Security 10918 Published by Philipp Esselbach 0

On August 25, 2000, Microsoft released the original version of this
bulletin, to advise customers of the availability of a patch that
eliminates a vulnerability in Microsoft(r) Internet Information
Server. However, an additional variant of the vulnerability was
subsequently identified, and on November 2, 2000, the bulletin was
updated to advise customers of the availability of an updated patch.

The scope of the new vulnerability is exactly the same as that of the
originally-reported one. The updated patch eliminates all known
variants of the vulnerability. Customers who applied the original
version of the patch should apply the new version to ensure that they
are fully protected.

Frequently asked questions regarding this vulnerability and the patch
can be found at
http://www.microsoft.com/technet/security/bulletin/fq00-060.asp

Affected Software Versions
==========================
- Microsoft Internet Information Server 4.0
- Microsoft Internet Information Server 5.0

Patch Availability
==================
- Internet Information Server 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25534
- Internet Information Server 5.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25533

Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Indexing Services for Windows 2000.
This vulnerability could allow a malicious web site operator to
misuse another web site as a means of attacking users.

Frequently asked questions regarding this vulnerability and the patch
can be found at
http://www.microsoft.com/technet/security/bulletin/fq00-084.asp

Affected Software Versions
==========================
- Microsoft Indexing Services for Windows 2000

NOTE: The Indexing Service ships and installs with Windows 2000, but
is not enabled by default. Users who are running web servers on
Windows 2000 who have enabled Indexing Services are urged to apply
this patch.

Patch Availability
==================
- Indexing Services for Windows 2000:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25517

Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Windows NT(r) and Windows(r) 2000
server products and Systems Management Server. The vulnerability
could allow a malicious user to gain control of an affected server.

Frequently asked questions regarding this vulnerability and
the patch can be found at
http://www.microsoft.com/technet/security/bulletin/fq00-083.asp

Affected Software Versions
==========================
- Microsoft Windows NT 4.0 Server
- Microsoft Windows NT 4.0 Server, Terminal Server Edition
- Microsoft Windows NT 4.0 Server, Enterprise Edition
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Systems Management Server 1.2
- Microsoft Systems Management Server 2.0

Note: Netmon does not ship as part of Windows NT 4.0 Workstation or
Windows 2000 Professional. These products would only be affected if
SMS had been installed on them.

Patch Availability
==================
- Microsoft Windows NT 4.0 Server and Windows NT 4.0 Server,
Enterprise Edition:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25487
- Microsoft Windows NT 4.0 Server, Terminal Server Edition:
To be released shortly.
- Microsoft Windows 2000 Server, Advanced Server and
Datacenter Server:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25485
- Microsoft Systems Management Server 1.2:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25505
- Microsoft Systems Management Server 2.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25514

Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Exchange Server 5.5. The vulnerability
could enable a malicious user to cause an Exchange server to fail.

Frequently asked questions regarding this vulnerability
and the patch can be found at
http://www.microsoft.com/technet/security/bulletin/fq00-082.asp

Affected Software Versions
==========================
- Microsoft Exchange Server 5.5

Note: Exchange Server 2000 is not affected by the vulnerability.

Patch Availability
==================
- Microsoft Exchange Server 5.5:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25443

Note: This patch can be applied atop systems running Exchange Server
5.5 Service Pack 3. It is included in Exchange Server 5.5 Service
Pack 4.

Microsoft has released a patch that eliminates a security
vulnerability in the Microsoft(r) virtual machine (Microsoft VM)
that originally was discussed in Microsoft Security Bulletin
MS00-011. Like the original vulnerability, the new variant could
enable a malicious web site operator to read files from the computer
of a person who visited his site or read web content from inside an
intranet if the malicious site was visited by a computer from within
that intranet.

Frequently asked questions regarding this vulnerability and the
patch can be found at
http://www.microsoft.com/technet/security/bulletin/fq00-081.asp

Affected Software Versions
==========================
Versions of the Microsoft VM are identified by build numbers, which
can be determined using the JVIEW tool, as discussed in the FAQ. The
following builds of the Microsoft VM are affected:
- All builds in the 2000 series.
- All builds in the 3000 series.

Note: The Microsoft VM ships as part of several products. However,
the primary ship vehicle is Internet Explorer.

Patch Availability
==================
New versions of the Microsoft VM that include a fix for the
vulnerability can be downloaded from the following locations:
- 2000-series builds:
A patch specifically for the 2000-series builds will be available
shortly. Customers who wish to eliminate the vulnerability can
also do so by upgrading to build 3319 at
http://www.microsoft.com/java/vm/dl_vm40.htm
- 3000-series:
Upgrade to build 3319 or later at
http://www.microsoft.com/java/vm/dl_vm40.htm.

Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Internet Information Server. The
vulnerability could allow a malicious user to "hijack" another user's
secure web session, under a very restricted set of circumstances.

Frequently asked questions regarding this vulnerability
and the patch can be found at
http://www.microsoft.com/technet/security/bulletin/fq00-080.asp

Affected Software Versions
==========================
- Microsoft Internet Information Server 4.0
- Microsoft Internet Information Services 5.0

Patch Availability
==================
- IIS 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25233
- IIS 5.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25232

Microsoft has released a patch that eliminates a security
vulnerability in the HyperTerminal application that ships with
several Microsoft(r) operating systems. This vulnerability could,
under certain circumstances, allow a malicious user to execute
arbitrary code on another user's system.

Frequently asked questions regarding this vulnerability and the patch
can be found at
http://www.microsoft.com/technet/security/bulletin/fq00-079.asp

Affected Software Versions
==========================
- Microsoft Windows 98 and Windows 98SE
- Microsoft Windows Me
- Microsoft Windows 2000

Patch Availability
==================
- Windows 98 and 98SE:
Download
- Windows Me:
Download
- Windows 2000 (can be applied to both Gold and Service Pack 1):
Download

Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) IIS 4.0 and 5.0. The vulnerability
could potentially allow a visitor to a web site to take a wide range
of destructive actions against it, including running programs on it.

This vulnerability is eliminated by the patch that accompanied
Microsoft Security Bulletin MS00-057. Customers who have applied
that patch are already protected against the vulnerability and do not
need to take additional action. Microsoft strongly urges all
customers using IIS 4.0 and 5.0 who have not already done so to apply
the patch immediately.

Frequently asked questions regarding this vulnerability
and the patch can be found at
http://www.microsoft.com/technet/security/bulletin/fq00-078.asp

Affected Software Versions
==========================
- Microsoft IIS 4.0
- Microsoft IIS 5.0

Patch Availability
==================
- Microsoft IIS 4.0:
http://www.microsoft.com/ntserver/nts/downloads/critical/q269862
- Microsoft IIS 5.0:
http://www.microsoft.com/windows2000/downloads/critical/q269862

Note: The IIS 4.0 patch can be installed on systems running Windows
NT(r) 4.0 Service Packs 5 and 6a. It will be included in Windows NT
4.0 Service Pack 7. The IIS 5.0 patch can be installed on systems
running either Windows(r) 2000 Gold or Service Pack 1. It will be
included in Windows 2000 Service Pack 2.

Microsoft has released a patch that eliminates a security
vulnerability in NetMeeting, an application that ships with
Microsoft(r) Windows 2000 and is also available as a separate
download for Windows NT 4.0. The vulnerability could allow a
malicious user to temporarily prevent an affected machine from
providing any NetMeeting services and possibly consume 100% CPU
utilization during an attack.

Frequently asked questions regarding this vulnerability and the patch
can be found at
http://www.microsoft.com/technet/security/bulletin/fq00-077.asp

Affected Software Versions
==========================
NetMeeting Version 3.01 (4.4.3385) on Windows 2000 or Windows NT 4.0.

Patch Availability
==================
- Windows 2000 and Windows NT 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25029

Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Internet Explorer. Under a daunting
set of conditions, the vulnerability could enable a malicious user to
obtain another user's userid and password to a web site.

Frequently asked questions regarding this vulnerability
and the patch can be found at
http://www.microsoft.com/technet/security/bulletin/fq00-076.asp

Affected Software Versions
==========================
- Microsoft Internet Explorer 4.x
- Microsoft Internet Explorer 5.x prior to version 5.5

Note: Internet Explorer 5.5 is not affected by this vulnerability.
Customers using IE 5.5 do not need to take any action.

Patch Availability
==================
- http://www.microsoft.com/windows/ie/download/critical/q273868.htm

Note: The patch requires IE 5.01 SP1 to install. Customers who
install this patch on other versions may receive a message reading
"This update does not need to be installed on this system". This
message is incorrect. More information is available in KB article
Q273868.

Note: As discussed in Affected Software Versions, this vulnerability
does not affect IE 5.5.

Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) virtual machine (Microsoft VM). If a
malicious web site operator were able to coax a user into visiting
his site, the vulnerability could allow him to take any desired
action on a visiting user's machine.

Frequently asked questions regarding this vulnerability and the patch
can be found at
http://www.microsoft.com/technet/security/bulletin/fq00-075.asp

Affected Software Versions
==========================
Versions of the Microsoft VM are identified by build numbers, which
can be determined using the JVIEW tool, as discussed in the FAQ. The
following builds of the Microsoft VM are affected:

- All builds in the 2000 series.
- All builds in the 3100 series.
- All builds in the 3200 series.
- All builds in the 3300 series.

Patch Availability
==================
- 2000-series Microsoft VM customers will be provided with an update
soon.
- 3100-series Microsoft VM customers upgrade to build 3318 or later
from:
http://www.microsoft.com/java/vm/dl_vm40.htm
- 3200-series Microsoft VM customers upgrade to build 3318 or later
from:
http://www.microsoft.com/java/vm/dl_vm40.htm
- 3300-series Microsoft VM customers upgrade to build 3318 or later
from:
http://www.microsoft.com/java/vm/dl_vm40.htm

Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Word 2000 and 97. The vulnerability
could allow a malicious user to run arbitrary code on a victim's
computer without their approval.

Frequently asked questions regarding this vulnerability and the patch
can be found at
http://www.microsoft.com/technet/security/bulletin/fq00-071.asp

Affected Software Versions
==========================
- Microsoft Word 2000
- Microsoft Word 97

Patch Availability
==================
- Microsoft Word 2000:
http://officeupdate.microsoft.com/2000/downloadDetails/wrdacc.htm
- Microsoft Word 97: Patch will be available shortly.

Note: Additional security patches are available at the Microsoft
Download Center.