The Active Network
Microsoft Security Bulletin Summary List 2001

Security Bulletin Name: Brief Description (ID Number)
Date / Link

SQL Server Text Formatting Functions Contain Unchecked Buffers: SQL Server 7.0 and 2000 provide a number of functions that enable database queries to generate text messages. In some cases, the functions create a text message and store it in a variable; in others, the functions directly display the message. Two vulnerabilities associated with these functions have been discovered. (MS01-060)
December 20, 2001
Unchecked Buffer in Universal Plug and Play can Lead to System Compromise: The Universal Plug and Play (UPnP) service allows computers to discover and use network-based devices. Windows ME and XP include native UPnP services; Windows 98 and 98SE do not include a native UPnP service, but one can be installed via the Internet Connection Sharing client that ships with Windows XP. This bulletin discusses two vulnerabilities affecting these UPnP implementations. Although the vulnerabilities are unrelated, both involve how UPnP-capable computers handle the discovery of new devices on the network. (MS01-059)
December 20, 2001
Cumulative Patch for IE: This is a cumulative patch that, when installed, eliminates all previously discussed security vulnerabilities affecting IE 5.5 and IE 6. In addition, it eliminates three newly discovered vulnerabilities. (MS01-058)
December 13, 2001
Specially Formed Script in HTML Mail can Execute in Exchange 5.5 OWA: Outlook Web Access (OWA) is a service of Exchange 5.5 Server that allows users to access and manipulate messages in their Exchange mailbox by using a web browser. A flaw exists in the way OWA handles inline script in messages in conjunction with Internet Explorer (IE). If an HTML message that contains specially formatted script is opened in OWA, the script executes when the message is opened. Because OWA requires that scripting be enabled in the zone where the OWA server is located, a vulnerability results because this script could take any action against the user's Exchange mailbox that the user himself was capable of, including sending, moving, or deleting messages. An attacker could maliciously exploit this flaw by sending a specially crafted message to the user. If the user opened the message in OWA, the script would then execute. While it is possible for a script to send a message as the user, it is impossible for the script to send a message to addresses in the user's address book. Thus, the flaw cannot be exploited for mass-mailing attacks. Also, mounting a successful attack requires knowledge of the intended victim's choice of mail clients and reading habits. If the maliciously crafted message were read in any mail client other than a browser through OWA, the attack would fail. (MS01-057)
December 06, 2001
Windows Media Player .ASF Processor Contains Unchecked Buffer: One of the streaming media formats supported by Windows Media Player is Advanced Streaming Format (ASF). A security vulnerability occurs in Windows Media Player 6.4 because the code that processes ASF files contains an unchecked buffer. By creating a specially malformed ASF file and inducing a user to play it, an attacker could overrun the buffer, with either of two results: in the simplest case, Windows Media Player 6.4 would fail; in the more complex case, code chosen by the attacker could be made to run on the user's computer, with the privileges of the user. The scope of this vulnerability is rather limited. It affects only Windows Media Player 6.4, and can only be exploited by the user opening and deliberately playing an ASF file. There is no capability to exploit this vulnerability via email or a web page. (MS01-056)
November 19, 2001
Cookie Data in IE Can Be Exposed or Altered Through Script Injection: Web sites use cookies as a way to store information on a user's local system. Most often, this information is used for customizing and retaining a site's setting for a user across multiple sessions. By design each site should maintain its own cookies on a user's machine and be able to access only those cookies. A vulnerability exists because it is possible to craft a URL that can allow sites to gain unauthorized access to user's cookies and potentially modify the values contained in them. Because some web sites store sensitive information in a user's cookies, it is also possible that personal information could be exposed. (MS01-055)
November 8, 2001
Invalid Universal Plug and Play Request can Disrupt System Operation: The Universal Plug and Play (UPnP) service allows computers to discover and use network-based devices. Windows ME and XP include native UPnP services; Windows 98 and 98SE do not include a native UPnP service, but one can be installed via the Internet Connection Sharing client that ships with Windows XP. A vulnerability results because the UPnP service does not correctly handle certain types of invalid UPnP requests. On Windows 98, 98SE, and ME systems, receiving such a request could cause a variety of effects ranging from slow performance to system failure. On Windows XP, the effect is less serious as the flaw consists of a memory leak. Each time a Windows XP system received such a request, a small amount of system memory would become unavailable; if repeated many times, it could deplete system resources to the point where performance slowed or stopped altogether. (MS01-054)
November 1, 2001
Downloaded Applications Can Execute on Mac IE 5.1 for OS X: The Macintosh OS X Operating System provides built-in support for both BinHex and MacBinary file types. These file types allow for the efficient transfer of information across networks by allowing information to be compressed by the sender and then decompressed by the recipient. This capability is particularly useful on the Internet, by allowing users to download compressed files. A vulnerability results because of a flaw in the way Mac OS X and Mac IE 5.1 interoperate when BinHex and MacBinary file types are downloaded. As a result, an application that is downloaded in either of these formats can execute automatically once the download is complete. A user would first have to choose to download a file and allow the download to fully complete before the application could execute. Also, users can choose to disable the automatic decoding of both these file types. (MS01-053)
October 23, 2001
Invalid RDP Data can Cause Terminal Service Failure: On October 18, 2001 Microsoft released the original version of this bulletin. On October 19, 2001, an issue was identified with the Windows 2000 patch. The patch was withdrawn so that it could be updated and re-released. On October 22, 2001 the updated patch and bulletin were posted. We recommend that customers who installed the original version of the Windows 2000 patch install the updated version. The implementation of the Remote Data Protocol (RDP) in the terminal service in Windows NT 4.0 and Windows 2000 does not correctly handle a particular series of data packets. If such a series of packets were received by an affected server, it would cause the server to fail. The server could be put back into normal service by rebooting it, but any work in progress at the time of the attack would be lost. It would not be necessary for an attacker to be able to start a session with an affected server in order to exploit this vulnerability - the only prerequisite would be the need to be able to send the correct series of packets to the RDP port on the server. (MS01-052)
October 22, 2001
Malformed Dotless IP Address Can Cause Web Page to be Handled in Intranet Zone: This patch eliminates three vulnerabilities affecting Internet Explorer. The first involves how IE handles URLs that include dotless IP addresses. If a web site were specified using a dotless IP format (e.g., http://031713501415 rather than http://207.46.131.13), and the request were malformed in a particular way, IE would not recognize that the site was an Internet site. Instead, it would treat the site as an intranet site, and open pages on the site in the Intranet Zone rather than the correct zone. This would allow the site to run with fewer security restrictions than appropriate. This vulnerability does not affect IE 6. (MS01-051)
October 10, 2001
Malformed Excel or PowerPoint Document Can Bypass Macro Security: Excel and PowerPoint have a macro security framework that controls the execution of macros and prevents macros from running automatically. Under this framework, any time a user opens a document the document is scanned for the presence of macros. If a document contains macros, the user is notified and asked if he wants to run the macros or the macros are disabled entirely, depending on the security setting. A flaw exists in the way macros are detected that can allow a malicious user to bypass macro checking. A malicious attacker could attempt to exploit this vulnerability by crafting a specially formed Excel or PowerPoint document with macro code that would run automatically when the user opened it. The attacker could carry out this attack by hosting the malicious file on a web site, a file share, or by sending it through email. (MS01-050)
October 04, 2001
Deeply-nested OWA Request Can Consume Server CPU Availability: A security vulnerability exists in Exchange 2000 Outlook Web Access, because it will accept and process a request for an item in an authenticated user's mailbox without verifying first that the folder structure is valid. An attacker could mount a denial of service attack by repeatedly levying a request for a non-existent but deeply nested folder in his own mailbox. Exploiting the vulnerability wouldn't necessarily affect the OWA server itself. The effect of the vulnerability would be to cause the process servicing the attacker's mailbox to consume most or all of the CPU availability on the server it was running on. In many cases, this process would run on the OWA server, and thus the effects would be seen there. However, if the process servicing the attacker's mailbox ran on a back-end server, the effect of exploiting the vulnerability would be seen there. In any event, the affected server would resume normal service once the request was handled. (MS01-049)
September 27, 2001
Malformed Request to RPC Endpoint Mapper can Cause RPC Service to Fail: The RPC endpoint mapper allows RPC clients to determine the port number currently assigned to a particular RPC service. The Windows NT 4.0 endpoint mapper contains a flaw that causes it to fail upon receipt of a request that contains a particular type of malformed data. Because the endpoint mapper runs within the RPC service itself, exploiting this vulnerability would cause the RPC service itself to fail, with the attendant loss of any RPC-based services the server offers, as well as potential loss of some COM functions. Normal service could be restored by rebooting the server. (MS01-048)
September 10, 2001
OWA Function Allows Unauthenticated User to Enumerate Global Address List: Among the functions Outlook Web Access (OWA) in Exchange 5.5 offers is the ability to search the global address list (GAL). By design, this is an authenticated function, implemented as a two-tier architecture - a front tier that provides a user interface and a back-end tier that actually performs the search. However, only the front tier actually checks authentication. An attacker who sent a properly formatted request to the back-end function that actually performs the search could enumerate the GAL without authenticating. (MS01-047)
September 06, 2001
Access Violation in Windows 2000 IRDA Driver Can Cause System to Restart: Microsoft Windows 2000 provides support for infrared-based connectivity. This support is provided through protocols developed by the Infrared Data Association (IRDA). Because of this, they are often called IRDA devices. These devices can be used to share files and printers with other IRDA-device capable systems. The software which handles IRDA devices in Windows 2000 contains an unchecked buffer in the code which handles certain IRDA packets. (MS01-046)
August 21, 2001
ISA Server H.323 Gatekeeper Service Contains Memory Leak: This bulletin discusses three security vulnerabilities that are unrelated except in the sense that all affect ISA Server 2000: a denial of service vulnerability involving the H.323 Gatekeeper Service; a denial of service vulnerability in the Proxy service; and a cross-site scripting vulnerability affecting the error page that ISA Server 2000 generates in response to a failed request for a web page. (MS01-045)
August 16, 2001
Five vulnerabilities resulting in either denial of service or privilege elevation: This patch is a cumulative patch that includes the functionality of all security patches released to date for IIS 5.0, and all patches released for IIS 4.0 since Windows NT(r) 4.0 Service Pack 5. A complete listing of the patches superseded by this patch is provided below, in the section titled "Additional information about this patch". Before applying the patch, system administrators should take note of the caveats discussed in the same section. (MS01-044)
August 15, 2001
NNTP Service in Windows NT 4.0 and Windows 2000 Contains Memory Leak: The NNTP (Network News Transport Protocol) service in Windows NT 4.0 and Windows 2000 contains a memory leak in a routine that processes news postings. Each time such a posting is processed that contains a particular construction, the memory leak causes a small amount of memory to no longer be available for use. If an attacker sent a large number of posts, the server memory could be depleted to the point at which normal service would be disrupted. An affected server could be restored to normal service by rebooting. (MS01-043)
August 14, 2001
Windows Media Player .NSC Processor Contains Unchecked Buffer: Windows Media Player provides support for audio and video streaming. Streaming media channels can be configured by using Windows Media Station (.NSC) files. An unchecked buffer exists in the functionality used to process Windows Media Station files. This unchecked buffer could potentially allow an attacker to run code of his choice on the machine of another user. The attacker could either send a specially malformed file to another user and entice her to run or preview it, or he could host such a file on a web site and cause it to launch automatically whenever a user visited the site. The code could take any action on the machine that the legitimate user himself could take. (MS01-042)
July 26, 2001
Malformed RPC Request Can Cause Service Failure: Several of the RPC servers associated with system services in Microsoft Exchange, SQL Server, Windows NT 4.0 and Windows 2000 do not adequately validate inputs, and in some cases will accept invalid inputs that prevent normal processing. The specific input values at issue here vary from RPC server to RPC server. (MS01-041)
July 26, 2001
Invalid RDP Data Can Cause Memory Leak in Terminal Services: The Windows 2000 Terminal Service and Windows NT 4.0 Terminal Server Edition contains a memory leak in one of the functions that processes incoming Remote Data Protocol data via port 3389. Each time an RDP packet containing a specific type of malformation is processed, the memory leak depletes overall server memory by a small amount. If an attacker sent a sufficiently large quantity of such data to an affected machine, he could deplete the machine's memory to the point where response time would be slowed or the machine's ability to respond would be stopped altogether. All system services would be affected, including but not limited to terminal services. Normal operation could be restored by rebooting the machine. (MS01-040)
July 25, 2001
Services for Unix 2.0 Telnet and NFS Services Contain Memory Leaks: Among the components provided by Services for Unix (SFU) 2.0 are services that implement the NFS (Network File System) and Telnet protocols. Both services contain memory leaks that could be triggered by a user request. An attacker who repeatedly sent such a request could deplete the kernel memory on the server to the point where performance slowed and the system could potentially fail. (MS01-039)
July 24, 2001
Outlook View Control Exposes Unsafe Functionality: The Microsoft Outlook View Control is an ActiveX control that allows Outlook mail folders to be viewed via web pages. The control should only allow passive operations such as viewing mail or calendar data. In reality, though, it exposes a function that could allow the web page to manipulate Outlook data. This could enable an attacker to delete mail, change calendar information, or take virtually any other action through Outlook including running arbitrary code on the user's machine. Hostile web sites would pose the greatest threat with respect to this vulnerability. If a user could be enticed into visiting a web page controlled by an attacker, script or HTML on the page could invoke the control when the page was opened. The script or HTML could then use the control to take whatever action the attacker desired on the user's Outlook data. (MS01-038)
July 12, 2001
Authentication Error in SMTP Service Could Allow Mail Relaying: An SMTP service installs by default as part of Windows 2000 server products, and can be selected for installation on Windows 2000 Professional. A vulnerability results because of a flaw in the authentication process used by the service. The vulnerability could allow an unauthorized user to successfully authenticate to the service using incorrect credentials. An attacker who exploited the vulnerability could gain user-level privileges on the SMTP service, thereby enabling the attacker to use the service but not to administer it. The most likely purpose in exploiting the vulnerability would be to perform mail relaying via the server. (MS01-037)
July 05, 2001
Function Exposed via LDAP over SSL Could Enable Passwords to be Changed: This vulnerability involves an LDAP function that is only available if the LDAP server has been configured to support LDAP over SSL sessions, and whose purpose is to allow users to change the data attributes of directory principals. By design, the function should check the authorizations of the user before completing the request; however, it contains an error that manifests itself only when the directory principal is a domain user and the data attribute is the domain password -- when this is the case, the function fails to check the permissions of the requester, with the result that it could be possible for a user to change any other user's domain login password. An attacker could change another user's password for either of two purposes: to cause a denial of service by preventing the other user from logging on, or in order to log into the user's account and gain any privileges the user had. Clearly, the most serious case would be one in which the attacker changed a domain administrator's password and logged into the administrator's account. By design, the function affected can be called by any user who can connect to the LDAP server, including users who connect via anonymous sessions. As a result, any user who could establish a connection with an affected server could exploit the vulnerability. (MS01-036)
June 26, 2001
FrontPage Server Extension Sub-Component Contains Unchecked Buffer: FrontPage Server Extensions ship as part of IIS 4.0 and 5.0, and facilitate the development of Web sites and Web-based applications. FrontPage Server Extensions includes an additional, optional sub-component called Visual Studio RAD (Remote Application Deployment) Support. This sub-component allows Visual InterDev 6.0 users to register and unregister COM objects on an IIS 4.0 or 5.0 Server. This sub-component contains an unchecked buffer in a section that processes input information. An attacker could exploit this vulnerability against any server with this sub-component installed by establishing a web session with the server and passing a specially malformed packet to the server component. The attacker could use that packet to load code of his choice for execution on the server. An attack that exploits this vulnerability would execute in the IUSR_machinename context (see Q142868). However, it is possible under certain circumstances to execute code in the SYSTEM context. It is important to note that this feature is not installed by default with FPSE. It is also not installed by default on either IIS 4.0 or 5.0. Also, when the feature is selected during installation, a warning message is raised alerting the administrator that this feature should not be installed on production machines, especially if the production machine has Internet access. This is because this feature is only intended for facilitating internal development. The administrator must acknowledge the warning to successfully install the feature. (MS01-035)
June 21, 2001
Malformed Word Document Could Enable Macro to Run Automatically: Word, like other members of the Office product family, provides a security mechanism that requires the user's approval to run macros. By design, any time a document is opened Word scans it for macros. If any are found, they are handled in accordance with user's selected security settings. By default in Word 2000 and 2002, only macros that are signed by a trusted party are enabled; all others are disabled. In Word 97, if the document contains macros, the user is prompted regarding whether to enable them or disable them. A vulnerability results because it is possible to modify a Word document in such a way as to prevent the security scanner from recognizing an embedded macro while still allowing it to execute. Exploiting the vulnerability would enable an attacker to cause a macro to run automatically when such a document was opened. Such a macro would be able to take any action that the user herself could take. This could include disabling the user's Word security settings so that subsequently-opened Word documents would no longer be checked for macros. (MS01-034)
June 21, 2001
Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise: As part of its installation process, IIS installs several ISAPI extensions -- .dlls that provide extended functionality. Among these is idq.dll, which is a component of Index Server (known in Windows 2000 as Indexing Service) and provides support for administrative scripts (.ida files) and Internet Data Queries (.idq files). A security vulnerability results because idq.dll contains an unchecked buffer in a section of code that handles input URLs. An attacker who could establish a web session with a server on which idq.dll is installed could conduct a buffer overrun attack and execute code on the web server. Idq.dll runs in the System context, so exploiting the vulnerability would give the attacker complete control of the server and allow him to take any desired action on it. (MS01-033)
June 18, 2001
SQL Query Method Enables Cached Administrator Connection to be Reused: When a client connection to a SQL Server is terminated, it remains cached for a short period of time for performance reasons. One SQL query method contains a flaw that has the effect of making it possible for one user's query to reuse a cached connection that belonged to the sa account. Exploiting this vulnerability would enable an attacker to execute the query using the administrator's security context. This would give her the ability to take any desired action on the database; moreover, it would give her the ability to run extended stored procedures, thereby giving her the opportunity to run code of her choice and assume de facto control of the server itself. (MS01-032)
June 12, 2001
Predictable Named Pipes Could Enable Privilege Elevation via Telnet: This bulletin discusses a total of seven vulnerabilities affecting the Windows 2000 Telnet service. The vulnerabilities fall into three broad categories: privilege elevation, denial of service and information disclosure. (MS01-031)
June 07, 2001
Incorrect Attachment Handling in Exchange 2000 OWA Can Execute Script: OWA is a service of Exchange 2000 Server that allows users to use a web browser to access their Exchange mailbox. However, a flaw exists in the interaction between OWA and IE for message attachments. If an attachment contains HTML code including script, the script will be executed when the attachment is opened, regardless of the attachment type. Because OWA requires that scripting be enabled in the zone where the OWA server is located, this script could take action against the user's Exchange mailbox. (MS01-030)
June 06, 2001
Windows Media Player .ASX Processor Contains Unchecked Buffer: This bulletin discusses two security vulnerabilities that are related to each other only by the fact that they affect Windows Media Player. We packaged them in a single patch for customers using Windows Media Player 6.4 to make it more convenient for customers to apply. For customers using Windows Media Player 7, both security vulnerabilities are addressed by upgrading to Windows Media Player 7.1. (MS01-029)
May 23, 2001
RTF document linked to template can run macros without warning: Word, like other members of the Office product family, provides a security mechanism that requires the user's approval to run macros. By design, any time a document is opened the user would be notified if the document contains macros. In addition, this mechanism checks secondary documents that the original document links to, such as templates, and warns if any of those contain macros. This feature works by scanning the document or template for the presence of macros, alerting the user of their presence, and then asking the user if he wants to allow the macros to run. By embedding a macro in a template, and providing another user with an RTF document that links to it, an attacker could cause a macro to run automatically when the RTF document was opened. The macro would be able to take any action that the user herself could take. This could include disabling the user's Word security settings so that subsequently-opened Word documents would no longer be checked for macros. (MS01-028)
May 21, 2001
Flaws in Web Server Certificate Validation Could Enable Spoofing: A patch is available to eliminate two newly discovered vulnerabilities affecting Internet Explorer, both of which could enable an attacker to spoof trusted web sites. The first vulnerability involves how digital certificates from web servers are validated. When CRL checking for such certificates is enabled, it could be possible for any or all of the following checks to no longer be performed. (MS01-027)
May 16, 2001
Superfluous Decoding Operation Could Allow Command Execution via IIS: This patch is a cumulative patch that includes the functionality of all security patches released to date for IIS 5.0, and all patches released for IIS 4.0 since Windows NT(r) 4.0 Service Pack 5. A complete listing of the patches superseded by this patch is provided in the web-hosted security bulletin, in the section titled "Additional information about this patch". Before applying the patch, system administrators should take note of the caveats discussed in the same section. (MS01-026)
May 14, 2001
Index Server 2.0, Indexing Service for Windows 2000: The patches provided in the bulletin address two security vulnerabilities that are unrelated to each other except in the sense that both affect Index Server 2.0. The first vulnerability is a buffer overrun vulnerability. Index Server 2.0 has an unchecked buffer in a function that processes search requests. If an overly long value were provided for a particular search parameter, it would overrun the buffer. If the buffer were overrun with random data, it would cause Index Server to fail. If it were overrun with carefully selected data, code of the attacker's choice could be made to run on the server, in the Local System security context. (MS01-025)
May 10, 2001
Malformed Request to Domain Controller can Cause Memory Exhaustion: A core service running on all Windows 2000 domain controllers (but not on any other machines) contains a memory leak, which can be triggered when it attempts to process a certain type of invalid service request. By repeatedly sending such a request, an attacker could deplete the available memory on the server. If memory were sufficiently depleted, the domain controller could become unresponsive, which would prevent it from processing logon requests or issuing new Kerberos tickets. An affected machine could be put back into service by rebooting. (MS01-024)
May 8, 2001
Unchecked Buffer in ISAPI Extension Could Enable Compromise of IIS 5.0 Server: A security vulnerability results because the ISAPI extension contains an unchecked buffer in a section of code that handles input parameters. This could enable a remote attacker to conduct a buffer overrun attack and cause code of her choice to run on the server. Such code would run in the Local System security context. This would give the attacker complete control of the server, and would enable her to take virtually any action she chose. (MS01-023)
May 1, 2001
WebDAV Service Provider Can Allow Scripts to Levy Requests as User: The Microsoft Data Access Component Internet Publishing Provider provides access to WebDAV resources over the Internet. By design, it should differentiate between requests made by a user and those made by a script running in the user's browser. However, because of an implementation flaw, it handles all requests in the security context of the user. As a result, if a user browsed to a web page or opened an HTML e-mail that contained script, that script could access web-based resources as the user. (MS01-022)
April 18, 2001
Invalid Web Request Can Cause Access Violation in ISA Server Web Proxy Service: The ISA Server Web Proxy service does not correctly handle web requests that contain a particular type of malformed argument. Processing such a request would result in an access violation, which would cause the Web Proxy service to fail. This would disrupt all ingoing and outgoing web proxy requests until the service was restarted. (MS01-021)
April 16, 2001
Incorrect MIME Header Can Cause IE to Execute E-mail Attachment: Because HTML e-mails are simply web pages, IE can render them and open binary attachments in a way that is appropriate to their MIME types. However, a flaw exists in the type of processing that is specified for certain unusual MIME types. If an attacker created an HTML e-mail containing an executable attachment, then modified the MIME header information to specify that the attachment was one of the unusual MIME types that IE handles incorrectly, IE would launch the attachment automatically when it rendered the e-mail. (MS01-020)
March 30, 2001
Passwords for Compressed Folders are Recoverable: Plus! 98, an optional package that extends Windows 98 and Windows 98 Second Edition, introduced a data compression feature called Compressed Folders that was also included in Windows Me. For interoperability with leading third-party compression tools, it provides a password protection option for folders that have been compressed. However, due to a flaw in the package's implementation, the passwords used to protect the folders are recorded in a file on the user's system. If an attacker gained access to an affected machine on which password-protected folders were stored, she could learn the passwords and access the files. (MS01-019)
March 28, 2001
Visual Studio VB-TSQL Object Contains Unchecked Buffer: The VB-TSQL debugger object that ships with Visual Studio 6.0 Enterprise Edition has an unchecked buffer in the code that processes parameters for one of the object's methods. The object can, by design, be programmatically accessed remotely. If the object were to be referenced by a program that contained specially malformed data within the parameter, either of two outcomes would result. In the less serious case, the attacker could cause the object to fail on the hosting machine. In the more serious case, the attacker could exploit the buffer overrun to run code of the attacker's choice on the hosting machine. (MS01-018)
March 27, 2001
Erroneous VeriSign-Issued Digital Certificates Pose Spoofing Hazard: VeriSign, Inc., recently advised Microsoft that on January 30 and 31, 2001, it issued two VeriSign Class 3 code-signing digital certificates to an individual who fraudulently claimed to be a Microsoft employee. The common name assigned to both certificates is "Microsoft Corporation". The ability to sign executable content using keys that purport to belong to Microsoft would clearly be advantageous to an attacker who wished to convince users to allow the content to run. (MS01-017)
March 22, 2001
Malformed WebDAV Request Can Cause IIS to Exhaust CPU Resources: WebDAV is an extension to the HTTP protocol that allows remote authoring and management of web content. In the Windows 2000 implementation of the protocol, IIS 5.0 performs initial processing of all WebDAV requests, then forwards the appropriate commands to the WebDAV process. However, a flaw exists in the way WebDAV handles a particular type of malformed request. If a stream of such requests were directed at an affected server, it would consume all CPU availability on the server. (MS01-016)
March 08, 2001
IE can Divulge Location of Cached Content: The IE security architecture provides a caching mechanism that is used to store content that needs to be downloaded and processed on the user's local machine. The purpose of the cache is to obfuscate the physical location of the cached content, in order to ensure that the web page or HTML e-mail will work through the IE security architecture to access the information. This ensures that the uses of the information can be properly restricted. (MS01-015) version 2.0
Updated April 20, 2001
Malformed URL can cause Service Failure in IIS 5.0 and Exchange 2000: IIS 5.0 contains a flaw affecting the way that a URL is handled if it has a specific construction and its length is within a very narrow range of values. If such a URL were repeatedly sent to an affected system, a confluence of events could cause a memory allocation error that would result in the failure of the IIS service. (MS01-014)
March 01, 2001
Windows 2000 Event Viewer Contains Unchecked Buffer: The Windows 2000 event viewer snap-in has an unchecked buffer in a section of the code that displays the detailed view of event records. If the event viewer attempted to display an event record that contained specially malformed data in one of the fields, either of two outcomes would result. In the less serious case, the event viewer would fail. In the more serious case, code of the attacker's choice could be made to run via a buffer overrun. (MS01-013)
February 26, 2001
Outlook, Outlook Express VCard Handler Contains Unchecked Buffer: Outlook Express provides several components that are used both by it and Outlook, if Outlook is installed on the machine. One such component, used to process vCards, contains an unchecked buffer. (MS01-012)
February 22, 2001
Malformed Request to Domain Controller can Cause Denial of Service: A core service running on all Windows 2000 domain controllers (but not on any other machines) contains a flaw affecting how it processes a certain type of invalid service request. Specifically, the service should handle the request at issue here by determining that it is invalid and simply dropping it; in fact, the service performs some resource-intensive processing and then sends a response. (MS01-011)
February 20, 2001
Patch Available for "Windows Media Player Skins File Download" Vulnerability: Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Windows Media™ Player 7. This vulnerability could potentially enable a malicious user to cause a program of his choice to run on another user’s computer. (MS01-010)
February 14, 2001
Patch Available for “Malformed PPTP Packet Stream” Vulnerability: Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Windows NT® 4.0 servers that provide secure remote sessions. The vulnerability could allow an attacker to prevent an affected machine from providing useful service. (MS01-009)
February 13, 2001
Patch Available for "NTLMSSP Privilege Elevation" Vulnerability: Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Windows NT 4.0. The vulnerability could allow a locally logged on user to grant herself administrator level privileges. (MS01-008)
February 07, 2001
Patch Available for “Network DDE Agent Request” Vulnerability: Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Windows® 2000. The vulnerability could, under certain conditions, allow an attacker to gain complete control over an affected machine. (MS01-007)
February 05, 2001
Patch Available for "Invalid RDP Data" Vulnerability: Microsoft has released a patch that eliminates a security vulnerability affecting Microsoft® Windows® 2000 terminal servers. The vulnerability could allow an attacker to cause an affected server to fail. (MS01-006)
January 31, 2001
Tool and Patch Available to correct Hotfix Packaging Anomalies: Microsoft has released a tool and patch that allow customers to diagnose and eliminate the effects of anomalies in the packaging of hotfixes for English language versions of Microsoft® Windows 2000. Under certain circumstances, these anomalies could cause the removal of some hotfixes, which could include some security patches, from a Windows 2000 system. (MS01-005)
January 30, 2001
Patch Available for New Variant of "File Fragment Reading via .HTR" Vulnerability: Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Internet Information Service. The vulnerability could enable an attacker, under very unusual conditions, to read fragments of files from a web server. (MS01-004)
January 29, 2001
Patch Available for "Winsock Mutex" Vulnerability: Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Windows NT 4.0. The vulnerability could allow a malicious user to run a special program to disable an affected computer’s network functionality. (MS01-003)
January 24, 2001
Patch Available for “PowerPoint File Parsing” Vulnerability: Microsoft released the original version of this bulletin, to advise customers of the availability of a patch that eliminates a security vulnerability in Microsoft® PowerPoint 2000. The vulnerability could allow a user to construct a PowerPoint file that, when opened, could potentially run code on the reader’s system. (MS01-002)
January 22, 2001
Patch Available for "Web Client NTLM Authentication" Vulnerability: Microsoft has released a patch that eliminates a security vulnerability in a component that ships with Microsoft® Office 2000, Windows 2000, and Windows Me. The vulnerability could, under certain circumstances, allow a malicious user to obtain cryptographically protected logon credentials from another user when requesting an Office document from a web server. (MS01-001)
January 11, 2001


For the most up-to-date information, visit: http://www.microsoft.com/technet