Microsoft Security Bulletin MS05-053has been released.
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
See Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (896424)
Published: November 8, 2005
Graphics Rendering Engine - CAN-2005-2123
Windows Metafile Vulnerability - CAN-2005-2124
Enhanced Metafile Vulnerability - CAN-2005-0803
The update replaces MS03-045 and MS05-002 on Windows XP Service Pack 1.
There is a workaround, "Microsoft Outlook 2002 users who have applied Office XP Service Pack 1 or a later version and Microsoft Outlook Express 6 users who have applied Internet Explorer 6 Service Pack 1 or a later version", MS says "Read e-mail messages in plain text format" ... "to help protect yourself from the HTML e-mail attack vector", as outlined in Article ID:307594 - Description of a new feature that users can use to read non-digitally-signed e-mail or nonencrypted e-mail as plain text in Office XP SP-1
I'll also note here that in the many previous instances of this type of buffer overflow it was common for protection to already exist in many environments. If you cannot deploy the patches rapidly please consult with your individual AV and security software vendors and ask if their security solution provides generic buffer overflow protection against these vulnerabilities.
Nov 8th 2005
1 decade ago