Emily F [MSFT]
Microsoft Security Bulletin MS04-024
Vulnerability in Windows Shell Could Allow Remote Code Execution (839645)
http://www.microsoft.com/technet/security/bulletin/ms04-024.mspx
Issued: July 13, 2004
Version: 1.0
Executive Summary:
This update resolves a newly-discovered, publicly reported vulnerability. A
remote code execution vulnerability exists in the way that the Windows Shell
launches applications.
If a user is logged on with administrative privileges, an attacker who
successfully exploited this vulnerability could take complete control of an
affected system, including installing programs; viewing, changing, or
deleting data; or creating new accounts with full privileges. However,
significant user interaction is required to exploit this vulnerability.
Users whose accounts are configured to have fewer privileges on the system
would be at less risk than users who operate with administrative privileges.
We recommend that customers consider applying the security update.
Summary
Who should read this document: Customers who use Microsoft® Windows®
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Important
Recommendation: Customers should install the update at the earliest
opportunity.
Security Update Replacement: This update replaces MS03-027 on Windows XP.
This update does not replace MS03-027 on Windows NT 4.0, on Windows 2000, or
on Windows Server 2003.
Caveats: None
Tested Software and Security Update Download Locations:
Affected Software:
• Microsoft Windows NT® Workstation 4.0 Service Pack 6a - Download the update
• Microsoft Windows NT Server 4.0 Service Pack 6a - Download the update
• Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6 -
Download the update
• Microsoft Windows NT® Workstation 4.0 Service Pack 6a and NT Server 4.0
Service Pack 6a with Active Desktop - Download the update
• Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack
3, Microsoft Windows 2000 Service Pack 4 - Download the update
• Microsoft Windows XP and Microsoft Windows XP Service Pack 1 - Download the
update
• Microsoft Windows XP 64-Bit Edition Service Pack 1 - Download the update
• Microsoft Windows XP 64-Bit Edition Version 2003 - Download the update
• Microsoft Windows Server™ 2003 - Download the update
• Microsoft Windows Server 2003 64-Bit Edition - Download the update
• Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
Microsoft Windows Millennium Edition (Me) - Review the FAQ section of this
bulletin for details about these operating systems.
The software in this list has been tested to determine if the versions are
affected. Other versions either no longer include security update support or
may not be affected. To determine the support lifecycle for your product and
version, visit the following Microsoft Support Lifecycle Web site.