********************************************************************
Title: Microsoft Security Bulletin Summary for April 2005
Issued: April 12, 2005
Version Number: 1.0
Bulletin: http://go.microsoft.com/fwlink/?LinkId=46049
********************************************************************

Summary:
========
This advisory contains information about all security updates
released this month. It is broken down by security bulletin severity.

Critical Security Bulletins
===========================

    MS05-019 - Vulnerabilities in TCP/IP Could Allow Remote Code
               Execution and Denial of Service (893066)

      - Affected Software:
        - Microsoft Windows 2000 Service Pack 3
        - Microsoft Windows 2000 Service Pack 4
        - Microsoft Windows XP Service Pack 1
        - Microsoft Windows XP Service Pack 2
        - Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
        - Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
        - Microsoft Windows Server 2003
        - Microsoft Windows Server 2003 for Itanium-based Systems

      - Review the FAQ section of bulletin MS05-019 for
        information about these operating systems:
        - Microsoft Windows 98
        - Microsoft Windows 98 Second Edition (SE)
        - Microsoft Windows Millennium Edition (ME)

      - Impact: Remote Code Execution
      - Version Number: 1.0

    MS05-020 - Cumulative Security Update for Internet Explorer
               (890923)

      - Affected Software:
        - Microsoft Windows 2000 Service Pack 3
        - Microsoft Windows 2000 Service Pack 4
        - Microsoft Windows XP Service Pack 1
        - Microsoft Windows XP Service Pack 2
        - Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
        - Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
        - Microsoft Windows Server 2003
        - Microsoft Windows Server 2003 for Itanium-based Systems

      - Review the FAQ section of bulletin MS05-020 for
        information about these operating systems:
        - Microsoft Windows 98
        - Microsoft Windows 98 Second Edition (SE)
        - Microsoft Windows Millennium Edition (ME)

      - Affected Components:
        - Internet Explorer 5.01 Service Pack 3
        - Internet Explorer 5.01 Service Pack 4
        - Internet Explorer 5.5 Service Pack 2 on Microsoft Windows ME
        - Internet Explorer 6 Service Pack 1
        - Internet Explorer 6 Service Pack 1 (64-Bit Edition)
        - Internet Explorer 6 for Windows XP Service Pack 2
        - Internet Explorer 6 for Windows Server 2003
        - Internet Explorer 6 for Windows Server 2003 for
          Itanium-based Systems

      - Impact: Remote Code Execution
      - Version Number: 1.0

    MS05-021 - Vulnerability in Exchange Server Could Allow Remote
               Code Execution (894549)

      - Affected Software:
        - Microsoft Exchange 2000 Server Service Pack 3
        - Microsoft Exchange Server 2003
        - Microsoft Exchange Server 2003 Service Pack 1

      - Impact: Remote Code Execution
      - Version Number: 1.0

    MS05-022 - Vulnerability in MSN Messenger Could Lead to Remote
               Code Execution (896597)

      - Affected Software:
        - MSN Messenger 6.2

      - Impact: Remote Code Execution
      - Version Number: 1.0

    MS05-023 - Vulnerabilities in Microsoft Word May Lead to Remote
               Code Execution (890169)

      - Affected Software:
        - Microsoft Word 2000
        - Microsoft Word 2002
        - Microsoft Word 2003
        - Microsoft Works Suite 2001
        - Microsoft Works Suite 2002
        - Microsoft Works Suite 2003
        - Microsoft Works Suite 2004

      - Impact: Remote Code Execution
      - Version Number: 1.0

Important Security Bulletins
============================

    MS05-016 - Vulnerability in Windows Shell that Could Allow Remote
               Code Execution (893086)

      - Affected Software:
        - Microsoft Windows 2000 Service Pack 3
        - Microsoft Windows 2000 Service Pack 4
        - Microsoft Windows XP Service Pack 1
        - Microsoft Windows XP Service Pack 2
        - Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
        - Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
        - Microsoft Windows Server 2003
        - Microsoft Windows Server 2003 for Itanium-based Systems

      - Review the FAQ section of bulletin MS05-016 for
        information about these operating systems:
        - Microsoft Windows 98
        - Microsoft Windows 98 Second Edition (SE)
        - Microsoft Windows Millennium Edition (ME)

      - Impact: Remote Code Execution
      - Version Number: 1.0

    MS05-017 - Vulnerability in MSMQ Could Allow Remote Code Execution
               (892944)

      - Affected Software:
        - Microsoft Windows 2000 Service Pack 3
        - Microsoft Windows 2000 Service Pack 4
        - Microsoft Windows XP Service Pack 1
        - Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)

      - Review the FAQ section of bulletin MS05-017 for
        information about these operating systems:
        - Microsoft Windows 98
        - Microsoft Windows 98 Second Edition (SE)

      - Impact: Remote Code Execution
      - Version Number: 1.0

    MS05-018 - Vulnerability in Windows Kernel Could Allow Elevation
               of Privilege and Denial of Service (890859)

      - Affected Software:
        - Microsoft Windows 2000 Service Pack 3
        - Microsoft Windows 2000 Service Pack 4
        - Microsoft Windows XP Service Pack 1
        - Microsoft Windows XP Service Pack 2
        - Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
        - Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
        - Microsoft Windows Server 2003
        - Microsoft Windows Server 2003 for Itanium-based Systems

      - Review the FAQ section of bulletin MS05-018 for
        information about these operating systems:
        - Microsoft Windows 98
        - Microsoft Windows 98 Second Edition (SE)
        - Microsoft Windows Millennium Edition (ME)

      - Impact: Elevation of Privilege
      - Version Number: 1.0

Update Availability:
===================
Updates are available to address these issues.
For additional information, including Technical Details,
Workarounds, answers to Frequently Asked Questions,
and Update Deployment Information, please read
the Microsoft Security Bulletin Summary for this
month at: http://go.microsoft.com/fwlink/?LinkId=46049

Support:
========
Technical support is available from Microsoft Product Support
Services at 1-866-PC SAFETY (1-866-727-2338). There is no
charge for support calls associated with security updates.
International customers can get support from their local Microsoft
subsidiaries. Phone numbers for international support can be found
at: http://support.microsoft.com/common/international.aspx

Additional Resources:
=====================
* Microsoft has created a free monthly e-mail newsletter containing
  valuable information to help you protect your network. This
  newsletter provides practical security tips, topical security
  guidance, useful resources and links, pointers to helpful
  community resources, and a forum for you to provide feedback
  and ask security-related questions.
  You can sign up for the newsletter at:

  http://www.microsoft.com/technet/security/secnews/default.mspx

* Microsoft has created a free e-mail notification service that
  serves as a supplement to the Security Notification Service
  (this e-mail). It provides timely notification of any minor
  changes or revisions to previously released Microsoft Security
  Bulletins. This new service provides notifications that are
  written for IT professionals and contain technical information
  about the revisions to security bulletins.
  Visit http://www.microsoft.com to subscribe to this service:

  - Click on Subscribe at the top of the page.
  - This will direct you via Passport to the Subscription center.
  - Under Newsletter Subscriptions you can sign up for the
    "Microsoft Security Notification Service: Comprehensive Version".

* Join Microsoft's webcast for a live discussion of the technical
  details of these security bulletins and steps you can take
  to protect your environment. Details about the live webcast
  can be found at:

  www.microsoft.com/technet/security/bulletin/summary.mspx

  The on-demand version of the webcast will be available 24 hours
  after the live webcast at:

  www.microsoft.com/technet/security/bulletin/summary.mspx

* Protect your PC: Microsoft has provided information on how you
  can help protect your PC at the following locations:

  http://www.microsoft.com/security/protect/

  If you receive an e-mail that claims to be distributing a
  Microsoft security update, it is a hoax that may be distributing a
  virus. Microsoft does not distribute security updates through
  e-mail. You can learn more about Microsoft's software distribution
  policies here:

  http://www.microsoft.com/technet/security/topics/policy/swdist.mspx

Acknowledgments:
================
Microsoft thanks the following for working with us to protect
customers:

* Mark Dowd and Ben Layer of ISS X-Force (http://www.iss.net) for
  reporting an issue described in MS05-021.

* Alex Li (alexli@hush.com) for reporting an issue
  described in MS05-023.

* Hongzhen Zhou (felix__zhou@hotmail.com) for reporting the issue
  described in MS05-022.

* Song Liu (songsong@shaw.ca), Hongzhen Zhou, and Neel Mehta of ISS
  X-Force (http://www.iss.net) for reporting an issue described in
  MS05-019.

* Fernando Gont (http://www.gont.com.ar) for reporting an issue
  described in MS05-019.

* Qualys (http://www.qualys.com) for reporting an issue described in
  MS05-019.

* Berend-Jan Wever working with iDefense
  (http://www.idefense.com) for reporting an issue described in
  MS05-020.

* 3APA3A and axle@bytefall working with iDefense
  (http://www.idefense.com) for reporting an issue described in
  MS05-020.

* Andres Tarasco of SIA Group (http://www.siainternational.com) for
  reporting an issue described in MS05-020.

* iDefense (http://www.idefense.com) for reporting an issue described
  in MS05-016.

* Kostya Kortchinsky (kostya.kortchinsky@renater.fr) with CERT
  RENATER for reporting an issue described in MS05-017.

* John Heasman with NGSSoftware (http://www.ngssoftware.com) for
  reporting an issue described in MS05-018.

* Sanjeev Radhakrishnan, Amit Joshi, and Ananta Iyengar with
  GreenBorder Technologies (http://www.greenborder.com) for
  reporting an issue described in MS05-018.

* David Fritz working with iDefense (http://www.idefense.com) for
  reporting an issue described in MS05-018.

********************************************************************
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT
DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING
THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE
LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY
FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING
LIMITATION MAY NOT APPLY.
********************************************************************