Microsoft Security Bulletin for July 30, 2004

[Jerry Bryant [MSFT]]

Today Microsoft released the following Security Bulletin(s).

Note: www.microsoft.com/technet/security and www.microsoft.com/security are
authoritative in all matters concerning Microsoft Security Bulletins! ANY
e-mail, web board or newsgroup posting (including this one) should be
verified by visiting these sites for official information. Microsoft never
sends security or other updates as attachments. These updates must be
downloaded from the microsoft.com download center or Windows Update. See the
individual bulletins for details.

Because some malicious messages attempt to masquerade as official Microsoft
security notices, it is recommended that you physically type the URLs into
your web browser and not click on the hyperlinks provided.

Bulletin Summaries:

Windows : http://www.microsoft.com/technet/security/bulletin/ms04-jul.mspx

Critical Bulletins:

MS04-025 - Cumulative Cumulative Security Update for Internet Explorer
(867801)
http://www.microsoft.com/technet/security/bulletin/ms04-025.mspx


This DOES NOT represent our regularly scheduled monthly bulletin release
(second Tuesday of each month). Please note that Microsoft may release
bulletins out side of this schedule if we determine the need to do so.

If you have any questions regarding the patch or its implementation after
reading the above listed bulletin you should contact Product Support
Services in the United States at 1-866-PCSafety (1-866-727-2338).
International customers should contact their local subsidiary.
--
Regards,

Jerry Bryant - MCSE, MCDBA
Microsoft IT Communities

Get Secure! www.microsoft.com/security


This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Jose Francisco]

Thanks!

 

[CZ]

Critical Bulletins:

MS04-025 - Cumulative Security Update for Internet Explorer
(867801)
http://www.microsoft.com/technet/security/bulletin/ms04-025.mspx

Jerry:

Does it also apply to the following:
SBS2k3
XP SP2 RC2

 

[Guest]

Are these updates available on the v5 update site or are they included in SP2?

 

[Jerry Bryant [MSFT]]

See the bulletin for the list of affected software and components. Since
SBS2k3 is Windows Server 2003, it is affected and an update is available
(Windows Server 2003 version for Internet Explorer 6).

This fix is not in XP SP2 RC2 but will be in the final build. However, the
local machine zone lockdown in XP SP2 mitigates against the three
vulnerabilities fixed in this update so unless you've changed the LMZ
lockdown from it's default, you should be fine against attacks that exploit
them.
--
Regards,

Jerry Bryant - MCSE, MCDBA
Microsoft IT Communities

Get Secure! www.microsoft.com/security


This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Mike Kolitz]

From the security bulletin, it doesn't appear that SP2 is effected by the
vulnerability being patched.

 

[CZ]

This fix is not in XP SP2 RC2 but will be in the final build. However,
the local machine zone lockdown in XP SP2 mitigates against the three
vulnerabilities fixed in this update so unless you've changed the LMZ
lockdown from it's default, you should be fine against attacks that exploit
them.

Jerry [MSFT]:

Just tried to run the fix in XP Pro SP2 RC2 and received the following
dialog:
'This update requires IE 6.0 SP1 to be installed."

I have not changed the local security zone lockdown, so I am not concerned.

BTW, my compliments on XP SP2 RC2. SP2 betas have been my main op system
for awhile, and they have been solid.

Readers of this thread:
Info on "local machine zone" from http://www.nwnetworks.com/iezones.htm

"There is a fifth security zone that is not accessible from the Security tab
in Control Panel | Internet Options. This fifth zone - called the Local
Machine zone, or My Computer - is only available for Windows systems. In
addition, it can only be configured by editing the registry, or by using the
Internet Explorer Administration Kit (see Chapter 15). The Local Machine
zone includes all of the content on the local computer, except for data that
is stored in the Temporary Internet Files web cache, or classes that have
been specifically signed with local machine privileges. This zone is very
much like the Trusted Sites zone. Security is extremely minimal, or not
present at all. Unless otherwise configured by an administrator, network
connections can also fall into this zone.

In theory, even when properly configured, malicious content could make its
way into the Local Machine zone. For example, an employee may be browsing a
restricted site. On one of the pages, there could be a malicious script
that looks for and transmits password files to a malicious web site. As a
restricted site, the script is still part of the downloaded web page, but it
won't due to the security restrictions that are in place. But say that the
employee decides to save the page to their hard drive for later inspection.
They do this by clicking File and Save As, which saves the page - including
the malicious script - to their hard drive. Later they open the page on
their hard drive. Because they are accessing a file on their local system
instead of via a World Wide Web URL, the Local Machine zone will be applied.
Because security for this zone is extremely low or nonexistent, the
malicious script could execute and cause damage or silently transmit data.
While I am not aware of any real-world instances of this, it is entirely
possible and therefore needs to be considered as one of the many security
issues related to browsing the web."