en

NICK ADSL UK
July 7th, 2005, 04:23 PM
Microsoft Security Bulletin MS05-009
Vulnerability in PNG Processing Could Allow Remote Code Execution (890261)

Issued: February 8, 2005
Updated: July 6, 2005
Version: 2.4

Summary
Who should read this document: Customers who use Microsoft Windows Media Player, Windows Messenger and MSN Messenger

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Customers should apply the update immediately

Security Update Replacement: This bulletin replaces a prior security update. See the frequently asked questions (FAQ) section of this bulletin for the complete list.

Caveats: Starting February 10, 2005, the MSN Messenger service will notify customers running a vulnerable version of MSN Messenger that there is an upgrade available. Customers that have accepted this upgrade and have applied the update will be protected from this vulnerability. Customers that have not accepted this upgrade may not be allowed to connect to the MSN Messenger service with a vulnerable version of the client. Clients may be upgraded immediately by installing the update available at the download location provided in the “Affected Software” section below.

Tested Software and Security Update Download Locations:

Affected Software:

• Microsoft Windows Media Player 9 Series (when running on Windows 2000, Windows XP Service Pack 1 and Windows Server 2003) – Download the update
http://www.microsoft.com/downloads/details.aspx?FamilyId=A52279DC-3B6C-4720-8192-45657EDBB14F

• Microsoft Windows Messenger version 5.0 (standalone version that can be installed on all supported operating systems) – Download the update
http://www.microsoft.com/downloads/details.aspx?FamilyID=A8D9EB73-5F8C-4B9A-940F-9157A3B3D774

• Microsoft MSN Messenger 6.1 – Download the update
http://www.microsoft.com/downloads/details.aspx?FamilyId=EBE898D8-FE1C-4A5E-993C-5FAB3E62C925

• Microsoft MSN Messenger 6.2 – Download the update
http://www.microsoft.com/downloads/details.aspx?FamilyId=EBE898D8-FE1C-4A5E-993C-5FAB3E62C925

• Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) – Review the FAQ section of this bulletin for details about these operating systems.


Non-Affected Software:

• Windows Media Player 6.4

• Windows Media Player 7.1

• Windows Media Player for Windows XP (8.0)

• Windows Media Player 9 Series for Windows XP Service Pack 2

• Windows Media Player 10

• Windows Messenger 5.1

• MSN Messenger for Mac


Tested Microsoft Windows Components:

Affected Components:

• Microsoft Windows Messenger version 4.7.0.2009 (when running on Windows XP Service Pack 1) – Download the update
http://www.microsoft.com/downloads/details.aspx?FamilyId=F37B36AE-D8C0-46B5-B8BA-200466817CC8

• Microsoft Windows Messenger version 4.7.0.3000 (when running on Windows XP Service Pack 2) – Download the update
http://www.microsoft.com/downloads/details.aspx?FamilyId=1DCC9628-E2D0-496F-B4F2-3AFEFA0A0156


Microsoft Security Bulletin MS05-029
Vulnerability in Outlook Web Access for Exchange Server 5.5 Could Allow Cross-Site Scripting Attacks (895179)

Issued: June 14, 2005
Updated: July 6, 2005
Version: 1.1

Summary
Who should read this document: System administrators who have servers that are running Outlook Web Access for Microsoft Exchange Server 5.5

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Important

Recommendation: Customers should apply the update at the earliest opportunity

Security Update Replacement: None

Caveats: None

Version Requirements for Dependent Components for This Update:
For this update to be installed successfully, the Microsoft Outlook Web Access server must have one of the following installed:

• Internet Explorer 5.01 Service Pack 3 installed when using Windows 2000 Service Pack 3

• Internet Explorer 5.01 Service Pack 4 installed when using Windows 2000 Service Pack 4

• Internet Explorer 6 Service Pack 1 installed when using other supported operating systems


Version Recommendations for Dependent Components on the Outlook Web Access Server:
The following versions are recommended for dependent components on the Outlook Web Access server:

• Microsoft Internet Information Services (IIS):
  • IIS 5.0 on Windows 2000 Service Pack 3 or later

• Microsoft Internet Explorer:
  • Internet Explorer 6.0 Service Pack 1

Tested Software and Security Update Download Locations:

Affected Software:

• Microsoft Exchange Server 5.5 Service Pack 4 - Download the update
http://www.microsoft.com/downloads/details.aspx?familyid=08435B77-9F3A-40F5-B13A-A7019CB1C244

Non-Affected Software:

• Microsoft Exchange 2000 Server Service Pack 3 with the Exchange 2000 Post-Service Pack 3 Update Rollup of August 2004.

• Microsoft Exchange Server 2003

• Microsoft Exchange Server 2003 Service Pack 1