Microsoft Security Bulletin MS04-024 - Vulnerability in Windows Shell Could Allow Remote Code Execut

E

Emily F [MSFT]

Microsoft Security Bulletin MS04-024
Vulnerability in Windows Shell Could Allow Remote Code Execution (839645)
http://www.microsoft.com/technet/security/bulletin/ms04-024.mspx
Issued: July 13, 2004
Version: 1.0
Executive Summary:
This update resolves a newly-discovered, publicly reported vulnerability. A
remote code execution vulnerability exists in the way that the Windows Shell
launches applications.
If a user is logged on with administrative privileges, an attacker who
successfully exploited this vulnerability could take complete control of an
affected system, including installing programs; viewing, changing, or
deleting data; or creating new accounts with full privileges. However,
significant user interaction is required to exploit this vulnerability.
Users whose accounts are configured to have fewer privileges on the system
would be at less risk than users who operate with administrative privileges.
We recommend that customers consider applying the security update.
Summary
Who should read this document: Customers who use Microsoft® Windows®
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Important
Recommendation: Customers should install the update at the earliest
opportunity.
Security Update Replacement: This update replaces MS03-027 on Windows XP.
This update does not replace MS03-027 on Windows NT 4.0, on Windows 2000, or
on Windows Server 2003.
Caveats: None
Tested Software and Security Update Download Locations:
Affected Software:
..Microsoft Windows NT® Workstation 4.0 Service Pack 6a - Download the update
..Microsoft Windows NT Server 4.0 Service Pack 6a - Download the update
..Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6 -
Download the update
..Microsoft Windows NT® Workstation 4.0 Service Pack 6a and NT Server 4.0
Service Pack 6a with Active Desktop - Download the update
..Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack
3, Microsoft Windows 2000 Service Pack 4 - Download the update
..Microsoft Windows XP and Microsoft Windows XP Service Pack 1 - Download the
update
..Microsoft Windows XP 64-Bit Edition Service Pack 1 - Download the update
..Microsoft Windows XP 64-Bit Edition Version 2003 - Download the update
..Microsoft Windows ServerT 2003 - Download the update
..Microsoft Windows Server 2003 64-Bit Edition - Download the update
..Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
Microsoft Windows Millennium Edition (Me) - Review the FAQ section of this
bulletin for details about these operating systems.

The software in this list has been tested to determine if the versions are
affected. Other versions either no longer include security update support or
may not be affected. To determine the support lifecycle for your product and
version, visit the following Microsoft Support Lifecycle Web site.
 
S

Scott Harding - MS MVP

Ummm...your looking at the wrong numbers......the NT update is only 464kb
and windows 2000 is only 1433kb and the XP update is only 3905 kb. Are you
looking at the version number?
 
P

Paul.

the following
....
Ummm...your looking at the wrong numbers......the NT update is only 464kb
and windows 2000 is only 1433kb and the XP update is only 3905 kb. Are you
looking at the version number?
Click to expand...

This is what is displayed on the choose updates to install:

Size: 91.4 MB

A security issue has been identified that could allow an attacker to
compromise a computer running Windows and gain control over it. You can help
protect your computer by installing this update from Microsoft. After you
install this item, you may have to restart your computer.
More information for this update can be found at
http://go.microsoft.com/fwlink/?LinkId=30585

I have not touched XP SP2(rc1 or 2) on this my main PC but I did notice that
I seem to be running V5 of windows update. I do remember seeing this update
to run the newer version of win update and didn't think anything of it. Is
this the problem?

Thanks.

Paul
 
J

Jone Doe

Hilary Karp said:
The download for XP is only 3.81 mb. Not sure what you are looking at.
Click to expand...
Using a dial up connection, it took about 11 minutes, and installed
flawlessly as usual
 
S

Scott Harding - MS MVP

Are you just installing this single update or many? Do you have Sp1 yet?
 
P

Paul.

the following
Are you just installing this single update or many? Do you have Sp1 yet?
Click to expand...

Did you read my reply to your first comments? Is it possible to go back to
V4 Windows Update?

Update offered me the 3 updates mentioned here today and I declined this one
as I couldn't believe it was about to download 91.4MB.

The others were small.

Thanks for helping.

Paul.
 
G

Gary S. Terhune

Could be, though I'm not in a position to test. However, on my Windows XP Pro, with V4 of WinUp, it's only 677 KB. Which, I admit, is still different than the download provided by the Bulletin. Not only that, while it's the first WinUp patch I've seen to prompt an internet access alert from my Firewall, it didn't seem to download much if anything more. Weirder yet, the WinUp ReadMe for this Patch is not for MS04-024, it's for MS04-023!
 
G

Gary S. Terhune

The download from Windows Updates using V4 engine is only 667KB, however that's only a stub. It downloaded something else after it started to install, as evidenced by my firewall prompt (first time I've seen that prompt in this installation.) My Add/Remove entry shows 0.8 MB.

The Security Bulletin download probably contains all possible required, prerequisite components.
 
G

Guest

Who are you kidding PA. One can go back to the V4 engine if one desires. Quite a simple process to do so. {:~)
 
J

Jim Macklin

I had 5 updates, 3.5 MB and also the request to allow the
installer to pass the firewall several times (XP Pro/OE 6).


--
The people think the Constitution protects their rights;
But government sees it as an obstacle to be overcome.


The download from Windows Updates using V4 engine is only
667KB, however that's only a stub. It downloaded something
else after it started to install, as evidenced by my
firewall prompt (first time I've seen that prompt in this
installation.) My Add/Remove entry shows 0.8 MB.

The Security Bulletin download probably contains all
possible required, prerequisite components.
 
G

Gary S. Terhune

Same here (same platform.) But due to the confusion here, I had tried MS04-024 first. (In fact, I uninstalled it after the first time and did it again, just to be sure I had all the details right.)

(And before anyone decides to comment on the redundancy in my previous post ... Yeah, I know. I'm tired, hungry and well past cerebral overload, today.)
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Microsoft Security Bulletin MS04-023 Vulnerability in HTML Help Could Allow Code Execution (840315) 1
Security Bulletin: MS04-22: Vulnerability in Task Scheduler Could Allow Code Execution (841873) 2
Microsoft Security Bulletin MS04-018 - Cumulative Security Update for Outlook Express (823353) 4
MS04-008: Vulnerability in Windows Media Services 2
MS06-024 update not found 3
Microsoft Security Bulletin Summary for July 2004 1
How do I update Office 2000 Premier to SR-1 level 7
Critical Security Bulletins 9

Top