Windows 98 & ME - Microsoft Security Bulletin MS04-024 - Vulnerability in Windows Shell Could Allow Remote Code Execution (839645)

Note to Windows 9x users--This Patch has been deemed "Not Critical" and =
is therefore not available to Win9x users--not even to WinME users. For =
those systems to which it "applies", this patch is deemed "Important". =
Of course, according to the definitions provided by MS at =
http://www.microsoft.com/technet/sec...in/rating.mspx, the only =
difference between "Critical" and "Important" is that while the latter =
can destroy your system, it can't spread itself like the former can. =
Gee, thanks...

(I have a request in to those in charge, asking for a bit of elucidation =
on the subject.)

--=20
Gary S. Terhune
MS MVP for Win9x
=20
"Emily F [MSFT]" wrote in message =
...
Microsoft Security Bulletin MS04-024
Vulnerability in Windows Shell Could Allow Remote Code Execution =
(839645)
http://www.microsoft.com/technet/sec.../ms04-024.mspx
Issued: July 13, 2004
Version: 1.0
Executive Summary:
This update resolves a newly-discovered, publicly reported =
vulnerability. A
remote code execution vulnerability exists in the way that the Windows =
Shell
launches applications.
If a user is logged on with administrative privileges, an attacker who
successfully exploited this vulnerability could take complete control =
of an
affected system, including installing programs; viewing, changing, or
deleting data; or creating new accounts with full privileges. However,
significant user interaction is required to exploit this =
vulnerability.
Users whose accounts are configured to have fewer privileges on the =
system
would be at less risk than users who operate with administrative =
privileges.
We recommend that customers consider applying the security update.
Summary
Who should read this document: Customers who use Microsoft=AE =
Windows=AE
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Important
Recommendation: Customers should install the update at the earliest
opportunity.
Security Update Replacement: This update replaces MS03-027 on Windows =
XP.
This update does not replace MS03-027 on Windows NT 4.0, on Windows =
2000, or
on Windows Server 2003.
Caveats: None
Tested Software and Security Update Download Locations:
Affected Softwa
.Microsoft Windows NT=AE Workstation 4.0 Service Pack 6a - Download =
the update
.Microsoft Windows NT Server 4.0 Service Pack 6a - Download the update
.Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack =
6 -
Download the update
.Microsoft Windows NT=AE Workstation 4.0 Service Pack 6a and NT Server =
4.0
Service Pack 6a with Active Desktop - Download the update
.Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service =
Pack
3, Microsoft Windows 2000 Service Pack 4 - Download the update
.Microsoft Windows XP and Microsoft Windows XP Service Pack 1 - =
Download the
update
.Microsoft Windows XP 64-Bit Edition Service Pack 1 - Download the =
update
.Microsoft Windows XP 64-Bit Edition Version 2003 - Download the =
update
.Microsoft Windows ServerT 2003 - Download the update
.Microsoft Windows Server 2003 64-Bit Edition - Download the update
.Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
Microsoft Windows Millennium Edition (Me) - Review the FAQ section of =
this
bulletin for details about these operating systems.
=20
The software in this list has been tested to determine if the versions =
are
affected. Other versions either no longer include security update =
support or
may not be affected. To determine the support lifecycle for your =
product and
version, visit the following Microsoft Support Lifecycle Web site.
=20