Bulletin ID: MS08-077 |
Title: Vulnerability in Microsoft Office SharePoint Server Could Cause Elevation of Privilege (957175) |
Update Type: Security Update |
Severity: Important |
Date: 2008-12-09 |
Description: This security update resolves a privately reported vulnerability. The vulnerability could allow elevation of privilege if an attacker bypasses authentication by browsing to an administrative URL on a SharePoint site. A successful attack leading to elevation of privilege could result in denial of service or information disclosure. |
Vulnerabilities: CVE-2008-4032 |
Included Updates: 956716 957175 |
Applies to: Office 2007 |
Bulletin ID: MS08-075 |
Title: Vulnerabilities in Windows Search Could Allow Remote Code Execution (959349) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-12-09 |
Description: This security update resolves two privately reported vulnerabilities in Windows Search. These vulnerabilities could allow remote code execution if a user opens and saves a specially crafted saved-search file within Windows Explorer or if a user clicks a specially crafted search URL. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2008-4268 CVE-2008-4269 |
Included Updates: 958623 958624 959349 |
Applies to: Windows Server 2008 Windows Vista |
Bulletin ID: MS08-074 |
Title: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (959070) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-12-09 |
Description: This security update resolves three privately reported vulnerabilities in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2008-4264 CVE-2008-4265 CVE-2008-4266 |
Included Updates: 958372 958434 958436 958437 958439 958442 959070 |
Applies to: Office 2002/XP Office 2003 Office 2007 |
Bulletin ID: MS08-071 |
Title: Vulnerabilities in GDI Could Allow Remote Code Execution (956802) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-12-09 |
Description: This security update resolves two privately reported vulnerabilities in GDI. Exploitation of either of these vulnerabilities could allow remote code execution if a user opens a specially crafted WMF image file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2008-2249 CVE-2008-3465 |
Included Updates: 956802 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS07-017 |
Title: Vulnerabilities in GDI Could Allow Remote Code Execution (925902) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-12-09 |
Description: This update resolves several newly discovered, publicly disclosed and privately reported vulnerabilities as well as additional issues discovered through internal investigations. Each vulnerability is documented in its own subsection in the Vulnerability Details section of this bulletin. |
Vulnerabilities: CVE-2006-5586 CVE-2006-5758 CVE-2007-0038 CVE-2007-1211 CVE-2007-1212 CVE-2007-1213 CVE-2007-1215 |
Included Updates: 925902 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS05-053 |
Title: Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (896424) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-12-09 |
Description: This update resolves several newly discovered, privately reported and public vulnerabilities. Each vulnerability is documented in its own "Vulnerability Details" section of this bulletin. |
Vulnerabilities: CAN-2005-0803 CAN-2005-2123 CAN-2005-2124 |
Included Updates: 896424 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS07-005 |
Title: Vulnerability in Step-by-Step Interactive Training Could Allow Remote Code Execution (923723) |
Update Type: Security Update |
Severity: Important |
Date: 2008-11-25 |
Description: This update resolves a newly discovered, privately reported vulnerability. The Step-by-Step Interactive Training has a remote code execution vulnerability that could allow an attacker to take complete control of an affected system. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. |
Vulnerabilities: CVE-2006-3448 |
Included Updates: 923723 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-068 |
Title: Vulnerability in SMB Could Allow Remote Code Execution (957097) |
Update Type: Security Update |
Severity: Important |
Date: 2008-11-11 |
Description: This security update resolves a publicly disclosed vulnerability in Microsoft Server Message Block (SMB) Protocol. The vulnerability could allow remote code execution on affected systems. An attacker who successfully exploited this vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2008-4037 |
Included Updates: 957097 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-065 |
Title: Vulnerability in Message Queuing Could Allow Remote Code Execution (951071) |
Update Type: Security Update |
Severity: Important |
Date: 2008-11-11 |
Description: This security update resolves a privately reported vulnerability in the Message Queuing Service (MSMQ) on Microsoft Windows 2000 systems. The vulnerability could allow remote code execution on Microsoft Windows 2000 systems with the MSMQ service enabled. |
Vulnerabilities: CVE-2008-3479 |
Included Updates: 951071 |
Applies to: Windows 2000 |
Bulletin ID: MS08-040 |
Title: Vulnerabilities in Microsoft SQL Server Could Allow Elevation of Privilege (941203) |
Update Type: Security Update |
Severity: Important |
Date: 2008-11-11 |
Description: This security update resolves four privately disclosed vulnerabilities. The more serious of the vulnerabilities could allow an attacker to run code and to take complete control of an affected system. An authenticated attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights. |
Vulnerabilities: CVE-2008-0085 CVE-2008-0086 CVE-2008-0106 CVE-2008-0107 |
Included Updates: 941203 948108 948109 948110 948111 |
Applies to: SQL Server 2000 SQL Server 2005 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 |
Bulletin ID: MS08-062 |
Title: Vulnerability in Windows Internet Printing Service Could Allow Remote Code Execution (953155) |
Update Type: Security Update |
Severity: Important |
Date: 2008-10-28 |
Description: This update resolves a privately reported vulnerability in the Windows Internet Printing Service that could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts. |
Vulnerabilities: CVE-2008-1446 |
Included Updates: 953155 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-067 |
Title: Vulnerability in Server Service Could Allow Remote Code Execution (958644) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-10-23 |
Description: This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit. Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter. |
Vulnerabilities: CVE-2008-4250 |
Included Updates: 958644 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-064 |
Title: Vulnerability in Virtual Address Descriptor Manipulation Could Allow Elevation of Privilege (956841) |
Update Type: Security Update |
Severity: Important |
Date: 2008-10-14 |
Description: This security update resolves a privately reported vulnerability in Virtual Address Descriptor. The vulnerability could allow elevation of privilege if a user runs a specially crafted application. An authenticated attacker who successfully exploited this vulnerability could gain elevation of privilege on an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights. |
Vulnerabilities: CVE-2008-4036 |
Included Updates: 956841 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-063 |
Title: Vulnerability in SMB Could Allow Remote Code Execution (957095) |
Update Type: Security Update |
Severity: Important |
Date: 2008-10-14 |
Description: This security update resolves a privately reported vulnerability in Microsoft Server Message Block (SMB) Protocol. The vulnerability could allow remote code execution on a server that is sharing files or folders. An attacker who successfully exploited this vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. |
Vulnerabilities: CVE-2008-4038 |
Included Updates: 957095 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-061 |
Title: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (954211) |
Update Type: Security Update |
Severity: Important |
Date: 2008-10-14 |
Description: This security update resolves one publicly disclosed and two privately reported vulnerabilities in the Windows kernel. A local attacker who successfully exploited these vulnerabilities could take complete control of an affected system. The vulnerabilities could not be exploited remotely or by anonymous users. |
Vulnerabilities: CVE-2008-2250 CVE-2008-2251 CVE-2008-2252 |
Included Updates: 954211 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-060 |
Title: Vulnerability in Active Directory Could Allow Remote Code Execution (957280) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-10-14 |
Description: This security update resolves a privately reported vulnerability in implementations of Active Directory on Microsoft Windows 2000 Server. The vulnerability could allow remote code execution if an attacker gains access to an affected network. This vulnerability only affects Microsoft Windows 2000 servers configured to be domain controllers. If a Microsoft Windows 2000 server has not been promoted to a domain controller, it will not be listening to Lightweight Directory Access Protocol (LDAP) or LDAP over SSL (LDAPS) queries, and will not be exposed to this vulnerability. |
Vulnerabilities: CVE-2008-4023 |
Included Updates: 957280 |
Applies to: Windows 2000 |
Bulletin ID: MS08-059 |
Title: Vulnerability in Host Integration Server RPC Service Could Allow Remote Code Execution (956695) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-10-14 |
Description: This security update resolves a privately reported vulnerability in Microsoft Host Integration Server. The vulnerability could allow remote code execution if an attacker sent a specially crafted Remote Procedure Call (RPC) request to an affected system. Customers who follow best practices and configure the SNA RPC service account to have fewer user rights on the system could be less impacted than customers who configure the SNA RPC service account to have administrative user rights. |
Vulnerabilities: |
Included Updates: 956695 |
Applies to: Host Integration Server 2000 Host Integration Server 2004 Host Integration Server 2006 |
Bulletin ID: MS08-057 |
Title: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (956416) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-10-14 |
Description: This security update resolves three privately reported vulnerabilities in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2008-3471 CVE-2008-3477 CVE-2008-4019 |
Included Updates: 955464 955466 955468 955470 955935 955936 955937 956416 |
Applies to: Office 2002/XP Office 2003 Office 2007 |
Bulletin ID: MS08-056 |
Title: Vulnerability in Microsoft Office Could Allow Information Disclosure (957699) |
Update Type: Security Update |
Severity: Moderate |
Date: 2008-10-14 |
Description: This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow information disclosure if a user clicks a specially crafted CDO URL. An attacker who successfully exploited this vulnerability could inject a client side script in the user's browser that could spoof content, disclose information, or take any action that the user could take on the affected Web site. |
Vulnerabilities: CVE-2008-4020 |
Included Updates: 956464 957699 |
Applies to: Office 2002/XP |
Bulletin ID: MS08-054 |
Title: Vulnerability in Windows Media Player Could Allow Remote Code Execution (954154) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-09-13 |
Description: This security update resolves a privately reported vulnerability in Windows Media Player that could allow remote code execution when a specially crafted audio file is streamed from a Windows Media server. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2008-2253 |
Included Updates: 954154 |
Applies to: Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-053 |
Title: Vulnerability in Windows Media Encoder 9 Could Allow Remote Code Execution (954156) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-09-13 |
Description: This security update resolves a privately reported vulnerability in Windows Media Encoder 9 Series. The vulnerability could allow remote code execution if a user viewed a specially crafted Web page. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2008-3008 |
Included Updates: 954156 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-052 |
Title: Vulnerabilities in GDI+ Could Allow Remote Code Execution (954593) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-09-09 |
Description: This security update resolves several privately reported vulnerabilities in Microsoft Windows GDI+. These vulnerabilities could allow remote code execution if a user viewed a specially crafted image file using affected software or browsed a Web site that contains specially crafted content. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2007-5348 CVE-2008-3012 CVE-2008-3013 CVE-2008-3014 CVE-2008-3015 |
Included Updates: 938464 947738 947739 947742 947746 947748 952241 953405 954326 954478 954479 954593 954606 954607 954609 956483 956500 957177 |
Applies to: Forefront Client Security Microsoft Works 8 Office 2002/XP Office 2003 Office 2007 SQL Server 2000 SQL Server 2005 Visual Studio 2005 Visual Studio 2008 Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-051 |
Title: Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (949785) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-08-12 |
Description: This security update resolves three privately reported vulnerabilities in Microsoft Office PowerPoint and Microsoft Office PowerPoint Viewer that could allow remote code execution if a user opens a specially crafted PowerPoint file. An attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2008-0120 CVE-2008-0121 CVE-2008-1455 |
Included Updates: 948988 948995 949041 949785 951338 954038 |
Applies to: Office 2002/XP Office 2003 Office 2007 |
Bulletin ID: MS08-050 |
Title: Vulnerability in Windows Messenger Could Allow Information Disclosure (955702) |
Update Type: Security Update |
Severity: Important |
Date: 2008-08-12 |
Description: This security update resolves a publicly reported vulnerability in supported versions of Windows Messenger. As a result of this vulnerability, scripting of an ActiveX control could allow information disclosure in the context of the logged-on user. An attacker could change state, get contact information, and initiate audio and video chat sessions without the knowledge of the logged-on user. An attacker could also capture the user’s logon ID and remotely log on to the user’s Messenger client impersonating that user. |
Vulnerabilities: CVE-2008-0082 |
Included Updates: 946648 955702 |
Applies to: Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-049 |
Title: Vulnerabilities in Event System Could Allow Remote Code Execution (950974) |
Update Type: Security Update |
Severity: Important |
Date: 2008-08-12 |
Description: This update resolves two privately reported vulnerabilities in Microsoft Windows Event System that could allow remote code execution. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights. |
Vulnerabilities: CVE-2008-1456 CVE-2008-1457 |
Included Updates: 950974 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-048 |
Title: Security Update for Outlook Express and Windows Mail (951066) |
Update Type: Security Update |
Severity: Important |
Date: 2008-08-12 |
Description: This security update resolves a privately reported vulnerability in Outlook Express and Windows Mail. The vulnerability could allow information disclosure if a user visits a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2008-1448 |
Included Updates: 951066 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-047 |
Title: Vulnerability in IPsec Policy Processing Could Allow Information Disclosure (953733) |
Update Type: Security Update |
Severity: Important |
Date: 2008-08-12 |
Description: This update resolves a privately reported vulnerability in the way certain Windows Internet Protocol Security (IPsec) rules are applied. This vulnerability could cause systems to ignore IPsec policies and transmit network traffic in clear text. This, in turn, would disclose information intended to be encrypted on the network. An attacker viewing the traffic on the network would be able to view and possibly modify the contents of the traffic. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly. It could be used to collect useful information to try to further compromise the affected system or network. |
Vulnerabilities: CVE-2008-2246 |
Included Updates: 953733 |
Applies to: Windows Server 2008 Windows Vista |
Bulletin ID: MS08-046 |
Title: Vulnerability in Microsoft Windows Image Color Management System Could Allow Remote Code Execution (952954) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-08-12 |
Description: This update resolves a privately reported vulnerability in the Microsoft Image Color Management (ICM) system that could allow remote code execution in the context of the current user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2008-2245 |
Included Updates: 952954 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-044 |
Title: Vulnerabilities in Microsoft Office Filters Could Allow Remote Code Execution (924090) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-08-12 |
Description: This security update resolves five privately reported vulnerabilities. These vulnerabilities could allow remote code execution if a user viewed a specially crafted image file using Microsoft Office. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2008-3018 CVE-2008-3019 CVE-2008-3020 CVE-2008-3021 CVE-2008-3460 |
Included Updates: 921596 921598 924090 925256 |
Applies to: Office 2002/XP Office 2003 |
Bulletin ID: MS08-043 |
Title: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (954066) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-08-12 |
Description: This security update resolves four privately reported vulnerabilities in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2008-3003 CVE-2008-3004 CVE-2008-3005 CVE-2008-3006 |
Included Updates: 951546 951548 951551 951589 951596 953397 954066 955472 |
Applies to: Office 2002/XP Office 2003 Office 2007 |
Bulletin ID: MS08-042 |
Title: Vulnerability in Microsoft Word Could Allow Remote Code Execution (955048) |
Update Type: Security Update |
Severity: Important |
Date: 2008-08-12 |
Description: This security update resolves a publicly reported vulnerability in Microsoft Word. This vulnerability could allow remote code execution if a user opens a specially crafted Word file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2008-2244 |
Included Updates: 954463 954464 955048 |
Applies to: Office 2002/XP Office 2003 |
Bulletin ID: MS08-041 |
Title: Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code Execution (955617) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-08-12 |
Description: This security update resolves a privately reported vulnerability in the ActiveX control for the Snapshot Viewer for Microsoft Access. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. |
Vulnerabilities: CVE-2008-2463 |
Included Updates: 955439 955440 955617 |
Applies to: Office 2002/XP Office 2003 |
Bulletin ID: MS08-033 |
Title: Vulnerabilities in DirectX Could Allow Remote Code Execution (951698) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-08-12 |
Description: This security update resolves two privately reported vulnerabilities in Microsoft DirectX that could allow remote code execution if a user opens a specially crafted media file. An attacker who successfully exploited either of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2008-0011 CVE-2008-1444 |
Included Updates: 951698 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-022 |
Title: Vulnerability in VBScript and JScript Scripting Engines Could Allow Remote Code Execution (944338) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-08-12 |
Description: This security update resolves a privately reported vulnerability in the VBScript and JScript scripting engines in Windows. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. |
Vulnerabilities: CVE-2008-0083 |
Included Updates: 944338 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS07-047 |
Title: Vulnerabilities in Windows Media Player Could Allow Remote Code Execution (936782) |
Update Type: Security Update |
Severity: Important |
Date: 2008-08-12 |
Description: This important security update resolves two privately reported vulnerabilities. These vulnerabilities could allow code execution if a user viewed a specially crafted file in Windows Media Player. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2007-3035 CVE-2007-3037 |
Included Updates: 936782 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-039 |
Title: Vulnerabilities in Outlook Web Access for Exchange Server Could Allow Elevation of Privilege (953747) |
Update Type: Security Update |
Severity: Important |
Date: 2008-07-08 |
Description: This security update resolves two privately reported vulnerabilities in Outlook Web Access (OWA) for Microsoft Exchange Server. An attacker who successfully exploited these vulnerabilities could gain access to an individual OWA client’s session data, allowing elevation of privilege. The attacker could then perform any action the user could perform from within the individual client’s OWA session. |
Vulnerabilities: CVE-2008-2247 CVE-2008-2248 |
Included Updates: 949870 950159 953469 953747 |
Applies to: Exchange Server 2003 Exchange Server 2007 |
Bulletin ID: MS08-038 |
Title: Vulnerability in Windows Explorer Could Allow Remote Code Execution (950582) |
Update Type: Security Update |
Severity: Important |
Date: 2008-07-08 |
Description: This security update resolves a publicly reported vulnerability in Windows Explorer that could allow remote code execution when a specially crafted saved-search file is opened and saved. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2008-0951 CVE-2008-1435 |
Included Updates: 950582 |
Applies to: Windows Server 2008 Windows Vista |
Bulletin ID: MS08-030 |
Title: Vulnerability in Bluetooth Stack Could Allow Remote Code Execution (951376) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-06-18 |
Description: This security update resolves a privately reported vulnerability in the Bluetooth stack in Windows that could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. | ||||
Vulnerabilities: CVE-2008-1453 |
Included Updates: 951376 |
Applies to: Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-036 |
Title: Vulnerabilities in Pragmatic General Multicast (PGM) Could Allow Denial of Service (950762) |
Update Type: Security Update |
Severity: Important |
Date: 2008-06-10 |
Description: This security update resolves two privately reported vulnerabilities in the Pragmatic General Multicast (PGM) protocol that could allow a denial of service if malformed PGM packets are received by an affected system. An attacker who successfully exploited this vulnerability could cause a user’s system to become non-responsive and to require a restart to restore functionality. Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights, but it could cause the affected system to stop accepting requests. | ||||
Vulnerabilities: CVE-2008-1440 CVE-2008-1441 |
Included Updates: 950762 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-035 |
Title: Vulnerability in Active Directory Could Allow Denial of Service (953235) |
Update Type: Security Update |
Severity: Important |
Date: 2008-06-10 |
Description: This security update resolves a privately reported vulnerability in implementations of Active Directory on Microsoft Windows 2000 Server, Windows Server 2003, and Windows Server 2008; Active Directory Application Mode (ADAM) when installed on Windows XP Professional and Windows Server 2003; and Active Directory Lightweight Directory Service (AD LDS) when installed on Windows Server 2008. The vulnerability could be exploited to allow an attacker to cause a denial of service condition. On Windows XP Professional, Windows Server 2003, and Windows Server 2008, an attacker must have valid logon credentials to exploit this vulnerability. An attacker who successfully exploited this vulnerability could cause the system to stop responding or automatically restart. | ||||
Vulnerabilities: CVE-2008-1445 |
Included Updates: 949014 949269 953235 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-034 |
Title: Vulnerability in WINS Could Allow Elevation of Privilege (948745) |
Update Type: Security Update |
Severity: Important |
Date: 2008-06-10 |
Description: This security update resolves a privately reported vulnerability in the Windows Internet Name Service (WINS) that could allow elevation of privilege. A local attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts. | ||||
Vulnerabilities: CVE-2008-1451 |
Included Updates: 948745 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition |
Bulletin ID: MS07-068 |
Title: Vulnerability in Windows Media File Format Could Allow Remote Code Execution (941569 and 944275) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-06-10 |
Description: This critical security update resolves a privately reported vulnerability in Windows Media File Format. This vulnerability could allow remote code execution if a user viewed a specially crafted file in Windows Media Format Runtime. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2007-0064 |
Included Updates: 941569 944275 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS06-078 |
Title: Vulnerability in Windows Media Format Could Allow Remote Code Execution (923689) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-06-10 |
Description: This update resolves two newly discovered vulnerabilities. These vulnerabilities are documented in the "Vulnerability Details" section of this bulletin. | ||||
Vulnerabilities: CVE-2006-4702 CVE-2006-6134 |
Included Updates: 923689 925398 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-028 |
Title: Vulnerability in Microsoft Jet Database Engine Could Allow Remote Code Execution (950749) |
Update Type: Security Update |
Severity: Important |
Date: 2008-05-13 |
Description: This security update resolves a security vulnerability in the Microsoft Jet Database Engine (Jet) in Windows. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2005-0944 CVE-2007-6026 |
Included Updates: 950749 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-027 |
Title: Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (951208) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-05-13 |
Description: This security update resolves a privately reported vulnerability in Microsoft Office Publisher that could allow remote code execution if a user opens a specially crafted Publisher file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2008-0119 |
Included Updates: 950114 950129 950213 951208 |
Applies to: Office 2002/XP Office 2003 Office 2007 |
Bulletin ID: MS08-026 |
Title: Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (951207) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-05-13 |
Description: This security update resolves several privately reported vulnerabilities in Microsoft Word that could allow remote code execution if a user opens a specially crafted Word file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2008-1091 CVE-2008-1434 |
Included Updates: 950113 950241 950243 950625 951207 951808 |
Applies to: Office 2002/XP Office 2003 Office 2007 |
Bulletin ID: MS06-069 |
Title: Vulnerabilities in Macromedia Flash Player from Adobe Could Allow Remote Code Execution (923789) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-05-13 |
Description: This update resolves privately reported vulnerabilities in Macromedia Flash Player from Adobe, version 6.0.84.0 and earlier. Macromedia Flash Player is a third party software application that also was redistributed with Microsoft Windows XP Service Pack 2, Microsoft Windows XP Service Pack 3, and Microsoft Windows XP Professional x64 Edition. Each vulnerability is documented in the "Vulnerability Details" section of this bulletin. The Adobe Security Bulletin APSB06-11, issued September 12, 2006, describes the vulnerabilities and provides the download locations for customers who have installed Flash Player 7 and higher so that you can install the appropriate update based on the version of Flash Player you are using. Customers that have followed the guidance in the Adobe Security Bulletin are not at risk from these vulnerabilities. | ||||
Vulnerabilities: CVE-2006-3014 CVE-2006-3311 CVE-2006-3587 CVE-2006-3588 CVE-2006-4640 |
Included Updates: 923789 |
Applies to: Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-019 |
Title: Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (949032) |
Update Type: Security Update |
Severity: Important |
Date: 2008-04-15 |
Description: This security update resolves privately reported vulnerabilities in Microsoft Visio that could allow remote code execution if a user opens a specially crafted Visio file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2008-1089 CVE-2008-1090 |
Included Updates: 947590 947650 947896 949032 |
Applies to: Office 2002/XP Office 2003 Office 2007 |
Bulletin ID: MS08-025 |
Title: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (941693) |
Update Type: Security Update |
Severity: Important |
Date: 2008-04-08 |
Description: This security update resolves a privately reported vulnerability in the Windows kernel. A local attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts. | ||||
Vulnerabilities: CVE-2008-1084 |
Included Updates: 941693 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-021 |
Title: Vulnerabilities in GDI Could Allow Remote Code Execution (948590) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-04-08 |
Description: This security update resolves two privately reported vulnerabilities in GDI. Exploitation of either of these vulnerabilities could allow remote code execution if a user opens a specially crafted EMF or WMF image file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. | ||||
Vulnerabilities: CVE-2008-1083 CVE-2008-1087 |
Included Updates: 948590 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-020 |
Title: Vulnerability in DNS Client Could Allow Spoofing (945553) |
Update Type: Security Update |
Severity: Important |
Date: 2008-04-08 |
Description: This security update resolves a privately reported vulnerability. This spoofing vulnerability exists in Windows DNS clients and could allow an attacker to send specially crafted responses to DNS requests, thereby spoofing or redirecting Internet traffic from legitimate locations. | ||||
Vulnerabilities: CVE-2008-0087 |
Included Updates: 945553 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-018 |
Title: Vulnerability in Microsoft Project Could Allow Remote Code Execution (950183) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-04-08 |
Description: This security update resolves a privately reported vulnerability in Microsoft Project that could allow remote code execution if a user opens a specially crafted Project file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2008-1088 |
Included Updates: 948962 949005 950183 |
Applies to: Office 2002/XP Office 2003 |
Bulletin ID: MS08-014 |
Title: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (949029) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-03-19 |
Description: This security update resolves several privately reported and publicly reported vulnerabilities in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2008-0081 CVE-2008-0111 CVE-2008-0112 CVE-2008-0114 CVE-2008-0115 CVE-2008-0116 CVE-2008-0117 |
Included Updates: 943889 943985 946974 946976 947801 949029 |
Applies to: Office 2002/XP Office 2003 Office 2007 |
Bulletin ID: MS08-017 |
Title: Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (933103) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-03-11 |
Description: This critical update resolves two privately reported vulnerabilities in Microsoft Office Web Components. These vulnerabilities could allow remote code execution if a user viewed a specially crafted Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2006-4695 CVE-2007-1201 |
Included Updates: 932031 933103 |
Applies to: Office 2002/XP |
Bulletin ID: MS08-016 |
Title: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (949030) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-03-11 |
Description: This security update resolves two privately reported vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a malformed Office file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2008-0113 CVE-2008-0118 |
Included Updates: 947355 947866 949030 |
Applies to: Office 2002/XP Office 2003 |
Bulletin ID: MS08-015 |
Title: Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (949031) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-03-11 |
Description: This security update resolves a privately reported vulnerability in Microsoft Office Outlook. The vulnerability could allow remote code execution if Outlook is passed a specially crafted mailto URI. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This vulnerability is not exploitable by simply viewing an e-mail through the Outlook preview pane. | ||||
Vulnerabilities: CVE-2008-0110 |
Included Updates: 945432 946983 946985 949031 |
Applies to: Office 2002/XP Office 2003 Office 2007 |
Bulletin ID: MS08-013 |
Title: Vulnerability in Microsoft Office Could Allow Remote Code Execution (947108) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-02-12 |
Description: This critical security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file with a malformed object inserted into the document. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2008-0103 |
Included Updates: 944423 945185 947108 |
Applies to: Office 2002/XP Office 2003 |
Bulletin ID: MS08-012 |
Title: Vulnerabilities in Microsoft Office Publisher Could Allow Remote Code Execution (947085) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-02-12 |
Description: This critical security update resolves two privately reported vulnerabilities in Microsoft Office Publisher that could allow remote code execution if a user opens a specially crafted Publisher file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2008-0102 CVE-2008-0104 |
Included Updates: 946216 946254 947085 |
Applies to: Office 2002/XP Office 2003 |
Bulletin ID: MS08-011 |
Title: Vulnerabilities in Microsoft Works File Converter Could Allow Remote Code Execution (947081) |
Update Type: Security Update |
Severity: Important |
Date: 2008-02-12 |
Description: This important security update resolves three privately reported vulnerabilities in the Microsoft Works File Converter. These vulnerabilities could allow remote code execution if a user opens a specially crafted Works (.wps) file with an affected version of Microsoft Office, Microsoft Works, or Microsoft Works Suite. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. | ||||
Vulnerabilities: CVE-2007-0216 CVE-2008-0105 CVE-2008-0108 |
Included Updates: 943973 947081 |
Applies to: Office 2003 |
Bulletin ID: MS08-009 |
Title: Vulnerability in Microsoft Word Could Allow Remote Code Execution (947077) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-02-12 |
Description: This critical security update resolves one privately reported vulnerability in Microsoft Word that could allow remote code execution if a user opens a specially crafted Word file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2008-0109 |
Included Updates: 943957 943983 943992 947077 |
Applies to: Office 2002/XP Office 2003 |
Bulletin ID: MS08-008 |
Title: Vulnerability in OLE Automation Could Allow Remote Code Execution (947890) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-02-12 |
Description: This critical security update resolves a privately reported vulnerability. This vulnerability could allow remote code execution if a user viewed a specially crafted Web page. The vulnerability could be exploited through attacks on Object Linking and Embedding (OLE) Automation. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2007-0065 |
Included Updates: 943055 947890 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-007 |
Title: Vulnerability in WebDAV Mini-Redirector Could Allow Remote Code Execution (946026) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-02-12 |
Description: This critical security update resolves one privately reported vulnerability in the WebDAV Mini-Redirector. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. | ||||
Vulnerabilities: CVE-2008-0080 |
Included Updates: 946026 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-006 |
Title: Vulnerability in Internet Information Services Could Allow Remote Code Execution (942830) |
Update Type: Security Update |
Severity: Important |
Date: 2008-02-12 |
Description: This important update resolves a privately reported vulnerability in Internet Information Services (IIS). A remote code execution vulnerability exists in the way that IIS handles input to ASP Web pages. An attacker who successfully exploited this vulnerability could then perform actions on the IIS server with the same rights as the Worker Process Identity (WPI). The WPI is configured with Network Service account privileges by default. IIS servers with ASP pages whose application pools are configured with a WPI that uses an account with administrative privileges could be more seriously impacted than IIS servers whose application pool is configured with the default WPI settings. | ||||
Vulnerabilities: CVE-2008-0075 |
Included Updates: 942830 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-005 |
Title: Vulnerability in Internet Information Services Could Allow Elevation of Privilege (942831) |
Update Type: Security Update |
Severity: Important |
Date: 2008-02-12 |
Description: This important update resolves a privately reported vulnerability in Internet Information Services (IIS). A local attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2008-0074 |
Included Updates: 942831 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-004 |
Title: Vulnerability in Windows TCP/IP Could Allow Denial of Service (946456) |
Update Type: Security Update |
Severity: Important |
Date: 2008-02-12 |
Description: This important update resolves a privately reported vulnerability in Transmission Control Protocol/Internet Protocol (TCP/IP) processing. An attacker who successfully exploited this vulnerability could cause the affected system to stop responding and automatically restart. | ||||
Vulnerabilities: CVE-2008-0084 |
Included Updates: 946456 |
Applies to: Windows Vista |
Bulletin ID: MS08-003 |
Title: Vulnerability in Active Directory Could Allow Denial of Service (946538) |
Update Type: Security Update |
Severity: Important |
Date: 2008-02-12 |
Description: This important security update resolves a privately reported vulnerability in implementations of Active Directory on Microsoft Windows 2000 Server and Windows Server 2003 and Active Directory Application Mode (ADAM) when installed on Windows XP and Windows Server 2003. The vulnerability could allow a denial of service condition. On Windows Server 2003 and Windows XP an attacker must have valid logon credentials to exploit this vulnerability. An attacker who successfully exploited this vulnerability could cause the system to stop responding or automatically restart. | ||||
Vulnerabilities: CVE-2008-0088 |
Included Updates: 931374 943484 946538 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-002 |
Title: Vulnerability in LSASS Could Allow Local Elevation of Privilege (943485) |
Update Type: Security Update |
Severity: Important |
Date: 2008-01-08 |
Description: This important update resolves a privately reported vulnerability in Microsoft Windows Local Security Authority Subsystem Service (LSASS). The vulnerability could allow an attacker to run arbitrary code with elevated privileges. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. | ||||
Vulnerabilities: CVE-2007-5352 |
Included Updates: 943485 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS08-001 |
Title: Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (941644) |
Update Type: Security Update |
Severity: Critical |
Date: 2008-01-08 |
Description: This critical security update resolves two privately reported vulnerabilities in Transmission Control Protocol/Internet Protocol (TCP/IP) processing. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. | ||||
Vulnerabilities: CVE-2007-0066 CVE-2007-0069 |
Included Updates: 941644 |
Applies to: Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Vista Windows XP Windows XP x64 Edition |