For October’s Patch Tuesday, Microsoft released 10 security bulletins, six of which it’s rated as critical. (The remaining four updates address two moderate threats, one important threat, and one low threat.) In addition, several of the bulletins affect Office applications for the Mac.
Details
Redmond released 10 security bulletins for October’s Patch Tuesday, rating six as critical. Due to space constraints, I’ll review the critical updates this week, and I’ll wrap up this month’s Patch Tuesday coverage with the rest in the next issue.
Keep in mind that attackers are actively exploiting some of these threats, so make sure to examine each update on a case-by-case basis. To learn about specific workarounds and mitigating factors, read each security bulletin in detail.
Fortunately for managers and “patch masters,” most of these threats are only critical for older platforms and applications—a fact that greatly reduces the impact of these critical patch warnings. In most cases, Microsoft Baseline Security Analyzer (MBSA) 2.0 or Systems Management Server (SMS) 2003 will identify the need for a patch, but earlier versions may not work properly. However, MBSA 2.0 and SMS 2003 may not work in some instances, particularly for Macintosh platforms and Office 2000.
MS06-057
Microsoft Security Bulletin MS06-057, titled as both “Vulnerability in Windows Shell Could Allow Remote Code Execution” and “Vulnerability in Windows Explorer Could Allow Remote Execution,” addresses the Windows Shell Remote Code Execution Vulnerability (CVE-2006-3730). There have been reports that attackers are actively exploiting this vulnerability.
This is a critical threat for Windows 2000 Service Pack 4 and all versions of Windows XP; it is a moderate threat for all versions of Windows Server 2003. This bulletin replaces Microsoft Security Bulletin MS06-045 for Windows XP SP1 only.
Best online Microsoft MCTS Training, Microsoft MCITP Training at certkingdom.com
Possible workarounds include patching the registry, disabling ActiveX controls, and altering Internet Explorer security zones—all of which can have serious side effects. See the security bulletin for more details.
MS06-058
Microsoft Security Bulletin MS06-058, “Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution,” addresses four separate problems:
* PowerPoint Malformed Object Pointer Vulnerability (CVE-2006-3435)
* PowerPoint Malformed Data Record Vulnerability (CVE-2006-3876)
* PowerPoint Malformed Record Memory Corruption Vulnerability (CVE-2006-3877)
* PowerPoint Malformed Record Vulnerability (CVE-2006-4694)—attackers are actively exploiting this vulnerability.
This is a critical threat for PowerPoint 2000; it is an important threat for PowerPoint 2002, PowerPoint 2003, PowerPoint 2004 for Mac, and PowerPoint v.X for Mac. This bulletin replaces Microsoft Security Bulletin MS06-028 for all affected versions.
See the security bulletin to learn about possible workarounds and mitigating factors, which are numerous.
MS06-059
Microsoft Security Bulletin MS06-059, “Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution,” is another threat that affects both Windows and Macintosh platforms and addresses multiple vulnerabilities:
* Excel Malformed DATETIME Record Vulnerability (CVE-2006-2387)
* Excel Malformed STYLE Record Vulnerability (CVE-2006-3431)
* Excel Handling of Lotus 1-2-3 File Vulnerability (CVE-2006-3867)
* Excel Malformed COLINFO Record Vulnerability (CVE-2006-3875)
While both the Lotus 1-2-3 and STYLE Record vulnerabilities were publicly disclosed threats, there were no reports of active exploits at the time of publication.
This collective group poses a critical threat for Excel 2000; it’s an important threat for Excel 2002, Excel 2003, Excel Viewer 2003, Excel 2004 for Mac, and Excel v.X for Mac. This bulletin replaces Microsoft Security Bulletin MS06-037 for all affected versions.
MS06-060
Microsoft Security Bulletin MS06-060, “Vulnerabilities in Microsoft Word Could Allow Remote Code Execution,” is another threat that affects both Windows and Macintosh platforms and addresses multiple vulnerabilities:
* Microsoft Word Vulnerability (CVE-2006-3647)
* Microsoft Word Mail Merge Vulnerability (CVE-2006-3651)
* Microsoft Word Malformed Stack Vulnerability (CVE-2006-4534)
* Microsoft Word for Mac Vulnerability (CVE-2006-4693)
This collective group poses a critical threat for Word 2000; it’s an important threat for Word 2002, Word 2003, Word 2003 Viewer, Word 2004 for Mac, and Word v.X for Mac. This bulletin replaces Microsoft Security Bulletin MS06-027 for Word 2000, Word 2002, Word 2003, and Word 2003 Viewer. These are newly disclosed threats, and there had been no reports of active exploits at the time of publication.
MS06-061
Microsoft Security Bulletin MS06-061, “Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution,” addresses two separate threats:
* Microsoft XML Core Services Vulnerability (CVE-2006-4685)
* XSLT Buffer Overrun Vulnerability (CVE-2006-4686)
This bulletin affects Windows 2000 SP4, all versions of Windows XP, all versions of Windows Server 2003, Office 2003 SP1, Office 2003 SP2, Microsoft XML Core Services 4.0, and Microsoft XML Core Services 6.0. While the XML Core Services Vulnerability poses an important to low threat—depending on the version—the XSLT Buffer Overrun Vulnerability is a critical threat, so the collective rating is critical for all affected versions.
These are newly disclosed threats, and there had been no reports of active exploits at the time of publication.
Note: While Microsoft updated the bulletin to remove a mistaken update note, this bulletin doesn’t replace any prior security patches.
MS06-062
Microsoft Security Bulletin MS06-062, “Vulnerabilities in Microsoft Office Could Allow Remote Code Execution,” addresses four separate threats:
* Office Improper Memory Access Vulnerability (CVE-2006-3434)
* Office Malformed Chart Record Vulnerability (CVE-2006-3650)
* Office Malformed Record Memory Corruption Vulnerability (CVE-2006-3864)
* Microsoft Office Smart Tag Parsing Vulnerability (CVE-2006-3868)
This bulletin affects Office 2000 SP3, Office XP SP3, Office 2003 SP1, Office 2003 SP2, Office 2004 for Mac, and Office v.X for Mac. It also affects Project 2000 Service Release 1, Project 2002 SP1, and Visio 2002 SP2. It is a critical threat for Office 2000, and it’s an important threat for all remaining versions.
This bulletin replaces Microsoft Security Bulletin MS06-048 for all affected versions. Microsoft has updated the security bulletin itself to V1.1 to clarify some details.
The Microsoft Office Smart Tag Parsing vulnerability was the only publicly disclosed threat, but there had been no reports of active exploits at the time of publication.
Final word
And if six critical patches aren’t enough, don’t forget that Microsoft also recently released a critical patch out of sequence—Microsoft Security Bulletin MS06-055 for XML problems. Yes, folks, these critical threats are the ones Redmond felt could wait for the regular scheduled Patch Tuesday! Tune in next week for details on the remaining security bulletins.