Playing with FireFox

Rich Tehrani : Communications and Technology Blog -

I have been using FireFox more and more recently and was amused to find out
that when I went to Microsoft Office
I was told I need to use IE to download the required patches. I am
no expert on monopolies but there seems to be something unfair about being
forced into having a copy of IE on hand to make sure you can upgrade your

The same thing holds true for Windows. I would think the EU and the DOJ/FTC
would be up in arms about such

Here is the e-mail regarding a security flaw in Office that started me down
this path:

National Cyber Alert System

Technical Cyber Security Alert TA05-193A

Microsoft Windows, Internet Explorer, and Word Vulnerabilities

Original release date: July 12, 2005
Last revised: --
Source: US-CERT

Systems Affected

 * Microsoft Windows
 * Microsoft Office
 * Microsoft Internet Explorer

For more complete information, refer to the Microsoft Security Bulletin
Summary for July, 2005.

Microsoft has released updates that address critical vulnerabilities in
Windows, Office, and Internet Explorer. Exploitation of these
vulnerabilities could allow a remote, unauthenticated attacker to execute
arbitrary code on an affected

I. Description

Microsoft Security Bulletins for July, 2005 address vulnerabilities in
Windows, Office, and Internet Explorer. Further information is available
in the following Vulnerability Notes:

VU#218621 - Microsoft Word buffer overflow in font processing routine

A buffer overflow in the font processing routine of Microsoft Word may
allow a remote attacker to execute code on a vulnerable system.

VU#720742 - Microsoft Color Management Module buffer overflow during
profile tag validation

Microsoft Color Management Module fails to properly validate input data,
allowing a remote attacker to execute arbitrary code.

VU#939605 - JVIEW Profiler (javaprxy.dll) COM object contains an
unspecified vulnerability

The JVIEW Profiler COM object contains an unspecified vulnerability, which
may allow a remote attacker to execute arbitrary code on a vulnerable
system.


II. Impact

Exploitation of these vulnerabilities could allow a remote,
unauthenticated attacker to execute arbitrary code with the privileges of
the user. If the user is logged on with administrative privileges, the
attacker could take control of an affected system.

III. Solution

Apply Updates

Microsoft has provided the updates for these vulnerabilities in the
Security Bulletins and on the Microsoft Update site.

Please see the individual Vulnerability Notes for workarounds.

Appendix A. References

 * Microsoft Security Bulletin Summary for July, 2005
 * US-CERT Vulnerability Note
 * US-CERT Vulnerability Note
 * US-CERT Vulnerability Note
 * CAN-2005-0564
 * CAN-2005-1219
 * CAN-2005-2087
 * Microsoft Update
 * Microsoft Update Overview



Feedback can be directed to the US-CERT Technical Staff.
Please send mail to with the subject:

"TA05-193A Feedback

This document is available at

Produced 2005 by US-CERT, a government

Terms of use

Revision History

July 12, 2005: Initial release

Last updated July 12, 2005
