February 2005
Microsoft Security Bulletins - February Release - UNIRAS Assessment
ID: 00119
Ref: 102/2005
Date: 10 February 2005:11:10:25
Version: 1
Title: Microsoft Security Bulletins - February Release - UNIRAS Assessment
Abstract: An assessment of some of the various vulnerabilities identified as a result of recent Microsoft Security Bulletins.
Vendors affected: Microsoft
Operating systems affected: Microsoft
Applications affected: Microsoft
Research indicates that proof of concept exploits have been released for the MS05-005
(Microsoft Office URL handling) and MS05-009 (Multiple PNG file decode problems)
issues. Both of these are on the MS critical patch list, and it is expected that
malware exploiting these vulnerabilities will appear in the near future.
The section of MS05-009 that relates to MSN Messenger (the libpng vulnerability)
is likely to be serious, as it may be possible to execute malicious code in a
completely undetected manner with little or no user interaction, depending on MSN
client settings.
UNIRAS is advised that the major antivirus vendors have signatures already
available or nearing completion for both of these issues.
In respect of MS05-011, some details have been published that could enable an
attacker to construct an exploit for a heap overflow in the MRXSMB.SYS SMB
device driver. The description provides examples of which fields can be
overflowed, so an exploit is likely to follow in the near future (possibly
in a week or so). The impact of this vulnerability is that arbitrary code
could be executed to provide complete control of the computer. However, as
yet there is no evidence of an exploit in the public domain.
UNIRAS advises that vulnerable systems should be patched as quickly as
possible and will continue to monitor the situation for further developments.
Useful URLs:
http://www.uniras.gov.uk/niscc/docs/al-20050208-00114.html?lang=en
http://www.microsoft.com/technet/security/bulletin/ms05-feb.mspx