Microsoft Security Bulletin informiert/Download

[Brummelchen]

- ----------------------------------------------------------------------
Title: Unchecked Buffer in File Decompression Functions Could
Lead to Code Execution (Q329048)
Date: 02 October 2002
Software: Microsoft Windows 98 with Plus! Pack, Windows Me,
or Windows XP
Impact: Two vulnerabilities, the most serious of which could
run code of attacker?s choice
Max Risk: Moderate
Bulletin: MS02-054

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/sec.../MS02-054.asp.
- ----------------------------------------------------------------------

Issue:
======
Zipped files (files having a .zip extension) provide a means to
store information in a way that uses less space on a hard disk. This
is accomplished by compressing the files that are put into in the
zipped file. On Windows 98 with Plus! Pack, Windows Me and Windows
XP, the Compressed Folders feature allows zipped files to be treated
as folders. The Compressed Folders feature can be used to create,
add files to, and extract files from zipped files.

Two vulnerabilities exist in the Compressed Folders function:

- An unchecked buffer exists in the programs that handles the
decompressing of files from a zipped file. A security
vulnerability results because attempts to open a file with
a specially malformed filename contained in a zipped file could
possibly result in Windows Explorer failing, or in code of the
attacker?s choice being run.
- The decompression function could place a file in a directory
that was not the same as, or a child of, the target directory
specified by the user as where the decompressed zip files should
be placed. This could allow an attacker to put a file in a known
location on the users system, such as placing a program in a
startup directory

Mitigating Factors:
====================
- The vulnerabilities could not be exploited without user
intervention. The attacker would need to entice the user to
receive, store, and open the zipped file provided by the
attacker.
- The vulnerabilities could not be exploited remotely. An attacker
would need to lure a user into receiving the zipped file onto
the user?s machine. Best practices suggest users not accept
e-mail attachments from people who are not trusted, and not to
download files from untrusted Internet sites.
- On Windows 98 and Windows Me, the Compressed Folders feature is
not installed by default. Users who had not installed this
feature would not be vulnerable.

Risk Rating:
============
- Internet systems: Low
- Intranet systems: Low
- Client systems: Moderate

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/sec...n/ms02-054.asp
for information on obtaining this patch.

Acknowledgment:
===============
- Joe Testa of Rapid7, Inc. (http://www.rapid7.com/) for reporting
the Unchecked Buffer in Zipped File Handling vulnerability.
- zen-parse for reporting the Incorrect Target Path for Zipped
File Decompression vulnerability.

- ---------------------------------------------------------------------

Win XP Download englisch:
http://download.microsoft.com/downlo...P2_x86_ENU.exe

WinXP Download deutsch:
http://download.microsoft.com/downlo...P2_x86_DEU.exe

Win98 PlusPack Download deutsch:
http://download.microsoft.com/downlo...329048GER8.EXE

- ----------------------------------------------------------------------
Title: Cumulative Patch for SQL Server (Q316333)
Date: 02 October 2002
Software: Microsoft SQL Server 7.0
Microsoft Data Engine (MSDE) 1.0
Microsoft SQL Server 2000
Microsoft Desktop Engine (MSDE) 2000
Impact: Four vulnerabilities, the most serious of which could
enable an attacker to gain control over an affected
server.
Max Risk: Critical
Bulletin: MS02-056

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/sec.../MS02-056.asp.
- ----------------------------------------------------------------------

Issue:
======
This is a cumulative patch that includes the functionality of all
previously released patches for SQL Server 7.0, SQL Server 2000, and

Microsoft Data Engine (MSDE) 1.0, Microsoft Desktop Engine (MSDE)
2000. In addition, it eliminates four newly discovered vulner-
abilities.
* A buffer overrun in a section of code in SQL Server 2000
(and MSDE 2000) associated with user authentication. By
sending a specially malformed login request to an affected
server, an attacker could either cause the server to fail or
gain the ability to overwrite memory on the server, thereby
potentially running code on the server in the security context
of the SQL Server service. It would not be necessary for the
user to successfully authenticate to the server or to be able
to issue direct commands to it in order to exploit the
vulnerability.
* A buffer overrun vulnerability that occurs in one of the
Database Console Commands (DBCCs) that ship as part of SQL
Server 7.0 and 2000. In the most serious case, exploiting
this vulnerability would enable an attacker to run code in
the context of the SQL Server service, thereby giving the
attacker complete control over all databases on the server.
* A vulnerability associated with scheduled jobs in SQL Server
7.0 and 2000. SQL Server allows unprivileged users to create
scheduled jobs that will be executed by the SQL Server Agent.
By design, the SQL Server Agent should only perform job
steps that are appropriate for the requesting user's priv-
ileges. However, when a job step requests that an output file
be created, the SQL Server Agent does so using its own priv-
ileges rather than the job owners privileges. This creates a
situation in which an unprivileged user could submit a job
that would create a file containing valid operating system
commands in another user's Startup folder, or simply over-
write system files in order to disrupt system operation

The patch also changes the operation of SQL Server, to prevent
non-administrative users from running ad hoc queries against
non-SQL OLEDB data sources. Although the current operation does
not represent a security vulnerability, the new operation makes
it more difficult to misuse poorly coded data providers that might
be installed on the server.

Mitigating Factors:
====================
Unchecked buffer in SQL Server 2000 authentication function:
* This vulnerability on affects SQL Server 2000 and MSDE 2000.
Neither SQL Server 7.0 nor MSDE 1.0 are affected.
* If the SQL Server port (port 1433) were blocked at the firewall,
the vulnerability could not be exploited from the Internet.
* Exploiting this vulnerability would allow the attacker to
escalate privileges to the level of the SQL Server service
account. By default, the service runs with the privileges of a
domain user, rather than with system privileges.
Unchecked buffer in Database Console Commands:
* Exploiting this vulnerability would allow the attacker to
escalate privileges to the level of the SQL Server service
account. By default, the service runs with the privileges of a
domain user, rather than with system privileges.
* The vulnerability could only be exploited by an attacker who
could authenticate to an affected SQL Server or has permissions
to execute queries directly to the server
* The vulnerability could only be exploited by an attacker who
could authenticate to an affected SQL Server.
Flaw in output file handling for scheduled jobs:
* The vulnerability could only be exploited by an attacker who
could authenticate to an affected SQL server.

Risk Rating:
============
- Internet systems: Critical
- Intranet systems: Critical
- Client systems: None

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/sec...n/ms02-056.asp
for information on obtaining this patch.

Acknowledgment:
===================
* Issue regarding ad hoc queries against non-SQL OLEDB data
sources:
sk@scan-associates.net and pokleyzz@scan-associates.net
* Unchecked buffer in Database Console Commands:
Martin Rakhmanoff (jimmers@yandex.ru)


- ---------------------------------------------------------------------

Download nicht weiter verfolgt.

- ----------------------------------------------------------------------
Title: Unchecked Buffer in Windows Help Facility Could
Enable Code Execution (Q323255)
Date: 02 October 2002
Software: Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Millennium Edition
Microsoft Windows NT 4.0
Microsoft Windows NT 4.0, Terminal Server Edition
Microsoft Windows 2000
Microsoft Windows XP
Impact: Attacker could gain control over user's system
Max Risk: Critical
Bulletin: MS02-055

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/sec.../MS02-055.asp.
- ----------------------------------------------------------------------

Issue:
======
The HTML Help facility in Windows includes an ActiveX control that
provides much of its functionality. One of the functions exposed via
the control contains an unchecked buffer, which could be exploited by
a web page hosted on an attacker's site or sent to a user as an HTML
mail. An attacker who successfully exploited the vulnerability would
be able to run code in the security context of the user, thereby
gaining the same privileges as the user on the system.

A second vulnerability exists because of flaws associated with the
handling of compiled HTML Help (.chm) files that contain shortcuts.
Because shortcuts allow HTML Help files to take any desired action on
the system, only trusted HTML Help files should be allowed to use
them. Two flaws allow this restriction to be bypassed. First, the
HTML Help facility incorrectly determines the Security Zone in the
case where a web page or HTML mail delivers a .chm file to the
Temporary Internet Files folder and subsequently opens it. Instead of
handling the .chm file in the correct zone - the one associated with
the web page or HTML mail that delivered it - the HTML Help facility
incorrectly handles it in the Local Computer Zone, thereby
considering it trusted and allowing it to use shortcuts. This error
is compounded by the fact that the HTML Help facility doesn't
consider what folder the content resides in. Were it to do so, it
could recover from the first flaw, as content within the Temporary
Internet Folder is clearly not trusted, regardless of the Security
Zone it renders in.

The attack scenario for this vulnerability would be complex, and
involves using an HTML mail to deliver a .chm file that contains a
shortcut, then making use of the flaws to open it and allow the
shortcut to execute. The shortcut would be able to perform any action
the user had privileges to perform on the system.

Before deploying the patch, customers should familiarize themselves
with the caveats discussed in the FAQ and in the Caveats section
below.

Mitigating Factors:
====================
Buffer Overrun in HTML Help ActiveX Control:
- The HTML mail-based attack vector could not be exploited on
systems where Outlook 98 or Outlook 2000 were used in conjunction
with the Outlook Email Security Update, or Outlook Express 6 or
Outlook 2002 were used in their default configurations.
- The vulnerability would convey only the user's privileges on
the system. Users whose accounts are configured to have few
privileges on the system would be at less risk than ones who
operate with administrative privileges.

Code Execution via Compiled HTML Help File:
- The vulnerability could only be exploited if the attacker
were able to determine the exact location of the Temporary
Internet Files folder. By design, this should not be possible, and
Microsoft is unaware of any means for doing so which has not
already been patched.
- The vulnerability would convey only the user's privileges on
the system. Users whose accounts are configured to have few
privileges on the system would be at less risk than ones who
operate with administrative privileges.

Risk Rating:
============
- Internet systems: Moderate
- Intranet systems: Moderate
- Client systems: Critical

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/sec...n/ms02-055.asp
for information on obtaining this patch.

Acknowledgment:
===============
- David Litchfield of Next Generation Security Software Ltd.
(http://www.nextgenss.com/)and Thor Larholm, Security Researcher,
PivX Solutions, LLC (http://www.pivx.com) for reporting the
Buffer Overrun in HTML Help ActiveX Control.

- ---------------------------------------------------------------------

Win98 Download deutsch:
http://download.microsoft.com/downlo...323255GER8.EXE

Win2k DL deutsch:
http://download.microsoft.com/downlo...SP4_X86_DE.exe

WinXP DL deutsch:
http://download.microsoft.com/downlo...P2_x86_DEU.exe

WinXP DL englisch:
http://download.microsoft.com/downlo...P2_x86_ENU.exe

[Brummelchen]

--- Patch: S/MIME-Sicherheitsleck in Outlook Express ---
In den Versionen 5.5 und 6.0 des Mail-Programms Outlook Express steckt
ein Sicherheitsleck beim Umgang mit S/MIME-signierten E-Mails. Gemaess
einem aktuellen Security Bulletin kann ein Angreifer darueber
Programmcode auf dem betreffenden System ausfuehren oder den E-Mail-
Client zum Absturz bringen. Fuer beide Programmversionen bietet
Microsoft passende Patches an.
http://www.golem.de/0210/22098.html

im O-Ton

- ----------------------------------------------------------------------
Title: Unchecked Buffer in Outlook Express S/MIME Parsing
Could Enable System Compromise (Q328676)
Date: 10 October 2002
Software: Outlook Express
Impact: Run code of attacker's choice.
Max Risk: Critical
Bulletin: MS02-058

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/sec.../MS02-058.asp.
- ----------------------------------------------------------------------

Issue:
======
To allow for verification of the authenticity of mail messages,
Microsoft Outlook Express supports digital signing of
messages through S/MIME. A buffer overrun vulnerability lies in the
code that generates the warning message when a particular
error condition associated with digital signatures occurs.

By creating a digitally signed email and editing it to introduce
specific data, then sending it to another user, an attacker
could cause either of two effects to occur if the recipient opened or
previewed it. In the less serious case, the attacker
could cause the mail client to fail. If this happened, the recipient
could resume normal operation by restarting the mail
client and deleting the offending mail. In the more serious case, the
attacker could cause the mail client to run code of
their choice on the user's machine. Such code could take any desired
action, limited only by the permissions of the recipient
on the machine.

This vulnerability could only affect messages that are signed using
S/MIME and sent to an Outlook Express user. Users of
Microsoft Outlook products are not affected by this vulnerability.

Mitigating Factors:
====================
- Microsoft Outlook is not affected by this vulnerability.
- Outlook Express runs in the context of the user. Exploiting this
vulnerability would in the worst case scenario allow an attacker
to run arbitrary code in the context of the users' privileges
only. Any restrictions on the users' account would apply to
the attackers code.

Risk Rating:
============
- Internet systems: Low
- Intranet systems: Low
- Client systems: Critical

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/sec...n/ms02-058.asp
for information on obtaining this patch.

Acknowledgment:
===============
- Noam Rathaus of Beyond Security Ltd.
(http://www.beyondsecurity.com)

- ---------------------------------------------------------------------

Download (deutsch)
Outlook Express 6 (alle OS)
Q328676: Outlook Express Update
656 KB file, 3 min @ 28.8 Kbps
http://download.microsoft.com/downlo...DE/q328676.exe

Outlook Express 5.5 SP2 (kein XP)
Q328389: Outlook Express Update
873 KB file, 4 min @ 28.8 Kbps
http://download.microsoft.com/downlo...DE/q328389.exe

[Brummelchen]

Info zum Update oben:

Es wird eine MSOE.DLL ersetzt mit der Versionsnummer 6.00.2720.3000 - das IE6SP1 enthält aber schon Version 6.00.2800.1106.

Benutzer des IE6SP1 dürften daher die Meldung
"Für dieses Update muß der IE 6.0 installiert sein!"
bekommen.

[hexxxlein]

Original geschrieben von Brummelchen
Info zum Update oben:

Benutzer des IE6SP1 dürften daher die Meldung
"Für dieses Update muß der IE 6.0 installiert sein!"
bekommen.

Ganz genau so!

[Brummelchen]

Es geht weiter:

- ----------------------------------------------------------------------
Title: Flaw in Word Fields and Excel External Updates Could
Lead to Information Disclosure (Q330008)
Date: 16 October 2002
Software: Microsoft(r) Word and Microsoft(r) Excel
Impact: Information Disclosure
Max Risk: Moderate
Bulletin: MS02-059

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/sec.../MS02-059.asp.
- ----------------------------------------------------------------------

Issue:
======
Word and Excel provide a mechanism through which data from one
document can be inserted to and updated in another document. This
mechanism, known as field codes in Word and external updates in
Excel, can be automated to reduce the amount of manual effort
required by a user. An example of the use of Word field codes could
be the automatic insertion of a standard disclaimer paragraph in a
legal document. An example of the use of external updates in Excel
could be the automatic updating of a chart in one spreadsheet using
data in a different spreadsheet.

A vulnerability exists because it is possible to maliciously use
field codes and external updates to steal information from a user
without the user being aware. Certain events can trigger field code
and external update to be updated, such as saving a document or by
the user manually updating the links. Normally the user would be
aware of these updates occurring, however a specially crafted field
code or external update can be used to trigger an update without any
indication to the user. This could enable an attacker to create a
document that, when opened, would update itself to include the
contents of a file from the user's local computer.

In order for an attacker to take advantage of this vulnerability,
the attacker would need to perform the following steps:

-Craft a Word or Excel document that exploits the vulnerability
-Deliver it to the user, via email or some other method
-Entice the user to open the document
-Return the document to the attacker. (Microsoft is aware of one
case in which it would not be necessary for the user to do this.
There is one method through which the attacker's document could
post information directly to a web site, but it would only allow
the first line of the file to be sent)

Mitigating Factors:
====================
- - The attacker would need to know the location of the file that he or
she wanted to steal. If the correct filename were not presented,
the attack would fail and an invalid field error message would be
present in the document.
- - The user could always view the field codes or external updates. The
field codes or external updates used in the attack can be revealed,
as they are only hidden to prevent cluttering the document when it
is being viewed or edited. A method of checking documents for
additional undesired information is described in the Frequently
Asked Questions below.
- - Although the attacker could take some steps to obscure the stolen
information, the attacker would leave a clear audit trail. Since
the field codes or external updates can be viewed, even if an attack
is successful, the attacker would leave clear evidence in the
document in the form of the stolen information and the malicious
field codes used. This evidence could be used by law enforcement
agencies if required
- - The vulnerability would not enable the attacker to delete, modify
or add any files to the user's local system.
- - In virtually all circumstances, the attacker would need to entice
the user into returning the document. No information would be
revealed unless the user returned the document to the attacker.

Risk Rating:
============
- Internet systems: None
- Intranet systems: None
- Client systems: Moderate

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/sec...n/ms02-059.asp
for information on obtaining this patch.

- ---------------------------------------------------------------------

Besprochen werden kann das auch hier
https://www.supernature-forum.de/sho...threadid=17056

Links folgen

Dann nochmal die MS Hilfe:

- ----------------------------------------------------------------------
Title: Flaw in Windows XP Help and Support Center Could Enable
File Deletion (Q328940)
Date: 16 October 2002
Software: Microsoft Windows XP
Impact: Delete files on the user's system
Max Risk: Moderate
Bulletin: MS02-060

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/sec.../MS02-060.asp.
- ----------------------------------------------------------------------

Issue:
======
Help and Support Center provides a centralized facility through which
users can obtain assistance on a variety of topics. For instance, it
provides product documentation, assistance in determining hardware
compatibility, access to Windows Update, online help from Microsoft,
and other assistance.

A security vulnerability is present in the Windows XP version of Help
and Support Center, and results because a file intended only for use
by the system is instead available for use by any web page. The
purpose of the file is to enable anonymous upload of hardware
information, with the user's permission, so that Microsoft can
evaluate which devices users are not currently finding device drivers
for. This information is then used to work with hardware vendors and
device teams to improve the quality and quantity of drivers available
in Windows. By design, after attempting to upload an XML file
containing the hardware information, the system deletes it.

An attacker could exploit the vulnerability by constructing a web
page that, when opened, would call the errant function and supply the
name of an existing file or folder as the argument. The attempt to
upload the file or folder would fail, but the file nevertheless would
be deleted. The page could be hosted on a web site in order to attack
users visiting the site, or could be sent as an HTML mail in order to
attack the recipient when it was opened.


Mitigating Factors:
====================
- - Customers who have applied Windows XP Service Pack 1 are at no risk
from the vulnerability.

- - The vulnerability could not be exploited without some degree of
user interaction. Even in the most attacker-favorable case, the
Help and Support Center window would appear unexpectedly and the
file deletion could not occur until the user responded. (Even
selecting Cancel, though, would enable the deletion to occur). If
the user killed the process rather than responding, the deletion
could not occur.

- - For an attack to be successful, the user would need to visit a
website under the attacker's control or receive an HTML e-mail
from the attacker.

- - The vulnerability would not enable an attacker to take any action
other than deleting files. It would not grant any form of
administrative control over the system, nor would it enable the
attacker to read or modify files.

- - The Help and Support Center function could not be started
automatically in Outlook Express or Outlook if the user is running
Internet Explorer 6.0 Service Pack 1, or in Outlook 2002 if "Read
as Plain Text" is enabled.

- - In order to delete a file, the attacker would need to know its
exact file and path name. To delete a folder, the attacker would
need to know its exact path.

- - If the attacker used the vulnerability to disrupt system
operation, Automatic System Recovery would provide a means of
restoring normal operation. In addition, Windows XP will
automatically restore many system files if deleted.

Risk Rating:
============
- Internet systems: Low
- Intranet systems: Low
- Client systems: Moderate

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/sec...n/ms02-060.asp
for information on obtaining this patch.

Acknowledgment:
===============
- Shane Hird of the Distributed Systems Technology Centre
(http://security.dstc.edu.au)

- ---------------------------------------------------------------------

Downloads (1.3meg)
english
http://download.microsoft.com/downlo...P1_x86_ENU.exe

deutsch
http://download.microsoft.com/downlo...P1_x86_DEU.exe

[Brummelchen]

Patch für Fernwartungsfunktion von Windows 2000 und XP

Besonders Server-Systeme von der Sicherheitslücke betroffen

In einem aktuellen Security Bulletin beschreibt Microsoft eine Sicherheitslücke im PPTP-Service, der für Fernwartungen genutzt wird und Bestandteil von Windows 2000 und XP ist. Dieser Dienst kann auch zusätzlich auf Systemen mit Windows 98, 98SE, Millennium und NT 4.0 verwendet werden, soll da aber nicht von dem Sicherheitsleck betroffen sein. Microsoft bietet einen passenden Patch zum Download an.

Sowohl Windows 2000 als auch Windows XP enthalten das Point-to-Point Tunneling Protocol (PPTP), das als Teil der Remote Access Services (RAS) arbeitet und ein Sicherheitsleck besitzt. Dies erlaubt einem Angreifer, ein System über speziell formatierte PPTP-Daten gezielt zum Absturz zu bringen. Während ein solcher Angriff auf einem Server jederzeit möglich ist, gilt dies für Client-Systeme nur, wenn eine aktive PPTP-Verbindung besteht.

Microsoft bietet über das entsprechende Security Bulletin passende Patches für Windows 2000 und XP zum Download an.

- ----------------------------------------------------------------------
Title: Unchecked Buffer in PPTP Implementation Could Enable
Denial of Service Attacks (Q329834)
Date: 30 October 2002
Software: Windows 2000, Windows XP
Impact: Denial of Service
Max Risk: Critical
Bulletin: MS02-063

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/sec.../MS02-063.asp.
- ----------------------------------------------------------------------

Issue:
======
Windows 2000 and Windows XP natively support Point-to-Point Tunneling
Protocol (PPTP), a Virtual Private Networking technology that is
implemented as part of Remote Access Services (RAS). PPTP support is
an optional component in Windows NT 4.0, Windows 98, Windows 98SE,
and Windows ME.

A security vulnerability results in the Windows 2000 and Windows XP
implementations because of an unchecked buffer in a section of code
that processes the control data used to establish, maintain and tear
down PPTP connections. By delivering specially malformed PPTP control
data to an affected server, an attacker could corrupt kernel memory
and cause the system to fail, disrupting any work in progress on the
system.

The vulnerability could be exploited against any server that offers
PPTP. If a workstation had been configured to operate as a RAS server
offering PPTP services, it could likewise be attacked. Workstations
acting as PPTP clients could only be attacked during active PPTP
sessions. Normal operation on any attacked system could be restored
by restarting the system.

Mitigating Factors:
====================
- As discussed in more detail in the FAQ, Microsoft has only
successfully demonstrated denial of service attacks via this
vulnerability. Because of how the overrun occurs, it does not
appear that that there is any reliable means of using it to gain
control over a system.
- Servers would only be at risk from the vulnerability if they
had been specifically configured to offer PPTP services. PPTP does
not run by default on any Windows system. Likewise, although it
is possible to configure a workstation to offer PPTP services,
none operate in this capacity by default.
- Exploiting the vulnerability against a PPTP client could be
difficult. PPTP is typically used in scenarios in which the client
IP address changes frequently (e.g., because the client system is
mobile). Not only would an attacker need to learn the IP address,
but he or she would also need to mount an attack while the client
had an active PPTP session underway.

Risk Rating:
============
- Internet systems: Critical
- Intranet systems: Low
- Client systems: Low

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/sec...n/ms02-063.asp
for information on obtaining this patch.

- ---------------------------------------------------------------------

Download deutsch Win2k
Q329834: Security Update 195 KB file
http://download.microsoft.com/downlo...SP4_X86_DE.exe

Download deutsch WinXP 32bit
Q329834_WXP_SP2_x86_ENU.exe - 210 Kb
http://download.microsoft.com/downlo...P2_x86_DEU.exe
(DL englisch)
http://download.microsoft.com/downlo...P2_x86_ENU.exe

- ----------------------------------------------------------------------
Title: Cumulative Patch for Internet Information Service
(Q327696)
Date: 30 October 2002
Software: Internet Information Service
Impact: Four vulnerabilities, the most serious of which
could enable applications on a server to gain
system-level privileges.
Max Risk: Moderate
Bulletin: MS02-062

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/sec.../MS02-062.asp.
- ----------------------------------------------------------------------

Issue:
======
This patch is a cumulative patch that includes the functionality of
all security patches released for IIS 4.0 since Windows
NT 4.0 Service Pack 6a, and all security patches released to date for
IIS 5.0 and 5.1. A complete listing of the patches
superseded by this patch is provided below, in the section titled
"Additional information about this patch". Before applying
the patch, system administrators should take note of the caveats
discussed in the same section.

In addition to including previously released security patches, this
patch also includes fixes for the following newly
discovered security vulnerabilities affecting IIS 4.0, 5.0 and/or
5.1:
- A privilege elevation vulnerability affecting the way ISAPIs
are launched when an IIS 4.0, 5.0 or 5.1 server is configured
to run them out of process. By design, the hosting process
(dllhost.exe) should run only in the security context of the
IWAM_computername account; however, it can actually be made to
acquire LocalSystem privileges under certain circumstances,
thereby enabling an ISAPI to do likewise.
- A denial of service vulnerability that results because of a flaw
in the way IIS 5.0 and 5.1 allocate memory for WebDAV requests.
If a WebDAV request were malformed in a particular way, IIS would
allocate an extremely large amount of memory on the server. By
sending several such requests, an attacker could cause the server
to fail.
- A vulnerability involving the operation of the script source
access permission in IIS 5.0. This permission operates in
addition to the normal read/write permissions for a virtual
directory, and regulates whether scripts, .ASP files and
executable file types can be uploaded to a write-enabled virtual
directory. A typographical error in the table that defines the
file types subject to this permission has the effect of omitting
.COM files from the list of files subject to the permission. As a
result, a user would need only write access to upload such a file.
- A pair of Cross-Site Scripting (CSS) vulnerabilities affecting
IIS 4.0, 5.0 and 5.1, and involving administrative web page. Each
of these vulnerabilities have the same scope and effect: an
attacker who was able to lure a user into clicking a link on his
web site could relay a request containing script to a third-party
web site running IIS, thereby causing the third-party site's
response (still including the script) to be sent to the user.
The script would then render using the security settings of
the third-party site rather than the attacker's.

In addition, the patch causes 5.0 and 5.1 to change how frequently
the socket backlog list - which, when all connections on a
server are allocated, holds the list of pending connection requests -
is purged. The patch changes IIS to purge the list more
frequently in order to make it more resilient to flooding attacks.
The backlog monitoring feature is not present in IIS 4.0.

Mitigating Factors:
====================
Out of Process Privilege Elevation:
- This vulnerability could only be exploited by an attacker
who already had the ability to load and execute applications
on an affected web server. Normal security practices recommend
that untrusted users not be allowed to load applications onto
a server, and that even trusted users' applications be
scrutinized before allowing them to be loaded.

WebDAV Denial of Service:
- The vulnerability does not affect IIS 4.0, as WebDAV is not
supported in this version of IIS.
- The vulnerability could only be exploited if the server allowed
WebDAV requests to be levied on it. The IIS Lockdown Tool

(http://www.microsoft.com/technet/sec...s/locktool.asp),
if deployed in its default configuration, disables such requests.

Script Source Access Vulnerability:
- The vulnerability could only be exploited if the administrator
had granted all users write and execute permissions to one or
more virtual directories on the server. Default configurations of
IIS would be at no risk from this vulnerability.
- The vulnerability does not affect IIS 4.0, as WebDAV is not
supported in this version of IIS.
- The vulnerability could only be exploited if the server allowed
WebDAV requests to be levied on it. The IIS Lockdown Tool, if
deployed in its default configuration, disables such requests.

Cross-site Scripting in IIS Administrative Pages:
- The vulnerabilities could only be exploited if the attacker
could entice another user into visiting a web page and clicking
a link on it, or opening an HTML mail.
- By default, the pages containing the vulnerability are restricted
to local IP address. As a result, the vulnerability could only
be exploited if the client itself were running IIS.

Aggregate Risk Rating:
============
- Internet systems: Moderate
- Intranet systems: Moderate
- Client systems: Low

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/sec...n/ms02-062.asp
for information on obtaining this patch.

Acknowledgment:
===============
- Li0n of A3 Security Consulting Co., Ltd. (http://www.a3sc.co.kr)
for reporting the Out of process privilege elevation
vulnerability.
- Mark Litchfield of Next Generation Security Software Ltd.
(http://www.nextgenss.com) for reporting the WebDAV denial
of service vulnerability.
- Luciano Martins of Deloitte & Touche Argentina
(http://www.deloitte.com.ar) for recommending the change in the
socket backlog list purge rate.

- ---------------------------------------------------------------------

DL hier
http://www.microsoft.com/technet/sec...n/ms02-062.asp

- ----------------------------------------------------------------------
Title: Windows 2000 Default Permissions Could Allow Trojan Horse
Program (Q327522)
Date: 30 October 2002
Software: Windows 2000
Impact: Trojan Horse program execution
Max Risk: Moderate
Bulletin: MS02-064

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/sec.../MS02-064.asp.
- ----------------------------------------------------------------------

Issue:
======
On Windows 2000, the default permissions provide the Everyone group
with Full access (Everyone:F) on the system root folder
(typically, C:\). In most cases, the system root is not in the search
path. However, under certain conditions - for instance, during logon
or when applications are invoked directly from the Windows desktop
via Start | Run - it can be.

This situation gives rise to a scenario that could enable an attacker
to mount a Trojan horse attack against other users of the same
system, by creating a program in the system root with the same name
as some commonly used program, then waiting for another user to
subsequently log onto the system and invoke the program. The Trojan
horse program would execute with the user's own privileges, thereby
enabling it to take any action that the user could take.

The simplest attack scenario would be one in which the attacker knew
that a particular system program was invoked by a logon script. In
that case, the attacker could create a Trojan horse with the same
name as the system program, which would then be executed by the
logon script the next time someone logged onto the system. Other
scenarios almost certainly would require significantly greater user
interaction - for instance, convincing a user to start a particular
program via Start | Run - and would necessitate the use of social
engineering.

The systems primarily at risk from this vulnerability would be
workstations that are shared between multiple users, and local
terminal server sessions. Other systems would be at significantly
less risk:

- Workstations that are not shared between users would be at no
risk, because the attacker would require the ability to log onto
the system in order to place the Trojan horse.

- Servers would be at no risk, if standard best practices have
been followed that advocate only allowing trusted users to log
onto them.

- Remote Terminal server sessions would be at little risk,
because each user's environment is isolated. That is, the system
root is never the current folder - instead, the user's Documents
and Settings folder is, but the permissions on this folder would
not enable an attacker to place a Trojan horse there.

Mitigating Factors:
====================
- An attacker would require the ability to log onto the system
interactively in order to place the Trojan horse program. It
could not be placed remotely

- As discussed above, dedicated workstations, servers and remote
terminal server sessions would be at less risk (or, in some cases,
none at all) from the vulnerability.

Risk Rating:
============
- Internet systems: Low
- Intranet systems: Low
- Client systems: Moderate

Patch Availability:
===================
- This vulnerability requires an administrative procedure rather
than a patch. The needed changes are discussed in the FAQ.
Please read the Security Bulletin at
http://www.microsoft.com/technet/sec...n/ms02-064.asp
for information on obtaining this patch.

Acknowledgment:
===============
- Jason Miller of Security Focus (http://www.securityfocus.com)

- ---------------------------------------------------------------------

Diese Lücke erfordert ein administratives Verfahren anstatt eines Patches. Die erforderlichen Änderungen werden in der FAQ besprochen.

[Brummelchen]

Hab da heute nochwas gefunden (CCB/DiggnSaeg):
http://www.computerbase.de/news.php?id=4125

Scheinbar unbemerkt und ohne offizielle Bekanntgabe hat Microsoft DirectX 8.2 (Build 4.08.02.0134) herausgebracht. Gefunden haben es die Kollegen von xBetas auf einer CD von Microsofts Combat Flight Simulator 3. In der neuen Version wurde die DirectPlay-API einer Überarbeitung unterzogen.
DirectX8.2 steht derzeit nur als Update von DirectX 8.1b zur Verfügung. Es sollte also die entsprechende Version vorher installiert werden. DirectX 8.1b ist u.a. Bestandteil des ServicePack1 für WindowsXP.
Das rund 2,5MB große Update ist definitiv keine BETA und liegt in englischer Sprache vor.

DirectX 8.2 auch offiziell bei Microsoft [Drucken]
von Jan-Frederik Timm am 31.10.2002 17:12 Uhr

Vor einigen Tagen war in der Betaversion des Combat Flight Simulators ein bisher nicht angekündigtes Update der Schnittstelle DirectX von Version 8.1 auf 8.2 aufgetaucht. Das File steht allerdings auch offiziell bei Microsoft zum Download bereit.
Mit gut 27MB umfasst die Datei nicht nur das DirectPlay Update sondern auch das Grundgerüst, DirectX 8.1b. Unterstützt werden Windows 98, Windows ME, Windows 2000 und Windows XP. Wer also bereits über die letzte DirectX Version verfügt, sollte lieber zum Update greifen. Das komplette File findet sich bei Microsoft.com.

Link zu MS
http://www.microsoft.com/downloads/r...arch&ordinal=9

DirectPlay 8.2

This download contains DirectX 8.1b plus some DirectPlay fixes related to performance and connectivity issues exhibited with some online multiplayer game titles. This release of DirectX is not recommended for general installation. You should only consider installing this release if you have an online gaming problem that has been identified as being fixed with DirectX 8.2. This version of DirectX can replace all previous released versions of DirectX.

Version - 8.2
Release Date - 27 Sep 2002
Estimated Download Size/Time @28.8 - 28,325,976 kb / 2237h 27min

System Requirements

The DirectX 8.2 release supports Windows 98, Windows ME, Windows 2000 and Windows XP. The DirectX installation process requires approximately 60 megabytes (MB) of free space on your hard drive. Once installed, you can delete the installation files. The remaining DirectX files use approximately 16 MB of hard drive space. If you had an earlier version of DirectX installed on your computer, you will see little difference in used space on your hard drive. DirectX 8.2 will overwrite the earlier versions.

Note: After installation, the DirectX 8.2 runtime cannot be removed (uninstalled). The installation process changes core components and makes numerous registry changes within your operating system. Microsoft does not support un-installation.

Operating System - Windows 98 & 2000 & Windows Me, Win XP

Download (englisch)
dplay82 update.exe - 27,663 Kb
http://download.microsoft.com/downlo...2%20update.exe

[Brummelchen]

-----------------------------------------------------------------------
Title: Buffer Overrun in Microsoft Data Access Components Could
Lead to Code Execution (Q329414)
Date: 20 November, 2002
Software:
Microsoft Data Access Components (MDAC) 2.1
Microsoft Data Access Components (MDAC) 2.5
Microsoft Data Access Components (MDAC) 2.6
Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6.0
Impact: Run code of attacker?s choice
Max Risk: Critical
Bulletin: MS02-065

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/security/se...s/ms02-065.asp
http://www.microsoft.com/technet/sec.../MS02-065.asp.
- ----------------------------------------------------------------------

Issue:
======
Microsoft Data Access Components (MDAC) is a collection of components
used to provide database connectivity on Windows platforms. MDAC is
a ubiquitous technology, and it is likely to be present on most
Windows systems:


- - It is included by default as part of Windows XP, Windows 2000, and
Windows Millennium.
- - It is available for download as a stand-alone technology in its
own right.
- - It is either included in or installed by a number of other products
and technologies. For instance, MDAC is included in the Windows NT
4.0 Option Pack, and some MDAC components are present as part of
Internet Explorer even if MDAC itself is not installed.

MDAC provides the underlying functionality for a number of database
operations, such as connecting to remote databases and returning data
to a client. One of the MDAC components, known as Remote Data
Services(RDS), provides functionality that support three-tiered
Architectures ? that is, architectures in which a client?s requests
for service from a back-end database are intermediated through a web
site that applies business logic to them. A security vulnerability
is present in the RDS implementation, specifically, in a function
called the RDS Data Stub, whose purpose it is to parse incoming
HTTP requests and generate RDS commands.

The vulnerability results because of an unchecked buffer in the Data
Stub. By sending a specially malformed HTTP request to the Data Stub,
an attacker could cause data of his or her choice to overrun onto the
heap. Although heap overruns are typically more difficult to exploit
than the more-common stack overrun, Microsoft has confirmed that in
this case it would be possible to exploit the vulnerability to run
code of the attacker?s choice on the user?s system.

Both web servers and web clients are at risk from the vulnerability:
- ----------------------------------------------------------------------
- - Web servers are at risk if a vulnerable version of MDAC is
installed
and running on the server. To exploit the vulnerability against
such
a web server, an attacker would need to establish a connection with
the server and then send a specially malformed HTTP request to it,
that would have the effect of overrunning the buffer with the
attacker?s chosen data. The code would run in the security context
of the IIS service (which, by default, runs in the LocalSystem
context)
- - Web clients are at risk in almost every case, as the RDS Data Stub
is included with all current versions of Internet Explorer and
there is no option to disable it. To exploit the vulnerability
against a client, an attacker would need to host a web page that,
when opened, would send an HTTP reply to the user's system and
overrun the buffer with the attacker's chosen data. The web page
could be hosted on a web site or sent directly to users as an HTML
Mail. The code would run in the security context of the user.

Clearly, this vulnerability is very serious, and Microsoft recommends
that all customers whose systems could be affected by them take app-
ropriate action immediately. Web server administrators should either
install the patch, disable MDAC and/or RDS, or upgrade to MDAC 2.7,
which is not affected by the vulnerability. Web client users should
install the patch immediately on any system that is used for web
browsing. It is important to stress that the latter guidance applies
to any system used for web browsing, regardless of any other
protective measures that have already been taken. For instance, a
web server on which RDS had been disabled would still need the patch
if it was occasionally used as a web client.

Mitigating Factors:
====================
Web Servers
- - Web servers that are using MDAC version 2.7 (the version that
shipped with Windows XP) or later are not affected by the vulner-
ability.
- - Even if a vulnerable version of MDAC were installed, a web server
would only be at risk if RDS were enabled. RDS is disabled by
default
on clean installations of Windows XP and Windows 2000, and can be
disabled on other systems by following the guidance in the IIS
Security Checklist. In addition, the IIS Lockdown Tool will
automatically disable RDS when used in its default configuration.
- - If the URLScan tool were deployed with its default ruleset (which
allows only ASCII data to be present in an HTTP request), it is
likely that the vulnerability could only be used for denial of
service attacks.
- - IIS can be configured to run with fewer than administrative priv-
ileges. If this has been done, it would likewise limit the
privileges
that an attacker could gain through the vulnerability.
- - IP address restrictions, if applied to the RDS virtual directory,
could enable the administrator to restrict access to only trusted
users. This is, however, not practical for most web server
scenarios.

Web clients
- - The HTML mail-based attack vector could not be exploited auto-
matically on systems where Outlook 98 or Outlook 2000 were used
in conjunction with the Outlook Email Security Update, or Outlook
Express 6 or Outlook 2002 were used in their default
configurations.
- - Exploiting the vulnerability would convey to the attacker only the
user?s privileges on the system. Users whose accounts are
configured
to have few privileges on the system would be at less risk than
ones who operate with administrative privileges.

Risk Rating:
============
- Internet systems: Critical
- Intranet systems: Critical
- Client systems: Critical

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/sec...n/ms02-065.asp
for information on obtaining this patch.

Acknowledgment:
===============
- Microsoft thanks Foundstone Research Labs
(http://www.foundstone.com/) for reporting this issue to us
and working with us to protect customers.

----------------------------------------------------------------------

Microsoft Data Access Components: Security Hotfix for Q329414

One of the components of RDS that was delivered in MDAC 2.1, 2.5 and 2.6 contains an unchecked buffer. This patch eliminates the security vulnerability. MDAC 2.7 does not contain this vulnerability. The vulnerability does not affect Windows XP.

For More Information - http://www.microsoft.com/technet/sec...n/MS02-065.asp
Version - Q329414
Release Date - 6 Nov 2002
Estimated Download Size/Time @28.8 - 814 kb / 5min
System Requirements

This patch can be run against any system, whether MDAC is installed or not. It will determine which, if any, version of MDAC exists and will install the appropriate files. This patch will install on Windows 98 or greater.

Operating System - Windows 98, NT4 & 2000, Windows Me

Download Now
q329414_mdacall_x86.exe - 814 Kb

Download (alle Versionen ausser XP)
http://download.microsoft.com/downlo...dacall_x86.exe

[Brummelchen]

-----------------------------------------------------------------------
Title: Cumulative Patch for Internet Explorer (Q328970)
Date: 20 November 2002
Software: Internet Explorer
Impact: Execute commands on a user's system
Max Risk: Important
Bulletin: MS02-066

Microsoft encourages customers to review the Security Bulletins at:

http://www.microsoft.com/security/se...s/ms02-066.asp
http://www.microsoft.com/technet/sec.../MS02-066.asp.


- ----------------------------------------------------------------------

Issue:
======
This is a cumulative patch that includes the functionality of all
previously released patches for IE 5.01, 5.5 and 6.0. In addition,
it eliminates the following six newly discovered vulnerabilities:


- - A buffer overrun vulnerability that occurs because Internet
Explorer does not correctly check the parameters of a PNG graphics
file when it is opened. To the best of Microsoft's knowledge, this
vulnerability could only be used to cause Internet Explorer to
fail. The effect of exploiting the vulnerability against Internet
Explorer would be relatively minor - the user would only need to
restart the browser to restore normal operation. However, a number
of other Microsoft products - notably, most Microsoft Office
products and Microsoft Index Server - rely on Internet Explorer to
render PNG files, and exploiting the vulnerability against such an
application would cause them to fail as well. Because of this,
Microsoft recommends that customers install this patch regardless
of whether they are using Internet Explorer as their primary web
browser.

- - An information disclosure vulnerability related to the way that
Internet Explorer handles encoded characters in a URL. This
vulnerability could allow an attacker to craft a URL containing
some encoded characters that would redirect a user to a second web
site. If a user followed the URL, the attacker would be able to
piggy-back the user's access to the second website. This could
allow the attacker to access any information the user shared with
the second web site.

- - A vulnerability that occurs because under certain circumstances
Internet Explorer does not correctly check the component that the
OBJECT tag calls. This could allow an attacker to obtain the name
of the Temporary Internet Files folder on the user's local machine.
The vulnerability would not allow an attacker to read or modify
any files on the user's local system, since the Temporary Internet
Files folder resides in the Internet security zone. Knowledge of
the name of the Temporary Internet Files folder could allow an
attacker to identify the username of the logged-on user and read
other information in the Temporary Internet Files folder such as
cookies.

- - Three vulnerabilities that although having differing root causes,
have the same net effects. All three vulnerabilities result
because of incomplete security checks being carried out when using
particular programming techniques in web pages, and would have the
effect of allowing one website to access information in another
domain, including the user's local system. This could enable the
web site operator to read, but not change, any file on the user's
local computer that could be viewed in a browser window. In
addition, this could also enable an attacker to invoke an
executable that was already present on the local system.

In addition, the patch sets the Kill Bit on a legacy DirectX
ActiveX control which has been retired but which has a security
vulnerability. This has been done to ensure that the vulnerable
control cannot be reintroduced onto users' systems and ensures
that users who already have the control on their system are
protected. This is discussed further in Microsoft Knowledge Base
Article 810202.

The patch also makes a further refinement to cross domain
verification check that was first introduced in Internet Explorer
Service Pack 1.

Mitigating Factors:
====================

With the exception of the Malformed PNG Image File Failure, there
are common mitigating factors across all of the vulnerabilities:

- - The attacker would have to host a web site that contained a web
page used to exploit the particular vulnerability.
- - The attacker would have no way to force users to visit the site.
Instead, the attacker would need to lure them there, typically by
getting them to click on a link that would take them to the
attacker's site.
- - By default, Outlook Express 6.0 and Outlook 2002 open HTML mails
in the Restricted Sites Zone. In addition, Outlook 98 and 2000
open HTML mails in the Restricted Sites Zone if the Outlook Email
Security Update has been installed. Customers who use any of these
products would be at no risk from an e-mail borne attack that
attempted to exploit these vulnerabilities.

In addition to there are a number of individual mitigating factors:

Malformed PNG Image File Failure

- - Internet Explorer and other affected applications such as
Microsoft Office and Microsoft Index Server could be successfully
restarted after the failure.
- - Microsoft has not identified a method by which this buffer
overrun can be used to execute code of the attacker's choice on
the user's system.
- - This vulnerability is not present in Internet Explorer 6 Service
Pack 1.

Encoded Characters Information Disclosure

- - The vulnerability would not enable an attacker to read, modify
or execute any files on the local system.

Temporary Internet Files folder Name Reading

- - An attacker could not use this vulnerability to read, delete or
modify any files on the user's local system other than information
contained in the Temporary Internet Files folder.
- - An attacker could only exploit this vulnerability by having a
user visit a malicious web site and then follow a malformed link
on this malicious web site to a second web site that the user
trusted.
- - This vulnerability is not present in Internet Explorer 6 Service
Pack 1.

Frames Cross Site Scripting, Cross Domain Verification via Cached
Methods & Improper Cross Domain Security Validation with Frames

- - The vulnerabilities would only allow an attacker to read files
on the user's local system that can be rendered in a browser
window, such as image files, HTML files and text files.
- - The vulnerabilities would not provide any way for an attacker to
put a program of their choice onto another user's system.
- - An attacker would need to know the name and location of any file
on the system to successfully invoke it.
- - The vulnerabilities could only be used to view or invoke local
executables. It could not be used to create, delete, or modify
arbitrary or malicious files.

Risk Rating:
============
- - Important

Patch Availability:
===================
- - A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/sec...n/ms02-066.asp
for information on obtaining this patch.

Acknowledgment:
===============
- - Microsoft thanks eEye Digital Security for reporting the
malformed PNG issue to us and working with us to protect customers.

----------------------------------------------------------------------

Q328970: November 2002, Cumulative Patch for Internet Explorer German

November 2002, Cumulative Patch for Internet Explorer (Q328970)
Posted: November 20, 2002

Read This First

The "November 2002, Cumulative Patch for Internet Explorer" eliminates
all previously addressed security vulnerabilities affecting Internet Explorer,
as well as additional newly discovered vulnerabilities. This update includes
the functionality of all previously released patches.
Download now to continue keeping your computer secure.

For more information about the vulnerabilities this update addresses,
read the associated Microsoft Security Bulletin.
http://www.microsoft.com/technet/sec...n/ms02-066.asp

System Requirements
This update applies to Internet Explorer with the following operating systems:

Windows XP SP1 64bit
Windows XP SP1
Windows XP
Windows Millennium Edition (Windows Me)
Windows 2000 SP3
Windows 98 SE
Windows NT® 4.0 SP6A

Internet Explorer 6 SP1 (32-bit)
Security Update, 1.55 MB file, 8 min @ 28.8 Kbps
http://download.microsoft.com/downlo...DE/q328970.exe

Internet Explorer 6 SP1 (64-bit)
Security Update, 3.17 MB file, 15 min @ 28.8 Kbps
http://download.microsoft.com/downlo...DE/q328970.exe

Internet Explorer 6
Security Update, 2.43 MB file, 12 min @ 28.8 Kbps
http://download.microsoft.com/downlo...DE/q328970.exe

Internet Explorer 5.5 SP2
Security Update, 2.15 MB file, 10 min @ 28.8 Kbps
http://download.microsoft.com/downlo...DE/q328970.exe

Internet Explorer 5.01 SP3
Security Update, 1.91 MB file, 9 min @ 28.8 Kbps
http://download.microsoft.com/downlo...DE/q328970.exe

Auf deutsch:

Patch-Flut für Internet Explorer und Windows
Microsoft hat heute gleich mehrere wichtige Sicherheits-Updates herausgebracht. Der wichtigste ist sicherlich ein neuer "Cumulative Patch" für den Internet Explorer 5.01, 5.5 und 6.0, dessen Installation Microsoft dringend empfiehlt. Aber auch für fast alle Windowssysteme gibt es neue Flicken. Ein Patch stopft eine Lücke in Zusammenhang mit digitalen Zertifikaten. Ein weiterer beseitigt eine Schwachstelle, durch die ein Angreifer seinen Programmcode auf einem attackierten System ausführen kann.
http://www.pcwelt.de/news/viren_bugs/27468

[Brummelchen]

Hier die Info zu den "digitalen Zertifikaten":
(gabs weiter oben schon mal)

-----------------------------------------------------------------------
Title: Certificate Validation Flaw Could Enable Identity
Spoofing (Q329115)
Released: 04 September 2002
Revised: 20 November 2002 (version 4.0)
Software: Microsoft Windows, Microsoft Office for Mac, Microsoft
Internet Explorer for Mac, or Microsoft Outlook Express
for Mac.
Impact: Identity spoofing and, in some cases, ability to gain
control over a user's system.
Max Risk: Important

Bulletin: MS02-050

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/sec.../MS02-050.asp.
- ----------------------------------------------------------------------

Reason for Revision:
====================
The original version of this bulletin was released on 05 September
2002. On 09 September 2002, we updated the bulletin to advise
customers that a Microsoft-issued digital certificate, used to sign
device drivers, did not meet the stricter validation standards
established by the patch. As a result, customers who installed the
patch could see unexpected error messages when installing new
hardware, or in some cases might be unable to install new hardware
altogether. On 20 November 2002, we released an updated version of
the patch that not only eliminates this problem, but also eliminates
a newly discovered variant of the original vulnerability.

Issue:
======
The IETF Profile of the X.509 certificate standard defines several
optional fields that can be included in a digital certificate. One
of these is the Basic Constraints field, which indicates the maximum
allowable length of the certificate's chain and whether the
certificate is a Certificate Authority or an end-entity certificate.
However, the APIs within CryptoAPI that construct and validate
certificate chains (CertGetCertificateChain(),
CertVerifyCertificateChainPolicy(), and WinVerifyTrust()) do not
check the Basic Constraints field. The same flaw, unrelated to
CryptoAPI, is also present in several Microsoft products for
Macintosh.

The vulnerability identified in the original version of the bulletin
could enable an attacker who had a valid end-entity certificate to
issue a subordinate certificate that, although bogus, would
nevertheless pass validation. Because CryptoAPI is used by a wide
range of applications, this could enable a variety of identity
spoofing attacks. These are discussed in detail in the FAQ, but
could include:

- Setting up a web site that poses as a different web site, and
"proving" its identity by establishing an SSL session as the
legitimate web site.
- Sending emails signed using a digital certificate that
purportedly belongs to a different user.
- Spoofing certificate-based authentication systems to gain entry
as a highly privileged user.
- Digitally signing malware using an Authenticode certificate that
claims to have been issued to a company users might trust.

The newly discovered vulnerability announced on 20 November 2002 is
closely related to the one discussed in the original version of the
bulletin and, like that vulnerability, involves a flaw in the way
certificate validation is performed. However, this vulnerability
could enable an attacker to gain control over a user's system.
Because a fix for this vulnerability was not included in the original
version of the patch, Microsoft strongly recommends that customers
install the new patch, even if they installed the original version
of the patch. Only Microsoft Windows 98, Windows 98 Second Edition,
Windows NT 4.0, and Windows NT 4.0, Terminal Server Edition are
affected by this variant.


Mitigating Factors:
====================
Overall:

- The user could always manually check a certificate chain, and
might notice in the case of a spoofed chain that there was an
unfamiliar intermediate CA.

- Unless the attacker's digital certificate were issued by a CA
in the user's trust list, the certificate would generate a
warning when validated.

- The attacker could only spoof certificates of the same type
as the one he or she possessed. In the case where the attacker
attempted an attack using a high-value certificate such as
Authenticode certificates, this would necessitate obtaining a
legitimate certificate of the same type - which could require
the attacker to prove his or her identity or entitlement to the
issuing CA.

Web Site Spoofing:

- The vulnerability provides no way for the attacker to cause the
user to visit the attacker's web site. The attacker would need
to redirect the user to a site under the attacker's control
using a method such as DNS poisoning. As discussed in the FAQ,
this is extremely difficult to carry out in practice.

- The vulnerability could not be used to extract information from
the user's computer. The vulnerability could only be used by an
attacker as a means of convincing a user that he or she has
reached a trusted site, in the hope of persuading the user to
voluntarily provide sensitive data.

Email Signing:

- The "from" address on the spoofed mail would need to match the
one specified in the certificate, giving rise to either of two
scenarios if a recipient replied to the mail. In the case where
the "from" and "reply-to" fields matched, replies would be sent
to victim of the attack rather than the attacker. In the case
where the fields didn't match, replies would obviously be
addressed to someone other than ostensible sender. Either case
could be a tip-off that an attack was underway.

Certificate-based Authentication:

- In most cases where certificates are used for user
authentication, additional information contained within the
certificate is necessary to complete the authentication. The
type and format of such data typically varies with every
installation, and as a result significant insider information
would likely be required for a successful attack.

Authenticode Spoofing:

- To the best of Microsoft's knowledge, such an attack could not
be carried out using any commercial CA's Authenticode
certificates. These certificates contain policy information that
causes the Basic Constraints field to be correctly evaluated,
and none allow end-entity certificates to act as CAs.

- Even if an attack were successfully carried out using an
Authenticode certificate that had been issued by a corporate
PKI, it wouldn't be possible to avoid warning messages, as
trust in Authenticode is brokered on a per-certificate, not
per-name, basis.

Risk Rating:
============
- Important

Note: Responding to customer feedback, Microsoft updated its
severity rating system November 18, 2002. Security bulletins that
originally posted under the old system - before November 18,
2002 - and are later re-released under the new system, will
reflect the severity rating assessed under the new revised
system Severity Rating criteria

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/sec...n/ms02-050.asp
for information on obtaining this patch.

Acknowledgment:
===============
- UK National Infrastructure Security Co-ordination Centre (NISCC)

----------------------------------------------------------------------

Downloads deutsch:

Windows 98 / 98 SE
http://download.microsoft.com/downlo...329115GER8.EXE

Windows ME
http://www.microsoft.com/windowsupdate

Windows NT 4.0:
http://www.microsoft.com/ntserver/nt...15/default.asp
Windows NT 4.0 Terminal Server Edition:
http://www.microsoft.com/ntserver/te...15/default.asp

Windows 2000:
http://www.microsoft.com/windows2000...15/default.asp
Security Update, 7.26 MB file, 35 min @ 28.8 Kbps
http://download.microsoft.com/downlo...SP4_X86_DE.exe

Windows XP:
32bit: http://download.microsoft.com/downlo...P2_x86_DEU.exe
64bit: http://download.microsoft.com/downlo...2_ia64_DEU.exe

Microsoft Office v.X for Mac:
http://www.microsoft.com/mac/download/security.asp
Microsoft Office 2001 for Mac:
http://www.microsoft.com/mac/download/security.asp
Microsoft Office 98 for the Macintosh:
http://www.microsoft.com/mac/download/security.asp
Microsoft Internet Explorer for Mac (for OS 8.1 to 9.x):
http://www.microsoft.com/mac/download/security.asp
Microsoft Internet Explorer for Mac (for OS X):
http://www.microsoft.com/mac/download/security.asp
Microsoft Outlook Express 5.0.6 for Mac:
http://www.microsoft.com/mac/download/security.asp

[little tyrolean]

mal ein bißchen Praxis:
Ich habe gestern nacht mein Betriebssystem - Windows 2000 SP3 - upgedatet und alle Patches zugelassen.
Es kamen so an die 15 MB Download zustande, das Update selbst verlief problemlos.
Bis jetzt habe ich nichts Nachteiliges feststellen können -
ich wäre aber dankbar, wenn mir jemand was über den IE 6 erzählen würde, bei mir läuft noch der IE 5.5 SP2.

[Brummelchen]

http://www.intern.de/news/3741.html
Sicherheitslücken immer noch vorhanden
26.11.2002

In der vergangenen Woche hatte Microsoft zwei Patches veröffentlicht. Diese Patches sind nach Ansicht des dänischen Sicherheitsunternehmens Secunia ungenügend.

Die im 65. Bulletin dieses Jahres angesprochene Sicherheitslücke in den MDAC ist beispielsweise immer noch vorhanden, da die alte MDAC-Version durch einen Angreifer wieder reaktiviert werden kann.

Auch das im 66. Bulletin angebotene kumulative Patch verspricht demanch mehr, als es hält. Die angeblich geschlossenen Sicherheitslücken sollen immer noch vorhanden sein.

Secunia: Microsoft vulnerabilities not fixed
http://www.secunia.com/advisories/7579/

intern.de: Neue kritische Sicherheitslücke
http://www.intern.de/news/3727.html

Naja, ein Versuchs war's wert
Geht um:
Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution (Q329414)

[Brummelchen]

Gibt was neues.

Einmal Outlook 2002

-----------------------------------------------------------------------
Title: E-mail Header Processing Flaw Could Cause Outlook 2002
to Fail (331866)
Date: 04 December 2002
Software: Microsoft Outlook 2002
Impact: Denial of Service
Max Risk: Moderate
Bulletin: MS02-067

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/sec...n/MS02-067.asp
http://www.microsoft.com/security/se...s/MS02-067.asp
- ----------------------------------------------------------------------

Issue:
======
Microsoft Outlook provides users with the ability to work with
e-mail, contacts, tasks, and appointments. Outlook e-mail handling
includes receiving, displaying, creating, editing, sending, and
organizing e-mail messages. When working with received e-mail
messages, Outlook processes information contained in the header of
the e-mail which carries information about where the e-mail came
from, its destination, and attributes of the message.

A vulnerability exists in Outlook 2002 in its processing of e-mail
header information. An attacker who successfully exploited the
vulnerability could send a specially malformed e-mail to a user of
Outlook 2002 that would cause the Outlook client to fail under
certain circumstances. The Outlook 2002 client would continue to
fail so long as the specially malformed e-mail message remained on
the e-mail server. The e-mail message could be deleted by an e-mail
administrator, or by the user via another e-mail client such as
Outlook Web Access or Outlook Express, after which point the
Outlook 2002 client would again function normally.

Mitigating Factors:
====================
- Outlook 2002 clients connecting to e-mail servers using the
MAPI protocol are not affected. Only Outlook 2002 clients using
POP3, IMAP, or WebDAV protocols are vulnerable.

- The vulnerability does not affect Outlook 2000 or Outlook Express.

- The vulnerability is a denial of service vulnerability only.
The attacker would not be able to access the user?s e-mail or
system in any way. The vulnerability could not be used to read,
delete, create, or alter the user?s e-mail.

- If an attacker was able to send a specially malformed e-mail that
successfully exploited this vulnerability, the specially
malformed e-mail could be deleted either by an e-mail
administrator, or by the user via another e-mail client such as
Outlook Web Access or Outlook Express. Once the specially
malformed e-mail has been removed, normal operation would resume.

Risk Rating:
============
- Moderate

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/sec...n/ms02-067.asp
for information on obtaining this patch.

Acknowledgment:
===============
- Richard Lawley

----------------------------------------------------------------------

Download:
http://office.microsoft.com/downloads/2002/olk1005.aspx

Works With Outlook 2002 SP2
File Name olk1005.exe
Last Updated 11-11-2002

Languages Supported
...
German
...

Dafür muss das Office SP2 installiert sein !

Download 508 KB

Und schon wieder ein IE-Patch

-----------------------------------------------------------------------
Title: Cumulative Patch for Internet Explorer (Q324929)
Date: 04 December 2002
Software: Microsoft(r) Internet Explorer
Impact: Information Disclosure
Max Risk: Moderate
Bulletin: MS02-068

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/security/se...s/MS02-068.asp
http://www.microsoft.com/technet/sec.../MS02-068.asp.
-----------------------------------------------------------------------

Issue:
======
This is a cumulative patch for Internet Explorer 5.5 and 6.0. In
addition to including the functionality of all previously released
patches for Internet Explorer 5.5 and 6.0, it also eliminates a
newly discovered flaw in Internet Explorer's cross-domain security
model. This flaw occurs because the security checks that Internet
Explorer carries out when particular object caching techniques are
used in web pages are incomplete. This could have the effect of
allowing a website in one domain to access information in another,
including the user's local system.

Exploiting the vulnerability could enable an attacker to read, but
not change, any file on the user's local computer. In addition, the
attacker could invoke an executable that was already present on the
local system. The attacker would need to know the exact location of
the executable, and would not be able to pass parameters to it.
Microsoft is not aware of any executable that ships by default as
part of Windows and, when run without parameters, could be
dangerous.

An attacker could exploit the vulnerability by constructing a web
page that uses a cached programming technique, and could then
either host it on a web site or send it to a user via email. In the
case of the web-based attack vector the page could be automatically
opened when a user visited the site In the case of the HTML mail-
based attack vector, the page could be opened when the recipient
opened the mail or viewed it using the Preview pane.

Mitigating Factors:
====================
- -Internet Explorer 5.01 is not affected by this vulnerability.
- -The web-based attack scenario would provide no way for the
attacker to force users to visit the site. Instead, the attacker
would need to lure them there, typically by getting them to click
on a link that would take them to the attacker's site.
- -The HTML mail-based attack scenario would be blocked by Outlook
Express 6.0 and Outlook 2002 in their default configurations, and
by Outlook 98 and 2000 if used in conjunction with the Outlook
Email Security Update.
- -The vulnerability would allow an attacker to read but not add,
delete or modify files on the user's local system.
- -The attacker would need to know the name and location of any file
on the system to successfully invoke it. If invoked, there would be
no way for an attacker to pass parameters to that executable.
- -This vulnerability does not provide any way for an attacker to put
a program of their choice onto another user's system.

Risk Rating:
============

Moderate

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/sec...n/ms02-068.asp
for information on obtaining this patch.

----------------------------------------------------------------------

Downloads:

December 2002, Cumulative Patch for Internet Explorer (Q324929) German

The "December 2002, Cumulative Patch for Internet Explorer" eliminates
all previously addressed security vulnerabilities affecting Internet Explorer,
as well as additional newly discovered vulnerabilities. This update includes
the functionality of all previously released patches. Download now to continue
keeping your computer secure.

For more information about the vulnerabilities this update addresses,
read the associated Microsoft Security Bulletin.
http://www.microsoft.com/technet/sec...n/MS02-068.asp

System Requirements
This update applies to Internet Explorer with the following operating systems:

- Windows XP SP1 64-bit
- Windows XP SP1
- Windows XP
- Windows Millennium Edition (Windows Me)
- Windows 2000
- Windows 98 SE
- Windows NT® 4.0 SP6A

Internet Explorer 6 SP1 (32-bit)
Security Update, 2 MB file, 10 min @ 28.8 Kbps
http://download.microsoft.com/downlo...DE/q324929.exe

Internet Explorer 6 SP1 (64-bit)
Security Update, 4.1 MB file, 20 min @ 28.8 Kbps
http://download.microsoft.com/downlo...DE/q324929.exe

Internet Explorer 6
Security Update, 2.43 MB file, 12 min @ 28.8 Kbps
http://download.microsoft.com/downlo...DE/q324929.exe

Internet Explorer 5.5 SP2
Security Update, 2.15 MB file, 10 min @ 28.8 Kbps
http://download.microsoft.com/downlo...DE/q324929.exe

[Brummelchen]

Das ganze auf deutsch dokumentiert:

http://www.pcwelt.de/news/internet/27809/

Neuer Sammel-Patch für IE 5.5 und 6.0 erschienen

Microsoft hat einen neuen "Cumulative Patch" für den Internet Explorer 5.5 und 6.0 zur Verfügung gestellt. Laut dem "Microsoft Security Bulletin MS02-068" umfasst der Flicken alle bislang erschienen Sicherheits-Updates und beseitigt eine erst kürzlich entdeckte Sicherheitslücke im "cross-domain security model" des Browsers.

Sie ermöglicht es Angreifern, Dateien auf dem Rechner des Anwender zu lesen und Programmcode zu starten. Aufgrund der Umstände, die für einen "erfolgreichen" Angriff vorhanden sein müssten, stuft Microsoft das Risiko als moderat ein. Die Ausführungen der Redmonder dazu finden Sie hier .

Der Download beträgt mindestens zwei Megabyte. Das Update ist nur für den IE 5.5 und 6.0, die auf Windows 98SE, ME, NT 4.0 (SP6A), 2000 sowie Windows XP (auch mit SP1) laufen, bestimmt. Der IE 5.01 ist laut Microsoft nicht betroffen.

Hinweis: Beim IE 5.5 muss vor der Installation des Patches der Service Pack 2 installiert werden.

http://www.pcwelt.de/news/viren_bugs/27813/

Patch bewahrt Outlook 2002 vor Absturz

Microsoft hat einen Patch für Outlook 2002 zum Download bereit gestellt. Der Flicken soll eine Schwachstelle beseitigen, durch die das Mailprogramm zum Absturz gebracht werden kann. Ein Angreifer könnte damit den Zugang zum Mailserver eines Outlook- Benutzers blockieren.

Das Problem steckt im Header der Mail. Dort befinden sich Informationen zum Absender, Empfänger und zu den Maileigenschaften. Eine Mail mit einem fehlerhaften Header kann Outlook 2002 beim Empfang der Nachricht zum Absturz bringen. Die Mail bleibt daraufhin auf dem Mailserver liegen und blockiert jeden weiteren Zugriff auf die Mails, da das Programm bei jedem erneuten Abruf der Nachrichten wieder abstürzt.

Ohne Patch lässt sich dieses Problem nur lösen, indem der Benutzer mit einem anderen Client auf den Mailserver zugreift und die problematische Nachricht löscht. Danach ist der Zugriff unter Outlook 2002 wieder möglich. Besser ist es aber, wenn Sie die Schwachstelle durch die Installation des Patches beseitigen.

Der 508 Kilobyte große Patch steht auch für die deutschsprachige Version von Outlook 2002 zur Verfügung. Wichtig: Vor der Installation des Patches muss das Service Pack 2 für Office XP aufgespielt werden.

Alle Anwender, die mit Outlook 2002 Mails von einem POP3-, IMAP-, oder WebDAV-Server abrufen, sollten den Patch installieren. Ältere Versionen von Outlook und Outlook Express sind von diesem Problem nicht betroffen, deren Anwender können auf den Patch verzichten.

[Wolfi]

Der Patch behebt Probleme mit DVD-Playern in Verbindung mit DirectX unter MS Windows XP + SP1