Severity Rating: Critical - Revision Note: V3.2 (May 7, 2008): Bulletin updated: Removed erroneous references to .NET Framework 1.0 as a component of Windows Server 2008 x64 Edition and Windows Server 2008 for Itanium-based Systems. Summary: This update resolves three privately reported vulnerabilities. Two of these vulnerabilities could allow remote code execution on client systems with .NET Framework installed, and one could allow information disclosure on Web servers running ASP.NET.
Severity Rating: Critical - Revision Note: V2.1 (April 30, 2008): Bulletin updated. Added a new entry to the Update FAQ describing additional security features included in the update for Microsoft Office 2003 Service Pack 2. Summary: This security update resolves two privately reported vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a malformed Office file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Revision Note: V2.1 (April 30, 2008): Bulletin summary updated to remove Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1 from the Affected Software table. Summary: Bulletin Summary for May 2007
Severity Rating: Critical - Revision Note: V2.1 (April 30, 2008): This Bulletin has been revised to move Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1 from the Affected Software list to the Non-Affected Software list. Summary: This update resolves a privately reported vulnerability. The vulnerability is documented in its own subsection in the Vulnerability Details section of this bulletin.
Severity Rating: Critical - Revision Note: V2.1 (April 23, 2008): Bulletin updated: Removed erroneous references to Windows XP Professional x64 Edition Service Pack 3. Summary: This critical security update resolves one privately reported vulnerability. The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Severity Rating: Critical - Revision Note: Corrected the Registry Key Verification for all supported x64-based editions of Windows Server 2003. Summary: This critical security update resolves one privately reported vulnerability for a Microsoft product. This update also includes a kill bit for the Yahoo! Music Jukebox product. The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Severity Rating: Important - Revision Note: V1.5 (April 23, 2008): Clarified the Update FAQ entry about the last revision, dated April 18. That change was a detection change only that does not affect the files contained in the initial update. Summary: This security update resolves privately reported vulnerabilities in Microsoft Office Visio that could allow remote code execution if a user opens a specially crafted Visio file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Severity Rating: Critical - Revision Note: V1.2 (April 23, 2008): Bulletin updated: Microsoft Visio 2002 removed from Microsoft Office XP Service Pack 3 section of Affected Software table. Microsoft Visio 2002 Service Pack 2 is listed separately in the Affected Software table. Summary: This update resolves two newly discovered, privately and publicly reported vulnerabilities. Each vulnerability is documented in its own subsection in the Vulnerability Details section of this bulletin. When using vulnerable versions of Office, if a user were logged on with administrative user rights, an attacker who successfully exploited these vulnerabilities could take complete control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. We recommend that customers apply the update immediately.
Revision Note: V2.0 (April 16, 2008): Bulletin summary updated to add Microsoft Office Word Viewer 2003 and Microsoft Office Word Viewer 2003 Service Pack 3 to the Affected Software for MS08-016. Summary: This bulletin summary lists security bulletins released for March 2008.
Revision Note: V1.2 (April 16, 2008): Finder information for MS08-021 updated, and Affected Software for Microsoft Office Suites and Software clarified. Summary: This bulletin summary lists security bulletins released for April 2008.
Severity Rating: Critical - Revision Note: V1.2 (April 16, 2008): Bulletin updated: Added entry to Update FAQ to describe additional security features included for Microsoft Office 2003 Service Pack 2, and Microsoft Baseline Security Analyzer and Systems Management Server tables updated to match the Affected Software table. Summary: This security update resolves a privately reported vulnerability in Microsoft Project that could allow remote code execution if a user opens a specially crafted Project file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Severity Rating: Critical - Revision Note: V1.4 (April 16, 2008): Bulletin updated: Added entry to Update FAQ to describe additional security features included for Microsoft Office 2003 Service Pack 2. Summary: This security update resolves a privately reported vulnerability in Microsoft Office Outlook. The vulnerability could allow remote code execution if Outlook is passed a specially crafted mailto URI. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This vulnerability is not exploitable by simply viewing an e-mail through the Outlook preview pane.
Severity Rating: Critical - Revision Note: V3.1 (April 16, 2008): Bulletin updated: Added entry to Update FAQ to describe additional security features included for Microsoft Office 2003 Service Pack 2. Summary: This security update resolves several privately reported and publicly reported vulnerabilities in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Severity Rating: Critical - Revision Note: V1.3 (April 16, 2008): Bulletin updated: Added entry to Update FAQ to describe additional security features included for Microsoft Office 2003 Service Pack 2. Summary: This critical security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file with a malformed object inserted into the document. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Severity Rating: Important - Revision Note: V1.1 (April 16, 2008): Bulletin updated: Added entry to Update FAQ to describe additional security features included for Microsoft Office 2003 Service Pack 2. Summary: This important security update resolves three privately reported vulnerabilities in the Microsoft Works File Converter. These vulnerabilities could allow remote code execution if a user opens a specially crafted Works (.wps) file with an affected version of Microsoft Office, Microsoft Works, or Microsoft Works Suite. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Severity Rating: Critical - Revision Note: V1.3 (April 16, 2008): Corrected the uninstall utility path for Internet Explorer 6 for Windows XP. Summary: This critical security update resolves three privately reported and one publicly reported vulnerabilities. The most serious of the vulnerabilities could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Severity Rating: Critical - Revision Note: V1.1 (April 16, 2008): Bulletin updated: Added entry to Update FAQ to describe additional security features included for Microsoft Office 2003 Service Pack 2. Summary: This critical security update resolves one privately reported vulnerability in Microsoft Word that could allow remote code execution if a user opens a specially crafted Word file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Severity Rating: Important - Revision Note: V1.2 (April 11, 2008): Vulnerability FAQ updated to clarify the systems at risk and remove a reference to unsupported software. Summary: This important security update resolves a privately reported vulnerability in the Windows kernel. A local attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts.
Severity Rating: Critical - Revision Note: V1.2 (April 11, 2008): Bulletin updated to remove a reference to unsupported software in the Vulnerability FAQs. Summary: This critical security update resolves two privately reported vulnerabilities in GDI. Exploitation of either of these vulnerabilities could allow remote code execution if a user opens a specially crafted EMF or WMF image file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Severity Rating: Important - Revision Note: V1.2 (April 11, 2008): Vulnerability FAQ updated to clarify the systems at risk and remove a reference to unsupported software. Summary: This important security update resolves a privately reported vulnerability. This spoofing vulnerability exists in Windows DNS clients and could allow an attacker to send specially crafted responses to DNS requests, thereby spoofing or redirecting Internet traffic from legitimate locations.
Severity Rating: Critical - Revision Note: V1.1 (April 9, 2008): Bulletin updated. Combined JScript with VBScript in the Vulnerability Severity rating table. Summary: This critical security update resolves a privately reported vulnerability in the VBScript and JScript scripting engines in Windows. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Severity Rating: Critical - Revision Note: V1.2 (March 26, 2008): Bulletin updated to add a finder for CVE-2006-4695. Summary: This critical update resolves two privately reported vulnerabilities in Microsoft Office Web Components. These vulnerabilities could allow remote code execution if a user viewed a specially crafted Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Severity Rating: Important - Revision Note: V1.2 (March 26, 2008): Bulletin updated to add KB link to the known issues section. Summary: This important security update resolves a privately reported vulnerability in implementations of Active Directory on Microsoft Windows 2000 Server and Windows Server 2003 and Active Directory Application Mode (ADAM) when installed on Windows XP and Windows Server 2003. The vulnerability could allow a denial of service condition. On Windows Server 2003 and Windows XP an attacker must have valid logon credentials to exploit this vulnerability. An attacker who successfully exploited this vulnerability could cause the system to stop responding or automatically restart.
Severity Rating: Critical - Revision Note: Bulletin updated to include known issues section. Summary: This update resolves several newly discovered, privately and publicly disclosed vulnerabilities. Each vulnerability is documented in its own subsection in the Vulnerability Details section of this bulletin. An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We recommend that customers apply the update immediately.
Revision Note: V2.0 (March 25, 2008): Added Windows Vista Service Pack 1, Windows Vista x64 Edition Service Pack 1, Windows Server 2008, Windows Server 2008 for Itanium-based Systems, and Windows Server 2008 x64 Edition to the Affected Software table. Summary: This bulletin summary lists security bulletins released for July 2007. For more information, see http://go.microsoft.com/fwlink/?LinkId=83730
Revision Note: Advisory published. Summary: Microsoft is investigating new public reports of limited, targeted attacks using a vulnerability in the Microsoft Jet Database Engine that can be exploited through Microsoft Word. Customers running Windows Server 2003 Service Pack 2, Vista, and Vista Service Pack 1 are not vulnerable to the buffer overrun being attacked, as they include a version of the Microsoft Jet Database Engine that is not vulnerable to this issue. Customers using Microsoft Word 2000 Service Pack 3, Microsoft Word 2002 Service Pack 3, Microsoft Word 2003 Service Pack 2, Microsoft Word 2003 Service Pack 3, Microsoft Word 2007, and Microsoft Word 2007 Service Pack 1 on Microsoft Windows 2000, Windows XP, or Windows Server 2003 Service Pack 1 are vulnerable to these attacks.
Revision Note: Advisory updated to reflect the correct Excel file formats in the MOICE Workarounds section. Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS08-014 to address this issue. For more information about this issue, including download links for an available security update, please review MS08-014. The vulnerability addressed is the Microsoft Excel Vulnerability - CVE-2008-0081.
Severity Rating: Important - Revision Note: V2.1 (February 27, 2008): Bulletin updated: Corrected the registry key verification path and the uninstall folder for Windows Server 2003. Summary: This update resolves a newly discovered, privately reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Significant user interaction is required to exploit this vulnerability. We recommend that customers apply the update at the earliest opportunity.
Severity Rating: Critical - Revision Note: V1.2 (February 20, 2008): Bulletin updated: Corrected the file timestamps for the security update for all supported 32-bit editions of Windows XP. Summary: This critical security update resolves a privately reported vulnerability. This vulnerability could allow remote code execution if a user viewed a specially crafted Web page. The vulnerability could be exploited through attacks on Object Linking and Embedding (OLE) Automation. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Severity Rating: Important - Revision Note: V1.1 (February 20, 2008): Bulletin updated: update filenames changed in the file information table for all supported 32-bit editions of Windows XP. Summary: This important update resolves a privately reported vulnerability in Internet Information Services (IIS). A remote code execution vulnerability exists in the way that IIS handles input to ASP Web pages. An attacker who successfully exploited this vulnerability could then perform actions on the IIS server with the same rights as the Worker Process Identity (WPI). The WPI is configured with Network Service account privileges by default. IIS servers with ASP pages whose application pools are configured with a WPI that uses an account with administrative privileges could be more seriously impacted than IIS servers whose application pool is configured with the default WPI settings.
Revision Note: V1.1 (February 13, 2008): Bulletin summary updated. For MS08-005, corrected the download link reference for Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 to reference Internet Information Services 6.0. The download link correctly directed customers to the IIS 6.0 update but the reference link incorrectly stated IIS 5.1 previously. Summary: This bulletin summary lists security bulletins released for February 2008.
Severity Rating: Critical - Revision Note: V1.1 (February 13, 2008): Bulletin updated to reflect that there are no known issues with installing this security update, and to list Microsoft Publisher 2003 Service Pack 2 (instead of Service Pack 3) in the MBSA and SMS tables under Detection and Deployment. Summary: This critical security update resolves two privately reported vulnerabilities in Microsoft Office Publisher that could allow remote code execution if a user opens a specially crafted Publisher file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Severity Rating: Critical - Revision Note: V1.1 (February 13, 2008): Revised the FAQ to emphasize the role of user interaction in how an attacker could exploit the vulnerability. Summary: This critical security update resolves one privately reported vulnerability in the WebDAV Mini-Redirector. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Severity Rating: Important - Revision Note: Bulletin Updated: Corrected the download link reference for Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 to reference Internet Information Services 6.0. The download link correctly directed customers to the IIS 6.0 update but the reference link incorrectly stated IIS 5.1. Summary: This important update resolves a privately reported vulnerability in Internet Information Services (IIS). A local attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Severity Rating: Important - Revision Note: Bulletin Published. Summary: This important update resolves a privately reported vulnerability in Transmission Control Protocol/Internet Protocol (TCP/IP) processing. An attacker who successfully exploited this vulnerability could cause the affected system to stop responding and automatically restart.
Severity Rating: Critical - Revision Note: Bulletin updated to add correct link for Windows Media Format Runtime 9.5 x64 Edition in the Affected Software table. Also corrected the FAQ regarding installing the updates for Windows Media Format Runtime 9.5 on Windows XP Professional x64 Edition and added a similar FAQ for Windows Server 2003 x64 Edition. Summary: This critical security update resolves a privately reported vulnerability in Windows Media File Format. This vulnerability could allow remote code execution if a user viewed a specially crafted file in Windows Media Format Runtime. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Revision Note: Bulletin summary updated to add Windows Small Business Server 2003 Service Pack 1, Windows Small Business Server 2003 R2, Windows Small Business Server 2003 R2 Service Pack 2, and Windows Home Server as affected software for MS08-001 bulletin. Summary: This bulletin summary lists security bulletins released for January 2008.
Severity Rating: Critical - Revision Note: This bulletin was revised to clarify the impact of Windows Kernel TCP/IP/IGMPv3 and MLDv2 Vulnerability (CVE-2007-0069) on supported editions of Windows Small Business Server 2003 and Windows Home Server. Also included is an explanation and clarification that current Microsoft detection and deployment tools already correctly offer the update to systems running Windows Small Business Server 2003 and Windows Home Server. Summary: This critical security update resolves two privately reported vulnerabilities in Transmission Control Protocol/Internet Protocol (TCP/IP) processing. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Revision Note: Bulletin updated to reflect changes to the affected software of MS07-064 bulletin. Summary: This bulletin summary lists security bulletins released for December 2007.
Severity Rating: Critical - Revision Note: Bulletin updated to reflect that the update for DirectX 9.0 also applies to DirectX 9.0b and DirectX 9.0c. Summary: This critical security update resolves two privately reported vulnerabilities in Microsoft DirectX. These vulnerabilities could allow code execution if a user opened a specially crafted file used for streaming media in DirectX. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Severity Rating: Critical - Revision Note: Bulletin revised to address rendering issues. Summary: This critical security update resolves three privately reported vulnerabilities and one publicly disclosed vulnerability. The vulnerability with the most serious security impact could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Severity Rating: Important - Revision Note: Bulletin updated to add Windows XP Home Edition SP2 to the Non-Affected Software table. Summary: This important security update resolves a privately reported vulnerability in Message Queuing Service (MSMQ) that could allow remote code execution in implementations on Microsoft Windows 2000, or elevation of privilege in implementations on Microsoft Windows XP. An attacker must have valid logon credentials to exploit the elevation of privilege vulnerability on Windows XP. An attacker could then install programs; view, change, or delete data; or create new accounts.
Severity Rating: Critical - Revision Note: Bulletin updated to add KB article information to the Known Issues area of the General Information section. Summary: This update resolves a publicly reported vulnerability. A remote code execution vulnerability exists in the way that the Windows shell handles specially crafted URIs that are passed to it. If the Windows shell did not sufficiently validate these URIs, an attacker could exploit this vulnerability and execute arbitrary code. Microsoft has only identified ways to exploit this vulnerability on systems using Internet Explorer 7. However, the vulnerability exists in a Windows file, Shell32.dll, which is included in all supported editions of Windows XP and Windows Server 2003.
Severity Rating: Important - Revision Note: Bulletin updated to add KB article information to the Known Issues area of the General Information section. Summary: This important update resolves two privately discovered and responsibly reported vulnerabilities in addition to other security issues identified during the course of the investigation. The privately reported vulnerabilities could allow remote code execution if a user opened a specially crafted Visio file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. User interaction is required to exploit these vulnerabilities.
Revision Note: V3.0 (January 9, 2008): Affected Software table updated to add Microsoft Word Viewer 2003 under MS07-042. The same update for Microsoft Office 2003 Service Pack 2 applies to Microsoft Word Viewer 2003. Summary: This bulletin summary lists security bulletins released for August 2007.
Severity Rating: Critical - Revision Note: Bulletin updated: Added Microsoft Word Viewer 2003 as an affected product. Also added an Update FAQ clarifying the kill bit for Microsoft XML Parser 2.6 and its applicability to this security update. Summary: This critical security update resolves a privately reported vulnerability. This vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. The vulnerability could be exploited through attacks on Microsoft XML Core Services. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Revision Note: Advisory Updated: The registry key for the Configure a Domain Suffix Search List workaround has been corrected to the proper key of SearchList. Summary: Microsoft is investigating new public reports of a vulnerability in the way Windows resolves hostnames that do not include a fully-qualified domain name (FQDN). The technology that the vulnerability affects is Web Proxy Auto-Discovery (WPAD). Microsoft has not received any information to indicate that this vulnerability has been publicly used to attack customers, and Microsoft is not aware of any customer impact at this time. Microsoft is aggressively investigating the public reports. Customers whose domain name begins in a third-level or deeper domain, such as contoso.co.us, or for whom the following mitigating factors do not apply, are at risk from this vulnerability.