Reported April 12, 2005 by Microsoft

VERSIONS AFFECTED

Microsoft Exchange Server
Microsoft Word
Microsoft Internet Explorer
MSN Messenger
Windows Shell
Microsoft Message Queueing (MSMQ)
Windows TCP/IP Stack

DESCRIPTION

Mark Dowd and Ben Layer of ISS X-Force discovered that Exchange Server contains a vulnerability that could allow an intruder to connect to port 25 (SMTP) and issue a specially crafted command, which could lead to remote code execution or a denial of service condition on the server.

Alex Li discovered that Microsoft Word contains two unchecked buffers that could allow an attacker to take complete control of an affected system if the user is logged in with an account that has administrator-level access. An attack launched against users who are logged in with less-privileged accounts could result in the attacker taking any action that the user's privileges allow.

Berend-Jan Wever, 3APA3A, axle@bytefall, and Andres Tarasco of SIA Group discovered that Internet Explorer contains three vulnerabilities that could allow remote code execution. The problems stem from the way Internet Explorer handles DHTML objects, parses URLs, and processes Content Advisory files.

Hongzhen Zhou discovered that MSN Messenger contains a vulnerability that could allow remote code execution. Due to the way MSN Messenger processes GIF image files, an attacker could create a specially formed image file that, when sent to an MSN Messenger user, could result in the execution of code.

iDEFENSE discovered that the Windows Shell contains a vulnerability that could allow the execution of remote code due to the way Windows handles application association. Using a specially created file, an intruder could cause Windows to start the HTML Application Host, which could be used to take complete control of an affected system.

Kostya Kortchinsky with CERT RENATER discovered that Microsoft Message Queueing (MSMQ) could be used to execute code if an intruder creates a special message and sends that message to an affected system. Such a message could allow an intruder to take complete control of an affected system.

Song Liu, Hongzhen Zhou, Neel Mehta of ISS X-Force, Fernando Gont of Argentina's Universidad Tecnologica Nacional/Facultad Regional Haedo, and Qualys discovered that the Windows TCP/IP stack contains several vulnerabilities that could lead to remote code execution or denial of service attacks. The vulnerabilities pertain to IP message validation, TCP message processing, ICMP packet processing, and connection spoofing.

VENDOR RESPONSE

Microsoft has issued numerous updates to correct these problems:

MS05-023: Vulnerabilities in Microsoft Word May Lead to Remote Code Execution (890169)
MS05-022: Vulnerability in MSN Messenger Could Lead to Remote Code Execution (896597)
MS05-021: Vulnerability in Exchange Server Could Allow Remote Code Execution (894549)
MS05-020: Cumulative Security Update for Internet Explorer (890923)
MS05-019: Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service (893066)
MS05-018: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege and Denial of Service (890859)
MS05-017: Vulnerability in Message Queuing Could Allow Code Execution (892944)
MS05-016: Vulnerability in Windows Shell that Could Allow Remote Code Execution (893086)