Get up to speed on Microsoft's August security bulletins

August has been a busy month for Microsoft. The software giant released 12 security bulletins, nine of which it rated critical—collectively fixing 10 Windows flaws and three Office threats. Last time, John McCormick told you the four bulletins you needed to worry about most (http://www.techrepublic.com/article/5100-1009_11-6105301.html). In this edition of the IT Locksmith, he brings you up to speed on the remaining five critical and three important security bulletins.

This month's Patch Tuesday was a busy one. Redmond released a total of 12 security bulletins, rating nine of them as critical threats. (The remaining three bulletins are important threats.) The updates collectively fix 20 flaws in Windows and patch three flaws in Office.

Details

Microsoft released so many critical security bulletins for August's Patch Tuesday that I couldn't address them all in my first article. Last time, I covered the four critical security bulletins that I felt presented the most threat. This week, I'll bring you up to speed on the remaining updates, both critical and important. These bulletins either present a low-level threat or haven't been the target of an active exploit, making them less dangerous than the first four.

MS06-041

Microsoft Security Bulletin MS06-041, "Vulnerabilities in DNS Resolution Could Allow Remote Code Execution," fixes two vulnerabilities: Winsock Hostname Vulnerability (CVE-2006-3440) and DNS Client Buffer Overrun Vulnerability (CVE-2006-3441). Both are remote code execution threats.

This update affects Windows 2000 Service Pack 4, all versions of Windows XP, and all versions of Windows Server 2003. This is a critical threat for all affected versions. Both vulnerabilities are previously undisclosed threats, and there had been no reports of active exploits for either at the time of publishing.

In addition, an attacker can only exploit the buffer overrun vulnerability on a subnet between the host and the DNS server. Workarounds include blocking the DNS record types ATMA, TXT, X25, HINFO, and ISDN at network gateways.
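The gateway workaround above, sketched as an added example (not from the article or from Microsoft's bulletin): a Python filter that walks a DNS message and flags any that carries one of the listed record types. The type numbers are the IANA assignments; the function names, the fail-closed policy, and the example.test sample packets are assumptions made for illustration.

```python
import struct

# Record types named in the MS06-041 workaround, keyed by IANA type number.
BLOCKED_TYPES = {13: "HINFO", 16: "TXT", 19: "X25", 20: "ISDN", 34: "ATMA"}

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while off < len(msg):
        length = msg[off]
        if length & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends the name
            return off + 2
        if length & 0xC0:
            raise ValueError("reserved label type")
        off += 1 + length
        if length == 0:                  # root label terminates the name
            return off
    raise ValueError("truncated name")

def record_types(msg):
    """List the TYPE of every answer, authority and additional record."""
    if len(msg) < 12:
        raise ValueError("short header")
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off, types = 12, []
    for i in range(qd + an + ns + ar):
        off = _skip_name(msg, off)
        fixed = 4 if i < qd else 10      # question: QTYPE+QCLASS; record: TYPE..RDLENGTH
        if off + fixed > len(msg):
            raise ValueError("truncated entry")
        if i >= qd:
            rtype, rdlen = struct.unpack("!H6xH", msg[off:off + 10])
            types.append(rtype)
            fixed += rdlen               # step over RDATA without interpreting it
        off += fixed
    if off > len(msg):
        raise ValueError("truncated rdata")
    return types

def should_drop(msg):
    """Gateway decision (assumed policy): drop blocked types, fail closed on malformed input."""
    try:
        return any(t in BLOCKED_TYPES for t in record_types(msg))
    except ValueError:
        return True

# Constructed sample responses for example.test (not captured traffic).
_HEAD = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + b"\x07example\x04test\x00"
SAMPLE_A = _HEAD + struct.pack("!HH", 1, 1) + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
SAMPLE_TXT = _HEAD + struct.pack("!HH", 16, 1) + b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 60, 6) + b"\x05hello"
```

Dropping TXT at the gateway also breaks legitimate uses of that record type, so a filter like this suits a temporary measure until the update is applied.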

A workaround for the Winsock vulnerability is to modify the Autodial DLL in the registry. See the security bulletin for more details.

MS06-043

Microsoft Security Bulletin MS06-043, "Vulnerability in Microsoft Windows Could Allow Remote Code Execution," addresses the MHTML Parsing Vulnerability (CVE-2006-2766). While this is a critical threat, it only affects Outlook Express 6 on Windows XP SP2 (including the x64 version) and Outlook Express 6 on Windows Server 2003 SP1 (also including the x64 version).

This is a publicly disclosed threat, but there had been no reports of active exploits at the time of publishing. Internet Explorer runs in a restricted security mode on Windows Server 2003, and Outlook Express opens HTML e-mails in the Restricted Sites security zone; both factors mitigate the potential risk.

MS06-044

Microsoft Security Bulletin MS06-044, "Vulnerability in Microsoft Management Console Could Allow Remote Code Execution," fixes the MMC Redirect Cross-Site Scripting Vulnerability (CVE-2006-3643). This is a newly disclosed threat, and there had been no reports of active exploits at the time of publishing.

While this is a critical threat, it only affects Windows 2000 SP4. The best way to mitigate this threat is to run IE 6. A good workaround is to disable Active Scripting in the My Computer zone.

MS06-046

Microsoft Security Bulletin MS06-046, "Vulnerability in HTML Help Could Allow Remote Code Execution," addresses the Buffer Overrun in HTML Help Vulnerability (CVE-2006-3357). This is a publicly disclosed threat, and there had been no reports of active exploits at the time of publishing.

This update affects Windows 2000 SP4, all versions of Windows XP, and all versions of Windows Server 2003. It is a critical threat for Windows 2000 and Windows XP versions, but it's only a moderate threat for Windows Server 2003 versions.

Using the latest, fully patched version of Internet Explorer or Outlook will mitigate this threat, and the security bulletin offers several workarounds. The most useful one is to disable the HTML Help ActiveX control.

MS06-051

Microsoft Security Bulletin MS06-051, "Vulnerability in Windows Kernel Could Result in Remote Code Execution," addresses two threats. The User Profile Elevation of Privilege Vulnerability (CVE-2006-3443) is a low-threat elevation of privilege threat, while the Unhandled Exception Vulnerability (CVE-2006-3648) is a critical remote code execution threat. Both vulnerabilities are previously undisclosed threats, and there had been no reports of active exploits for either at the time of publishing.

This update affects Windows 2000 SP4, all versions of Windows XP, and all versions of Windows Server 2003. Because of the Unhandled Exception Vulnerability, this is a critical threat for all affected versions.

There are multiple mitigating factors. First of all, an attacker would need valid logon credentials to exploit the user profile vulnerability. In addition, applying all patches and leaving Outlook's default setting to open HTML e-mails in the Restricted Sites security zone would block the remote code execution threat.

Well, that sums up this month's critical security bulletins. Now, let's look at the three bulletins rated as important threats.

MS06-045

Microsoft Security Bulletin MS06-045, "Vulnerability in Windows Explorer Could Allow Remote Code Execution," fixes the Folder GUID Code Execution Vulnerability (CVE-2006-3281). While this is a publicly disclosed threat, there had been no reports of active exploits at the time of publishing.

This update affects Windows 2000 SP4, all versions of Windows XP, and all versions of Windows Server 2003. It's an important threat for all affected versions.

Firewall best practices would likely block an attack on this vector. By default, many programs open HTML e-mails in the Restricted Sites security zone. A workaround is to disable the Web Client service.

MS06-049

Microsoft Security Bulletin MS06-049, "Vulnerability in Windows Kernel Could Result in Elevation of Privilege," addresses the Windows 2000 Kernel Elevation of Privilege vulnerability (CVE-2006-3444). While this is a publicly disclosed threat, there had been no reports of active exploits at the time of publishing.

As the name implies, this important-rated threat is only an elevation of privilege threat, and it only affects Windows 2000. Valid logon credentials are required to conduct an attack on this vector.

Microsoft reports no workarounds. This security bulletin replaces MS05-055.

MS06-050

Microsoft Security Bulletin MS06-050, "Vulnerabilities in Microsoft Windows Hyperlink Object Library Could Allow Remote Code Execution," addresses two vulnerabilities: Hyperlink Object Buffer Overflow Vulnerability (CVE-2006-3086) and Hyperlink Object Function Vulnerability (CVE-2006-3438). While one of these is a publicly disclosed threat, no reports of active exploits had surfaced for either vulnerability at the time of publishing.

This update affects Windows 2000 SP4, all versions of Windows XP, and all versions of Windows Server 2003. It's an important threat for all affected versions. This security bulletin replaces MS05-015.

Final word

Well, that's definitely a lot of security patches for August. Looking on the bright side, many of them won't be of too much concern for a lot of managers.

In my experience, while Windows 2000 still sees heavy use in government, most corporate users have moved on, which eliminates some of the threats entirely. Using best practices will block some others, and there have been no reports of active exploits for any of the ones in this article.

John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.