Public Safety and Emergency Preparedness Canada | Sécurité publique et Protection civile Canada
You have accessed an archived page on the Public Safety and Emergency Preparedness Canada website. This material may be outdated. Please consult our new site for up-to-date information.


Advisory Number: AV05-031
Vulnerability in Microsoft DDS Library Shape Control (Msdds.dll)
19 August 2005

UPDATE
August 22, 2005

Microsoft has updated their Security Advisory (906267) to include additional mitigating factors and their "Workarounds" section.

Excerpt from Microsoft Security Advisory (906267):

Mitigating Factors:

  • The Microsoft DDS Library Shape Control (Msdds.dll) does not ship in Windows.
  • The Microsoft DDS Library Shape Control (Msdds.dll) does not ship in the .NET Framework.
  • Customers who do not have Msdds.dll on their systems are not affected by this vulnerability.
  • The affected versions of Msdds.dll are 7.0.9064.9112 and 7.0.9446.0. Customers who have Msdds.dll with version 7.0.9955.0, 7.10.3077.0, or higher on their systems are not affected by this vulnerability.
  • Customers who use Microsoft Office 2003 are not affected by this vulnerability.
  • Customers who use Microsoft Access 2003 are not affected by this vulnerability.
  • Customers who use Microsoft Office XP Service Pack 3 are not by default affected by this vulnerability. See Frequently Asked Question “I am running Microsoft Office XP Service Pack 3, am I affected by this vulnerability?” for additional details.
  • Customers who use Microsoft Access 2002 Service Pack 3 are not by default affected by this vulnerability. See Frequently Asked Question “I am running Microsoft Office XP Service Pack 3, am I affected by this vulnerability?” for additional details.
  • Customers who use Microsoft Visual Studio 2003 are not affected by this vulnerability.
  • Customers who use Microsoft Visual Studio 2002 Service Pack 1 are not affected by this vulnerability.

PSEPC recommends that administrators review the updated information, and test and apply the suggested workarounds by Microsoft:
http://www.microsoft.com/technet/security/advisory/906267.mspx
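
The version numbers in the mitigating factors above can be turned into a local triage check. The following is an added example, not code from PSEPC or Microsoft. It assumes the administrator supplies the directories to search (the advisory names no install path), and the function name `Get-MsddsStatus` is hypothetical.

```powershell
# Added example: triage Msdds.dll copies against the versions listed in the advisory.
# Assumption: the default search roots are only a starting point; the advisory
# names no install path, so pass the directories relevant to your systems.
param(
    [string[]]$SearchRoot = @($env:ProgramFiles, $env:CommonProgramFiles)
)

# Versions the advisory lists as affected.
$AffectedVersions = @([version]'7.0.9064.9112', [version]'7.0.9446.0')
# Lowest version the advisory lists as not affected (7.10.3077.0 sorts above it).
$FirstUnaffected = [version]'7.0.9955.0'

function Get-MsddsStatus {
    param([Parameter(Mandatory)][version]$FileVersion)
    if ($AffectedVersions -contains $FileVersion) { return 'Affected' }
    if ($FileVersion -ge $FirstUnaffected)        { return 'NotAffected' }
    # A version the advisory does not name: report it instead of guessing.
    return 'ReviewManually'
}

$found = Get-ChildItem -Path $SearchRoot -Filter 'msdds.dll' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $vi = $_.VersionInfo
        # Build the version from its numeric parts; the FileVersion string can carry extra text.
        $ver = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart,
                                         $vi.FileBuildPart, $vi.FilePrivatePart)
        [pscustomobject]@{
            Path    = $_.FullName
            Version = $ver
            Status  = Get-MsddsStatus -FileVersion $ver
        }
    }

if (-not $found) {
    'Msdds.dll was not found under the search roots.'
} else {
    $found | Format-Table -AutoSize
}
```

A result of `ReviewManually` means the file version is below 7.0.9955.0 but is not one of the two versions the advisory names as affected.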

Purpose
The purpose of this advisory is to bring attention to a vulnerability in the Microsoft DDS Library Shape Control (Msdds.dll).

Assessment
The issue is due to a memory corruption error. The Microsoft DDS Library Shape Control (Msdds.dll) is a COM object that could, when called from a web page displayed in Internet Explorer, cause Internet Explorer to unexpectedly exit. This condition could potentially allow remote code execution if a user visited a malicious Web site.

Mitigating Factors:

  • The Microsoft DDS Library Shape Control (Msdds.dll) does not ship in Windows by default.

Affected Software:

  • Internet Explorer 5.01 Service Pack 4
    on Microsoft Windows 2000 Service Pack 4
  • Internet Explorer 6 Service Pack 1
    on Microsoft Windows 2000 Service Pack 4
  • Internet Explorer 6 Service Pack 1
    on Microsoft Windows XP Service Pack 1
  • Internet Explorer 6 for Microsoft Windows XP Service Pack 2
  • Internet Explorer 6 Service Pack 1
    for Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
  • Internet Explorer 6 for Microsoft Windows Server 2003
  • Internet Explorer 6 for Microsoft Windows Server 2003 Service Pack 1
  • Internet Explorer 6 for Microsoft Windows Server 2003
    for Itanium-based Systems
  • Internet Explorer 6 for Microsoft Windows Server 2003 with SP1
    for Itanium-based Systems
  • Internet Explorer 6
    for Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
  • Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition
  • Internet Explorer 6 for Microsoft Windows XP Professional x64 Edition
  • Microsoft Visual Studio .NET 2002
  • Microsoft Visual Studio .NET 2003
  • Microsoft Office Professional 2003
  • Microsoft Office XP

Suggested action
PSEPC recommends that administrators test and apply the suggested workarounds by Microsoft:
http://www.microsoft.com/technet/security/advisory/906267.mspx

Additional information is available at:
http://secunia.com/advisories/16480/


---

Note to Readers

Public Safety and Emergency Preparedness Canada (PSEPC) collects information related to cyber and physical threats to, and incidents involving, Canadian critical infrastructure. This allows us to monitor and analyse threats and to issue alerts, advisories and other information products to our partners. To report threats or incidents, please contact the PSEPC operations coordination centre at (613) 991-7000 or goc-cog@psepc-sppcc.gc.ca by e-mail.

Unauthorized use of computer systems and mischief in relation to data are serious Criminal Code offences in Canada. Any suspected criminal activity should be reported to local law enforcement organizations. The RCMP National Operations Centre (NOC) provides a 24/7 service to receive such reports or to redirect callers to local law enforcement organizations. The NOC can be reached at (613) 993-4460. National security concerns should be reported to the Canadian Security Intelligence Service (CSIS) at (613) 993-9620.

Links to sites not under the control of the Government of Canada (GoC) are provided solely for the convenience of users. The GoC is not responsible for the accuracy, currency or the reliability of the content. The GoC does not offer any guarantee in that regard and is not responsible for the information found through these links, nor does it endorse the sites and their content.

Last Updated: 10/25/2005