Remote Code Execution Vulnerability in Multiple Microsoft Products

Reported June 14, 2005 by Microsoft

VERSIONS AFFECTED


Windows 98
Windows 2000
Windows XP
Windows Server 2003
Internet Explorer 5.x and 6.0
Outlook Express
Outlook Web Access
Step-by-Step Interactive Training
Windows Web Client
Windows HTML Help



DESCRIPTION

Multiple vulnerabilities have been discovered in Windows and its components that could allow intruders to launch code from a remote location on systems running the affected software.

An unchecked buffer in the PNG rendering library used by Internet Explorer (IE) might allow an intruder to launch code on an affected system that could let the intruder take complete control over that system. Also, IE doesn't handle Web site redirects properly when processing XML data. Because of this vulnerability, an intruder might be able to gain access to XML data outside the intruder's domain. Microsoft released a cumulative update for IE to address these issues. The update also corrects other problems in IE, including an issue with the pop-up blocker as well as problems with GIF and XBM image rendering.

The Windows HTML Help facility doesn't properly validate input, which could allow an intruder to take complete control of an affected system.

Due to an error in the way Windows processes Server Message Block (SMB) packets, an intruder could craft specialized packets that might give that intruder complete control over an affected system or let the intruder launch Denial of Service (DoS) attacks.

An unchecked buffer in the Windows Web Client service might allow an intruder to take complete control of an affected system. However, the intruder would need valid logon credentials.

Due to the way Outlook Web Access (OWA) performs HTML encoding in its Compose New Message form, a cross-site scripting attack could occur. An intruder might be able to convince a user to allow a script to be executed that could take any action allowed by the security settings that govern the Web site.

An unchecked buffer in the Network News Transfer Protocol (NNTP) response processing function of Outlook Express could allow an intruder to take complete control of an affected system.

Microsoft's Step-by-Step Interactive Training component contains an unchecked buffer in the function that processes bookmarks. This buffer could allow an intruder to take complete control over an affected system.

VENDOR RESPONSE

Microsoft released several security bulletins to address these problems:

Cumulative Security Update for Internet Explorer (883939)
Vulnerability in HTML Help Could Allow Remote Code Execution (896358)
Vulnerability in Server Message Block Could Allow Remote Code Execution (896422)
Vulnerability in Web Client Service Could Allow Remote Code Execution (896426)
Vulnerability in Outlook Web Access for Exchange Server 5.5 Could Allow Cross-Site Scripting Attacks (895179)
Cumulative Security Update in Outlook Express (897715)
Vulnerability in Step-by-Step Interactive Training Could Allow Remote Code Execution (898458)

CREDITS

Mark Dowd of ISS X-Force reported the PNG image rendering problem.

Mark Litchfield of Next Generation Security Software reported the issues with XML and the Web Client service.

Thor Larholm of PivX Solutions reported the pop-up blocker issue.

The UK National Infrastructure Security Co-ordination Centre (NISCC) reported the GIF- and XBM-rendering issues.

Both Peter Winter-Smith with Next Generation Security Software and eEye Digital Security reported the HTML Help vulnerability.

Qualys reported the SMB vulnerability.

Gaël Delalleau and iDEFENSE reported the Outlook Web Access vulnerability.

iDEFENSE reported the issue with Outlook Express.

iDEFENSE and Brett Moore of Security-Assessment.com reported the vulnerability in Step-by-Step Interactive Training.