Playing with FireFox

Rich Tehrani : Communications and Technology Blog - Tehrani.com



I have been using FireFox more and more recently and was amused to find out that when I went to Microsoft Office Update I was told I need to use IE to download the required patches. I am no expert on monopolies but there seems to be something unfair about being forced into having a copy of IE on hand to make sure you can upgrade your software.

The same thing holds true for Windows Update. I would think the EU and the DOJ/FTC would be up in arms about such practices.

Here is the e-mail regarding a security flaw in Office that started me down this path:



National Cyber Alert System

Technical Cyber Security Alert TA05-193A

Microsoft Windows, Internet Explorer, and Word Vulnerabilities

Original release date: July 12, 2005
Last revised: --
Source: US-CERT



Systems Affected

 * Microsoft Windows
 * Microsoft Office
 * Microsoft Internet Explorer

For more complete information, refer to the Microsoft Security Bulletin Summary for July, 2005.



Overview

Microsoft has released updates that address critical vulnerabilities in Windows, Office, and Internet Explorer. Exploitation of these vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code on an affected system.



I. Description

Microsoft Security Bulletins for July, 2005 address vulnerabilities in Windows, Office, and Internet Explorer. Further information is available in the following Vulnerability Notes:

VU#218621 - Microsoft Word buffer overflow in font processing routine

A buffer overflow in the font processing routine of Microsoft Word may allow a remote attacker to execute code on a vulnerable system. (CAN-2005-0564)

VU#720742 - Microsoft Color Management Module buffer overflow during profile tag validation

Microsoft Color Management Module fails to properly validate input data, allowing a remote attacker to execute arbitrary code. (CAN-2005-1219)

VU#939605 - JVIEW Profiler (javaprxy.dll) COM object contains an unspecified vulnerability

The JVIEW Profiler COM object contains an unspecified vulnerability, which may allow a remote attacker to execute arbitrary code on a vulnerable system. (CAN-2005-2087)



II. Impact

Exploitation of these vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code with the privileges of the user. If the user is logged on with administrative privileges, the attacker could take control of an affected system.



III. Solution

Apply Updates

Microsoft has provided the updates for these vulnerabilities in the Security Bulletins and on the Microsoft Update site.

Workarounds

Please see the individual Vulnerability Notes for workarounds.



Appendix A. References

 * Microsoft Security Bulletin Summary for July, 2005
   <http://www.microsoft.com/technet/security/bulletin/ms05-jul.mspx>

 * US-CERT Vulnerability Note VU#218621
   <http://www.kb.cert.org/vuls/id/218621>

 * US-CERT Vulnerability Note VU#720742
   <http://www.kb.cert.org/vuls/id/720742>

 * US-CERT Vulnerability Note VU#939605
   <http://www.kb.cert.org/vuls/id/939605>

 * CAN-2005-0564
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0564>

 * CAN-2005-1219
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1219>

 * CAN-2005-2087
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2087>

 * Microsoft Update
   <http://update.microsoft.com/>

 * Microsoft Update Overview
   <http://www.microsoft.com/technet/prodtechnol/microsoftupdate/default.mspx>



 _________________________________________________________________

Feedback can be directed to the US-CERT Technical Staff. Please send mail to cert@cert.org with the subject:

 "TA05-193A Feedback VU#720742"

 _________________________________________________________________

This document is available at <http://www.us-cert.gov/cas/techalerts/TA05-193A.html>

 _________________________________________________________________

Produced 2005 by US-CERT, a government organization.

 _________________________________________________________________

Terms of use: <http://www.us-cert.gov/legal.html>

 _________________________________________________________________

Revision History

 July 12, 2005: Initial release

Last updated July 12, 2005


