Severity Rating: Important - Revision Note: V1.5 (July 23, 2008): Added removal information notes for Microsoft SQL Server 2000 Desktop Engine (WMSDE) and Windows Internal Database (WYukon) to clarify that removing this security update for WMSDE or WYukon will also completely remove the instance of WMSDE or WYukon from the system. Summary: This security update resolves four privately disclosed vulnerabilities. The more serious of the vulnerabilities could allow an attacker to run code and to take complete control of an affected system. An authenticated attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.
Severity Rating: Important - Revision Note: V2.1 (July 23, 2008): Affected Software table revised to add MS06-064, MS07-062, and MS08-001 as bulletins replaced by this update. Summary: This security update resolves two privately reported vulnerabilities in the Windows Domain Name System (DNS) that could allow spoofing. These vulnerabilities exist in both the DNS client and DNS server and could allow a remote attacker to redirect network traffic intended for systems on the Internet to the attacker’s own systems.
Revision Note: V2.0 (July 16, 2008): Added DirectX 9.0a as affected software for MS08-033. Summary: This bulletin summary lists security bulletins released for June 2008.
Severity Rating: Important - Revision Note: V1.2 (July 16, 2008): Added Microsoft Exchange Server 2000 Service Pack 3 as non-affected software. Also provided links to additional information on Outlook Web Access Light and Outlook Web Access Premium in the Mitigating Factors sections. Finally, updated the applicable software under the “Windows Server Update Services” heading in the section, Detection and Deployment Tools and Guidance. Summary: This security update resolves two privately reported vulnerabilities in Outlook Web Access (OWA) for Microsoft Exchange Server. An attacker who successfully exploited these vulnerabilities could gain access to an individual OWA client’s session data, allowing elevation of privilege. The attacker could then perform any action the user could perform from within the individual client’s OWA session.
Severity Rating: Critical - Revision Note: V2.0 (July 16, 2008): Added DirectX 9.0a as affected software. Summary: This security update resolves two privately reported vulnerabilities in Microsoft DirectX that could allow remote code execution if a user opens a specially crafted media file. An attacker who successfully exploited either of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Severity Rating: Critical - Revision Note: V1.3 (July 16, 2008): Removed link to Microsoft Knowledge Base Article 950749 under Known Issues in the Executive Summary. Summary: This security update resolves a security vulnerability in the Microsoft Jet Database Engine (Jet) in Windows. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Revision Note: V2.0 (July 16, 2008): Bulletin updated to reflect changes to the affected software of MS07-064 bulletin. Summary: This bulletin summary lists security bulletins released for December 2007.
Severity Rating: Critical - Revision Note: V3.0 (July 16, 2008): Bulletin updated to reflect that the update for DirectX 9.0 also applies to DirectX 9.0a. Summary: This critical security update resolves two privately reported vulnerabilities in Microsoft DirectX. These vulnerabilities could allow code execution if a user opened a specially crafted file used for streaming media in DirectX. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Revision Note: July 16, 2008: Updated the example workaround steps for running the update to Windows Server Update Services 3.0 Service Pack 1 on Windows Server 2008 as an administrator. Summary: Microsoft has completed the investigation into public reports of a non-security issue that prevents the distribution of any updates deployed through Microsoft Windows Server Update Services 3.0 or Microsoft Windows Server Update Services 3.0 Service Pack 1 to client systems that have Microsoft Office 2003 installed in their environment. Microsoft confirmed those reports and has released an update to correct this issue under Microsoft Knowledge Base Article 954960. Microsoft encourages customers affected by this issue to review and install this update.
Severity Rating: Important - Revision Note: Bulletin published. Summary: This security update resolves a publicly reported vulnerability in Windows Explorer that could allow remote code execution when a specially crafted saved-search file is opened and saved. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Revision Note: July 2, 2008: Updated the Suggested Actions. Summary: Microsoft is investigating new public reports of a blended threat that allows remote code execution on all supported versions of Windows XP and Windows Vista when Apple’s Safari for Windows has been installed. Safari is not installed with Windows XP or Windows Vista by default; it must be installed independently or through the Apple Software Update application. Customers running Safari on Windows should review this advisory.
Revision Note: June 25, 2008: Removed erroneous references to form field and cookie value testing from the HP Scrawlr tool description. Summary: Microsoft is aware of a recent escalation in a class of attacks targeting Web sites that use Microsoft ASP and ASP.NET technologies but do not follow best practices for secure Web application development. These SQL injection attacks do not exploit a specific software vulnerability, but instead target Web sites that do not follow secure coding practices for accessing and manipulating data stored in a relational database. When a SQL injection attack succeeds, an attacker can compromise data stored in these databases and possibly execute remote code. Clients browsing to a compromised server could be forwarded unknowingly to malicious sites that may install malware on the client machine.
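The advisory above describes the coding mistake behind these attacks without showing it. The following is an added example, not code from the Microsoft advisory or from any affected site: the same two queries written first with string concatenation of request fields (the practice the advisory warns against) and then with parameter binding. Python's sqlite3 module stands in for ASP and SQL Server, and the table names, rows, and attack strings are constructed for the illustration; the login and search functions are hypothetical, not real ASP handlers.

```python
import sqlite3

# Added example (not from the Microsoft advisory). The schema, rows and
# payloads below are constructed sample data for illustration only.


def make_db():
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.execute(
        "INSERT INTO pages (title, body) VALUES (?, ?)", ("Home", "<p>Welcome</p>")
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Classic-ASP style: request fields pasted straight into the SQL text.

    A username of  ' OR '1'='1' --  turns the statement into
      ... WHERE username = '' OR '1'='1' --' AND password = '...'
    The comment marker discards the password check and the tautology
    matches every row, so a user is returned without any valid credential.
    """
    sql = (
        "SELECT username FROM users WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised form: the driver passes the values separately from the
    statement text, so quotes and comment markers in the input stay data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def search_vulnerable(conn, term):
    """Vulnerable search. A term such as
      x%' UNION SELECT password FROM users --
    appends a second SELECT and pulls another table's contents into the
    result set: the data-compromise outcome the advisory describes."""
    sql = "SELECT title FROM pages WHERE title LIKE '%" + term + "%'"
    return [r[0] for r in conn.execute(sql).fetchall()]


def search_safe(conn, term):
    """Parameterised search. The wildcards are added in code, not by the
    caller. Note that % and _ inside the term still act as LIKE wildcards;
    that is an input-validation concern, not an injection."""
    sql = "SELECT title FROM pages WHERE title LIKE ?"
    return [r[0] for r in conn.execute(sql, ("%" + term + "%",)).fetchall()]


if __name__ == "__main__":
    db = make_db()
    bypass = "' OR '1'='1' --"
    print("vulnerable login: ", login_vulnerable(db, bypass, "wrong"))
    print("safe login:       ", login_safe(db, bypass, "wrong"))
    exfil = "x%' UNION SELECT password FROM users --"
    print("vulnerable search:", search_vulnerable(db, exfil))
    print("safe search:      ", search_safe(db, exfil))
```

Run as a script, the vulnerable login returns a username for a bogus password and the vulnerable search returns the password column of an unrelated table, while the parameterised versions return nothing for the same inputs. The fix is the same in ASP.NET: bind values through SqlParameter objects (or a stored procedure called with parameters) rather than building the statement from request strings.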
Revision Note: V4.0 (June 24, 2008): Affected Software table updated to add Windows XP Service Pack 3, Windows Vista Service Pack 1, Windows Vista x64 edition Service Pack 1, Windows Server 2008 for 32-bit Systems, Windows Server 2008 for x64-based Systems, and Windows Server 2008 for Itanium-based Systems under MS07-042 for the KB936181 update for Microsoft XML Core Services 4.0. This is a detection change only. There were no changes to the binaries. Summary: This bulletin summary lists security bulletins released for August 2007.
Severity Rating: Critical - Revision Note: V4.0 (June 24, 2008): Bulletin updated: Added Windows XP Service Pack 3, Windows Vista Service Pack 1, Windows Vista x64 Edition Service Pack 1, Windows Server 2008 for 32-bit Systems, Windows Server 2008 for x64-based Systems, and Windows Server 2008 for Itanium-based Systems as affected software. This is a detection update only. There were no changes to the binaries. Summary: This critical security update resolves a privately reported vulnerability. This vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. The vulnerability could be exploited through attacks on Microsoft XML Core Services. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Severity Rating: Critical - Revision Note: V2.0 (June 18, 2008): Added "Why was this security update reoffered on June 18, 2008?" entry to the Update FAQ to advise customers running Windows XP Service Pack 2 and Windows XP Service Pack 3 that a revised version of the security update is available. Summary: This security update resolves a privately reported vulnerability in the Bluetooth stack in Windows that could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Severity Rating: Critical - Revision Note: V2.1 (June 18, 2008): Bulletin updated to clarify the Update FAQ entry on MS06-078 supersedence, and to add an Update FAQ entry describing a Windows XP installation issue when installing via Windows Server Update Services (WSUS). Summary: This critical security update resolves a privately reported vulnerability in Windows Media File Format. This vulnerability could allow remote code execution if a user viewed a specially crafted file in Windows Media Format Runtime. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Severity Rating: Critical - Revision Note: V6.0 (June 18, 2008): Bulletin updated to remove Microsoft Windows XP Service Pack 3 from the Affected Software list for Microsoft Windows Media Player 6.4 and to add Microsoft Windows Media Player 6.4 when installed on Microsoft Windows XP Service Pack 3 to the Non-Affected Software list. Summary: This update resolves two newly discovered vulnerabilities. These vulnerabilities are documented in the Vulnerability Details section of this bulletin. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
Revision Note: June 17, 2008: Advisory updated to reflect availability of fix. Summary: Microsoft has completed the investigation into public reports of a non-security issue that affects environments with all supported versions of System Center Configuration Manager 2007 that deploy updates to Systems Management Services (SMS) 2003 clients. Microsoft has confirmed those reports and has released an update to correct this issue under Microsoft Knowledge Base Article 954474. Microsoft encourages customers affected by this issue to review and install this update.
Severity Rating: Important - Revision Note: V1.1 (June 11, 2008): Removed erroneous known issues entry from the Update FAQ. Also added ports to be blocked in the Workarounds for Active Directory Vulnerability - CVE-2008-1445 section. Summary: This security update resolves a privately reported vulnerability in implementations of Active Directory on Microsoft Windows 2000 Server, Windows Server 2003, and Windows Server 2008; Active Directory Application Mode (ADAM) when installed on Windows XP Professional and Windows Server 2003; and Active Directory Lightweight Directory Service (AD LDS) when installed on Windows Server 2008. The vulnerability could be exploited to allow an attacker to cause a denial of service condition. On Windows XP Professional, Windows Server 2003, and Windows Server 2008, an attacker must have valid logon credentials to exploit this vulnerability. An attacker who successfully exploited this vulnerability could cause the system to stop responding or automatically restart.
Severity Rating: Important - Revision Note: V1.1 (June 11, 2008): Added entry to Update FAQ to explain why the vulnerability is not a remote code execution vulnerability. Also added entry to Update FAQ to explain why the update will not be offered unless WINS has been enabled on the system. Summary: This security update resolves a privately reported vulnerability in the Windows Internet Name Service (WINS) that could allow elevation of privilege. A local attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts.
Severity Rating: Critical - Revision Note: V1.1 (June 11, 2008): Added entry to Update FAQ to communicate that the file information in the associated Microsoft Knowledge Base Article 950759 has been updated. Summary: This security update resolves one privately reported and one publicly disclosed vulnerability. The privately reported vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The publicly disclosed vulnerability could allow information disclosure if a user viewed a specially crafted Web page using Internet Explorer.
Severity Rating: Important - Revision Note: Bulletin published. Summary: This security update resolves two privately reported vulnerabilities in the Pragmatic General Multicast (PGM) protocol that could allow a denial of service if malformed PGM packets are received by an affected system. An attacker who successfully exploited this vulnerability could cause a user’s system to become non-responsive and to require a restart to restore functionality. Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights, but it could cause the affected system to stop accepting requests.
Severity Rating: Moderate - Revision Note: Bulletin published. Summary: This security update resolves a publicly reported vulnerability for the Microsoft Speech API. The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer and has the Speech Recognition feature in Windows enabled. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This update also includes a kill bit for software produced by BackWeb.
Severity Rating: Critical - Revision Note: V1.1 (June 4, 2008): Added a link to Microsoft Knowledge Base Article 951208 under Known Issues in the Executive Summary. Summary: This security update resolves a privately reported vulnerability in Microsoft Publisher that could allow remote code execution if a user opens a specially crafted Publisher file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Severity Rating: Critical - Revision Note: V1.5 (June 4, 2008): Bulletin updated: Added entry to Update FAQ to explain why the update may be offered even when Affected Software isn’t present on the system. Summary: This security update resolves a privately reported vulnerability in Microsoft Office Outlook. The vulnerability could allow remote code execution if Outlook is passed a specially crafted mailto URI. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This vulnerability is not exploitable by simply viewing an e-mail through the Outlook preview pane.
Severity Rating: Critical - Revision Note: V3.2 (June 4, 2008): Bulletin updated: Added entry to Update FAQ to explain why the update may be offered even when Affected Software isn’t present on the system. Summary: This security update resolves several privately reported and publicly reported vulnerabilities in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Severity Rating: Critical - Revision Note: V1.1 (May 14, 2008): Updated the Deployment Information sections for Office 2004 for Mac and Office 2008 for Mac to link to the Microsoft Download Center. Also added entry to Update FAQ to clarify why the update for Outlook 2007 is rated Critical. Summary: This security update resolves several privately reported vulnerabilities in Microsoft Word that could allow remote code execution if a user opens a specially crafted Word file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Severity Rating: Critical - Revision Note: V1.3 (May 14, 2008): Bulletin updated to add a link to Microsoft Knowledge Base Article 933103 under Known Issues in the Executive Summary. Summary: This critical update resolves two privately reported vulnerabilities in Microsoft Office Web Components. These vulnerabilities could allow remote code execution if a user viewed a specially crafted Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Severity Rating: Moderate - Revision Note: Bulletin published. Summary: This security update resolves two privately reported vulnerabilities in the Microsoft Malware Protection Engine. An attacker could exploit either of the vulnerabilities by constructing a specially crafted file that could allow denial of service when received by the target computer system and scanned by the Microsoft Malware Protection Engine. An attacker who successfully exploited this vulnerability could cause the Microsoft Malware Protection Engine to stop responding and automatically restart.
Severity Rating: Critical - Revision Note: V2.0 (May 13, 2008): Bulletin updated to add Windows XP Service Pack 3 as affected software. This is a detection update only. There were no changes to the binaries. Summary: This update resolves a privately reported vulnerability in Macromedia Flash Player from Adobe, version 6.0.84.0 and earlier. Macromedia Flash Player is a third-party software application that also was redistributed with Microsoft Windows XP Service Pack 2, Windows XP Service Pack 3, and Microsoft Windows XP Professional x64 Edition. The vulnerability is documented in the Vulnerability Details section of this bulletin. The Adobe Security Bulletin APSB06-11, issued September 12, 2006, describes the vulnerabilities and provides the download locations for customers who have installed Flash Player 7 and higher so that you can install the appropriate update based on the version of Flash Player you are using. Customers who have followed the guidance in the Adobe Security Bulletin are not at risk from the vulnerability. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. We recommend that customers apply the update immediately.
Revision Note: May 13, 2008: Advisory updated to reflect publication of security bulletin. Summary: Microsoft has completed the investigation into public reports of this vulnerability. We have issued Microsoft Security Bulletin MS08-028 to address this issue. For more information about this issue, including download links for an available security update, please review MS08-028: Vulnerability in Microsoft Jet Database Engine Could Allow Remote Code Execution (950749). The vulnerability addressed is the Microsoft Jet Engine MDB File Parsing Stack Overflow Vulnerability - CVE-2007-6026.
Severity Rating: Critical - Revision Note: V3.2 (May 7, 2008): Bulletin updated: Removed erroneous references to .NET Framework 1.0 as a component of Windows Server 2008 x64 Edition and Windows Server 2008 for Itanium-based Systems. Summary: This update resolves three privately reported vulnerabilities. Two of these vulnerabilities could allow remote code execution on client systems with .NET Framework installed, and one could allow information disclosure on Web servers running ASP.NET.
Severity Rating: Critical - Revision Note: V2.1 (April 30, 2008): Bulletin updated. Added a new entry to the Update FAQ describing additional security features included in the update for Microsoft Office 2003 Service Pack 2. Summary: This security update resolves two privately reported vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a malformed Office file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Revision Note: V2.1 (April 30, 2008): Bulletin summary updated to remove Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1 from the Affected Software table. Summary: This bulletin summary lists security bulletins released for May 2007.
Severity Rating: Critical - Revision Note: V2.1 (April 30, 2008): This Bulletin has been revised to move Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1 from the Affected Software list to the Non-Affected Software list. Summary: This update resolves a privately reported vulnerability. The vulnerability is documented in its own subsection in the Vulnerability Details section of this bulletin.
Severity Rating: Critical - Revision Note: V2.1 (April 23, 2008): Bulletin updated: Removed erroneous references to Windows XP Professional x64 Edition Service Pack 3. Summary: This critical security update resolves one privately reported vulnerability. The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Severity Rating: Critical - Revision Note: Corrected the Registry Key Verification for all supported x64-based editions of Windows Server 2003. Summary: This critical security update resolves one privately reported vulnerability for a Microsoft product. This update also includes a kill bit for the Yahoo! Music Jukebox product. The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Severity Rating: Important - Revision Note: V1.5 (April 23, 2008): Clarified the Update FAQ entry about the last revision, dated April 18. That change was a detection change only that does not affect the files contained in the initial update. Summary: This security update resolves privately reported vulnerabilities in Microsoft Office Visio that could allow remote code execution if a user opens a specially crafted Visio file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Severity Rating: Critical - Revision Note: V1.2 (April 23, 2008): Bulletin updated: Microsoft Visio 2002 removed from Microsoft Office XP Service Pack 3 section of Affected Software table. Microsoft Visio 2002 Service Pack 2 is listed separately in the Affected Software table. Summary: This update resolves two newly discovered, privately and publicly reported vulnerabilities. Each vulnerability is documented in its own subsection in the Vulnerability Details section of this bulletin. When using vulnerable versions of Office, if a user were logged on with administrative user rights, an attacker who successfully exploited these vulnerabilities could take complete control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. We recommend that customers apply the update immediately.
Revision Note: V2.0 (April 16, 2008): Bulletin summary updated to add Microsoft Office Word Viewer 2003 and Microsoft Office Word Viewer 2003 Service Pack 3 to the Affected Software for MS08-016. Summary: This bulletin summary lists security bulletins released for March 2008.
Revision Note: V1.2 (April 16, 2008): Finder information for MS08-021 updated, and Affected Software for Microsoft Office Suites and Software clarified. Summary: This bulletin summary lists security bulletins released for April 2008.
Severity Rating: Critical - Revision Note: V1.2 (April 16, 2008): Bulletin updated: Added entry to Update FAQ to describe additional security features included for Microsoft Office 2003 Service Pack 2, and Microsoft Baseline Security Analyzer and Systems Management Server tables updated to match the Affected Software table. Summary: This security update resolves a privately reported vulnerability in Microsoft Project that could allow remote code execution if a user opens a specially crafted Project file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Severity Rating: Critical - Revision Note: V1.3 (April 16, 2008): Bulletin updated: Added entry to Update FAQ to describe additional security features included for Microsoft Office 2003 Service Pack 2. Summary: This critical security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file with a malformed object inserted into the document. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.