Microsoft Security Bulletin Ms99 017 Ms99 018

Two releases in the last couple days; these are pretty important.

MS99-017 summary:

RAS and RRAS clients save the password despite the setting of the "Save Password" checkbox.

Microsoft has published the following Knowledge Base (KB) article on this

issue:

- Microsoft Knowledge Base (KB) article Q230681,

RAS Credentials Saved when "Save Password" Option Unchecked,

http://support.microsoft.com/support/kb/articles/q230/6/81.asp

- Microsoft Knowledge Base (KB) article Q233303,

RRAS Credentials Saved when "Save Password" Option Unchecked,

http://support.microsoft.com/support/kb/articles/q233/3/03.asp

MS99-018 summary:

1) "Malformed Favories Icon" There is a buffer overrun hole in the favicon.ico handling; arbitrary code could be executed.

2) "Legacy ActiveX Control" There is an ActiveX control installed with IE3 that is not used in either IE4 or 5, though it is included with them. It could allow access to the client's hard drive.

Microsoft has published the following Knowledge Base (KB) article on this

issue:

- Microsoft Knowledge Base (KB) article Q231450,

Update Available for the "Malformed Favorites Icon" Issue in

Internet Explorer 5,

http://support.microsoft.com/support/kb/articles/q231/4/50.asp

- Microsoft Knowledge Base (KB) article Q231452,

Update Available for "Legacy ActiveX Control" Issue in Internet

Explorer 5,

http://support.microsoft.com/support/kb/articles/q231/4/52.asp

sgd