Microsoft Security Bulletin MS05-038:
Cumulative Security Update for Internet Explorer (896727)
Bulletin URL:
<http://www.microsoft.com/technet/security/Bulletin/MS05-038.mspx>
Reason for Revision: Bulletin revised to include notification of new
packages available from the Microsoft Download Center as the original
packages were causing some Systems Management Server (SMS) and Internet
Explorer installation failures.
Version Number: 2.0
Issued Date: Tuesday, August 09, 2005
Revision Date: Wednesday, August 10, 2005
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Patch(es) Replaced: This update replaces the update that is included
with Microsoft Security Bulletin MS05-025. That update is also a
cumulative update. This update also replaces the update that is included
with Microsoft Security Bulletin MS05-037.
Caveats: Packages for this security update that were located on the
Microsoft Download Center have been updated as the initial packages were
corrupt, causing some Systems Management Server (SMS) and Internet
Explorer installation failures. New packages are now available and
Microsoft encourages users to re-download the packages from the links
below and re-apply. Updates downloaded from Automatic Update, Windows
Update, Microsoft Update and Windows Server Update Services (WSUS), were
not affected by this issue. Microsoft Knowledge Base Article 896727
documents the currently known issues that customers may experience when
they install this security update. The article also documents
recommended solutions for these issues. For more information, see
Microsoft Knowledge Base Article 896727. This update does include
hotfixes that have been released since the release of MS04-004 or
MS04-025, but they will only be installed on systems that need them.
Customers who have received hotfixes from Microsoft or from their
support providers since the release of MS04-004 or MS04-025 should
review the 'I have received a hotfix from Microsoft or my support
provider since the release of MS04-004. Is that hotfix included in this
security update?' question in the FAQ section of this bulletin to
determine how you can make sure that the necessary hotfixes are
installed. Microsoft Knowledge Base Article 896727 also documents this
in more detail.
Tested Software:
Affected Software:
------------------
* Microsoft Windows 2000 Service Pack 4
* Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service
Pack 2
* Microsoft Windows XP Professional x64 Edition
* Microsoft Windows Server 2003 and Microsoft Windows Server 2003
Service Pack 1
* Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft
Windows Server 2003 with Service Pack 1 for Itanium-based Systems
* Microsoft Windows Server 2003 x64 Edition
* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
Microsoft Windows Millennium Edition (ME) - Review the FAQ section of
this bulletin for details about these operating systems.
* Windows Server 2003 (all versions)
Affected Components:
--------------------
* Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000
Service Pack 4 <http://tinyurl.com/d7t5s>
* Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service
Pack 4 or on Microsoft Windows XP Service Pack 1
<http://tinyurl.com/8qwpn>
* Internet Explorer 6 for Microsoft Windows XP Service Pack 2
<http://tinyurl.com/ajbhp>
* Internet Explorer 6 for Microsoft Windows Server 2003 and Microsoft
Windows Server 2003 Service Pack 1 <http://tinyurl.com/8k7b4>
* Internet Explorer 6 for Microsoft Windows Server 2003 for
Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for
Itanium-based Systems <http://tinyurl.com/aknm7>
* Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition
<http://tinyurl.com/8sbu5>
* Internet Explorer 6 for Microsoft Windows XP Professional x64 Edition
Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Millennium
Edition - Review the FAQ section of this bulletin for details about this
version.
* Internet Explorer 6 Service Pack 1 on Microsoft Windows 98, on
Microsoft Windows 98 SE, or on Microsoft Windows Millennium Edition -
Review the FAQ section of this bulletin for details about this version.
<http://tinyurl.com/cd2e9>
Technical Description:
----------------------
* JPEG Image Rendering Memory Corruption Vulnerability - CAN-2005-1988 A
remote code execution vulnerability exists in Internet Explorer because
of the way that it handles JPEG images. An attacker could exploit the
vulnerability by constructing a malicious JPEG image that could
potentially allow remote code execution if a user visited a malicious
Web site or viewed a malicious e-mail message. An attacker who
successfully exploited this vulnerability could take complete control of
an affected system.
* Web Folder Behaviors Cross-Domain Vulnerability - CAN-2005-1989: A
cross-domain vulnerability exists in Internet Explorer that could allow
information disclosure or remote code execution on an affected system.
An attacker could exploit the vulnerability by constructing a malicious
Web page. The malicious Web page could potentially allow remote code
execution if it is viewed by a user. An attacker who successfully
exploited this vulnerability could take complete control of an affected
system. However, significant user interaction and social engineering is
required to exploit this vulnerability.
* COM Object Instantiation Memory Corruption Vulnerability -
CAN-2005-1990: A remote code execution vulnerability exists in the way
Internet Explorer instantiates COM Objects that are not intended to be
used in Internet Explorer. An attacker could exploit the vulnerability
by constructing a malicious Web page that could potentially allow remote
code execution if a user visited the malicious Web site. An attacker who
successfully exploited this vulnerability could take complete control of
an affected system.
Revision History:
-----------------
* v1.0 - 8/9/2005: Bulletin published
* v2.0 - 8/10/2005: Bulletin revised to include notification of new
packages available from the Microsoft Download Center as the original
packages were causing some Systems Management Server (SMS) and Internet
Explorer installation failures.
This email is sent to NTBugtraq automagically as a service to my
subscribers. (v4.01.2047.14260)
Cheers,
Russ Cooper - Senior Information Security Analyst - Cybertrust/NTBugtraq
Editor
--
NTBugtraq Editor's Note:
Most viruses these days use spoofed email addresses. As such, using an
Anti-Virus product which automatically notifies the perceived sender of a
message it believes is infected may well cause more harm than good. Someone who
did not actually send you a virus may receive the notification and scramble
their support staff to find an infection which never existed in the first
place. Suggest such notifications be disabled by whomever is responsible for
your AV, or at least that the idea is considered.
--
