11/11/03 microsoft releases security patches

Discussion in 'other software & services' started by bigc73542, Nov 11, 2003.

Thread Status:
Not open for further replies.
  1. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    http://www.eweek.com/ microsoft Issues Security Patches
    By Dennis Fisher
    November 11, 2003


    Microsoft Corp. on Tuesday issued patches for several severe security flaws in Windows, Internet Explorer, FrontPage Server Extensions and some Office applications, many of which allow for remote code execution.

    Hardest hit in this month's batch of patches is IE, which contains five newly discovered vulnerabilities. Three of the flaws are related to the cross-domain security model in the browser. This mechanism is meant to prevent windows in different domains from sharing information. However, these weaknesses allow an attacker to run script in the browser's My Computer zone, which typically does not carry the same level of security as the Internet zone might.

    In order to exploit this flaw, the attacker would either need to entice the user into visiting a malicious Web site or opening an HTML mail message containing the attack code. This would let the attacker access data from other Web sites that the user has visited and read files on the user's machine, Microsoft said in its bulletin.

    Another flaw in IE concerns the manner in which the browser passes zone data to XML objects. Like the other three vulnerabilities, this one also can be exploited via Web sites and HTML mail messages. However, the attack also requires that users agree to download an HTML file, which would let the attacker read local files on the user's machine, if he knows the exact location of the files.

    The final weakness in IE affects drag-and-drop operations during dynamic HTML events. If a user clicked on a link supplied by an attacker, the attacker could save a file on a user's machine in an arbitrary location. All of these flaws affect IE 5.01, 5.5 and 6, including IE 6, Service Pack 1.

    The batch of patches also addresses a buffer overrun flaw in Windows 2000 and XP that could allow an attacker to run arbitrary code on remote machines. The vulnerability is in the Workstation service in Windows and a successful exploitation would give the attacker complete control of the compromised PC, Microsoft said.

    Windows XP users who have installed the patch for MS03-043 are already protected against this vulnerability, but all Windows 2000 users would still need to apply this latest patch.

    Microsoft also issued patches for security flaws in Word 97, 98, 2000 and 2002 and Excel 97, 2000 and 2002. The Excel issue relates to the way that the application checks spreadsheets before reading macros. An attacker could write a malicious macro and embed it in an Excel spreadsheet, which if opened by the user, would bypass the macro security settings and execute automatically. The macro would then be able to take any action on the user's PC.

    The weakness in Word results because the application incorrectly checks the length of macros embedded in Word documents. An attacker could exploit this by creating a malicious document that would overflow a data value in Word and execute arbitrary code.

    There are also two new vulnerabilities in Microsoft's FrontPage Server Extensions. The flaws affect 2000, 2002 and SharePoint Team Services 2002.

    The first flaw is a buffer overrun in the remote debug function. An exploitation of this flaw would let an attacker run code with Local System privileges. The second vulnerability is a denial-of-service condition in the SmartHTML interpreter in FrontPage Server Extensions.

    The patches are at Microsoft's Security and Privacy Page.
     
  2. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
    Monthly Microsoft Security Advisories (3 critical, 1 important)

    :( FYI...more detail and links:

    - Rated Critical:
    MS03-048 Cumulative Security Update for Internet Explorer
    http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-048.asp
    MS03-049 Buffer Overrun in the Workstation Service
    http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-049.asp
    MS03-051 Buffer Overrun in FrontPage Server Extensions Could Allow Code Execution
    http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-051.asp


    - Rated Important:
    MS03-050 Vulnerability in Word and Excel Could Allow Arbitrary Code to Run
    http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-050.asp


    LWM - Fixed the link to MS03-051 (it was pointing at MS03-050 also).
     
  3. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
    Attack code surfaces for latest Windows hole

    :( FYI...

    Attack code surfaces for latest Windows holes
    http://www.infoworld.com/article/03/11/17/HNattackcode_1.html
    November 17, 2003
    "...Computer code that exploits a critical new software vulnerability in the Windows XP and Windows 2000 operating systems is circulating on the Internet, according to security experts...The Workstation Service vulnerability was disclosed by Microsoft Corp. in Security Bulletin MS03-049, which was released on November 11. The service is turned "on" by default in Windows 2000 and Windows XP systems and allows computers on a network to connect to file servers and network printers.."
     
  4. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    i hav downloaded and installed MS03 -048 and 049 i hav one question .. i use win2k pro service pack 4 but use office XP .. so shud i need 050 and 051??
     
  5. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    i am still waiting eagerly.... :doubt:
     
  6. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    MS03-050 depends only upon the version of Office you run not Windows, so I would say you should install that patch.

    MS03-051 says that it is not needed for users of MS Microsoft Windows 2000 at Service Pack 4 level. So, you won't need that one.
     
  7. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    ya i kno MS03 -050 depends upon office version ..its given that u need for word 2000 excel 2000 but i hav office XP not office 2000
    so thats y i asked do i need 050 too?
     
  8. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    Office XP is the same as the Office 2002 set of products. In MS03-050, if you follow the links next to any of the Office 2002 products you'll see they lead to patch filenames that start with "officexp..."

    Microsoft just got carried away with naming things "XP" a little while back. :rolleyes: So, yes you should use MS03-050.
     
  9. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    i ran office update in my computer.. it said i dont need those security patches as those are for office service pack 2... they recommended me office service pack 1 update and another security patch .. one more thing i installed IE patch given above all the files are extracted and copied in windows folder.. and the add remove program shows internet explorer q824145 ... is that all rite and completely installed?
     
  10. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    You need to look at this... I have Office XP and am currently at SP-2, with some extra patches. If you haven't applied any of the SPs for Office XP, you should do that first, then try to get the latest patch. (That patch is not telling you that you don't need it, it's telling you that you are behind on the service packs for Office XP.)

    Can you go into MS Word and go to the "Help" menu, choose "About Microsoft Word", and tell us what it says. See image (below) from my system...

    It sounds like it is. When you install that type of patch it will replace Windows files and it will appear in Add/Remove Programs.
     

    Attached Files:

  11. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    Microsoft word 2002 (10.2627.2625)
    version 10 build 2627
    can u plz send me the office service pack.exe coz its really to big a file 40 MB approx to download now and then again service pack 2... anyway whatever u say i will do :)
     
  12. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    WaterMark ?? u thr
     
  13. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    Hey subratam,

    Listen, try to be patient. :D There is no need to reply to your own threads to bump them. Sometimes it takes time for people to get back online...

    Now, what do you mean "send me the office service pack"? I'm afraid we don't have any way to do that. But, you've said you leave your PC on 24 hours a day. Just start one of the downloads tonight when you are done and let it come down while you are asleep. 2-3 hours on dialup would do it, I should think. Even if you have to take a few nights to get all the files... Try for SP1 tonight. It appears to be 17,901 KB.
     
  14. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    i apologise first but i wasnt intending to bump my posts i had to go off for sometime so i thought i wud put the latest informations from my side... :doubt:
    water you are a cool man... you remembered .. i leave my computer 24 hrs :p ya mostly i do.. i was just enquiring if thrs any provision for gettin .exe direct ..its ok.. i have already started downloading :) hey water i am gettin PC-Cillin 2004 internet security... can you give your opinion about that.. just what you think about it..
    i stay awake most of nites ;) and get messages from TDS-3 (working late night... good morning i will have bacons for breakfast :p )
    it feels nice being part of wilders... you all are friends first than anything else :)
     
  15. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    subratam,

    Would you mind opening new threads on the right forums? This one belongs in the "other antiviruses" forum for example.

    We'd like to keep all organized and structured ;)

    thanks in advance,

    paul
     
  16. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    wilders,
    i admit its for other forum... i was just asking for a opinion... anyway i will abide by the rules wat u said :)
    thx for kind advice
     
  17. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Thanks ;)

    regards,

    paul
     
Loading...
Thread Status:
Not open for further replies.