Reported
April 12, 2005 by Microsoft
VERSIONS AFFECTED
Microsoft Exchange Server
Microsoft Word
Microsoft Internet Explorer
MSN Messenger
Windows Shell
Microsoft Message Queueing (MSMQ)
Windows TCP/IP Stack
DESCRIPTION
Mark Dowd and Ben Layer of ISS X-Force discovered that Exchange Server
contains a vulnerability that could allow an intruder to connect to port 25
(SMTP) and issue a specially crafted command, which could lead to
remote code execution or a denial of service condition on the server.
Alex Li discovered that Microsoft Word contains two unchecked buffers
that could allow an attacker to take complete control of an affected
system if the user is logged in with an account that has
administrator-level access. An attack launched against users who are
logged in with less-privileged accounts could result in the attacker
taking any action that the user's privileges allow.
Berend-Jan Wever, 3APA3A, axle@bytefall, and Andres Tarasco of SIA Group
discovered that Internet Explorer contains three vulnerabilities that
could allow remote code execution. The problems stem from the way
Internet Explorer handles DHTML objects, parses URLs, and processes
Content Advisory files.
Hongzhen Zhou discovered that MSN Messenger contains a vulnerability
that could allow remote code execution. Due to the way MSN Messenger
processes GIF image files, an attacker could create a specially formed
image file that, when sent to an MSN Messenger user, could result in
the execution of code.
iDEFENSE discovered that the Windows Shell contains a vulnerability
that could allow remote code execution due to the way Windows handles
application association. Using a specially created file, an intruder
could cause Windows to start the HTML Application Host, which could be
used to take complete control of an affected system.
Kostya Kortchinsky with CERT RENATER discovered that Microsoft Message
Queueing (MSMQ) could be used to execute code if an intruder creates a
special message and sends that message to an affected system. Such a
message could allow an intruder to take complete control of an affected
system.
Song Liu, Hongzhen Zhou, Neel Mehta of ISS X-Force, Fernando Gont of
Argentina's Universidad Tecnologica Nacional/Facultad Regional Haedo,
and Qualys discovered that the Windows TCP/IP stack contains several
vulnerabilities that could lead to remote code execution or denial of
service attacks. The vulnerabilities pertain to IP message validation,
TCP message processing, ICMP packet processing, and connection spoofing.
VENDOR RESPONSE
Microsoft has issued
numerous updates to correct these problems: