Copyright Microsoft Corporation 2005 Microsoft Security Bulletins http://www.microsoft.com/technet/security/current.aspx en-us http://www.microsoft.com/technet/security/current.aspx http://technet.microsoft.com/library/toolbar/3.0/images/banners/TechNetB_masthead_ltr.gif 42 225 Wed, 11 Jan 2006 19:14:12 GMT Bulletin Severity Rating:Critical - This update resolves a newly-discovered, privately-reported vulnerability that could allow an attacker to run arbitrary code on the system. The vulnerability is documented in the “Vulnerability Details” section of this bulletin. On vulnerable versions of Outlook, Office Language Interface Packs, Office MultiLanguage Packs or Office Multilingual User Interface Packs, if a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of the client workstation. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. On vulnerable versions of Exchange, an attacker who successfully exploited this vulnerability could take complete control of an affected system. This vulnerability could be exploited automatically without user interaction. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights http://www.microsoft.com/technet/security/bulletin/ms06-003.mspx?pubDate=2006-01-10 http://www.microsoft.com/technet/security/bulletin/ms06-003.mspx Tue, 10 Jan 2006 08:00:00 GMT Critical Outlook Exchange Bulletin Severity Rating:Critical - This update resolves a newly-discovered, privately-reported vulnerability. An attacker who successfully exploited this vulnerability could take control of an affected system. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. We recommend that customers apply the update immediately. http://www.microsoft.com/technet/security/bulletin/ms06-002.mspx?pubDate=2006-01-10 http://www.microsoft.com/technet/security/bulletin/ms06-002.mspx Tue, 10 Jan 2006 08:00:00 GMT Critical IE Bulletin Severity Rating:Critical - This update resolves a newly-discovered, public vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. Note This vulnerability is currently being exploited and was previously discussed by Microsoft in Microsoft Security Advisory 912840. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. We recommend that customers apply the update immediately. http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx?pubDate=2006-01-05 http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx Thu, 05 Jan 2006 08:00:00 GMT Critical GDI+ Bulletin Severity Rating:Critical - This update resolves a newly-discovered, privately-reported vulnerability. A vulnerability exists in the way that asynchronous procedure calls are processed within the kernel. This vulnerability could allow a logged on user to take complete control of the system http://www.microsoft.com/technet/security/bulletin/ms05-055.mspx?pubDate=2005-12-13 http://www.microsoft.com/technet/security/bulletin/ms05-055.mspx Tue, 13 Dec 2005 08:00:00 GMT Critical Kernel Bulletin Severity Rating:Critical - This update resolves several newly-discovered, publicly and privately reported vulnerabilities. Each vulnerability is documented in its own Vulnerability Details section of this bulletin. If a user is logged on with administrative user rights, an attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. We recommend that customers apply the update immediately. http://www.microsoft.com/technet/security/bulletin/ms05-054.mspx?pubDate=2005-12-13 http://www.microsoft.com/technet/security/bulletin/ms05-054.mspx Tue, 13 Dec 2005 08:00:00 GMT Critical IE Bulletin Severity Rating:Critical - This update resolves several newly-discovered, privately reported and public vulnerabilities. Each vulnerability is documented in this bulletin in its own Vulnerability Details section of this bulletin. An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We recommend that customers apply the update immediately. http://www.microsoft.com/technet/security/bulletin/ms05-053.mspx?pubDate=2005-11-08 http://www.microsoft.com/technet/security/bulletin/ms05-053.mspx Tue, 08 Nov 2005 08:00:00 GMT Critical GDI+ Bulletin Severity Rating:Critical - This update resolves a newly-discovered public vulnerability and other privately-reported variations of the same vulnerability. The Microsoft DDS Library Shape Control (Msdds.dll) and other COM objects could, when instantiated in Internet Explorer, allow an attacker to take complete control of an affected system. Because these COM objects were not designed to be instantiated in Internet Explorer, this update sets the kill bit for the affected Class Identifiers (CLSID) in these COM objects. The vulnerability is documented in the Vulnerability Details section of this bulletin. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. We recommend that customers apply the update immediately. http://www.microsoft.com/technet/security/bulletin/ms05-052.mspx?pubDate=2005-10-11 http://www.microsoft.com/technet/security/bulletin/ms05-052.mspx Tue, 11 Oct 2005 08:00:00 GMT Critical IE Bulletin Severity Rating:Critical - This update resolves several newly-discovered, privately-reported vulnerabilities. Each vulnerability is documented in this bulletin in its own Vulnerability Details section of this bulletin. An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We recommend that Windows 2000 and Windows XP Service Pack 1 customers apply the update immediately. We recommend that customers using other operating system versions apply the update at the earliest opportunity. http://www.microsoft.com/technet/security/bulletin/ms05-051.mspx?pubDate=2005-10-11 http://www.microsoft.com/technet/security/bulletin/ms05-051.mspx Tue, 11 Oct 2005 08:00:00 GMT Critical MSDTC COM+ Bulletin Severity Rating:Critical - This update resolves a newly-discovered, privately-reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. We recommend that customers apply the update immediately. http://www.microsoft.com/technet/security/bulletin/ms05-050.mspx?pubDate=2005-10-11 http://www.microsoft.com/technet/security/bulletin/ms05-050.mspx Tue, 11 Oct 2005 08:00:00 GMT Critical DirectShow Bulletin Severity Rating:Important - This update resolves several newly-discovered, privately reported vulnerabilities in the Windows Shell. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. However, user interaction is required to exploit this vulnerability. http://www.microsoft.com/technet/security/bulletin/ms05-049.mspx?pubDate=2005-10-11 http://www.microsoft.com/technet/security/bulletin/ms05-049.mspx Tue, 11 Oct 2005 08:00:00 GMT Critical Shell Bulletin Severity Rating:Critical - This update resolves a newly-discovered, privately-reported vulnerability that could allow an attacker to run arbitrary code on the system. The vulnerability is documented in the Vulnerability Details section of this bulletin. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We recommend that customers apply the update at the earliest opportunity. http://www.microsoft.com/technet/security/bulletin/ms05-048.mspx?pubDate=2005-10-11 http://www.microsoft.com/technet/security/bulletin/ms05-048.mspx Tue, 11 Oct 2005 08:00:00 GMT Critical CDO Bulletin Severity Rating:Important - This update resolves a newly-discovered, privately-reported vulnerability. A remote code execution vulnerability exists in Plug and Play (PnP) that could allow an authenticated attacker who successfully exploited this vulnerability to take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The vulnerability is documented in the Vulnerability Details section of this bulletin. We recommend that customers apply the update at the earliest opportunity. http://www.microsoft.com/technet/security/bulletin/ms05-047.mspx?pubDate=2005-10-11 http://www.microsoft.com/technet/security/bulletin/ms05-047.mspx Tue, 11 Oct 2005 08:00:00 GMT Important PnP Bulletin Severity Rating:Important - This update resolves a newly-discovered, privately-reported vulnerability. A remote code execution vulnerability exists in the Client Service for NetWare (CSNW). By default, CSNW is not installed on any affected operating system version. Only customers who manually installed CSNW could be vulnerable to this issue. The vulnerability is documented in the Vulnerability Details section of this bulletin. This service is also called Gateway Service for NetWare on Windows 2000 Server. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We recommend that customers apply the update at the earliest opportunity. http://www.microsoft.com/technet/security/bulletin/ms05-046.mspx?pubDate=2005-10-11 http://www.microsoft.com/technet/security/bulletin/ms05-046.mspx Tue, 11 Oct 2005 08:00:00 GMT Important Netware Bulletin Severity Rating:Moderate - This update resolves a newly-discovered, public vulnerability. A vulnerability in Network Connection Manager could allow a denial of service on the affected platforms against the Network Connection Manager. The vulnerability is documented in the Vulnerability Details section of this bulletin. An attacker who successfully exploited this vulnerability could cause the component responsible for managing network and remote access connections to stop responding. If the affected component is stopped due to an attack, it will automatically restart when new requests are received. We recommend that customers consider applying the security update. http://www.microsoft.com/technet/security/bulletin/ms05-045.mspx?pubDate=2005-10-11 http://www.microsoft.com/technet/security/bulletin/ms05-045.mspx Tue, 11 Oct 2005 08:00:00 GMT Moderate CM Bulletin Severity Rating:Moderate - This update resolves a newly-discovered, public vulnerability. A vulnerability exists in the Windows FTP client because of the way it validates file names. This vulnerability could allow an attacker to tamper with the file transfer location on the client during an FTP file transfer session.We recommend that customers consider applying the security update. http://www.microsoft.com/technet/security/bulletin/ms05-044.mspx?pubDate=2005-10-11 http://www.microsoft.com/technet/security/bulletin/ms05-044.mspx Tue, 11 Oct 2005 08:00:00 GMT Moderate FTP Client Bulletin Severity Rating:Critical - This update resolves a newly-discovered, privately-reported vulnerability. A vulnerability exists in the Print Spooler service that could allow remote code execution. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We recommend that customers apply the update immediately. http://www.microsoft.com/technet/security/bulletin/ms05-043.mspx?pubDate=2005-08-09 http://www.microsoft.com/technet/security/bulletin/ms05-043.mspx Tue, 09 Aug 2005 08:00:00 GMT Critical Print Spooler Bulletin Severity Rating:Moderate - This update resolves two newly-discovered vulnerabilities, a privately reported vulnerability and a publicly reported vulnerability. Each vulnerability is documented in this bulletin in its own “Vulnerability Details” section of this bulletin. An attacker who successfully exploited the most severe of these vulnerabilities could cause the service responsible for authenticating users in an Active Directory domain to stop responding. We recommend that customers consider applying the security update. http://www.microsoft.com/technet/security/bulletin/ms05-042.mspx?pubDate=2005-08-09 http://www.microsoft.com/technet/security/bulletin/ms05-042.mspx Tue, 09 Aug 2005 08:00:00 GMT Moderate Kerberos Bulletin Severity Rating:Moderate - This update resolves a newly-discovered, privately-reported vulnerability. A vulnerability in the Remote Desktop Protocol (RDP) exists that could allow an attacker to cause a system to stop responding. The vulnerability is documented in the “Vulnerability Details” section of this bulletin. We recommend that customers consider applying the security update. http://www.microsoft.com/technet/security/bulletin/ms05-041.mspx?pubDate=2005-08-09 http://www.microsoft.com/technet/security/bulletin/ms05-041.mspx Tue, 09 Aug 2005 08:00:00 GMT Moderate RDP Bulletin Severity Rating:Important - This update resolves a newly-discovered, privately-reported vulnerability. A vulnerability exits in the Telephony Application Programming Interface (TAPI) service that could allow remote code execution. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We recommend that customers apply the update at the earliest opportunity. http://www.microsoft.com/technet/security/bulletin/ms05-040.mspx?pubDate=2005-08-09 http://www.microsoft.com/technet/security/bulletin/ms05-040.mspx Tue, 09 Aug 2005 08:00:00 GMT Important Telephony Bulletin Severity Rating:Critical - This update resolves a newly-discovered, privately-reported vulnerability. A remote code execution vulnerability exists in Plug and Play (PnP) that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The vulnerability is documented in the “Vulnerability Details” section of this bulletin. We recommend that customers apply the update immediately. http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx?pubDate=2005-08-09 http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx Tue, 09 Aug 2005 08:00:00 GMT Critical PnP Bulletin Severity Rating:Critical - This update resolves several newly-discovered, publicly and privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own "Vulnerability Details" section of this bulletin. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. We recommend that customers apply the update immediately. http://www.microsoft.com/technet/security/bulletin/ms05-038.mspx?pubDate=2005-08-09 http://www.microsoft.com/technet/security/bulletin/ms05-038.mspx Tue, 09 Aug 2005 08:00:00 GMT Critical IE Bulletin Severity Rating:Critical - This update resolves a newly-discovered, public vulnerability. A COM object, the JView Profiler (Javaprxy.dll), when instantiated in Internet Explorer, contains a remote code execution vulnerability that could allow an attacker to take complete control of an affected system. Since the JView Profiler COM object was not designed to be accessed through Internet Explorer, this update sets the kill bit for the JView Profiler (Javaprxy.dll) COM object. The vulnerability is documented in the “Vulnerability Details” section of this bulletin. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. We recommend that customers apply the update immediately. http://www.microsoft.com/technet/security/bulletin/ms05-037.mspx?pubDate=2005-07-12 http://www.microsoft.com/technet/security/bulletin/ms05-037.mspx Tue, 12 Jul 2005 08:00:00 GMT Critical JView Bulletin Severity Rating:Critical - This update resolves a newly-discovered, privately-reported vulnerability. The vulnerability is documented in the “Vulnerability Details” section of this bulletin. A remote code execution vulnerability exists in the Microsoft Color Management Module because of the way that it handles ICC profile format tag validation. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. We recommend that customers apply the update immediately. http://www.microsoft.com/technet/security/bulletin/ms05-036.mspx?pubDate=2005-07-12 http://www.microsoft.com/technet/security/bulletin/ms05-036.mspx Tue, 12 Jul 2005 08:00:00 GMT Critical CMM Bulletin Severity Rating:Critical - This update resolves a newly-discovered, privately-reported vulnerability. The vulnerability is documented in the “Vulnerability Details” section of this bulletin. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. We recommend that customers apply the update at the earliest opportunity. http://www.microsoft.com/technet/security/bulletin/ms05-035.mspx?pubDate=2005-07-12 http://www.microsoft.com/technet/security/bulletin/ms05-035.mspx Tue, 12 Jul 2005 08:00:00 GMT Critical Word Bulletin Severity Rating:Moderate - This update resolves several newly-discovered, privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own “Vulnerability Details” section of this bulletin. We recommend that customers consider applying the security update. http://www.microsoft.com/technet/security/bulletin/ms05-034.mspx?pubDate=2005-06-14 http://www.microsoft.com/technet/security/bulletin/ms05-034.mspx Tue, 14 Jun 2005 08:00:00 GMT Moderate ISA Server