April 14, 2005
They're Baaaaack! Microsoft Security Bugs
Platform: Numerous Microsoft Products
Microsoft Severity: Important to Critical
Actual Severity: IMPORTANT and CRITICAL
Microsoft this week released another landslide of vulnerability alerts and associated fixes -- the second largest batch this year. Two waves of bugs, one announced last week and one this week, hit many Microsoft operating systems and applications. The U.S. Cert published two "Technical Cyber Security Alert" bulletins summarizing the two events.
Microsoft announed several new security vulnerabilities -- five rated "Critical":
MS05-019: Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service
MS05-020: Vulnerabilities in IE Could Allow an Attacker to Take Complete Control of an Affected System
MS05-021: Vulnerability in Exchange Server Could Allow Remote Code Execution
MS05-022: Vulnerability in MSN Messenger Could Lead to Remote Code Execution
MS05-023: Vulnerabilities in Microsoft Word May Lead to Remote Code Execution
Three others are rated "Important":
MS05-016: Vulnerability in Windows Shell Could Allow Remote Code Execution
MS05-017: Vulnerability in Message Queuing Could Allow Code Execution
MS05-018: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege and Denial of Service
All, fortunately, have patches available. It goes without saying that you should apply these patches immediately, because in some cases Microsoft's announcement is seen by hackers as a challenge to develop a working exploit as soon as possible.
The CERT bulletins are at:
TA05-039A: Multiple Vulnerabilities in Microsoft Windows Components
TA05-102A: Multiple Vulnerabilities in Microsoft Windows Components
Notice the very low number given to the first bulletin, despite the fact that the two were issued just a week apart. It makes one wonder how long the government sat on this information.
Posted by Mel Beckman at April 14, 2005 1:22 AM
