Saturday, August 20, 2005

Microsoft Security Response Center: New security advisory

From the MSRC Blog:

Hey folks – Mike Reavey here, live from the situation room. (BTW- “live from the situation room” is a new favorite term ever since our big television debut this week!) I wanted to let you know that we published an advisory on a security issue in COM object, MSDDS.DLL, that when loaded in Internet Explorer could potentially run malicious code a system. The advisory is here. Some quick excerpts that are important for customers to know:

· The Microsoft DDS Library Shape Control (Msdds.dll) does not ship in the .NET Framework.

· Microsoft Office 2003 are not affected by this vulnerability.

· Microsoft Access 2003 are not affected by this vulnerability.

· Microsoft Visual Studio 2003 are not affected by this vulnerability.

· Microsoft Visual Studio 2002 Service Pack 1 are not affected by this vulnerability.

As far as where the control does ship:

· Microsoft Visual Studio 2002 with no service packs ships the control, but customers that have applied Service Pack 1 for Visual Studio 2002 will be protected.

· Microsoft Office XP Service Pack 3 are not by default affected by this vulnerability. However, its only in a vulnerable configuration if the C runtime library files are in the search path for Internet Explorer. These files are Msvcr70.dll and Msvscp70.dll. For instance placing them in the same directory as Msdds.dll or in the %windir%/system32 directory could expose Office XP customers to this issue.

Of course, there are more suggested actions in the advisory that can help protect customers and we’ll keep investigating this issue. Finally, you’ve heard us say it before, but I’ll say it again; publicly posting details and exploit code for a vulnerability puts customers at risk. We really want to encourage security researchers to work with us by sending information to secure@microsoft.com. You can read more about how to work with us here.


0 Comments:

Post a Comment

<< Home