Thread: M$ bulletin for May released MS04-015

  1. #1

    M$ bulletin for May released MS04-015

    So far Microsoft only released one bulletin for May (MS04-015)... don't know if there are more.

    Notes:
    * Microsoft classified criticality level at "Important"
    * Only affects Windows XP & Server 2003
    * Affects Help & Support Center
    * Is remote code execution vulnerability

    Microsoft Security Bulletin MS04-015
    Vulnerability in Help and Support Center Could Allow Remote Code Execution (840374)

    Issued: May 11, 2004
    Version: 1.0

    Summary
    Who should read this document: Customers who use Microsoft® Windows®

    Impact of Vulnerability: Remote Code Execution

    Maximum Severity Rating: Important

    Recommendation: Customers should install the update at the earliest opportunity.

    Security Update Replacement: None

    Caveats: Microsoft Knowledge Base Article 841996 documents a known issue that customers may experience when they install this security update on a system where the Help and Support Center service is disabled. For the installation of this security update to be successful, the Help and Support Center service cannot be disabled. The article also documents recommended solutions for this issue. For more information, see Microsoft Knowledge Base Article 841996.

    Tested Software and Security Update Download Locations:

    Affected Software:

    • Microsoft Windows XP and Microsoft Windows XP Service Pack 1 – Download the update

    • Microsoft Windows XP 64-Bit Edition Service Pack 1 – Download the update

    • Microsoft Windows XP 64-Bit Edition Version 2003 – Download the update

    • Microsoft Windows Server™ 2003 – Download the update

    • Microsoft Windows Server 2003 64-Bit Edition – Download the update


    Non-Affected Software:

    • Microsoft Windows NT® Workstation 4.0 Service Pack 6a

    • Microsoft Windows NT Server 4.0 Service Pack 6a

    • Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6

    • Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3, Microsoft Windows 2000 Service Pack 4

    • Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)


    The software in this list has been tested to determine if the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support lifecycle for your product and version, visit the following Microsoft Support Lifecycle Web site

    http://www.microsoft.com/technet/sec.../MS04-015.mspx

  2. #2
    Senior Member
    Join Date
    Sep 2003
    Posts
    500
    crap, you beat me to it.
    You shall no longer take things at second or third hand,
    nor look through the eyes of the dead...You shall listen to all
    sides and filter them for your self.
    -Walt Whitman-

  3. #3
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    this is a truly uninformative alert from Microsoft. what's it all about? I'll look myself and it's good that you posted it but i really think your thread should be more informative than just this.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  4. #4
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    here ya go:

    A remote code execution vulnerability exists in the Help and Support Center because of the way that it handles HCP URL validation. An attacker could exploit the vulnerability by constructing a malicious HCP URL that could potentially allow remote code execution if a user visited a malicious Web site or viewed a malicious e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, significant user interaction is required to exploit this vulnerability.


    in other words be prepared for another rash of "hey shithead check out this really cool link" in IMs and emails. and don't surf for porn or warez until you've updated.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
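
    The bulletin text quoted in post #4 says the flaw is reached through an HCP URL delivered by a web page or e-mail. As an added example (not part of the thread or of Microsoft's bulletin), here is a filter a mail or proxy gateway could use to flag HTML bodies that link to the `hcp:` scheme; the function names, attribute list and `constructed.invalid` host are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

BLOCKED_SCHEMES = {"hcp"}  # Help and Support Center protocol handler
URL_ATTRS = {"href", "src", "action", "data", "background"}
C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def scheme_of(url):
    """Lower-cased scheme of url, normalised the way URL parsers do:
    tab/CR/LF removed anywhere, leading control characters and spaces dropped."""
    cleaned = re.sub(r"[\t\r\n]", "", url).lstrip(C0_AND_SPACE).lower()
    match = re.match(r"([a-z][a-z0-9+.\-]*):", cleaned)
    return match.group(1) if match else None


class BlockedLinkFinder(HTMLParser):
    """Collect (tag, attribute) pairs whose URL uses a blocked scheme.
    HTMLParser decodes character references in attribute values, so
    entity-encoded schemes are seen in their decoded form."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if tag == "meta" and name == "content":
                # <meta http-equiv="refresh" content="0; url=...">
                m = re.search(r"url\s*=\s*(.*)", value, re.I | re.S)
                value = m.group(1).strip("'\"") if m else ""
            elif name not in URL_ATTRS:
                continue
            if scheme_of(value) in BLOCKED_SCHEMES:
                self.hits.append((tag, name))


def find_blocked_links(html_body):
    finder = BlockedLinkFinder()
    finder.feed(html_body)
    finder.close()
    return finder.hits


# Constructed sample body: a mixed-case link and an unrelated https link.
SAMPLE = ('<a href="HCP://constructed.invalid/">help</a>'
          '<a href="https://constructed.invalid/?q=hcp://x">ok</a>')
```

    A gateway would quarantine or rewrite any message for which `find_blocked_links` returns a non-empty list; installing the update remains the fix the bulletin recommends.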

  5. #5
    Originally posted here by Tedob1
    this is a truly uninformative alert from Microsoft. what's it all about? I'll look myself and it's good that you posted it but i really think your thread should be more informative than just this.
    You're right Tedob1...sorry about that. I read through M$'s bulletin and was basically unimpressed and quite frankly STUNNED that this was the only bulletin.

    I cannot believe this is the ONLY patch they have when there are SOOO many "pot holes" left in the road to fill. Ugh!

    Anyway, I probably should have put more comments in there. Tip noted for future ref.

  6. #6
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Damn it!

    OK, someone who works for Microsoft, read this and send it to the right people:

    Windows XP is good, do a damn code analysis like SuSE Linux and OpenBSD do, and get this **** fixed right!

    I remember when Windows XP came out. I was like "Wow, that UI looks like a clown ate too much cotton candy and puked on it!". But it is actually stable. I had to use it at school, and began to actually like it. When I bought a new machine it came with it, and I was like "OK, I'll leave this on, but more than likely I'll end up formatting it and putting Windows 2000 on it since I need Windows for school".

    Well, I had so few problems with it that I just left it on. And I have that box, still with Windows XP on it, but I get so tired of updates.

    They could have waited to release XP by a few more months to find more bugs. This is what? 3 Years later? Windows XP is turning into Sendmail. If you've ever updated a UNIX box, you know what that means. 5,000 bugs and counting pretty much.

    Heh, I guess this will make Service pack 2 for XP ship later now. Another bug fix has to be tested with it.

    Microsoft, quit being so pushy about releasing a new OS every year. Instead, when you think it's ready for release, how about sending it to a security company, and having them test it too?

    Start supporting NT again and drop Windows 98 instead... Or do both. NT is still in use today.

    Release Windows Server 2003 without the server programs in it, as a desktop OS. It's fast, stable, and too damn much money with worthless software for a desktop OS for a home user, but it's stable as I said, and should have a release for desktop use.

    Hell, it already has Windows Media Player.

    OK I'm rambling on because I have to update AGAIN. But I think I have some very good ideas. Maybe I should send Microsoft an Email. I'll send it to the piracy mail address, that way they will actually read it. They only care what we say when we save them money.

    What do you guys think? I kind of babbled on a bit but I'm also doing 5 things right now. Maybe I can make a list of things Microsoft could do that would make them a better company with better products, but also be possible without screwing something up.

  7. #7
    better company with better products, but also be possible without screwing something up.
    Ms Bob 3.1 - reference here - http://toastytech.com/guis/bob.html

    Need I say anything else?

  8. #8
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    I'm confused, why is MS calling this a remote code execution vulnerability?
    There's nothing remote about it. MS04-011 was/is a remote code execution vulnerability.
    This one is a local one because it has to run on the local machine.
    Oliver's Law:
    Experience is something you don't get until just after you need it.
