Microsoft Security Bulletin MS02-054
Unchecked Buffer in File Decompression Functions Could Lead to Code Execution (Q329048)
Originally posted: October 02, 2002
Updated: February 28, 2003
Who should read this bulletin:
Customers using Microsoft® Windows® 98 with Plus! Pack, Windows Me, or Windows XP
Impact of vulnerability:
Two vulnerabilities, the most serious of which could allow code of the attacker's choice to run
Maximum Severity Rating:
Consider applying the patch to affected systems
- Microsoft Windows 98 with Plus! Pack
- Microsoft Windows Me
- Microsoft Windows XP
Microsoft thanks the following people for working with us to protect customers:
- Joe Testa of Rapid7, Inc. (http://www.rapid7.com/) for reporting the Unchecked Buffer in Zipped File Handling vulnerability.
- zen-parse for reporting the Incorrect Target Path for Zipped File Decompression vulnerability.
- Microsoft Knowledge Base article Q329048 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
- Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (October 02, 2002): Bulletin Created.
- V1.1 (October 07, 2002): Updated information on verifying patch installation for Windows XP.
- V1.2 (October 09, 2002): Updated to correct uninstall information for Windows 98 and Windows ME.
- V1.3 (February 28, 2003): Updated download links to Windows Update.