
Microsoft releases five critical security bulletins for November

For November's Patch Tuesday, Microsoft released six security bulletins, rating five of them as critical. In this edition of the IT Locksmith, John McCormick has the details about this month's security bulletins.

For this month's Patch Tuesday, Microsoft released six security bulletins, five of which it's rated as critical. (The remaining update addresses an important threat.) While one of the critical threats is actually present in Macromedia Flash, the vulnerability affects Windows platforms.

Details

Redmond released six security bulletins for November's Patch Tuesday, rating five as critical. However, four of the six updates addressed privately reported threats, and there had been no reports of active exploits for these four vulnerabilities at the time of publication. Here's a closer look at each update, in order of risk.

MS06-071

Microsoft Security Bulletin MS06-071, "Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution," addresses the Microsoft XML Core Services vulnerability (CVE-2006-5745). This is a publicly disclosed threat, and there were reports that attackers were actively exploiting this vulnerability before Microsoft released the update.

This is a critical threat for XML Core Services 4.0 and XML Core Services 6.0; it does not affect XML Core Services 3.0 or XML Core Services 5.0. This bulletin replaces Microsoft Security Bulletin MS06-061 for all affected versions.

Running Windows Server 2003 in its default configuration mitigates this threat. Some complex workarounds are available; see the security bulletin for more details.

MS06-067

Microsoft Security Bulletin MS06-067, "Cumulative Security Update for Internet Explorer," addresses three problems:

  • DirectAnimation ActiveX Controls Memory Corruption Vulnerability (CVE-2006-4777)
  • DirectAnimation ActiveX Controls Memory Corruption Vulnerability (CVE-2006-4446)
  • HTML Rendering Memory Corruption Vulnerability (CVE-2006-4687)

CVE-2006-4777 and CVE-2006-4446 are publicly disclosed threats, and there were reports that attackers were actively exploiting these vulnerabilities before Microsoft released the updates. CVE-2006-4687 is a privately disclosed threat, and there had been no reports of active exploits at the time of publication.

This bulletin has a cumulative rating of critical. It affects all versions of Internet Explorer 5.01 and Internet Explorer 6; however, it does not affect Internet Explorer 7. This bulletin replaces Microsoft Security Bulletin MS06-042 for all affected versions.

Possible workarounds include restricting how ActiveX controls and Active Scripting run in Internet Explorer, completely disabling ActiveX controls, and opening all e-mails in plain text. However, if you choose to implement the workarounds while waiting to patch, Microsoft warns that it's possible, albeit difficult, to launch a successful attack even with Active Scripting disabled.

MS06-068

Microsoft Security Bulletin MS06-068, "Vulnerability in Microsoft Agent Could Allow Remote Code Execution," addresses the Microsoft Agent Memory Corruption Vulnerability (CVE-2006-3445). This is a newly discovered vulnerability, and there had been no reports of active exploits at the time of publication.

This is a critical vulnerability for Windows 2000 Service Pack 4 and Windows XP SP2; it is only a moderate threat for Windows Server 2003 and Windows Server 2003 SP1. This bulletin replaces Microsoft Security Bulletin MS05-032 for all affected versions.

Available workarounds include disabling ActiveX controls and applying a patch to the registry. See the security bulletin for more details.

MS06-069

Microsoft Security Bulletin MS06-069, "Vulnerabilities in Macromedia Flash Player from Adobe Could Allow Remote Code Execution," addresses multiple Flash Player vulnerabilities: CVE-2006-3014, CVE-2006-3311, CVE-2006-3587, CVE-2006-3588, and CVE-2006-4640. These are privately reported threats, and there had been no reports of active exploits at the time of publication.

This is a critical threat that only affects Windows XP SP2. This bulletin replaces Microsoft Security Bulletin MS06-020 for Windows XP SP2.

Not surprisingly, one workaround is to block ActiveX and Flash Player. See the security bulletin for more details.

MS06-070

Microsoft Security Bulletin MS06-070, "Vulnerability in Workstation Service Could Allow Remote Code Execution," addresses the Workstation Service Memory Corruption Vulnerability (CVE-2006-4691). This is a privately reported threat, and there had been no reports of active exploits at the time of publication.

This is a critical threat for Windows 2000 SP4; it is a low threat for Windows XP SP2. This bulletin replaces Microsoft Security Bulletin MS03-049; it also replaces Microsoft Security Bulletin MS06-040 for both Windows 2000 SP4 and Windows XP SP2.

An attacker would need administrator privileges to launch a successful attack in Windows XP SP2. One simple workaround is to block ports TCP 139 and TCP 445 at the network firewall.

MS06-066

Microsoft Security Bulletin MS06-066, "Vulnerabilities in Client Service for NetWare Could Allow Remote Code Execution," addresses two vulnerabilities: the Microsoft Client Service for NetWare Memory Corruption Vulnerability (CVE-2006-4688) and the NetWare Driver Denial of Service Vulnerability (CVE-2006-4689). There had been no reports of active exploits at the time of publication.

This is an important threat for Windows 2000 SP4 and Windows XP Professional SP2; it is a moderate threat for Windows Server 2003 and Windows Server 2003 SP1. This bulletin replaces Microsoft Security Bulletin MS05-046 for Windows XP Professional SP2 only.

Final word

On the surface, five critical updates may seem to be a lot. But the important thing to remember is that two-thirds of the threats were newly reported vulnerabilities with no reports of active exploits.

Microsoft's security team got ahead of most of the threats this month. While that's not the same as having no vulnerabilities at all, it's better than a poke in the eye with a sharp stick.


John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.

8 comments
mypl8s4u2

On so many systems, I've had to shut down MS updates. The updates have caused many systems to constantly reboot, crash, and slow down. One update, IE7, has done nothing but bloat the system to the point it crawls. After removal of such a crappy program, the system ran great. I've since disabled automatic updates.

FilElli

Maybe it's a problem of the computers or of their administrator, not of the patches themselves. I've had Automatic Updates turned on for like a year now and I've never had any problems (and I'm safer).

Deadly Ernest

If the computer worked well before the patch, and the patch was well written, the computer should work just the same, or better, after the patch. Every year we hear of hundreds of cases where MS have issued a patch and it's killed off third party software, software where the companies have paid MS many thousands of dollars for access to the MS code to enable them to write their code to align and work with the MS code. MS release a patch and change part of that code, do they give the new code to the software companies that have paid them, no, the companies have to pay again. Want to see how well your XP system works, try turning off auto updates, don't do any for 8 weeks, then try a manual update, and see what WGA does to your system. BTW, make sure you back up all your data before you try the manual update. The most common result is that WGA will declare your system as a pirate copy and kill it.

Deadly Ernest

from the information provided, only vulnerable in XP since they released SP2 - this makes me wonder if they became vulnerable only because of what they included to allow them to set up WGA to do what it does. Boy am I glad I no longer touch machines that go beyond XP SP1, and don't have a decent firewall before that.

cnarad

At least I know more about the MS patches here since MS doesn't really let users know what is happening to our systems!!

Tech Locksmith

When you are looking at a new release such as Vista, do you look mostly at raw numbers as far as vulnerabilities are concerned, or do you take into consideration how many were patched BEFORE the vulnerability became widely known or was utilized by hackers?

Deadly Ernest

vulnerabilities in early versions of Windows, prior to the release date of the version of Vista you're looking at. Next thing is to wonder why so many known problems WEREN'T fixed in the base code prior to the release. Many seem to be created by various service packs and other patches, makes you wonder about the quality of their coding, and if they know what they're doing.

tundraroamer

I read and listen to the experts like yourself that have more time and skill in this area than I do. Then I sum up the responses and decide on what to do. Vista? Not even on the scope yet. No plans or needs for it now.