Microsoft Security Bulletin MS04-040

What causes the vulnerability? Office Update Software Update Services: By using Microsoft Software Update Services (SUS), administrators can quickly and reliably deploy the latest critical updates and security updates to Windows 2000 and Windows Server Security Update Information Installation Platforms and Prerequisites: For information about the specific security update for your platform, click the appropriate link: Windows Server 2003 (all versions) Prerequisites This security update requires What is the cross-domain security model that Internet Explorer uses?

One of the principal security functions of a browser is to make sure that browser windows that are under the control of different Web sites cannot interfere with each other or While SUS does leverage Windows Update technology to help deploy security updates, SUS does not use Windows Update Version 5 and is not impacted by this re-release. This could allow an attacker to take complete control of the affected system. More information on Update.exe is located on the following Microsoft Web Site.

System administrators can also use the Spuninst.exe utility to remove this security update. Revisions: V1.0 February 2, 2004: Bulletin published. By default, Internet Explorer on Windows Server 2003 runs in a restricted mode that is known as Enhanced Security Configuration that mitigates this vulnerability.

In some situations, the Web Publishing features of ISA Server 2000 or Proxy Server 2.0 can successfully block attempts to exploit this vulnerability. An update for this issue is available; please see Knowledge Base article 831167. Severity Ratings and Vulnerability Identifiers: Vulnerability Identifiers | Impact of Vulnerability | Internet Explorer 5.01 SP3, SP4 | Internet Explorer 5.5 SP2 | Internet Explorer 6 | Internet Explorer 6 SP1 (All versions earlier than Windows Server 2003) | Internet Explorer 6 for Restart Requirement You must restart your system after you install this security update.

However, the file and registry key information available in this bulletin can be used to write specific file/registry key collection queries in SMS to detect vulnerable computers. File Information The English version of this update has the file attributes (or later) that are listed in the following table. Install the update that is included with Microsoft Security Bulletin MS04-018 if you are using Outlook Express 5.5 SP2. The cross domain security model of Internet Explorer keeps windows of different domains from sharing information.

The attacker could also create an HTML e-mail message designed to exploit the vulnerability and persuade the user to view the HTML e-mail message. This update contains two additional security changes. To determine the support lifecycle for your product and version, visit the following Microsoft Support Lifecycle Web site.

Internet Explorer Enhanced Security Configuration reduces this risk by modifying numerous security-related settings, including the settings on the Security and the Advanced tab in the Internet Options dialog box. For more information about severity ratings, visit the following Web site. It has been assigned Common Vulnerability and Exposure number CAN-2004-0549. If you have previously installed a hotfix to update one of these files, the installer copies the RTMQFE files to your computer.

Additionally, Outlook 98 and Outlook 2000 open HTML e-mail messages in the Restricted sites zone if the Outlook E-mail Security Update has been installed. It has been assigned Common Vulnerability and Exposure number CAN-2004-0727. Install Outlook E-mail Security Update if you are using Outlook 2000 SP1 or earlier.

The update removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer. Yes. For more information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site. How could an attacker exploit this vulnerability?

When you call, ask to speak with the local Premier Support sales manager. File Information The English version of this security update has the file attributes (or later) that are listed in the following table. FAQ for Windows Management Vulnerability - CAN-2003-0909: What is the scope of the vulnerability?

However, because your local file system is in a different domain from the Web site, the cross-domain security model should prevent the Web site from reading the file that is being

What is LSASS? For more information about how to obtain the latest service pack for Internet Explorer 6, see Microsoft Knowledge Base Article 328548. SMS can successfully deploy this update for all versions of Internet Explorer, except for Internet Explorer 6 SP1. This tool allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations.

They will be made available as soon as possible following the release. Security Update Information Prerequisites Microsoft has tested the versions of Windows and the versions of Internet Explorer that are listed in this bulletin to assess whether they are affected by these When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?

Impact of Workaround: Microsoft recommends that customers consider these changes to Internet Explorer security settings as a last resort only. Microsoft Software Update Services Microsoft Baseline Security Analyzer (MBSA) Windows Update Windows Update Catalog: For more information about the Windows Update Catalog, see Microsoft Knowledge Base Article 323166. By default, Internet Explorer on Windows Server 2003 runs in a restricted mode that is known as the Internet Explorer Enhanced Security Configuration. The dates and times for these files are listed in coordinated universal time (UTC).

Microsoft Security Notification Service: To receive automatic e-mail notifications whenever Microsoft security bulletins are issued, subscribe to the Microsoft Security Notification Service. A separate package has been created for Internet Explorer 6 Service Pack 1 when used on Windows NT Server Service Pack 6a, Windows 98, Windows 98SE, and Windows Me. Automatic detection of intranet sites is disabled. Systems Management Server (SMS): Systems Management Server can provide assistance deploying this security update.

Customers who have installed both the update referenced in Microsoft Security Bulletin MS04-024 and have installed the ADODB.Stream update that is referenced in Knowledge Base Article 870669 will be at a Impact of Workaround: For those sites that you have not configured to be in your Trusted sites zone, their functionality will be impaired if they require the use of ActiveX controls Customers who use one or more of these products could be at a reduced risk from an e-mail-borne attack that tries to exploit this vulnerability by having the user click a

This utility supports the following setup switches: /?: Show the list of supported switches /z: Do not restart when the installation is complete /q: Use Quiet mode (no user interaction) To For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841. An attacker could attempt to exploit this vulnerability over the Internet. Windows Management Vulnerability - CAN-2003-0909 A privilege elevation vulnerability exists in the way that Windows XP allows tasks to be created.

When you install any of the MS04-040 security updates for Internet Explorer 6 SP1, Internet Explorer hotfixes released since MS04-004 will be removed if the hotfix replaced any of the files For additional information about MBSA, please visit the Microsoft Baseline Security Analyzer Web site. How do I get it? As with the previous Internet Explorer Cumulative Security Updates that have been released since MS04-004, this update also includes a change to the functionality of a clear-text authentication feature in Internet

More information can be found in Knowledge Base Article 832414. To find information about how to manually start many of the accessibility features, visit this Web site.