MSeng (Premium, Ex-Mod 2001-08)
MS Security Bulletins 2003 - Updated 4/13/04
To keep everyone notified of released MS Security Bulletins, this post will be updated as necessary.
Notes:
Update Info: Updated MS03-046
Released 11/11/03 Updated 12/10/03
MS03-051 Buffer Overrun in Microsoft FrontPage Server Extensions Could Allow Code Execution (813360)
Maximum Severity Rating: Critical
Affected Software: Microsoft Windows 2000 Service Pack 2, Service Pack 3; Microsoft Windows XP, Microsoft Windows XP Service Pack 1; Microsoft Office XP, Microsoft Office XP Service Release 1
Non Affected Software: Microsoft Windows Millennium Edition; Microsoft Windows NT Workstation 4.0, Service Pack 6a; Microsoft Windows NT Server 4.0, Service Pack 6a; Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6; Microsoft Windows 2000 Service Pack 4; Microsoft Windows XP 64-Bit Edition Version 2003; Microsoft Windows Server 2003 (Windows SharePoint Services); Microsoft Windows Server 2003 64-Bit Edition (Windows SharePoint Services); Microsoft Office System 2003
Affected Components: Microsoft FrontPage Server Extensions 2000; Microsoft FrontPage Server Extensions 2000 (Shipped with Windows 2000); Microsoft FrontPage Server Extensions 2000 (Shipped with Windows XP); Microsoft FrontPage Server Extensions 2002; Microsoft SharePoint Team Services 2002 (shipped with Office XP)
Revisions:
- V1.0 November 11, 2003: Bulletin published.
- V1.1 November 12, 2003: Updated information on what actions an attacker could take if they were to successfully exploit this vulnerability.
- V1.2 November 14, 2003: Updated information on affected versions of Microsoft Office, updated information in the workarounds section.
- V1.3 November 19, 2003: Updated information on setup switches in the Security Update Information section and corrected text in Severity Rating section for SharePoint Team Services 2002.
- V1.4 December 10, 2003: Updated the FAQ section to reflect a new Windows Update offering on Windows XP
Released 11/11/03
MS03-050 Vulnerability in Microsoft Word and Microsoft Excel Could Allow Arbitrary Code to Run (831527)
Maximum Severity Rating: Important
Affected Software: Microsoft Excel 97; Microsoft Excel 2000; Microsoft Excel 2002; Microsoft Word 97; Microsoft Word 98(J); Microsoft Word 2000 and Microsoft Works Suite 2001; Microsoft Word 2002, Microsoft Works Suite 2002, Microsoft Works Suite 2003, and Microsoft Works Suite 2004
Non Affected Software: Microsoft Office Word 2003; Microsoft Office Excel 2003
Released 11/11/03
MS03-049 Buffer Overrun in the Workstation Service Could Allow Code Execution (828749)
Maximum Severity Rating: Critical
Affected Software: Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4; Microsoft Windows XP, Microsoft Windows XP Service Pack 1; Microsoft Windows XP 64-Bit Edition
Note: The Windows XP security updates that released on October 15th as part of Security Bulletin MS03-043 (828035) include the updated file that helps protect from this vulnerability. If you have applied the Windows XP security updates for MS03-043 (828035) you do not have to reapply this update. However, the Windows 2000 security update that is released as part of this security bulletin contains updated files that were not part of the MS03-043 (828035) security bulletin. Customers have to apply this Windows 2000 security update even if they applied the Windows 2000 security updates for MS03-043 (828035).
Non Affected Software: Microsoft Windows NT Workstation 4.0, Service Pack 6a; Microsoft Windows NT Server 4.0, Service Pack 6a; Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6; Microsoft Windows Millennium Edition; Microsoft Windows XP 64-Bit Edition Version 2003; Microsoft Windows Server 2003; Microsoft Windows Server 2003 64-Bit Edition
Released 11/11/03
MS03-048 Cumulative Security Update for Internet Explorer (824145)
Maximum Severity Rating: Critical
Affected Software: Microsoft Windows 98; Microsoft Windows 98 Second Edition; Microsoft Windows Millennium Edition; Microsoft Windows NT® Workstation 4.0 Service Pack 6a; Microsoft Windows NT Server 4.0 Service Pack 6a; Microsoft Windows NT Server 4.0 Terminal Server Edition, Service Pack 6; Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4; Microsoft Windows XP, Microsoft Windows XP Service Pack 1; Microsoft Windows XP 64-Bit Edition; Microsoft Windows XP 64-Bit Edition Version 2003; Microsoft Windows Server® 2003; Microsoft Windows Server 2003, 64-Bit Edition
Affected Components: Internet Explorer 6 Service Pack 1; Internet Explorer 6 Service Pack 1 (64-Bit Edition); Internet Explorer 6 Service Pack 1 for Windows Server 2003; Internet Explorer 6 Service Pack 1 for Windows Server 2003 (64-Bit Edition); Internet Explorer 6; Internet Explorer 5.5 Service Pack 2; Internet Explorer 5.01 Service Pack 4; Internet Explorer 5.01 Service Pack 3; Internet Explorer 5.01 Service Pack 2
Released 10/15/03 Updated 10/22/03
MS03-047 Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting Attack (828489)
Maximum Severity Rating: Moderate
Affected Software: Microsoft Exchange Server 5.5, Service Pack 4
Non Affected Software: Microsoft Exchange 2000 Server; Microsoft Exchange Server 2003
Revisions:
V1.1 October 21, 2003:
- Removed unnecessary information from "Deployment" in the "Exchange Server 5.5 Service Pack 4" section of "Security Patch Information."
- Updated product specific information in the "Exchange Server 5.5 Service Pack 4" section of "Security Patch Information."
- Updated link in the "Severity Rating" section of "Technical Details".
V2.0 October 22, 2003: Updated to include details of an additional patch for languages available through the Outlook Web Access language pack.
Released 10/15/03 Updated 4/13/04
MS03-046 Vulnerability in Exchange Server Could Allow Arbitrary Code Execution (829436)
Maximum Severity Rating: Critical
Affected Software: Microsoft Exchange Server 5.5, Service Pack 4; Microsoft Exchange 2000 Server, Service Pack 3
Non Affected Software: Microsoft Exchange Server 2003
Revisions: V1.0 October 15, 2003: First Published.
V1.1 October 22, 2003: Removed unnecessary information from "Deployment" in the "Exchange Server 5.5 Service Pack 4" section of "Security Patch Information."
V1.2 November 11, 2003: Corrected file sizes under "Security Patch Information" "Exchange Server 5.5 Service Pack 4". Added information about Exchange 2000 Post-Service Pack 3 (SP3) Rollup Patch.
V2.0 April 13, 2004: Bulletin updated to advise of the availability of an update for Exchange Server 5.0
Released 10/15/03 Updated 1/13/04
MS03-045 Buffer Overrun in the ListBox and in the ComboBox Control Could Allow Code Execution (824141)
Maximum Severity Rating: Important
Affected Software: Microsoft Windows NT Workstation 4.0; Microsoft Windows NT Server 4.0; Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6; Microsoft Windows 2000, Service Pack 2; Microsoft Windows 2000 Service Pack 3, Service Pack 4; Microsoft Windows XP Gold, Service Pack 1; Microsoft Windows XP 64 bit Edition; Microsoft Windows XP 64 bit Edition Version 2003; Microsoft Windows Server 2003; Microsoft Windows Server 2003 64 bit Edition
Non Affected Software: Microsoft Windows Millennium Edition
Revisions:
V1.1 (October 17, 2003): Re-issued to advise of a language specific compatibility issue with some third-party software.
V2.0 October 22, 2003: Version changed to reflect the availability of updated patch for specific languages.
V3.0 October 29, 2003: A revised version of the security patch for Windows XP has been released to correct the issue documented by Knowledge Base Article 830846.
V4.0 January 13, 2004: Bulletin updated to reflect the release of updated Windows NT 4.0 Workstation and Server updates for Arabic, Hebrew, and Thai languages only.
Released 10/15/03 Updated 10/22/03
MS03-044 Buffer Overrun in Windows Help and Support Center Could Lead to System Compromise (825119)
Maximum Severity Rating: Critical
Affected Software: Microsoft Windows Millennium Edition; Microsoft Windows NT Workstation 4.0, Service Pack 6a; Microsoft Windows NT Server 4.0, Service Pack 6a; Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6; Microsoft Windows 2000, Service Pack 2; Microsoft Windows 2000, Service Pack 3, Service Pack 4; Microsoft Windows XP Gold, Service Pack 1; Microsoft Windows XP 64-bit Edition; Microsoft Windows XP 64-bit Edition Version 2003; Microsoft Windows Server 2003; Microsoft Windows Server 2003 64-bit Edition
Revisions: V1.1 October 22, 2003: Updated download link for Windows XP 64 bit edition Version 2003.
Released 10/15/03 Updated 11/14/03
MS03-043 Buffer Overrun in Messenger Service Could Allow Code Execution (828035)
Maximum Severity Rating: Critical
Affected Software: Microsoft Windows NT Workstation 4.0, Service Pack 6a; Microsoft Windows NT Server 4.0, Service Pack 6a; Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6; Microsoft Windows 2000, Service Pack 2; Microsoft Windows 2000, Service Pack 3, Service Pack 4; Microsoft Windows XP Gold, Service Pack 1; Microsoft Windows XP 64-bit Edition; Microsoft Windows XP 64-bit Edition Version 2003; Microsoft Windows Server 2003; Microsoft Windows Server 2003 64-bit Edition
Non Affected Software: Microsoft Windows Millennium Edition
Revisions:
V1.1 October 22, 2003: Updated the security patch supports in the "Security Patch Information" section for Windows Server 2003, Windows XP, and Windows 2000.
V2.0 October 29, 2003: A revised version of the security patch for Windows 2000, Windows XP, and Windows Server 2003 has been released to correct the issue documented by Knowledge Base Article 830846.
V2.1 November 13, 2003: Bulletin updated to reflect correct file versions for Windows XP update.
V2.2 November 14, 2003: Subsequent to the release of this bulletin, it was determined that the update for Windows XP did not properly place the updated file wkssvc.dll into the %systemroot%\system32\dllcache. This problem is unrelated to the security vulnerability discussed in this bulletin. Microsoft recommends that customers who have previously applied the security update reinstall the latest version to insure that their system remains protected in the event that the wkssvc.dll is ever deleted or becomes corrupt. More information on this is available in the FAQ section of this bulletin. Caveats section has been updated to include new information relevant to NT 4.0 clients.
Released 10/15/03 Updated 10/29/03
MS03-042 Buffer Overflow in Windows Troubleshooter ActiveX Control Could Allow Code Execution (826232)
Maximum Severity Rating: Critical
Affected Software: Microsoft Windows 2000, Service Pack 2; Microsoft Windows 2000, Service Pack 3, Service Pack 4
Non Affected Software: Microsoft Windows NT 4.0; Microsoft Windows NT Server 4.0, Terminal Server Edition; Microsoft Windows Millennium Edition; Microsoft Windows XP; Microsoft Windows Server 2003
Revisions:
V1.1 October 21, 2003: Updated product specific information in the Security Patch Information section.
V2.0 October 29, 2003: A revised version of the security patch for Windows 2000 has been released to correct the issue documented by Knowledge Base Article 830846.
Released 10/15/03 Updated 10/22/03
MS03-041 Vulnerability in Authenticode Verification Could Allow Remote Code Execution (823182)
Maximum Severity Rating: Critical
Affected Software: Microsoft Windows NT Workstation 4.0, Service Pack 6a; Microsoft Windows NT Server 4.0, Service Pack 6a; Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6; Microsoft Windows 2000, Service Pack 2; Microsoft Windows 2000, Service Pack 3, Service Pack 4; Microsoft Windows XP Gold, Service Pack 1; Microsoft Windows XP 64-bit Edition; Microsoft Windows XP 64-bit Edition Version 2003; Microsoft Windows Server 2003; Microsoft Windows Server 2003 64-bit Edition
Non Affected Software: Microsoft Windows Millennium Edition
Revisions: V1.1 October 22, 2003: Updated "File Information" in the "Windows 2000" section of "Security Patch Information."
Released 10/03/03 Revised 10/6/03
MS03-040 Cumulative Patch for Internet Explorer (828750)
Maximum Severity Rating: Critical
Affected Software: Internet Explorer 5.01; Internet Explorer 5.5; Internet Explorer 6.0; Internet Explorer 6.0 for Windows Server 2003
V1.1 (October 6, 2003): Updated Knowledge Base article link, install platforms information, and administrator logon information in the Additional Information section.
Released 9/10/03
MS03-039 Buffer Overrun In RPCSS Service Could Allow Code Execution (824146)
Maximum Severity Rating: Critical
Affected Software: Microsoft Windows NT Workstation 4.0; Microsoft Windows NT Server® 4.0; Microsoft Windows NT Server 4.0, Terminal Server Edition; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Not Affected Software: Microsoft Windows Millennium Edition
Released 9/3/03 (Revised 9/4/03)
MS03-038 Unchecked buffer in Microsoft Access Snapshot Viewer Could Allow Code Execution (827104)
Maximum Severity Rating: Moderate
Affected Software: Microsoft Access 97; Microsoft Access 2000; Microsoft Access 2002
Revisions: V1.1 (September 4, 2003): Updated Download Link.
Released 9/3/03
MS03-037 Flaw in Visual Basic for Applications Could Allow Arbitrary Code Execution (822715)
Maximum Severity Rating: Critical
Affected Software: Microsoft Visual Basic for Applications SDK 5.0; Microsoft Visual Basic for Applications SDK 6.0; Microsoft Visual Basic for Applications SDK 6.2; Microsoft Visual Basic for Applications SDK 6.3
Products which Include the Affected Software: Microsoft Access 97; Microsoft Access 2000; Microsoft Access 2002; Microsoft Excel 97; Microsoft Excel 2000; Microsoft Excel 2002; Microsoft PowerPoint 97; Microsoft PowerPoint 2000; Microsoft PowerPoint 2002; Microsoft Project 2000; Microsoft Project 2002; Microsoft Publisher 2002; Microsoft Visio 2000; Microsoft Visio 2002; Microsoft Word 97; Microsoft Word 98(J); Microsoft Word 2000; Microsoft Word 2002; Microsoft Works Suite 2001; Microsoft Works Suite 2002; Microsoft Works Suite 2003; Microsoft Business Solutions Great Plains 7.5; Microsoft Business Solutions Dynamics 6.0; Microsoft Business Solutions Dynamics 7.0; Microsoft Business Solutions eEnterprise 6.0; Microsoft Business Solutions eEnterprise 7.0; Microsoft Business Solutions Solomon 4.5; Microsoft Business Solutions Solomon 5.0; Microsoft Business Solutions Solomon 5.5
Released 9/3/03 (Revised 9/4/03)
MS03-036 Buffer Overrun in WordPerfect Converter Could Allow Code Execution (827103)
Maximum Severity Rating: Important
Affected Software: Microsoft Office 97; Microsoft Office 2000; Microsoft Office XP; Microsoft Word 98 (J); Microsoft FrontPage 2000; Microsoft FrontPage 2002; Microsoft Publisher 2000; Microsoft Publisher 2002; Microsoft Works Suite 2001; Microsoft Works Suite 2002; Microsoft Works Suite 2003
Revisions: V1.1 (September 04, 2003): Added link to Office XP Administrative Update.
Released 9/3/03
MS03-035 Flaw in Microsoft Word Could Enable Macros to Run Automatically (827653)
Maximum Severity Rating: Important
Affected Software: Microsoft Word 97; Microsoft Word 98 (J); Microsoft Word 2000; Microsoft Word 2002; Microsoft Works Suite 2001; Microsoft Works Suite 2002; Microsoft Works Suite 2003
Released 9/3/03
MS03-034 Flaw in NetBIOS Could Lead to Information Disclosure (824105)
Maximum Severity Rating: Low
Affected Software: Microsoft Windows NT 4.0® Server; Microsoft Windows NT 4.0, Terminal Server Edition; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Not Affected Software: Microsoft Windows Millennium Edition
Released 8/20/03
MS03-033 Unchecked Buffer in MDAC Function Could Enable System Compromise (823718)
Maximum Severity Rating: Important
Affected Software: Microsoft Data Access Components 2.5; Microsoft Data Access Components 2.6; Microsoft Data Access Components 2.7
Released 8/20/03 (Revised 9/4/03)
MS03-032 Cumulative Patch for Internet Explorer (822925)
Maximum Severity Rating: Critical
Affected Software: Microsoft Internet Explorer 5.01; Microsoft Internet Explorer 5.5; Microsoft Internet Explorer 6.0; Microsoft Internet Explorer 6.0 for Windows Server 2003
Revisions:
V1.0 (August 20, 2003): Bulletin Created.
V1.1 (August 25, 2003): Added information regarding ASP.NET related issues with Windows XP patch.
V1.2 (August 28, 2003): Added details to reboot information in Additional Information section.
V1.3 (September 8, 2003): Added information regarding reports that the patch provided does not properly correct the Object Type Vulnerability
Released 7/23/03 (Revised 7/24/03)
MS03-031 Cumulative Patch for Microsoft SQL Server (815495)
Maximum Severity Rating: Important
Affected Software: Microsoft SQL Server 7.0; Microsoft Data Engine (MSDE) 1.0; Microsoft SQL Server 2000; Microsoft SQL Server 2000 Desktop Engine (MSDE 2000); Microsoft SQL Server 2000 Desktop Engine (Windows)
Revisions: V1.1 July 24, 2003: Updated CVE Candidate numbers
Released 7/23/03 (Revised 8/20/03)
MS03-030 Unchecked Buffer in DirectX Could Enable System Compromise (819696)
Maximum Severity Rating: Critical
Subsequent to the original release of this bulletin, customers requested that we support additional versions of DirectX that were not covered by the original patches. This bulletin has been updated to provide information about a new patch, which is intended for customers using Windows 98, Windows 98 SE, Windows Millennium Edition, or Windows 2000 who have upgraded to Microsoft DirectX 8.0, 8.0a, 8.1, 8.1a, or 8.1b.
Affected Software: Microsoft DirectX® 5.2 on Windows 98; Microsoft DirectX 6.1 on Windows 98 SE; Microsoft DirectX 7.0a on Windows Millennium Edition; Microsoft DirectX 7.0 on Windows 2000; Microsoft DirectX 8.1 on Windows XP; Microsoft DirectX 8.1 on Windows Server 2003; Microsoft DirectX 9.0a when installed on Windows Millennium Edition; Microsoft DirectX 9.0a when installed on Windows 2000; Microsoft DirectX 9.0a when installed on Windows XP; Microsoft DirectX 9.0a when installed on Windows Server 2003; Microsoft Windows NT 4.0 with either Windows Media Player 6.4 or IE6 Service Pack 1 installed; Microsoft Windows NT 4.0, Terminal Server Edition with either WMP 6.4 or IE6 Service Pack 1 installed.
V2.0 (August 20, 2003): Updated to include details of an additional patch for versions of DirectX.
V2.1 (August 20, 2003): Added clarification regarding additional patch in Technical description section.
Released 7/23/03 (Revised 8/13/03)
MS03-029 Flaw in Windows Function Could Allow Denial of Service (823803)
Maximum Severity Rating: Moderate
Affected Software: Microsoft Windows NT 4.0 Server; Microsoft Windows NT 4.0 Terminal Server Edition
Not Affected Software: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Why has Microsoft reissued this bulletin?
Subsequent to issuing this security bulletin, Microsoft identified a problem with the security patch which specifically affects systems which have the Remote Access Service (RAS) enabled on them. This causes RAS to fail when the system is rebooted after applying the patch. It does not affect other non-RAS functions, nor is there a problem with the actual fix for the security vulnerability itself. Microsoft has developed a fix for this issue and is re-releasing this bulletin to reflect the new updated patch that corrects the RAS problem.
Released 7/16/03
MS03-028 Flaw in ISA Server Error Pages Could Allow Cross-Site Scripting Attack (816456)
Maximum Severity Rating: Important
Affected Software: Microsoft Internet Security and Acceleration (ISA) Server 2000
Released 7/16/03
MS03-027 Unchecked Buffer in Windows Shell Could Enable System Compromise (821557)
Maximum Severity Rating: Important
Affected Software: Microsoft Windows XP
Not Affected Software Versions: Windows Me; Windows NT Server 4.0; Windows NT Server, Terminal Services Edition; Microsoft Windows 2000; Microsoft Windows Server 2003
Released 7/16/03 Revised 8/15/03
MS03-026 Buffer Overrun In RPC Interface Could Allow Code Execution (823980)
Maximum Severity Rating: Critical
Affected Software: Windows NT Server 4.0; Windows NT Server, Terminal Services Edition; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Not Affected Software Versions: Windows Me
Reason for revision:
V1.1 (July 18, 2003): Mitigating factors and Workaround section updated to reflect additional ports.
V1.2 (July 21, 2003): Added Windows XP gold patch verification registry key.
V1.3 (July 27, 2003): Updated Workaround section to include additional information about how to disable DCOM.
V1.4 (August 12, 2003): Updated to include information about Windows 2000 Service Pack 2 support for this patch and updated bulletin with additional workaround information.
V1.5 (August 14, 2003): Added details for scanner tool.
Released 7/9/03
MS03-025 Flaw in Windows Message Handling through Utility Manager Could Enable Privilege Elevation (822679)
Maximum Severity Rating: Important
Affected Software: Microsoft Windows 2000
Not Affected Software Versions: Windows Me; Windows NT Server 4.0; Windows NT Server, Terminal Services Edition; Microsoft Windows XP; Microsoft Windows Server 2003
Released 7/9/03
MS03-024 Buffer Overrun in Windows Could Lead to Data Corruption (817606)
Maximum Severity Rating: Important
Affected Software: Microsoft Windows 2000; Windows NT Server 4.0; Windows NT Server 4.0, Terminal Services Edition; Microsoft Windows XP
Not Affected Software Versions: Microsoft Windows Server 2003
Released 7/9/03
MS03-023 Buffer Overrun In HTML Converter Could Allow Code Execution (823559)
Maximum Severity Rating: Critical
Affected Software: Microsoft Windows 98; Microsoft Windows 98 Second Edition; Microsoft Windows Me; Windows NT Server 4.0; Windows NT 4.0 Terminal Server Edition; Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server 2003
Released 6/25/03
MS03-022 Flaw in ISAPI Extension for Windows Media Services Could Cause Code Execution (822343)
Maximum Severity Rating: Important
Affected Software: Microsoft Windows 2000
Not Affected Software Versions: Windows NT 4.0; Microsoft Windows XP; Microsoft Windows Server 2003
Released 6/25/03
MS03-021 Flaw In Windows Media Player May Allow Media Library Access (819639)
Maximum Severity Rating: Moderate
Affected Software: Microsoft Windows Media Player 9 Series
Not Affected Software Versions: Microsoft Windows Media Player 6.4; Microsoft Windows Media Player 7.1; Microsoft Windows Media Player for Windows XP (8.0)
Released 6/4/03
MS03-020 Cumulative Patch for Internet Explorer (818529)
Maximum Severity Rating: Critical
Affected Software: Microsoft Internet Explorer 5.01; Microsoft Internet Explorer 5.5; Microsoft Internet Explorer 6.0; Microsoft Internet Explorer 6.0 for Windows Server 2003
Released 5/28/03 Revised 5/30/03
MS03-019 Flaw in ISAPI Extension for Windows Media Services Could Cause Denial of Service (817772)
Maximum Severity Rating: Important
Affected Software: Microsoft Windows NT 4.0; Microsoft Windows 2000
Non Affected Software: Microsoft Windows XP; Microsoft Windows Server 2003
Revisions: V2.0 May 30, 2003: Re-released bulletin with new rating of Important to reflect additional action an attacker could take.
Released 5/28/03
MS03-018 Cumulative Patch for Internet Information Service (811114)
Maximum Severity Rating: Important
Affected Software: Microsoft Internet Information Server 4.0; Microsoft Internet Information Services 5.0; Microsoft Internet Information Services 5.1
Non Affected Software: Microsoft Internet Information Services 6.0
Released 5/7/03
MS03-017 Flaw in Windows Media Player Skins Downloading could allow Code Execution (817787)
Maximum Severity Rating: Critical
Affected Software: Microsoft Windows Media Player 7.1; Microsoft Windows Media Player for Windows XP (Version 8.0)
Released 5/1/03
MS03-016 Cumulative Patch for BizTalk Server (815206)
Maximum Severity Rating: Important
Affected Software: Microsoft BizTalk Server 2000; Microsoft BizTalk Server 2002
Released 4/23/03
MS03-015 Cumulative Patch for Internet Explorer (813489)
Maximum Severity Rating: Critical
Affected Software: Microsoft Internet Explorer 5.01; Microsoft Internet Explorer 5.5; Microsoft Internet Explorer 6.0
Released 4/23/03
MS03-014 Cumulative Patch for Outlook Express (330994)
Maximum Severity Rating: Critical
Affected Software: Microsoft Outlook Express 5.5; Microsoft Outlook Express 6.0
Released 4/16/03 (Revision 1 4/17/03, Revision 2 4/23/03, Revision 3 5/28/03)
MS03-013 Buffer Overrun in Windows Kernel Message Handling could Lead to Elevated Privileges (811493)
Maximum Severity Rating: Important
Affected Software: Microsoft Windows NT 4.0; Microsoft Windows NT 4.0 Server, Terminal Server Edition; Microsoft Windows 2000; Microsoft Windows XP
REASON FOR UPDATE Included correct patch supercedence information for Windows 2000.
V1.2 April 23, 2003: Added information regarding performance related issues with Windows XP SP1 patch. See FAQ section for details.
V2.0 Re-issued to advise of availability of revised Windows XP SP1 patch to correct performance issues
Released 4/9/03
MS03-012 Flaw In Winsock Proxy Service And ISA Firewall Service Can Cause Denial Of Service (331066)
Maximum Severity Rating: Important
Affected Software: Microsoft Proxy Server 2.0; Microsoft ISA Server
Released 4/9/03
MS03-011 Flaw in Microsoft VM Could Enable System Compromise (816093)
Maximum Severity Rating: Critical
Affected Software: Versions of the Microsoft virtual machine (Microsoft VM) are identified by build numbers, which can be determined using the JVIEW tool as discussed in the FAQ. All builds of the Microsoft VM up to and including build 5.0.3809 are affected by these vulnerabilities.
Released 3/26/03
MS03-010 Flaw in RPC Endpoint Mapper Could Allow Denial of Service Attacks (331953)
Maximum Severity Rating: Important
Affected Software: Microsoft Windows NT 4; Microsoft Windows 2000; Microsoft Windows XP
Released 3/18/03
MS03-009 Flaw In ISA Server DNS Intrusion Detection Filter Can Cause Denial Of Service (331065)
Maximum Severity Rating: Moderate
Affected Software: Microsoft ISA Server
Released 3/18/03
MS03-008 Flaw in Windows Script Engine Could Allow Code Execution (814078)
Maximum Severity Rating: Critical
Affected Software: Microsoft Windows 98; Microsoft Windows 98 Second Edition; Microsoft Windows Me; Microsoft Windows NT 4.0; Microsoft Windows NT 4.0 Terminal Server Edition; Microsoft Windows 2000; Microsoft Windows XP
Released 03/17/03 (Revision 1 3/18/03, Revision 2 4/17/03, Revision 3 5/28/03)
MS03-007 Unchecked Buffer In Windows Component Could Cause Web Server Compromise (815021)
Maximum Severity Rating: Critical
Affected Software: Microsoft Windows NT 4.0; Microsoft Windows NT 4.0 Terminal Server Edition; Microsoft Windows 2000; Microsoft Windows XP
Not Affected Software: Microsoft Windows Server 2003
Why has Microsoft reissued this bulletin? Microsoft first issued this bulletin on March 17, 2003. At that time, Microsoft was aware of a publicly available exploit that was being targeted against Windows 2000 servers running IIS. The underlying vulnerability was in a core operating system component, ntdll.dll, but WebDAV was being used as the attack vector. Microsoft responded and issued this bulletin and a patch to protect Windows 2000 customers. Microsoft continued to investigate the issue and determined that the underlying vulnerability in ntdll.dll also existed in Windows NT 4.0. Subsequent to this bulletin first being issued, Microsoft updated the bulletin to provide a fix for the underlying vulnerability in Windows NT 4.0. Further investigations identified that the underlying vulnerability in ntdll.dll also exists in Windows XP and Microsoft has now released a Windows XP patch with this bulletin.
WebDAV is not supported in Windows NT 4.0 and therefore could not be used as an attack vector, and both Windows NT 4.0 and Windows XP do not install IIS by default. However Windows NT 4.0 and Windows XP are still vulnerable to other attacks, in particular in cases where an attacker could log on interactively to the system.
V2.0 (April 23, 2003): Updated to include details of NT 4.0 patch.
V3.0 (May 28, 2003): Updated to include details of Windows XP patch.
V3.1 (May 28, 2003): Updated to include correct Windows NT 4.0 and Windows XP verification keys.
V3.2 (May 28, 2003): Updated frequently asked questions section regarding IIS 5.1
Released 02/26/03
MS03-006 Flaw in Windows Me Help and Support Center Could Enable Code Execution (812709)
Maximum Severity Rating: Critical
Affected Software: Microsoft Windows Me
Released 02/05/03
MS03-005 Unchecked Buffer in Windows Redirector Could Allow Privilege Elevation (810577)
Maximum Severity Rating: Important
Affected Software: Microsoft Windows XP
Released 02/05/03 Updated 02/19/02
MS03-004 Cumulative Patch for Internet Explorer (810847)
Maximum Severity Rating: Critical
Affected Software: Internet Explorer 5.01; Internet Explorer 5.5; Internet Explorer 6.0
REASON FOR UPDATE (#1) Subsequent to the initial release of this bulletin, a non-security issue was discovered with this patch that could affect some users - primarily consumers - under certain conditions. Specifically, the issue could cause some users to be unable to authenticate to certain Internet web sites such as subscription based sites, or MSN e-mail. This issue has been resolved, and a hot fix (813951) issued to correct it. It is important to note that this hot fix corrects a very specific non-security issue, and that the security patch discussed in this Security Bulletin was, and still is, effective in removing the vulnerabilities discussed later in this bulletin. More information, including details of how to obtain the hot fix are available at: »www.microsoft.com/windows/ie/dow···ault.asp and in the Frequently Asked Questions section of this bulletin.
REASON FOR UPDATE (#2) Provided further clarification that hot fix 813951 applies to IE 6 only.
Released 01/22/03
MS03-003 Flaw in how Outlook 2002 handles V1 Exchange Server Security Certificates could lead to Information Disclosure (812262)
Maximum Severity Rating: Moderate
Affected Software: Microsoft Outlook 2002
Released 01/22/03
MS03-002 Cumulative Patch for Microsoft Content Management Server (810487)
Maximum Severity Rating: Important
Affected Software: Microsoft Content Management Server 2001
Released 01/22/03
MS03-001 Unchecked Buffer in Locator Service Could Lead to Code Execution (810833)
Maximum Severity Rating: Critical
Affected Software: Microsoft Windows NT 4.0; Microsoft Windows NT 4.0, Terminal Server Edition; Microsoft Windows 2000; Microsoft Windows XP