The Active Network
Microsoft Security Bulletin Summary List 2002

Each entry gives the security bulletin name and a brief description, followed by the bulletin ID number and its release date.

Unchecked Buffer in Windows Shell Could Enable System Compromise: The Windows Shell is responsible for providing the basic framework of the Windows user interface experience. It is most familiar to users as the Windows Desktop, but also provides a variety of other functions to help define the user's computing session, including organizing files and folders, and providing the means to start applications.
     An unchecked buffer exists in one of the functions the Windows Shell uses to extract custom attribute information from audio files. A security vulnerability results because an attacker who supplied an audio file with malformed custom attribute data could overrun the buffer and attempt to exploit this flaw. (MS02-072)
December 18, 2002
Flaw in Windows WM_TIMER Message Handling Could Enable Privilege Elevation: Windows messages provide a way for interactive processes to react to user events (e.g., keystrokes or mouse movements) and communicate with other interactive processes. One such message, WM_TIMER, is sent at the expiration of a timer, and can be used to cause a process to execute a timer callback function. A security vulnerability results because it's possible for one process in the interactive desktop to use a WM_TIMER message to cause another process to execute a callback function at the address of its choice, even if the second process did not set a timer. If that second process had higher privileges than the first, this would provide the first process with a way of exercising them. By default, several of the processes running in the interactive desktop do so with LocalSystem privileges. As a result, an attacker who had the ability to log onto a system interactively could potentially run a program that would levy a WM_TIMER request upon such a process, causing it to take any action the attacker specified. This would give the attacker complete control over the system. (MS02-071)
December 12, 2002
Flaw in SMB Signing Could Enable Group Policy to be Modified:  Server Message Block (SMB) is a protocol natively supported by all versions of Windows. Although nominally a file-sharing protocol, it is used for other purposes as well, the most important of which is disseminating group policy information from domain controllers to newly logged on systems. Beginning with Windows 2000, it is possible to improve the integrity of SMB sessions by digitally signing all packets in a session. Windows 2000 and Windows XP can be configured to always sign, never sign, or sign only if the other party requires it. A flaw in the implementation of SMB Signing in Windows 2000 and Windows XP could enable an attacker to silently downgrade the SMB Signing settings on an affected system. To do this, the attacker would need access to the session negotiation data as it was exchanged between a client and server, and would need to modify the data in a way that exploits the flaw. This would cause either or both systems to send unsigned data regardless of the signing policy the administrator had set. After having downgraded the signing setting, the attacker could continue to monitor the session and change data within it; the lack of signing would prevent the communicants from detecting the changes. (MS02-070)
December 12, 2002
Flaw in Microsoft VM Could Enable System Compromise:  The Microsoft VM is a virtual machine for the Win32® operating environment. The Microsoft VM shipped in most versions of Windows (a complete list is available in the FAQ), as well as in most versions of Internet Explorer. A new version of the Microsoft VM is available, which includes all previously released fixes for the VM, as well as fixes for eight newly reported security issues. The attack vectors for all of the new issues would likely be the same: an attacker would create a web page that, when opened, exploits the desired vulnerability, and either host it on a web site or send it to a user as an HTML mail. (MS02-069)
December 12, 2002
Cumulative Patch for Internet Explorer:  This is a cumulative patch for Internet Explorer 5.5 and 6.0. In addition to including the functionality of all previously released patches for Internet Explorer 5.5 and 6.0, it also eliminates a newly discovered flaw in Internet Explorer's cross-domain security model. This flaw occurs because the security checks that Internet Explorer carries out when particular object caching techniques are used in web pages are incomplete. This could have the effect of allowing a website in one domain to access information in another, including the user's local system. (MS02-068)
December 04, 2002
E-mail Header Processing Flaw Could Cause Outlook 2002 to Fail:  Microsoft Outlook provides users with the ability to work with e-mail, contacts, tasks, and appointments. Outlook e-mail handling includes receiving, displaying, creating, editing, sending, and organizing e-mail messages. When working with received e-mail messages, Outlook processes information contained in the header of the e-mail which carries information about where the e-mail came from, its destination, and attributes of the message. A vulnerability exists in Outlook 2002 in its processing of e-mail header information. An attacker who successfully exploited the vulnerability could send a specially malformed e-mail to a user of Outlook 2002 that would cause the Outlook client to fail under certain circumstances. The Outlook 2002 client would continue to fail so long as the specially malformed e-mail message remained on the e-mail server. The e-mail message could be deleted by an e-mail administrator, or by the user via another e-mail client such as Outlook Web Access or Outlook Express, after which point the Outlook 2002 client would again function normally. (MS02-067)
December 04, 2002
Cumulative Patch for Internet Explorer:  This is a cumulative patch that includes the functionality of all previously released patches for IE 5.01, 5.5 and 6.0. In addition, it eliminates the following six newly discovered vulnerabilities: A buffer overrun vulnerability that occurs because Internet Explorer does not correctly check the parameters of a PNG graphics file when it is opened. To the best of Microsoft’s knowledge, this vulnerability could only be used to cause Internet Explorer to fail. The effect of exploiting the vulnerability against Internet Explorer would be relatively minor – the user would only need to restart the browser to restore normal operation. However, a number of other Microsoft products – notably, most Microsoft Office products and Microsoft Index Server – rely on Internet Explorer to render PNG files, and exploiting the vulnerability against such an application would cause them to fail as well. Because of this, Microsoft recommends that customers install this patch regardless of whether they are using Internet Explorer as their primary web browser. (MS02-066)
November 20, 2002
Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution:  Microsoft Data Access Components (MDAC) is a collection of components used to provide database connectivity on Windows platforms. MDAC is a ubiquitous technology, and it is likely to be present on most Windows systems:
  • It is included by default as part of Windows XP, Windows 2000, and Windows Millennium.
  • It is available for download as a stand-alone technology in its own right.
  • It is either included in or installed by a number of other products and technologies. For instance, MDAC is included in the Windows NT® 4.0 Option Pack, and some MDAC components are present as part of Internet Explorer even if MDAC itself is not installed.
(MS02-065)
November 20, 2002
Windows 2000 Default Permissions Could Allow Trojan Horse Program:  On Windows 2000, the default permissions provide the Everyone group with Full access (Everyone:F) on the system root folder (typically, C:\). In most cases, the system root is not in the search path. However, under certain conditions - for instance, during logon or when applications are invoked directly from the Windows desktop via Start | Run - it can be. This situation gives rise to a scenario that could enable an attacker to mount a Trojan horse attack against other users of the same system, by creating a program in the system root with the same name as some commonly used program, then waiting for another user to subsequently log onto the system and invoke the program. The Trojan horse program would execute with the user's own privileges, thereby enabling it to take any action that the user could take. The simplest attack scenario would be one in which the attacker knew that a particular system program was invoked by a logon script. In that case, the attacker could create a Trojan horse with the same name as the system program, which would then be executed by the logon script the next time someone logged onto the system. Other scenarios almost certainly would require significantly greater user interaction - for instance, convincing a user to start a particular program via Start | Run - and would necessitate the use of social engineering. (MS02-064)
October 31, 2002
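The resolution order the bulletin describes, as an added example (not from the bulletin or this page): a first-hit-wins walk of the search order, plus an audit that flags any directory in that order which other local users can write to. The directory names, the program name tool.exe, and the POSIX world-writable bit standing in for Everyone:F are all assumptions made for the demonstration.

```python
import os
import stat
import tempfile

def resolve_command(name, search_dirs):
    """Walk the search order and return the first file called `name`. First hit
    wins, which is why a writable directory that precedes the real one matters."""
    for directory in search_dirs:
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate):
            return candidate
    return None

def writable_by_others(path):
    """POSIX stand-in for Everyone:F: world-writable and without the sticky bit."""
    mode = os.stat(path).st_mode
    return bool(mode & stat.S_IWOTH) and not bool(mode & stat.S_ISVTX)

def audit_search_path(search_dirs):
    """Directories in the search order that any local user could plant a binary in."""
    return [d for d in search_dirs if os.path.isdir(d) and writable_by_others(d)]

def demo():
    """Constructed scenario: a world-writable 'system root' is searched before the
    directory holding the real program, as the bulletin describes for logon scripts."""
    with tempfile.TemporaryDirectory() as tmp:
        sysroot = os.path.join(tmp, "sysroot")     # stands in for C:\
        system32 = os.path.join(tmp, "system32")   # stands in for the real program's folder
        os.mkdir(sysroot)
        os.mkdir(system32)
        os.chmod(sysroot, 0o777)   # mimic the Everyone:F default
        os.chmod(system32, 0o755)
        prog = "tool.exe"          # hypothetical name; the bulletin names no program
        with open(os.path.join(system32, prog), "w") as f:
            f.write("real program")
        with open(os.path.join(sysroot, prog), "w") as f:   # planted by a low-privileged user
            f.write("trojan horse")
        return {
            "at_logon": resolve_command(prog, [sysroot, system32]),  # system root searched first
            "normal": resolve_command(prog, [system32]),             # system root not in the path
            "flagged": audit_search_path([sysroot, system32]),
            "sysroot": sysroot,
            "system32": system32,
        }
```

On a real Windows 2000 host the equivalent check is the ACL on the system root itself; the bulletin's fix tightens that default permission so unprivileged users can no longer create files there.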
Unchecked Buffer in PPTP Implementation Could Enable Denial of Service Attacks:  Windows 2000 and Windows XP natively support Point-to-Point Tunneling Protocol (PPTP), a Virtual Private Networking technology that is implemented as part of Remote Access Services (RAS). PPTP support is an optional component in Windows NT 4.0, Windows 98, Windows 98SE, and Windows ME. A security vulnerability results in the Windows 2000 and Windows XP implementations because of an unchecked buffer in a section of code that processes the control data used to establish, maintain and tear down PPTP connections. By delivering specially malformed PPTP control data to an affected server, an attacker could corrupt kernel memory and cause the system to fail, disrupting any work in progress on the system. The vulnerability could be exploited against any server that offers PPTP. If a workstation had been configured to operate as a RAS server offering PPTP services, it could likewise be attacked. Workstations acting as PPTP clients could only be attacked during active PPTP sessions. Normal operation on any attacked system could be restored by restarting the system. (MS02-063)
October 31, 2002
Cumulative Patch for Internet Information Services:  This patch is a cumulative patch that includes the functionality of all security patches released for IIS 4.0 since Windows NT 4.0 Service Pack 6a, and all security patches released to date for IIS 5.0 and 5.1. A complete listing of the patches it supersedes, and the caveats system administrators should take note of before applying it, is given in the bulletin's "Additional information about this patch" section. (MS02-062)
October 31, 2002
Elevation of Privilege in SQL Server Web Tasks:  SQL Server 7.0 and 2000 provide stored procedures, each a collection of Transact-SQL statements stored under a name and processed as a group. One stored procedure, one extended stored procedure and weak permissions on a table combine to give a low-privileged user the ability to run, delete, insert or update web tasks. An attacker who is able to authenticate to a SQL server could delete, insert or update all the web tasks created by other users. In addition, the attacker could run already created web tasks in the context of the creator of the web task, which is typically the SQL Server Agent service account. (MS02-061)
October 16, 2002
Flaw in Windows XP Help and Support Center Could Enable File Deletion:  Help and Support Center provides a centralized facility through which users can obtain assistance on a variety of topics. For instance, it provides product documentation, assistance in determining hardware compatibility, access to Windows Update, online help from Microsoft, and other assistance. A security vulnerability is present in the Windows XP version of Help and Support Center, and results because a file intended only for use by the system is instead available for use by any web page. The purpose of the file is to enable anonymous upload of hardware information, with the user's permission, so that Microsoft can evaluate which devices users are not currently finding device drivers for. This information is then used to work with hardware vendors and device teams to improve the quality and quantity of drivers available in Windows. By design, after attempting to upload an XML file containing the hardware information, the system deletes it. An attacker could exploit the vulnerability by constructing a web page that, when opened, would call the errant function and supply the name of an existing file or folder as the argument. The attempt to upload the file or folder would fail, but the file nevertheless would be deleted. The page could be hosted on a web site in order to attack users visiting the site, or could be sent as an HTML mail in order to attack the recipient when it was opened. (MS02-060)
October 16, 2002
Flaw in Word Fields and Excel External Updates Could Lead to Information Disclosure:  Word and Excel provide a mechanism through which data from one document can be inserted to and updated in another document. This mechanism, known as field codes in Word and external updates in Excel, can be automated to reduce the amount of manual effort required by a user. An example of the use of Word field codes could be the automatic insertion of a standard disclaimer paragraph in a legal document. An example of the use of external updates in Excel could be the automatic updating of a chart in one spreadsheet using data in a different spreadsheet.
A vulnerability exists because field codes and external updates can be used maliciously to steal information from a user without the user being aware. Certain events, such as saving a document or the user manually updating the links, trigger field codes and external updates to refresh. Normally the user would be aware of these updates occurring; however, a specially crafted field code or external update can trigger an update without any indication to the user. This could enable an attacker to create a document that, when opened, would update itself to include the contents of a file from the user's local computer.
(MS02-059)
October 16, 2002
Unchecked Buffer in Outlook Express S/MIME Parsing Could Enable System Compromise:  To allow for verification of the authenticity of mail messages, Microsoft Outlook Express supports digital signing of messages through S/MIME. A buffer overrun vulnerability lies in the code that generates the warning message when a particular error condition associated with digital signatures occurs.
     By creating a digitally signed email and editing it to introduce specific data, then sending it to another user, an attacker could cause either of two effects to occur if the recipient opened or previewed it. In the less serious case, the attacker could cause the mail client to fail. If this happened, the recipient could resume normal operation by restarting the mail client and deleting the offending mail. In the more serious case, the attacker could cause the mail client to run code of their choice on the user’s machine. Such code could take any desired action, limited only by the permissions of the recipient on the machine.
     This vulnerability could only affect messages that are signed using S/MIME and sent to an Outlook Express user. Users of Microsoft Outlook products are not affected by this vulnerability.
(MS02-058)
October 12, 2002
Flaw in Services for Unix 3.0 Interix SDK Could Allow Code Execution:  All three vulnerabilities discussed in this bulletin involve the inclusion of the Sun RPC library in Microsoft’s Services for UNIX (SFU) 3.0 on the Interix SDK. Developers who created applications or utilities using the Sun RPC library from the Interix SDK need to evaluate three vulnerabilities. (MS02-057)
October 2, 2002
Cumulative Patch for SQL Server:  This is a cumulative patch that includes the functionality of all previously released patches for SQL Server 7.0, SQL Server 2000, Microsoft Data Engine (MSDE) 1.0 and Microsoft Desktop Engine (MSDE) 2000. In addition, it eliminates four newly discovered vulnerabilities. (MS02-056)
October 02, 2002
Unchecked Buffer in Windows Help Facility Could Enable Code Execution:  The HTML Help facility in Windows includes an ActiveX control that provides much of its functionality. One of the functions exposed via the control contains an unchecked buffer, which could be exploited by a web page hosted on an attacker’s site or sent to a user as an HTML mail. An attacker who successfully exploited the vulnerability would be able to run code in the security context of the user, thereby gaining the same privileges as the user on the system.
     A second vulnerability exists because of flaws associated with the handling of compiled HTML Help (.chm) files that contain shortcuts. Because shortcuts allow HTML Help files to take any desired action on the system, only trusted HTML Help files should be allowed to use them. Two flaws allow this restriction to be bypassed. First, the HTML Help facility incorrectly determines the Security Zone in the case where a web page or HTML mail delivers a .chm file to the Temporary Internet Files folder and subsequently opens it. Instead of handling the .chm file in the correct zone – the one associated with the web page or HTML mail that delivered it – the HTML Help facility incorrectly handles it in the Local Computer Zone, thereby considering it trusted and allowing it to use shortcuts. This error is compounded by the fact that the HTML Help facility doesn’t consider what folder the content resides in. Were it to do so, it could recover from the first flaw, since content in the Temporary Internet Files folder is clearly not trusted, regardless of the Security Zone it renders in.
(MS02-055)
October 02, 2002
Unchecked Buffer in File Decompression Functions Could Lead to Code Execution:  Zipped files (files having a .zip extension) provide a means to store information in a way that uses less space on a hard disk. This is accomplished by compressing the files that are put into the zipped file. On Windows 98 with Plus! Pack, Windows Me and Windows XP, the Compressed Folders feature allows zipped files to be treated as folders. The Compressed Folders feature can be used to create, add files to, and extract files from zipped files.
     Two vulnerabilities exist in the Compressed Folders function.
(MS02-054)
October 02, 2002
Buffer Overrun in SmartHTML Interpreter Could Allow Code Execution:  The SmartHTML Interpreter (shtml.dll) is part of the FrontPage Server Extensions (FPSE) and Microsoft SharePoint Team Services, and provides support for web forms and other FrontPage-based dynamic content. The interpreter contains a flaw that could be exposed when processing a request for a particular type of web file, if the request had certain specific characteristics. This flaw affects the two versions of FrontPage Server Extensions differently. On FrontPage Server Extensions 2000, such a request would cause the interpreter to consume most or all CPU availability until the web service was restarted. An attacker could use this vulnerability to conduct a denial of service attack against an affected web server. On FrontPage Server Extensions 2002 and SharePoint Team Services 2002, the same type of request could cause a buffer overrun, potentially allowing an attacker to run code of his choice. (MS02-053)
September 25, 2002
Flaw in Microsoft VM JDBC Classes Could Allow Code Execution:  The Microsoft VM is a virtual machine for the Win32® operating environment. The Microsoft VM shipped in most versions of Windows (a complete list is available in the FAQ), as well as in most versions of Internet Explorer. It also was available for some time as a separate download. A new patch for the Microsoft VM is available, which eliminates three security vulnerabilities. The attack vectors for all of them would likely be the same: an attacker would create a web page that, when opened, exploits the desired vulnerability, and either host it on a web site or send it to a user as an HTML mail. (MS02-052)
September 18, 2002
Cryptographic Flaw in RDP Protocol can Lead to Information Disclosure:  The Remote Desktop Protocol (RDP) provides the means by which Windows systems can provide remote terminal sessions to clients. The protocol transmits a terminal session's keyboard, mouse and video data to the remote client, and is used by Terminal Services in Windows NT 4.0 and Windows 2000, and by Remote Desktop in Windows XP. Two security vulnerabilities, both of which are eliminated by this patch, have been discovered in various RDP implementations.
     The first involves how session encryption is implemented in certain versions of RDP. All RDP implementations allow the data in an RDP session to be encrypted. However, in the versions in Windows 2000 and Windows XP, the checksums of the plaintext session data are sent without being encrypted themselves. An attacker who was able to eavesdrop on and record an RDP session could conduct a straightforward cryptanalytic attack against the checksums and recover the session traffic.
     The second involves how the RDP implementation in Windows XP handles data packets that are malformed in a particular way. Upon receiving such packets, the Remote Desktop service would fail, and with it would fail the operating system. It would not be necessary for an attacker to authenticate to an affected system in order to deliver packets of this type to an affected system.
(MS02-051)
September 18, 2002
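A simplified model of the first RDP issue, added here as an illustration rather than taken from the bulletin. The page says only that checksums of the plaintext are sent unencrypted; this model assumes an unkeyed checksum over each keystroke event and a small set of possible keystrokes, which is enough for an eavesdropper to recover the session by guessing each plaintext and comparing checksums. The stream cipher, the packet layout, the session key and the typed text are constructed stand-ins, not RDP's real formats.

```python
import hashlib
import string

def keystream(key: bytes, packet_no: int, length: int) -> bytes:
    """Deterministic stand-in for the session stream cipher (hash-based; toy only)."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + packet_no.to_bytes(4, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def checksum(plaintext: bytes) -> bytes:
    """8-byte integrity checksum of the plaintext. In this model it is unkeyed, so
    anyone who can see it can recompute it for a guessed plaintext and compare."""
    return hashlib.sha1(plaintext).digest()[:8]

def keystroke_pdu(ch: str) -> bytes:
    """Simplified keyboard input event: a fixed header plus one key code (assumed layout)."""
    return b"\x01\x00KEY" + bytes([ord(ch)])

def encrypt_session(key: bytes, typed: str, checksum_in_clear: bool):
    """What the eavesdropper captures: one (ciphertext, checksum) pair per keystroke."""
    packets = []
    for i, ch in enumerate(typed):
        pt = keystroke_pdu(ch)
        ks = keystream(key, i, len(pt) + 8)
        body = xor(pt, ks[:len(pt)])
        mac = checksum(pt)
        if not checksum_in_clear:
            mac = xor(mac, ks[len(pt):])   # the remedy: the checksum travels under the encryption too
        packets.append((body, mac))
    return packets

def recover_keystrokes(packets, alphabet: str = string.printable) -> str:
    """Eavesdropper with no key material: precompute the checksum of every possible
    keystroke PDU and look each captured checksum up. Unrecognised ones become '?'."""
    table = {checksum(keystroke_pdu(c)): c for c in alphabet}
    return "".join(table.get(mac, "?") for _, mac in packets)

SESSION_KEY = b"constructed session key the attacker never sees"
TYPED = "hunter2"   # constructed sample input
```

The ciphertext itself is never attacked; the exposed checksum alone leaks the keystrokes because the message space per packet is tiny. Once the checksum is protected as well (the `checksum_in_clear=False` case), the same lookup recovers nothing.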
Certificate Validation Flaw Could Enable Identity Spoofing:  The vulnerability could enable an attacker who had a valid end-entity certificate to issue a subordinate certificate that, although bogus, would nevertheless pass validation. Because CryptoAPI is used by a wide range of applications, this could enable a variety of identity spoofing attacks. These are discussed in detail in the FAQ. (MS02-050)
September 04, 2002
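A toy model of the validation bug described above, added as an example (not Microsoft's code): a chain validator that checks every signature but, when its basicConstraints check is switched off, accepts a certificate issued by an end-entity. The certificate structure, the toy RSA keys built from fixed primes, and the names attacker.example and bank.example are assumptions made for the demonstration.

```python
import hashlib
from dataclasses import dataclass, replace

E = 65537  # public exponent shared by every toy key

def toy_keypair(p: int, q: int):
    """Textbook RSA from two hard-coded primes. Toy only: tiny modulus, no padding.
    Returns (public, private) as (n, e) and (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def _digest_int(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, tbs: bytes) -> int:
    n, d = priv
    return pow(_digest_int(tbs, n), d, n)

def verify(pub, tbs: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest_int(tbs, n)

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pub: tuple        # the subject's (n, e)
    is_ca: bool       # basicConstraints cA flag
    signature: int = 0

    def tbs(self) -> bytes:
        """The to-be-signed fields: everything except the signature itself."""
        return f"{self.subject}|{self.issuer}|{self.pub}|{self.is_ca}".encode()

def issue(subject: str, subject_pub, is_ca: bool, issuer: Cert, issuer_priv) -> Cert:
    """Sign a new certificate with the issuer's private key. No policy check here:
    whoever holds a private key can always produce a signature; validation must catch it."""
    unsigned = Cert(subject, issuer.subject, subject_pub, is_ca)
    return replace(unsigned, signature=sign(issuer_priv, unsigned.tbs()))

def self_signed_root(subject: str, pub, priv) -> Cert:
    unsigned = Cert(subject, subject, pub, True)
    return replace(unsigned, signature=sign(priv, unsigned.tbs()))

def validate_chain(chain, trust_anchors, enforce_basic_constraints=True):
    """chain[0] is the end-entity certificate; chain[i+1] must have issued chain[i];
    the last element must be issued by a trust anchor. Returns (ok, reason)."""
    anchors = {a.subject: a for a in trust_anchors}
    for i, cert in enumerate(chain):
        issuer = chain[i + 1] if i + 1 < len(chain) else anchors.get(cert.issuer)
        if issuer is None or issuer.subject != cert.issuer:
            return False, f"no issuer found for {cert.subject}"
        if not verify(issuer.pub, cert.tbs(), cert.signature):
            return False, f"bad signature on {cert.subject}"
        # The check whose absence the bulletin describes: a certificate may act as
        # an issuer only if its basicConstraints extension marks it as a CA.
        if enforce_basic_constraints and not issuer.is_ca:
            return False, f"{issuer.subject} is an end-entity certificate and may not issue others"
    return True, "chain verified"

# Constructed scenario; the primes are fixed so the example is deterministic.
root_pub, root_priv = toy_keypair(2305843009213693951, 2147483647)
ROOT = self_signed_root("Toy Root CA", root_pub, root_priv)

# A perfectly valid end-entity certificate the attacker legitimately holds (cA = FALSE).
att_pub, att_priv = toy_keypair(1000000007, 998244353)
ATTACKER_LEAF = issue("attacker.example", att_pub, False, ROOT, root_priv)

# With that certificate's private key the attacker "issues" a certificate for someone else's name.
victim_pub, _ = toy_keypair(1000000009, 4294967291)
BOGUS = issue("bank.example", victim_pub, False, ATTACKER_LEAF, att_priv)

def flawed_validation():
    """Every signature checks out up to the root, so a validator that never looks at
    basicConstraints accepts the bogus certificate."""
    return validate_chain([BOGUS, ATTACKER_LEAF], [ROOT], enforce_basic_constraints=False)

def correct_validation():
    return validate_chain([BOGUS, ATTACKER_LEAF], [ROOT])
```

The signatures are genuine all the way up, which is exactly why signature checking alone is not enough: the validator has to ask whether each issuer was authorised to issue, which is what the basicConstraints (and, in real chains, path-length and key-usage) checks answer.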
Flaw Could Enable Web Page to Launch Visual FoxPro 6.0 Application Without Warning:  In general, when a product installs, it should register itself with Internet Explorer. This allows the product to specify how Internet Explorer should handle files associated with it when referenced from a web page – for instance, it allows the product to specify whether the user should be presented with a warning dialog before such a file is opened.
     Visual FoxPro 6.0 does not perform this registration, and this gives rise to a situation in which a web page could automatically launch a Visual FoxPro application (i.e., an .app file). In most cases, this would not result in a security vulnerability – because of the way Visual FoxPro 6.0 evaluates file names, FoxPro itself could be started but the .app file would typically not run. However, if the filename of the application were constructed in a particular way, a second error (associated with how Visual FoxPro 6.0 evaluates application filenames) could not only start FoxPro but allow the application to execute.
     The vulnerability could be exploited by creating a web page that references a Visual FoxPro application, and either hosting it on a web site or sending it to a user as an HTML mail. If the user had installed Visual FoxPro 6.0 – or had installed a product that includes the Visual FoxPro 6.0 runtime – and the filename of the application was constructed in a particular way, the application would execute. This would enable the application to not only interrogate databases, but also issue system commands in the user’s security context.
(MS02-049)
September 04, 2002
Flaw in Certificate Enrollment Control Could Allow Deletion of Digital Certificates:  The control contains a flaw that could enable a web page, through an extremely complex process, to invoke the control in a way that would delete certificates on a user’s system. An attacker who successfully exploited the vulnerability could corrupt trusted root certificates, EFS encryption certificates, email signing certificates, and any other certificates on the system, thereby preventing the user from using these features.
     An attack could be carried out through either of two scenarios. The attacker could create a web page that exploits the vulnerability, and host it on a web site in order to attack users who visited the site. The attacker also could send the page as an HTML mail in order to attack the recipient.
(MS02-048)
August 28, 2002
Cumulative Patch for Internet Explorer: This is a cumulative patch that includes the functionality of all previously released patches for IE 5.01, 5.5 and 6.0.  In addition, the patch sets the Kill Bit on the MSN Chat ActiveX control discussed in Microsoft Security Bulletin MS02-022 as well as the TSAC ActiveX control discussed in Microsoft Security Bulletin MS02-046. (MS02-047)
August 22, 2002
Buffer Overrun in TSAC ActiveX Control Could Allow Code Execution:  The TSAC control does not come installed as part of any Windows client system. Instead, clients obtain the control from web servers that offer terminal services. The configuration process that enables an IIS server to provide terminal services involves installing on the server a cabinet file containing the control. The server then delivers the cabinet file to any client system that needs it, and the client installs the control via the cabinet file.
     A security vulnerability results because the control contains an unchecked buffer in the code that processes one of the input parameters. By calling the control on a client system and overrunning the buffer, an attacker could gain the ability to run code in the security context of the currently logged on user. This would enable the attacker to take any desired action on the user’s system. The attacker could mount an attack by either hosting a web page that exploits the vulnerability against any user who visits it, or by sending an HTML mail to another user.
(MS02-046)
August 22, 2002
Unchecked Buffer in Network Share Provider Can Lead to Denial of Service: SMB (Server Message Block) is the protocol Microsoft uses to share files, printers and serial ports, and to communicate between computers using named pipes and mailslots. In a networked environment, servers make file systems and resources available to clients. Clients make SMB requests for resources and servers make SMB responses, in what is described as a client-server, request-response protocol. By sending a specially crafted packet request, an attacker can mount a denial of service attack on the target server machine and crash the system. The attacker could accomplish this using either a user account or anonymous access. Though not confirmed, it may be possible to execute arbitrary code. (MS02-045)
August 22, 2002
Unsafe Functions in Office Web Components:  The Office Web Components (OWC) contain several ActiveX controls that give users limited functionality of Microsoft Office in a web browser without requiring that the user install the full Microsoft Office application. This allows users to utilize Microsoft Office applications in situations where installation of the full application is infeasible or undesirable.
     The controls contain three security vulnerabilities, each of which could be exploited either via a web site or an HTML mail. The vulnerabilities result from implementation errors in the following methods and functions the controls expose:
1.) Host(). This function, by design, provides the caller with access to applications’ object models on the user’s system. By using the Host() function, an attacker could, for instance, open an Office application on the user’s system and invoke commands there that would execute operating system commands as the user.
2.) LoadText(). This method allows a web page to load text into a browser window. The method does check that the source of the text is in the same domain as the window, and in theory should restrict the page to only loading text that it hosts itself. However, it is possible to circumvent this restriction by specifying a text source located within the web page’s domain, and then setting up a server-side redirect from that source to a file on the user’s system. This would provide an attacker with a way to read any desired file on the user’s system.
3.) Copy()/Paste(). These methods allow text to be copied and pasted. A security vulnerability results because the methods do not respect the “disallow paste via script” security setting in IE. Thus, even if this setting had been selected, a web page could continue to access the clipboard, and read any text that the user had copied or cut from within other applications.
(MS02-044)
August 21, 2002
Cumulative Patch for SQL Server:  This is a cumulative patch that includes the functionality of all previously released patches for SQL Server 7.0 and SQL Server 2000. In addition, it eliminates a newly discovered vulnerability. SQL Server 7.0 and SQL Server 2000 provide for extended stored procedures, which are external routines written in programming languages such as C or C++. These procedures appear as normal stored procedures to users and can be invoked and executed just like normal stored procedures. By default, SQL Server 7.0 and SQL Server 2000 ship with a number of extended stored procedures which are used for various helper functions. Some of the Microsoft-provided extended stored procedures that have the ability to reconnect to the database as the SQL Server service account have a flaw in common – namely, they have weak permissions that allow non-privileged users to execute them. Because these extended stored procedures can be made to run with administrator privileges on the database, it is possible for a non-privileged user to run stored procedures on the database with administrator privileges.
     An attacker could exploit this vulnerability in one of two ways. The attacker could attempt to load and execute a database query that calls one of the affected extended store procedures. Alternately, if a web-site or other database front-end were configured to access and process arbitrary queries, it could be possible for the attacker to provide inputs that would cause the query to call one of the functions in question with the appropriate malformed parameters.
(MS02-043)
August 14, 2002
Flaw in Network Connection Manager Could Enable Privilege Elevation:  The Network Connection Manager (NCM) provides a controlling mechanism for all network connections managed by a host system. Among the functions of the NCM is to call a handler routine whenever a network connection has been established.
By design, this handler routine should run in the security context of the user. However, a flaw could make it possible for an unprivileged user to cause the handler routine to run in the security context of LocalSystem, through a very complex process. An attacker who exploited this flaw could specify code of his or her choice as the handler, then establish a network connection in order to cause that code to be invoked by the NCM. The code would then run with full system privileges.
(MS02-042)
August 14, 2002
Unchecked Buffer in Content Management Server Could Enable Server Compromise:  Microsoft Content Management Server (MCMS) 2001 is a .Net Enterprise Server product that simplifies developing and managing e-business web sites. Microsoft has learned of three security vulnerabilities affecting it:
1.) A buffer overrun in a low-level function that performs user authentication. At least one web page included with MCMS 2001 passes inputs directly to the function, thereby potentially providing a way for an attacker to overrun the buffer. The result of exploiting the vulnerability would be either to cause MCMS to fail or to run code in the context of the MCMS service (which runs as LocalSystem).
2.) A vulnerability resulting from the combination of two flaws affecting a function that allows files to be uploaded to the server. The first flaw lies in how the function authenticates requests, and would allow any user to submit an upload request. The second results because it is possible to override the upload location: where the function should upload files to a folder that only privileged users can access, it can be redirected to a temporary folder that unprivileged users can reach. By exploiting the two flaws in tandem, an attacker could upload an .ASP or other file to the server, in a location from which it could be executed.
3.) A SQL injection vulnerability affecting a function that services requests for image files and other resources. Exploiting the vulnerability could enable an attacker to run SQL commands on the server, which would not only allow data in the MCMS database to be added, changed or deleted, but also would enable the attacker to run operating system commands on the server. (MS02-041)
July 31, 2002
Unchecked Buffer in MDAC Function Could Enable SQL Server Compromise: The Microsoft Data Access Components (MDAC) provide a number of supporting technologies for accessing and using databases. Included among these functions is the underlying support for the T-SQL OpenRowSet command. A security vulnerability results because the MDAC functions underlying OpenRowSet contain an unchecked buffer. An attacker who submitted a database query containing a specially malformed parameter within a call to OpenRowSet could overrun the buffer, either for the purpose of causing the SQL Server to fail or causing the SQL Server service to take actions dictated by the attacker.
     In order to exploit the vulnerability, the attacker would need the ability to load and execute a database query on the server. This is strongly discouraged by best practices, and servers that have been configured to prevent this (e.g., through the use of the DisallowAdhocAccess registry setting, as discussed in the FAQ) would not be at risk from the vulnerability. Under default conditions, the system-level privileges gained through a successful attack would be those of a Domain User. Even though MDAC ships as part of all versions of Windows, the vulnerability can only be exploited on SQL Servers. Customers who are not using SQL Server do not need to take action, despite the fact that MDAC may be installed on their systems.
(MS02-040)
July 31, 2002
Buffer Overruns in SQL Server 2000 Resolution Service Could Enable Code Execution: There are three security vulnerabilities here. The first two are buffer overruns. By sending a carefully crafted packet to the Resolution Service, an attacker could cause portions of system memory (the heap in one case, the stack in the other) to be overwritten. Overwriting it with random data would likely result in the failure of the SQL Server service; overwriting it with carefully selected data could allow the attacker to run code in the security context of the SQL Server service.
     The third vulnerability is a denial of service vulnerability. SQL uses a keep-alive mechanism to distinguish between active and passive instances. It is possible to create a keep-alive packet that, when sent to the Resolution Service, will cause SQL Server 2000 to respond with the same information. An attacker who created such a packet, spoofed the source address so that it appeared to come from one SQL Server 2000 system, and sent it to a neighboring SQL Server 2000 system could cause the two systems to enter a never-ending cycle of keep-alive packet exchanges. This would consume resources on both systems, slowing performance considerably.
(MS02-039)
July 24, 2002
Unchecked Buffer in SQL Server 2000 Utilities Could Allow Code Execution: This patch eliminates two newly discovered vulnerabilities affecting SQL Server 2000 and MSDE 2000. The first is a buffer overrun vulnerability that occurs in several Database Consistency Checkers (DBCCs) that ship as part of SQL Server 2000. DBCCs are command console utilities that allow maintenance and other operations to be performed on a SQL Server. While many of these are executable only by sysadmin, some are executable by members of the db_owner and db_ddladmin roles as well. In the most serious case, exploiting this vulnerability would enable an attacker to run code in the context of the SQL Server service, thereby giving the attacker complete control over all databases on the server.
     The second is a SQL injection vulnerability that occurs in two stored procedures used in database replication. One of these can only be run by users who have been assigned the db_owner role; the other, due to a permissions error, could be run by any user who could log onto the server interactively. Exploiting the vulnerability could enable an attacker to run operating system commands on the server, but is subject to significant mitigating factors as discussed below.
(MS02-038)
July 24, 2002
Server Response To SMTP Client EHLO Command Results In Buffer Overrun: A security vulnerability results because of an unchecked buffer in the Exchange Server 5.5 Internet Mail Connector (IMC) code that generates the response to the EHLO protocol command. If the total length of the message exceeds a particular value, the data would overrun the buffer. If the buffer were overrun with random data, it would result in the failure of the IMC. If, however, the buffer were overrun with carefully chosen data, it could be possible for the attacker to run code in the security context of the IMC, which runs as the Exchange 5.5 Service Account.
     It is important to note that the attacker could not simply send data to the IMC in order to overrun the buffer. Instead, the attacker would need to create a set of conditions that would cause the IMC to overrun its own buffer when it generated the EHLO response. Specifically, the attacker would need to ensure that a reverse DNS lookup would not only succeed, but would provide an FQDN whose length was sufficient to result in the buffer overrun.
(MS02-037)
July 24, 2002
Authentication Flaw in Microsoft Metadirectory Services Could Allow Privilege Elevation: A flaw exists that could enable an unprivileged user to access and manipulate data within MMS that should, by design, only be accessible to MMS administrators. Specifically, it is possible for an unprivileged user to connect to the MMS data repository via an LDAP client in such a way as to bypass certain security checks. This could enable an attacker to modify data within the MMS data repository, either for the purpose of changing the MMS configuration or replicating bogus data to the other data repositories. (MS02-036)
July 24, 2002
SQL Server Installation Process May Leave Passwords on System: When installing SQL Server 7.0 (including MSDE 1.0), SQL Server 2000, or a service pack for SQL Server 7.0 or SQL Server 2000, the information provided for the install process is collected and stored in a setup file called setup.iss. The setup.iss file can then be used to automate the installation of additional SQL Server systems. SQL Server 2000 also includes the ability to record an unattended install to the setup.iss file without having to actually perform an installation. The administrator setting up the SQL Server can supply a password to the installation routine under the following circumstances: - If the SQL Server is being set up in "Mixed Mode", a password for the SQL Server administrator (the "sa" account) must be supplied. - Whether in Mixed Mode or Windows Authentication Mode, a User ID and password can optionally be supplied for the purpose of starting up SQL Server service accounts. (MS02-035)
July 11, 2002
Cumulative Patch for SQL Server: This is a cumulative patch that includes the functionality of all previously released patches for SQL Server 2000. In addition, it eliminates three newly discovered vulnerabilities affecting SQL Server 2000 and MSDE 2000 (but not any previous versions of SQL Server or MSDE): - A buffer overrun vulnerability in a procedure used to encrypt SQL Server credential information. An attacker who was able to successfully exploit this vulnerability could gain significant control over the database and possibly the server itself, depending on the account SQL Server runs as. - A buffer overrun vulnerability in a procedure that relates to the bulk inserting of data in SQL Server tables. An attacker who was able to successfully exploit this vulnerability could gain significant control over the database and possibly the server itself. - A privilege elevation vulnerability that results because of incorrect permissions on the Registry key that stores the SQL Server service account information. An attacker who was able to successfully exploit this vulnerability could gain greater privileges on the system than had been granted by the system administrator, potentially even the same rights as the operating system. (MS02-034)
July 11, 2002
Unchecked Buffer in Profile Service Could Allow Code Execution in Commerce Server: Commerce Server 2000 and Commerce Server 2002 are web server products for building e-commerce sites. These products provide tools and features that simplify developing and deploying e-commerce solutions, and provide tools that let the site administrator analyze the usage of their e-commerce site. Four vulnerabilities exist in the Commerce Server products: - A vulnerability that results because the Profile Service contains an unchecked buffer in a section of code that handles certain types of API calls. The Profile Service can be used to enable users to manage their own profile information and to research the status of their order. An attacker who provided specially malformed data to certain calls exposed by the Profile Service could cause the Commerce Server process to fail, or could run code in the LocalSystem security context. This vulnerability only affects Commerce Server 2000. - A buffer overrun vulnerability in the Office Web Components (OWC) package installer used by Commerce Server. An attacker who provided specially malformed data as input to the OWC package installer could cause the process to fail, or could run code in the LocalSystem security context. This vulnerability only affects Commerce Server 2000. - A vulnerability in the Office Web Components (OWC) package installer used by Commerce Server. An attacker who invoked the OWC package installer in a particular manner could cause commands to be run on the Commerce Server according to the privileges associated with the attacker's log on credentials. This vulnerability only affects Commerce Server 2000. - A new variant of the ISAPI Filter vulnerability discussed in Microsoft Security Bulletin MS02-010. This variant affects both Commerce Server 2000 and Commerce Server 2002. (MS02-033)
June 26, 2002
Cumulative Patch for Windows Media Player: This is a cumulative patch that includes the functionality of all previously released patches for Windows Media Player 6.4, 7.1 and Windows Media Player for Windows XP. In addition, it eliminates the following three newly discovered vulnerabilities, one of which is rated as critical severity, one of which is rated moderate severity, and the last of which is rated low severity: - An information disclosure vulnerability that could provide the means to enable an attacker to run code on the user's system and is rated as critical severity. - A privilege elevation vulnerability that could enable an attacker who can physically log on locally to a Windows 2000 machine and run a program to obtain the same rights as the operating system. - A script execution vulnerability that could run a script of an attacker's choice as if the user had chosen to run it, after the user played a specially formed media file and then viewed a specially constructed web page. This particular vulnerability has specific timing requirements that make attempts to exploit the vulnerability difficult, and it is rated as low severity. The patch also introduces a configuration change relating to file extensions associated with Windows Media Player. Finally, it introduces a new, optional, security configuration feature for users or organizations that want to take extra precautions beyond applying IE patch MS02-023 and want to disable scripting functionality in the Windows Media Player for versions 7.x or higher. (MS02-032)
June 26, 2002
Cumulative Patches for Excel and Word for Windows: This is a set of cumulative patches that, when applied, applies all previously released fixes for these products. In addition, these patches eliminate four newly discovered vulnerabilities all of which could enable an attacker to run Macro code on a user's machine. The attacker's macro code could take any actions on the system that the user was able to. - An Excel macro execution vulnerability that relates to how inline macros that are associated with objects are handled. This vulnerability could enable macros to execute and bypass the Macro Security Model when the user clicked on an object in a workbook. - An Excel macro execution vulnerability that relates to how macros are handled in workbooks when those workbooks are opened via a hyperlink on a drawing shape. It is possible for macros in a workbook so invoked to run automatically. - An HTML script execution vulnerability that can occur when an Excel workbook with an XSL Stylesheet that contains HTML scripting is opened. The script within the XSL stylesheet could be run in the local computer zone. - A new variant of the "Word Mail Merge" vulnerability first addressed in MS00-071. This new variant could enable an attacker's macro code to run automatically if the user had Microsoft Access present on the system and chose to open a mail merge document that had been saved in HTML format. (MS02-031)
June 19, 2002
Unchecked Buffer in SQLXML Could Lead to Code Execution: Two vulnerabilities exist in SQLXML. 1. An unchecked buffer vulnerability in an ISAPI extension that could, in the worst case, allow an attacker to run code of their choice on the Microsoft Internet Information Services (IIS) Server.  2. A vulnerability in a function specifying an XML tag that could allow an attacker to run script on the user’s computer with higher privilege. For example, a script might be able to be run in the Intranet Zone instead of the Internet Zone. (MS02-030)
June 12, 2002
Unchecked Buffer in Remote Access Service Phonebook Could Lead to Code Execution: A flaw exists in the RAS phonebook implementation: a phonebook value is not properly checked, and is susceptible to a buffer overrun. The overrun could be exploited for either of two purposes: causing a system failure, or running code on the system with LocalSystem privileges. If an attacker were able to log onto an affected server and modify a phonebook entry using specially malformed data, then made a connection using the modified phonebook entry, the specially malformed data could be run as code by the system. (MS02-029)
June 12, 2002
Heap Overrun in HTR Chunked Encoding Could Enable Web Server Compromise:  This patch eliminates a newly discovered vulnerability affecting Internet Information Services.  The vulnerability is similar to the first vulnerability discussed in Microsoft Security Bulletin MS02-018. Like that vulnerability, this one involves a buffer overrun in the Chunked Encoding data transfer mechanism in IIS 4.0 and 5.0, and could likewise be used to overrun heap memory on the system, with the result of either causing the IIS service to fail or allowing code to be run on the server. The chief difference between the vulnerabilities is that the newly discovered one lies in the ISAPI extension that implements HTR – an older, largely obsolete scripting technology – where the previous one lay in the ISAPI extension that implements ASP. (MS02-028)
June 12, 2002
Unchecked Buffer in Gopher Protocol Handler Can Run Code of Attacker's Choice:  There is an unchecked buffer in a piece of code which handles the response from Gopher servers. This code is used independently in IE, ISA, and Proxy Server. A security vulnerability results because it is possible for an attacker to attempt to exploit this flaw by mounting a buffer overrun attack through a specially crafted server response. The attacker could seek to exploit the vulnerability by crafting a web page that contacted a server under the attacker's control. The attacker could then either post this page on a web site or send it as an HTML email. When the page was displayed and the server's response received and processed, the attack would be carried out. A successful attack requires that the attacker be able to send information to the intended target. Anything which inhibited connectivity could protect against attempts to exploit this vulnerability. In the case of IE, the code would be run in the user's context. As a result, any limitations on the user would apply to the attacker's code as well. (MS02-027)
June 11, 2002
Unchecked Buffer in ASP.NET Worker Process: ASP.NET provides for session state management through a variety of modes. One of these modes is StateServer mode. This mode stores session state information in a separate, running process. That process can run on the same machine or a different machine from the ASP.NET application. There is an unchecked buffer in one of the routines that handles the processing of cookies in StateServer mode. A security vulnerability results because it is possible for an attacker to seek to exploit it by mounting a buffer overrun attack. A successful attack could cause the ASP.NET application to restart. As a result, all current users of the web-based application would see their current session restart and their current session information would be lost. The StateServer mode is not the default mode for session state management in ASP.NET. ASP.NET applications using StateServer mode that do not use cookies are not vulnerable. (MS02-026)
June 06, 2002
Malformed Mail Attribute can Cause Exchange 2000 to Exhaust CPU Resources: A security vulnerability results because it is possible for an attacker to seek to exploit this flaw and mount a denial of service attack. An attacker could attempt to levy an attack by connecting directly to the Exchange server and passing a raw, hand-crafted mail message with a specially malformed attribute. When the message was received and processed by the Store service, the CPU would spike to 100%. The effects of the attack would last as long as it took for the Exchange Store service to process the message. Neither restarting the service nor rebooting the server would remedy the denial of service. (MS02-025)
May 29, 2002
Authentication Flaw in Windows Debugger can Lead to Elevated Privileges: The Windows debugging facility provides a means for programs to perform diagnostic and analytic functions on applications as they are running on the operating system. One of these capabilities allows for a program, usually a debugger, to connect to any running program, and to take control of it. The program can then issue commands to the controlled program, including the ability to start other programs. These commands would then execute in the same security context as the controlled program. There is a flaw in the authentication mechanism for the debugging facility such that an unauthorized program can gain access to the debugger. A vulnerability results because an attacker can use this to cause a running program to run a program of her choice. Because many programs run as the operating system, this means that an attacker can exploit this vulnerability to run code as the operating system itself. She could take any action on the system including deleting data, adding accounts with administrative access, or reconfiguring the system. (MS02-024)
May 22, 2002
Cumulative Patch for Internet Explorer: This is a cumulative patch that includes the functionality of all previously released patches for IE 5.01, 5.5 and 6.0. It introduces a behavior change to the Restricted Sites zone. Specifically, it disables frames in the Restricted Sites zone. Since Outlook Express 6.0, Outlook 98 and Outlook 2000 with the Outlook Email Security Update, and Outlook 2002 all read email in the Restricted Sites zone by default, this enhancement means that those products now effectively disable frames in HTML email by default. This new behavior makes it impossible for an HTML email to automatically open a new window or to launch the download of an executable. In addition, it eliminates six newly discovered vulnerabilities. (MS02-023)
May 15, 2002
Unchecked Buffer in MSN Chat Control Can Lead to Code Execution: An unchecked buffer exists in one of the functions that handles input parameters in the MSN Chat control. A security vulnerability results because it is possible for a malicious user to levy a buffer overrun attack and attempt to exploit this flaw. A successful attack could allow code to run in the user's context. It would be possible for an attacker to attempt to exploit this vulnerability either through a malicious web site or through HTML email. However, Outlook Express 6.0, Outlook 2002, and the Outlook Email Security Update (which is available for Outlook 98 and Outlook 2000) can thwart such attempts through their default security settings. (MS02-022)
May 8, 2002
E-mail Editor Flaw Could Lead to Script Execution on Reply or Forward:  Outlook 2000 and 2002 provide the option to use Microsoft Word as the e-mail editor when creating and editing e-mail in either Rich-Text or HTML format. A security vulnerability exists when Outlook is configured this way and the user forwards or replies to a mail from an attacker.
     The vulnerability results from a difference in the security settings that are applied when displaying a mail versus editing one. When Outlook displays an HTML e-mail, it applies Internet Explorer security zone settings that disallow scripts from being run. However, if the user replies to or forwards a mail message and has selected Word as the e-mail editor, Outlook opens the mail and puts the Word editor into a mode for creating e-mail messages. Scripts are not blocked in this mode.
(MS02-021)
April 25, 2002
SQL Extended Procedure Functions Contain Unchecked Buffers: SQL Server 7.0 and 2000 provide for extended stored procedures, which are external routines written in a programming language such as C. These procedures appear to users as normal stored procedures and are executed in the same way. SQL Server 7.0 and 2000 include a number of extended stored procedures which are used for various helper functions. Several of the Microsoft-provided extended stored procedures have a flaw in common: namely, they fail to perform input validation correctly, and are susceptible to buffer overruns as a result. Exploiting the flaw could enable an attacker to either cause the SQL Server service to fail, or to cause code to run in the security context in which SQL Server is running. SQL Server can be configured to run in various security contexts, and by default runs as a domain user. The precise privileges the attacker could gain would depend on the specific security context that the service runs in. (MS02-020)
April 17, 2002
Unchecked Buffer in Internet Explorer and Office for Mac Can Cause Code to Execute:  This is a cumulative patch that, when applied, eliminates all previously released security vulnerabilities affecting IE 5.1 for Macintosh, and Office v. X for Macintosh. In addition, it eliminates two newly discovered vulnerabilities. 1. The first is a buffer overrun vulnerability associated with the handling of a particular HTML element. Because of support for HTML in Office applications, this flaw affects both IE and Office for Macintosh. A security vulnerability results because an attacker can levy a buffer overrun attack against IE that attempts to exploit this flaw. A successful attack would have the result of causing the program to fail, or to cause code of the attacker's choice to run as if it were the user. 2. The second is a vulnerability that can allow local AppleScripts to be invoked by a web page. This vulnerability can allow locally stored AppleScripts to be invoked automatically without first calling the Helper application. The AppleScripts would run as if they had been launched by the user, and could take the same actions as any AppleScript legitimately launched by the user. The AppleScript would have to already be present on the system; there is no way for an attacker to deliver an AppleScript of her choosing through this vulnerability. (MS02-019)
April 16, 2002
Cumulative Patch for Internet Information Services:  This patch is a cumulative patch that includes the functionality of all security patches released for IIS 4.0 since Windows NT 4.0 Service Pack 6a, and all security patches released to date for IIS 5.0 and 5.1. A complete listing of the patches superseded by this patch is provided below, in the section titled "Additional information about this patch". Before applying the patch, system administrators should take note of the caveats discussed in the same section. (MS02-018)
April 10, 2002
Unchecked buffer in the Multiple UNC Provider Could Enable Code Execution:  The Multiple UNC Provider (MUP) is a Windows service that assists in locating network resources that are identified via UNC (uniform naming convention). The MUP receives commands containing UNC names from applications and sends the name to each registered UNC provider, LAN Manager workstation, and any others that are installed. When a provider identifies a UNC name as its own, the MUP automatically redirects future instances of that name to that provider. (MS02-017)
April 4, 2002
Opening Group Policy Files for Exclusive Read Blocks Policy Application:  Group Policy in Windows 2000 is implemented by storing data in the Active Directory and the system volume on the domain controller. This storage location is called the Group Policy Object (GPO). When a machine or user logs onto the domain, it reads the GPO and applies the settings it contains. Most of these settings are also refreshed by default every 90 minutes. However, like most operating systems, Windows 2000 provides several types of read access, including exclusive-read, and this could enable an attacker to lock the Group Policy files, thereby allowing a user to prevent Group Policy from being applied for all users affected by the GPO. (MS02-016)
April 4, 2002
Microsoft Security Bulletin MS02-015: This is a cumulative patch that includes the functionality of all previously released patches for IE 5.01, 5.5 and IE 6. In addition, it eliminates the following two newly discovered vulnerabilities:
     1. A vulnerability in the zone determination function that could allow a script embedded in a cookie to be run in the Local Computer zone. While HTML scripts can be stored in cookies, they should be handled in the same zone as the hosting site associated with them, in most cases the Internet zone. An attacker could place script in a cookie that would be saved to the user's hard disk. When the cookie was opened by the site, the script would then run in the Local Computer zone, allowing it to run with fewer restrictions than it would otherwise have.
     2. A vulnerability in the handling of object tags that could allow an attacker to invoke an executable already present on the user's machine. A malicious user could create an HTML web page that includes this object tag and cause a local program to run on the victim's machine.
(MS02-015)
March 28, 2002
Unchecked Buffer in Windows Shell Could Lead to Code Execution:  The Windows Shell is responsible for providing the basic framework of the Windows user interface experience. It is most familiar to users as the Windows Desktop, but also provides a variety of other functions to help define the user's computing session, including organizing files and folders, and providing the means to start applications. An unchecked buffer exists in one of the functions that helps to locate incompletely removed applications on the system. A security vulnerability results because it is possible for a malicious user to mount a buffer overrun attack and attempt to exploit this flaw. A successful attack would have the effect of either causing the Windows Shell to crash, or causing code to run in the user's context. (MS02-014)
March 07, 2002
Java Applet Can Redirect Browser Traffic: The Microsoft VM is a virtual machine for the Win32 operating environment. It runs atop Microsoft Windows 95, Microsoft Windows 98, ME, Windows NT 4.0, Windows 2000 and Windows XP. It ships as part of Windows 98, ME, and Windows 2000 and also as part of Internet Explorer 5.5 and earlier. The version of the Microsoft VM that ships with Internet Explorer version 4.x and 5.x contains a flaw affecting how Java requests for proxy resources are handled. A malicious Java applet could exploit this flaw to re-direct web traffic once it has left the proxy server to a destination of the attacker's choice. (MS02-013)
March 04, 2002
Malformed Data Transfer Request can Cause Windows SMTP Service to Fail: An SMTP service installs by default as part of Windows 2000 server products. Exchange 2000, which can only be installed on Windows 2000, uses the native Windows 2000 SMTP service rather than providing its own. In addition, Windows 2000 and Windows XP workstation products provide an SMTP service that is not installed by default. All of these implementations contain a flaw that could enable denial of service attacks to be mounted against the service. (MS02-012)
February 27, 2002
Authentication Flaw Could Allow Unauthorized Users To Authenticate To SMTP Service: An SMTP service installs by default as part of Windows 2000 server products and as part of the Internet Mail Connector (IMC) for Microsoft Exchange Server 5.5. (The IMC, also known as the Microsoft Exchange Internet Mail Service, provides access and message exchange to and from any system that uses SMTP). A vulnerability results in both services because of a flaw in the way they handle a valid response from the NTLM authentication layer of the underlying operating system. (MS02-011)
February 27, 2002
Unchecked Buffer in ISAPI Filter Could Allow Commerce Server Compromise: By default, Commerce Server 2000 installs a .dll with an ISAPI filter that allows the server to provide extended functionality in response to events on the server. This filter, called AuthFilter, provides support for a variety of authentication methods. Commerce Server 2000 can also be configured to use other authentication methods. A security vulnerability results because AuthFilter contains an unchecked buffer in a section of code that handles certain types of authentication requests. An attacker who provided authentication data that overran the buffer could cause the Commerce Server process to fail, or could run code in the security context of the Commerce Server process. The process runs with LocalSystem privileges, so exploiting the vulnerability would give the attacker complete control of the server. (MS02-010)
February 21, 2002
Incorrect VBScript Handling in IE can Allow Web Pages to Read Local Files: Frames are used in Internet Explorer to provide for a fuller browsing experience. By design, scripts in the frame of one site or domain should be prohibited from accessing the content of frames in another site or domain. However, a flaw exists in how VBScript is handled in IE relating to validating cross-domain access. This flaw can allow scripts of one domain to access the contents of another domain in a frame. A malicious user could exploit this vulnerability by using scripting to extract the contents of frames in other domains, then sending that content back to their web site. This would enable the attacker to view files on the user's local machine or capture the contents of third-party web sites the user visited after leaving the attacker's site. The latter scenario could, in the worst case, enable the attacker to learn personal information like user names, passwords, or credit card information. In both cases, the user would either have to go to a site under the attacker's control or view an HTML email sent by the attacker. In addition, the attacker would have to know the exact name and location of any files on the user's system. Further, the attacker could only gain access to files that can be displayed in a browser window, such as text files, HTML files, or image files. (MS02-009)
February 21, 2002
XMLHTTP Control Can Allow Access to Local Files: Microsoft XML Core Services (MSXML) includes the XMLHTTP ActiveX control, which allows web pages rendering in the browser to send or receive XML data via HTTP operations such as POST, GET, and PUT. The control provides security measures designed to restrict web pages so they can only use the control to request data from remote data sources. A flaw exists in how the XMLHTTP control applies IE security zone settings to a redirected data stream returned in response to a request for data from a web site. A vulnerability results because an attacker could seek to exploit this flaw and specify a data source that is on the user's local system. The attacker could then use this to return information from the local system to the attacker's web site. An attacker would have to entice the user to a site under his control to exploit this vulnerability. It cannot be exploited by HTML email. In addition, the attacker would have to know the full path and file name of any file he would attempt to read. Finally, this vulnerability does not give an attacker any ability to add, change or delete data. (MS02-008)
February 21, 2002
SQL Server Remote Data Source Function Contain Unchecked Buffers: One of the features of Structured Query Language (SQL) in SQL Server 7.0 and 2000 is the ability to connect to remote data sources. One capability of this feature is the ability to use "ad hoc" connections to connect to remote data sources without setting up a linked server, for less-often-used data sources. This is made possible through the use of OLE DB providers, which are low-level data source providers: the OLE DB provider is invoked directly by name in a query to connect to the remote data source. An unchecked buffer exists in the handling of OLE DB provider names in ad hoc connections. A buffer overrun could occur as a result and could be used either to cause the SQL Server service to fail, or to cause code to run in the security context of the SQL Server. SQL Server can be configured to run in various security contexts, and by default runs as a domain user. The precise privileges the attacker could gain would depend on the specific security context that the service runs in. (MS02-007)
February 20, 2002
Unchecked Buffer in SNMP Service Could Enable Arbitrary Code to be Run: Simple Network Management Protocol (SNMP) is an Internet standard protocol for managing disparate network devices such as firewalls, computers, and routers. All versions of Windows except Windows ME provide an SNMP implementation, which is neither installed nor running by default in any version. A buffer overrun is present in all implementations. By sending a specially malformed management request to a system running an affected version of the SNMP service, an attacker could cause a denial of service. In addition, it is possible that the attacker could cause code to run on the system in LocalSystem context. This could potentially give the attacker the ability to take any desired action on the system. A patch is under development to eliminate the vulnerability. In the meantime, Microsoft recommends that customers who use the SNMP service disable it temporarily. Patches will be available shortly, at which time we will re-release this bulletin with updated details. (MS02-006)
February 12, 2002
11 February 2002 Cumulative Patch for Internet Explorer: This is a cumulative patch that, when installed, eliminates all previously discussed security vulnerabilities affecting IE 5.01, 5.5 and IE 6. (MS02-005)
February 11, 2002
Unchecked Buffer in Telnet Server Could Lead to Arbitrary Code Execution: The Telnet protocol provides remote shell capabilities. Microsoft has implemented the Telnet protocol by providing a Telnet Server in several products. The implementations in two of these products, Windows 2000 and Interix 2.2, contain unchecked buffers in the code that handles the processing of telnet protocol options. An attacker could use this vulnerability to perform a buffer overflow attack. A successful attack could cause the Telnet Server to fail, or in some cases, could possibly allow an attacker to execute code of her choice on the system. Such code would execute using the security context of the Telnet service, but this context varies from product to product. In Windows 2000, the Telnet service always runs as System; in the Interix implementation, the administrator selects the security context in which to run as part of the installation process. (MS02-004)
February 7, 2002
Exchange 2000 System Attendant Incorrectly Sets Remote Registry Permissions: The Microsoft Exchange System Attendant is one of the core services in Microsoft Exchange. It performs a variety of functions related to the on-going maintenance of the Exchange system. To allow remote administration of an Exchange Server using the Exchange System Manager Microsoft Management Console (MMC) snap-in, the System Attendant makes changes to the permissions on the Windows Registry to allow Exchange Administrators to remotely update configuration settings stored in the Registry. There is a flaw in how the System Attendant makes these Registry configuration changes. This flaw could allow an unprivileged user to remotely access configuration information on the server. Specifically, this flaw inappropriately gives the "Everyone" group privileges to the WinReg key. This key controls the ability of users and groups to remotely connect to the Registry. By default, only Administrators are given the ability to remotely connect to the Registry, by granting permissions on this key. The flaw does not grant any abilities beyond the ability to connect remotely. However, an attacker's ability to make changes to the Registry once they have successfully connected would be dictated by the permissions on the specific keys within the Registry itself. Thus, while this vulnerability does not itself give an attacker the ability to change Registry settings, it could be used in conjunction with inappropriately permissive registry settings to gain access to, and make changes to, a system's Registry. (MS02-003)
February 7, 2002
Malformed Network Request can cause Office v. X for Mac to Fail: Office v. X contains a network-aware anti-piracy mechanism that detects multiple copies of Office using the same product identifier (PID) running on the local network. This feature, called the Network Product Identification (PID) Checker, announces Office's own unique product ID and listens for other announcements at regular intervals. If a duplicate PID is detected, Office shuts down. A security vulnerability results because of a flaw in the Network PID Checker. Specifically, the Network PID Checker doesn't correctly handle a particular type of malformed announcement; receiving one causes the Network PID Checker to fail. When the Network PID Checker fails like this, the Office v. X application will fail as well. If more than one Office v. X application was running when the packet was received, the first application launched during the session would fail. An attacker could use this vulnerability to cause other users' Office applications to fail, with the loss of any unsaved data. An attacker could craft and send this packet to a victim's machine directly, by using the machine's IP address. Or, he could send this same directive to a broadcast and multicast domain and attack all affected machines. (MS02-002)
February 6, 2002
Trusting Domains Do Not Verify Domain Membership of SIDs in Authorization Data: Trust relationships are created between Windows NT or Windows 2000 domains to allow users in one domain to access resources in other domains without requiring them to authenticate separately to each domain. When a user in a trusted domain requests access to a resource in a trusting domain, the trusted domain supplies authorization data in the form of a list of Security Identifiers (SIDs) that indicate the user's identity and group memberships. The trusting domain uses this data to determine whether to grant the user's request. A vulnerability exists because the trusting domain does not verify that the trusted domain is actually authoritative for all the SIDs in the authorization data. If one of the SIDs in the list identified a user or security group that is not in the trusted domain, the trusting domain would accept the information and use it for subsequent access control decisions. If an attacker inserted SIDs of his choice into the authorization data at the trusted domain, he could elevate his privileges to those associated with any desired user or group, including the Domain Administrators group for the trusting domain. This would enable the attacker to gain full Domain Administrator access on computers in the trusting domain. (MS02-001)
January 30, 2002


For the most up-to-date information, visit: http://www.microsoft.com/technet

For past Security Bulletins Please Visit Here:  http://www.activewin.com/bugs/secb2001.shtml
