- Microsoft Windows
- Microsoft Internet Explorer
Microsoft has released updates that address critical vulnerabilities in Windows and Internet Explorer. Exploitation of these vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service.
Microsoft Security Bulletins for June, 2005 address a number of vulnerabilities in Windows, Internet Explorer, Outlook Express, Outlook Web Access, ISA Server, the Step-by-Step Interactive Training engine, and telnet. Further information about the more serious vulnerabilities is available in the following Vulnerability Notes:
VU#189754 - Microsoft Internet Explorer buffer overflow in PNG image rendering component
A buffer overflow in the PNG image rendering component of Microsoft Internet Explorer may allow a remote attacker to execute code on a vulnerable system.
VU#489397 - Microsoft Server Message Block vulnerable to buffer overflow
Microsoft Server Message Block (SMB) is vulnerable to a buffer handling flaw when processing incoming SMB packets that may lead to remote code execution.
VU#851869 - Microsoft HTML Help input validation error
Microsoft HTML Help fails to properly validate input data, allowing a remote attacker to execute arbitrary code.
Exploitation of the most serious of these vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code with SYSTEM privileges. This would allow an attacker to take complete control of a vulnerable system. An attacker could also execute arbitrary code with user privileges, or cause a denial of service.
Please see the individual vulnerability notes for workarounds.
Appendix A. References
- Microsoft Security Bulletin Summary for June, 2005 - http://www.microsoft.com/technet/security/bulletin/ms05-jun.mspx
- US-CERT Vulnerability Note VU#189754 - http://www.kb.cert.org/vuls/id/189754
- US-CERT Vulnerability Note VU#489397 - http://www.kb.cert.org/vuls/id/489397
- US-CERT Vulnerability Note VU#851869 - http://www.kb.cert.org/vuls/id/851869
- CAN-2005-1211 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1211
- CAN-2005-1206 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1206
- CAN-2005-1208 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1208
- Microsoft Windows Update - http://windowsupdate.microsoft.com/
June 14, 2005: Initial release