Was This Vulnerability Ever Completely Patched

Full Disclosure of area of Windows Security Concern

Note: Due Diligence was done to try and have this completely patched by
Microsoft if it has not been done and appears to affect both Windows 98
Second Edition and Windows 2000 Professional which is still in support phase
until July 13, 2010.

http://secunia.com/advisories/13645/

Secunia Advisory SA13645
Microsoft Windows Multiple Vulnerabilities
Secunia Advisory SA13645
Get alerted and manage the vulnerability life cycle
Free Trial

Release Date 2004-12-25
Last Update 2005-11-21

Popularity 50,286 views
Comments 0 comments

Criticality level Highly critical

Highly critical
Impact DoS
System access
Where From remote
Authentication level Available in Customer Area
Report reliability Available in Customer Area
Solution Status Partial Fix
Systems affected Available in Customer Area
Approve distribution Available in Customer Area

Operating System
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Millenium
Microsoft Windows NT 4.0 Server
Microsoft Windows NT 4.0 Server, Terminal Server Edition
Microsoft Windows NT 4.0 Workstation
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Embedded
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional

Secunia CVSS Score Available in Customer Area
CVE Reference(s) CVE-2004-1049 CVSS available in Customer Area
CVE-2004-1305 CVSS available in Customer Area
CVE-2004-1306 CVSS available in Customer Area
CVE-2004-1361 CVSS available in Customer Area


Description
Flashsky has reported some vulnerabilities in Microsoft Windows, allowing
malicious people to compromise a vulnerable system or cause a DoS (Denial of
Service).

1) The vulnerability is caused due to an integer overflow in the LoadImage
API which can be exploited to cause a heap based buffer overflow. This can be
exploited through a website by using maliciously crafted icon, cursor,
animated cursor, or bitmap files.

Successful exploitation allows execution of arbitrary code.

2) Some errors in the Windows Kernel when parsing ANI files may cause the
system to crash. This can be exploited through specially crafted ANI files.

3) The vulnerability is caused due to a heap overflow and an integer
overflow in "winhlp32.exe" when handling HLP files. This can be exploited
through specially crafted HLP files.

All versions of Microsoft Windows are affected except Microsoft Windows XP
with Service Pack 2.

Solution
3) Do not visit untrusted web sites and don't open documents from untrusted
sources.
Further details available in Customer Area

Provided and/or discovered by
1) Discovered independently by:
* Flashsky
* eEye Digital Security

2) Flashsky (Microsoft credits Sylvain Bruyere).
3) Keji

Changelog
Further details available in Customer Area

Original Advisory
MS05-002 (KB891711):
http://www.microsoft.com/technet/sec.../MS05-002.mspx

Flashsky:
http://www.xfocus.net/flashsky/icoExp/

eEye Digital Security:
http://www.eeye.com/html/research/ad...D20050111.html

Other references
Further details available in Customer Area

Deep Links
Links available in Customer Area

On 05/21/2010 02:18 AM, Dan wrote:
Full Disclosure of area of Windows Security Concern

Note: Due Diligence was done to try and have this completely patched by
Microsoft if it has not been done and appears to affect both Windows 98
Second Edition and Windows 2000 Professional which is still in support phase
until July 13, 2010.

http://secunia.com/advisories/13645/

Secunia Advisory SA13645
Microsoft Windows Multiple Vulnerabilities
Secunia Advisory SA13645
Get alerted and manage the vulnerability life cycle
Free Trial

Release Date 2004-12-25
Last Update 2005-11-21

Popularity 50,286 views
Comments 0 comments

Criticality level Highly critical

Highly critical
Impact DoS
System access
Where From remote
Authentication level Available in Customer Area
Report reliability Available in Customer Area
Solution Status Partial Fix
Systems affected Available in Customer Area
Approve distribution Available in Customer Area

Operating System
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Millenium
Microsoft Windows NT 4.0 Server
Microsoft Windows NT 4.0 Server, Terminal Server Edition
Microsoft Windows NT 4.0 Workstation
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Embedded
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional

Secunia CVSS Score Available in Customer Area
CVE Reference(s) CVE-2004-1049 CVSS available in Customer Area
CVE-2004-1305 CVSS available in Customer Area
CVE-2004-1306 CVSS available in Customer Area
CVE-2004-1361 CVSS available in Customer Area


Description
Flashsky has reported some vulnerabilities in Microsoft Windows, allowing
malicious people to compromise a vulnerable system or cause a DoS (Denial of
Service).

1) The vulnerability is caused due to an integer overflow in the LoadImage
API which can be exploited to cause a heap based buffer overflow. This can be
exploited through a website by using maliciously crafted icon, cursor,
animated cursor, or bitmap files.

Successful exploitation allows execution of arbitrary code.

2) Some errors in the Windows Kernel when parsing ANI files may cause the
system to crash. This can be exploited through specially crafted ANI files.

3) The vulnerability is caused due to a heap overflow and an integer
overflow in "winhlp32.exe" when handling HLP files. This can be exploited
through specially crafted HLP files.

All versions of Microsoft Windows are affected except Microsoft Windows XP
with Service Pack 2.

Solution
3) Do not visit untrusted web sites and don't open documents from untrusted
sources.
Further details available in Customer Area

Provided and/or discovered by
1) Discovered independently by:
* Flashsky
* eEye Digital Security

2) Flashsky (Microsoft credits Sylvain Bruyere).
3) Keji

Changelog
Further details available in Customer Area

Original Advisory
MS05-002 (KB891711):
http://www.microsoft.com/technet/sec.../MS05-002.mspx

Flashsky:
http://www.xfocus.net/flashsky/icoExp/

eEye Digital Security:
http://www.eeye.com/html/research/ad...D20050111.html

Other references
Further details available in Customer Area

Deep Links
Links available in Customer Area


Uh, did you happen to notice the update offered via WU..

Was it ever FULLY patched? You're testing the Win98 OS supposedly, why
not tell us if it was, rather than us telling you if it was or wasn't
[hint, it was 891711].

--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---

On 05/21/2010 02:18 AM, Dan wrote:
Full Disclosure of area of Windows Security Concern

Note: Due Diligence was done to try and have this completely patched by
Microsoft if it has not been done and appears to affect both Windows 98
Second Edition and Windows 2000 Professional which is still in support phase
until July 13, 2010.

http://secunia.com/advisories/13645/

Secunia Advisory SA13645
Microsoft Windows Multiple Vulnerabilities
Secunia Advisory SA13645
Get alerted and manage the vulnerability life cycle
Free Trial

Release Date 2004-12-25
Last Update 2005-11-21

Popularity 50,286 views
Comments 0 comments

Criticality level Highly critical

Highly critical
Impact DoS
System access
Where From remote
Authentication level Available in Customer Area
Report reliability Available in Customer Area
Solution Status Partial Fix
Systems affected Available in Customer Area
Approve distribution Available in Customer Area

Operating System
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Millenium
Microsoft Windows NT 4.0 Server
Microsoft Windows NT 4.0 Server, Terminal Server Edition
Microsoft Windows NT 4.0 Workstation
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Embedded
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional

Secunia CVSS Score Available in Customer Area
CVE Reference(s) CVE-2004-1049 CVSS available in Customer Area
CVE-2004-1305 CVSS available in Customer Area
CVE-2004-1306 CVSS available in Customer Area
CVE-2004-1361 CVSS available in Customer Area


Description
Flashsky has reported some vulnerabilities in Microsoft Windows, allowing
malicious people to compromise a vulnerable system or cause a DoS (Denial of
Service).

1) The vulnerability is caused due to an integer overflow in the LoadImage
API which can be exploited to cause a heap based buffer overflow. This can be
exploited through a website by using maliciously crafted icon, cursor,
animated cursor, or bitmap files.

Successful exploitation allows execution of arbitrary code.

2) Some errors in the Windows Kernel when parsing ANI files may cause the
system to crash. This can be exploited through specially crafted ANI files.

3) The vulnerability is caused due to a heap overflow and an integer
overflow in "winhlp32.exe" when handling HLP files. This can be exploited
through specially crafted HLP files.

All versions of Microsoft Windows are affected except Microsoft Windows XP
with Service Pack 2.

Solution
3) Do not visit untrusted web sites and don't open documents from untrusted
sources.
Further details available in Customer Area

Provided and/or discovered by
1) Discovered independently by:
* Flashsky
* eEye Digital Security

2) Flashsky (Microsoft credits Sylvain Bruyere).
3) Keji

Changelog
Further details available in Customer Area

Original Advisory
MS05-002 (KB891711):
http://www.microsoft.com/technet/sec.../MS05-002.mspx

Flashsky:
http://www.xfocus.net/flashsky/icoExp/

eEye Digital Security:
http://www.eeye.com/html/research/ad...D20050111.html

Other references
Further details available in Customer Area

Deep Links
Links available in Customer Area


Uh, did you happen to notice the update offered via WU..

Was it ever FULLY patched? You're testing the Win98 OS supposedly, why
not tell us if it was, rather than us telling you if it was or wasn't
[hint, it was 891711].

--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---

Snip

Thanks for the information, MEB. I guess Secunia.com needs to update their
information because they claim it was only a partial patch and not a complete
patch. I have never found out if a cracker could take advantage of this if
it is true that it is not a complete patch. I guess I can contact Secunia
and Micorosoft for more information about whether it was a full patch and not
just partially fixed. Since it applies to Windows 2000 Professional as well
as Windows Server 2003 there should be a complete patch. I don't know if I
will get anywhere trying to contact them about this but I can try at least.

Snip

Thanks for the information, MEB. I guess Secunia.com needs to update their
information because they claim it was only a partial patch and not a complete
patch. I have never found out if a cracker could take advantage of this if
it is true that it is not a complete patch. I guess I can contact Secunia
and Micorosoft for more information about whether it was a full patch and not
just partially fixed. Since it applies to Windows 2000 Professional as well
as Windows Server 2003 there should be a complete patch. I don't know if I
will get anywhere trying to contact them about this but I can try at least.

On 05/21/2010 10:52 AM, Dan wrote:
Snip

Thanks for the information, MEB. I guess Secunia.com needs to update their
information because they claim it was only a partial patch and not a complete
patch. I have never found out if a cracker could take advantage of this if
it is true that it is not a complete patch. I guess I can contact Secunia
and Micorosoft for more information about whether it was a full patch and not
just partially fixed. Since it applies to Windows 2000 Professional as well
as Windows Server 2003 there should be a complete patch. I don't know if I
will get anywhere trying to contact them about this but I can try at least.

If you look through the list of files for W2K Prof. you can compare
them to later updates offered. Again, only extensive personal testing
might ensure your knowledge regarding the matter of a complete and
unfailing fix/patch in the NT environments. Win9X was obviously left
with the provided "fix" [it was apparently a kludge "work-around"
requiring an exe, a dll, and registry settings].

--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---

On 05/21/2010 10:52 AM, Dan wrote:
Snip

Thanks for the information, MEB. I guess Secunia.com needs to update their
information because they claim it was only a partial patch and not a complete
patch. I have never found out if a cracker could take advantage of this if
it is true that it is not a complete patch. I guess I can contact Secunia
and Micorosoft for more information about whether it was a full patch and not
just partially fixed. Since it applies to Windows 2000 Professional as well
as Windows Server 2003 there should be a complete patch. I don't know if I
will get anywhere trying to contact them about this but I can try at least.

If you look through the list of files for W2K Prof. you can compare
them to later updates offered. Again, only extensive personal testing
might ensure your knowledge regarding the matter of a complete and
unfailing fix/patch in the NT environments. Win9X was obviously left
with the provided "fix" [it was apparently a kludge "work-around"
requiring an exe, a dll, and registry settings].

--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---

Thanks, Meb. My main interest was mainly in Windows 98 Second Edition being
fully patched in this case. I remember seeing the 891711 in the add/remove
programs of Windows 98 Second Edition. It certainly was a clunky way to
patch it on 98SE but as long as it was fully patched on at least 98SE, then I
am glad. :-
I may primarily use the NT source code instead of 9x source code now but
will soon have more options as I delve into Linux.

"MEB" wrote:

On 05/21/2010 10:52 AM, Dan wrote:
Snip

Thanks for the information, MEB. I guess Secunia.com needs to update their
information because they claim it was only a partial patch and not a complete
patch. I have never found out if a cracker could take advantage of this if
it is true that it is not a complete patch. I guess I can contact Secunia
and Micorosoft for more information about whether it was a full patch and not
just partially fixed. Since it applies to Windows 2000 Professional as well
as Windows Server 2003 there should be a complete patch. I don't know if I
will get anywhere trying to contact them about this but I can try at least.

If you look through the list of files for W2K Prof. you can compare
them to later updates offered. Again, only extensive personal testing
might ensure your knowledge regarding the matter of a complete and
unfailing fix/patch in the NT environments. Win9X was obviously left
with the provided "fix" [it was apparently a kludge "work-around"
requiring an exe, a dll, and registry settings].

--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---
.

Thanks, Meb. My main interest was mainly in Windows 98 Second Edition being
fully patched in this case. I remember seeing the 891711 in the add/remove
programs of Windows 98 Second Edition. It certainly was a clunky way to
patch it on 98SE but as long as it was fully patched on at least 98SE, then I
am glad. :-
I may primarily use the NT source code instead of 9x source code now but
will soon have more options as I delve into Linux.

"MEB" wrote:

On 05/21/2010 10:52 AM, Dan wrote:
Snip

Thanks for the information, MEB. I guess Secunia.com needs to update their
information because they claim it was only a partial patch and not a complete
patch. I have never found out if a cracker could take advantage of this if
it is true that it is not a complete patch. I guess I can contact Secunia
and Micorosoft for more information about whether it was a full patch and not
just partially fixed. Since it applies to Windows 2000 Professional as well
as Windows Server 2003 there should be a complete patch. I don't know if I
will get anywhere trying to contact them about this but I can try at least.

If you look through the list of files for W2K Prof. you can compare
them to later updates offered. Again, only extensive personal testing
might ensure your knowledge regarding the matter of a complete and
unfailing fix/patch in the NT environments. Win9X was obviously left
with the provided "fix" [it was apparently a kludge "work-around"
requiring an exe, a dll, and registry settings].

--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---
.

On 05/21/2010 01:57 PM, Dan wrote:
Thanks, Meb. My main interest was mainly in Windows 98 Second Edition being
fully patched in this case. I remember seeing the 891711 in the add/remove
programs of Windows 98 Second Edition. It certainly was a clunky way to
patch it on 98SE but as long as it was fully patched on at least 98SE, then I
am glad. :-

Well, I didn't say it was, I merely directed to what Microsoft had
supplied to deal with the purported issue. We [the group] did have
several discussions regarding this particular Win98 "fix" when it was
current.

I may primarily use the NT source code instead of 9x source code now but
will soon have more options as I delve into Linux.

It is an interesting alternative. Don't get daunted by what it
contains, just spend some time finding what you want to try, spend time
in the support forums and groups, and you will likely develop an
enjoyment for the experience.


"MEB" wrote:

On 05/21/2010 10:52 AM, Dan wrote:
Snip

Thanks for the information, MEB. I guess Secunia.com needs to update their
information because they claim it was only a partial patch and not a complete
patch. I have never found out if a cracker could take advantage of this if
it is true that it is not a complete patch. I guess I can contact Secunia
and Micorosoft for more information about whether it was a full patch and not
just partially fixed. Since it applies to Windows 2000 Professional as well
as Windows Server 2003 there should be a complete patch. I don't know if I
will get anywhere trying to contact them about this but I can try at least.

If you look through the list of files for W2K Prof. you can compare
them to later updates offered. Again, only extensive personal testing
might ensure your knowledge regarding the matter of a complete and
unfailing fix/patch in the NT environments. Win9X was obviously left
with the provided "fix" [it was apparently a kludge "work-around"
requiring an exe, a dll, and registry settings].

--
MEB
--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---