Multiple Vulnerabilities in Microsoft Windows Components and Outlook Express

• Microsoft Windows Systems

Microsoft has released a Security
Bulletin Summary for July, 2004. This summary includes several
bulletins that address vulnerabilities in various Windows applications and
components. Exploitation of some vulnerabilities can result in the remote
execution of arbitrary code by a remote attacker. Details of the
vulnerabilities and their impacts are provided below.

The table below provides a reference between
Microsoft's Security Bulletins and the related US-CERT Vulnerability
Notes. More information related to the vulnerabilities is available in
these documents.

Impact

A remote, unauthenticated attacker may exploit VU#717748 to execute
arbitrary code on an IIS 4.0 system.

Exploitation of VU#106324, VU#187196, VU#920060, and VU#228028, would permit a
remote attacker to execute arbitrary code with the privileges of the
current user. The attacker would have to convince a victim to view an HTML
document (web page, HTML email) or click on a crafted URI link.

Vulnerabilities described in VU#647436 and VU#868580 permit a local
user to gain elevated privileges on the local system.

Exploitation of VU#869640 can lead to a
denial-of-service condition against Outlook Express.

Solution

Apply a patch

Microsoft has provided the patches for these vulnerabilities in the
Security
Bulletins and on Windows Update.

Do not follow unsolicited links

It is generally a good practice not to click on unsolicited URLs received
in email, instant messages, web forums, or Internet relay chat (IRC)
channels. However, this practice does not always prevent exploitation of
these types vulnerabilities. For example, a trusted web site could be
compromised and modified to deliver exploit script to unsuspecting
clients.

Maintain updated anti-virus software

Anti-virus software with updated virus definitions may identify and
prevent some exploit attempts, but variations of exploits or attack
vectors may not be detected. Do not rely solely on anti-virus software to
defend against these vulnerabilities. More information about viruses and
anti-virus vendors is available on the US-CERT Computer
Virus Resources page.

Appendix A. Vendor Information

Specific information about these issue are available
in the Security
Bulletin Summary for July, 2004 and the US-CERT Vulnerability Notes.

Appendix B. References

• Microsoft's Security Bulletin Summary for July, 2004 - http://www.microsoft.com/technet/security/bulletin/ms04-jul.mspx
• US-CERT Vulnerability Note VU#106324 - http://www.kb.cert.org/vuls/id/106324
• US-CERT Vulnerability Note VU#187196 - http://www.kb.cert.org/vuls/id/187196
• US-CERT Vulnerability Note VU#920060 - http://www.kb.cert.org/vuls/id/920060
• US-CERT Vulnerability Note VU#228028 - http://www.kb.cert.org/vuls/id/228028
• US-CERT Vulnerability Note VU#717748 - http://www.kb.cert.org/vuls/id/717748
• US-CERT Vulnerability Note VU#647436 - http://www.kb.cert.org/vuls/id/647436
• US-CERT Vulnerability Note VU#868580 - http://www.kb.cert.org/vuls/id/868580
• US-CERT Vulnerability Note VU#869640 - http://www.kb.cert.org/vuls/id/869640
• Increase Your Browsing and E-Mail Safety - http://www.microsoft.com/security/incident/settings.mspx
• Working with Internet Explorer 6 Security Settings - http://www.microsoft.com/windows/ie/using/howto/security/settings.mspx

This alert was created by Jason A. Rafail. Feedback can be directed to
the Vulnerability Note authors: Jason
A. Rafail, Jeffrey P. Lanza, Chad R. Dougherty, Damon G. Morda, and Art
Manion.

Revision History

• July 14, 2004: Initial release
  

  Last updated