May 2005
Microsoft May Security Bulletin
ID: 00397
Ref: 367/2005
Date: 11 May 2005:12:20:41
Version: 1
Title: Microsoft May Security Bulletin
Abstract: NISCC assessment of the recent advisory issued by Microsoft Corporation
Vendors affected: Microsoft
Operating systems affected: Microsoft
Applications affected: Microsoft
The Microsoft Security Bulletin for May addressed only one vulnerability,
classified as 'Important'. NISCC advises that exploitation of this
vulnerability is deemed trivial; demonstration code is available and has been
tested. Exploitation is expected in the near future.
http://go.microsoft.com/fwlink/?LinkId=47292
MS05-024
A vulnerability has been identified in the way Web View in Windows Explorer
handles certain HTML characters in preview fields. By enticing a user to
preview a file containing malicious content (such as a Word document), an
attacker could execute arbitrary code in the context of the logged-in user.
The Preview Pane outputs the name of the document's author, checking whether
it is an email address and, if so, transforming it into a 'mailto' link.
However, this transformation does not filter its input properly, which allows
attributes to be injected into the link and so enables the execution of
arbitrary script commands.
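The flaw class described above, as an added example that is not part of the NISCC advisory and is not Microsoft's code: a JavaScript model of a renderer that turns an author field into a 'mailto' link, first without output encoding and then hardened. The function names, the loose e-mail test, the markup shape and the sample author value are assumptions made for illustration.

```javascript
// Added illustration: a model of the flaw class, not Microsoft's Web View code.
// The loose e-mail test and the markup shape below are assumptions.

// Loose check: anything with an "@" between two non-empty parts passes.
function looksLikeEmail(value) {
  return /^.+@.+$/.test(value);
}

// Flawed form: the author string is concatenated into the attribute unescaped.
function renderAuthorUnsafe(author) {
  if (!looksLikeEmail(author)) return author;
  return '<a href="mailto:' + author + '">' + author + '</a>';
}

// Escape the characters that can end an attribute value or start a tag.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened form: strict address syntax decides linking, output is always escaped.
function renderAuthorSafe(author) {
  const strict = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/;
  const shown = escapeHtml(author);
  if (!strict.test(author)) return shown;
  return '<a href="mailto:' + shown + '">' + shown + '</a>';
}

// List the attribute names present on the opening <a> tag of a fragment.
function anchorAttributes(html) {
  const tag = /^<a\s([^>]*)>/.exec(html);
  if (!tag) return [];
  const names = [];
  const re = /([A-Za-z-]+)\s*=\s*"[^"]*"/g;
  let m;
  while ((m = re.exec(tag[1])) !== null) names.push(m[1]);
  return names;
}

// Constructed sample: a quote closes href and a harmless marker attribute follows.
const CONSTRUCTED_AUTHOR = 'user@example.com" data-injected="1';

console.log(anchorAttributes(renderAuthorUnsafe(CONSTRUCTED_AUTHOR)));
console.log(renderAuthorSafe(CONSTRUCTED_AUTHOR));
```

The unsafe renderer emits a link carrying an attribute that came from document metadata; the hardened one refuses to build a link from a value that is not a plain address and encodes it for display.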
Although the attacker would need to host a Web site that contains the
malicious page and entice the user both to visit it and to preview the
document, this would be relatively straightforward via a number of techniques,
such as phishing and DNS poisoning, that have been prevalent recently.
Affected Software:
Windows 2000 Service Packs 3 and 4
Windows 98, 98(SE), 98 ME.
See http://www.greymagic.com/security/advisories/gm015-ie/ for more in-depth
information and demonstration Word documents, and CAN-2005-1191 for
additional references.