Details
Microsoft has released a slew of critical bulletins for the cruelest month of all (tax day for U.S. readers). This month we have three new critical bulletins (one of which was updated over the weekend) addressing a number of vulnerabilities, along with two more bulletins addressing minor issues. (Of course no issue is really minor if it affects you.)
MS06-013
Microsoft Security Bulletin MS06-013, “Cumulative Security Update for Internet Explorer,” replaces MS05-054 (all platforms) and MS06-004 (IE 5.01 SP4 only), and the patch will affect the way IE as well as ActiveX works. There have been reports of exploits in this vulnerability. See Microsoft Knowledge Base Article 912812 for more information and Microsoft Knowledge Base Article 917425 for details concerning ActiveX concerns.
Vulnerabilities addressed are:
All except the last two are critical for some or most affected installations.
Applicability
Internet Explorer 5.0, SP4; IE 6 Windows Server, IE 6 SP1 (all); and IE 6 SP2 (XP). Note that this Bulletin includes a patch for Windows 98, 98 SE, and ME.
Risk level-Critical
The Risks vary with platform but the cumulative risk level is critical for all platforms including Windows 98, 98 SE, and ME.
Mitigating factors
Microsoft had previously released some of these patches. As with many browser threats, a user must open a malicious email or visit a malicious Web site to be vulnerable. Unfortunately, one of these vulnerabilities is an address bar spoof so visitors may not know they are visiting a strange Web site.
Fix–Apply the patches
There are workarounds for some but not all of these vulnerabilities; see the bulletin for details but they mostly involve prompting before ActiveX code is executed.
MS06-014
Microsoft Security Bulletin MS06-014, “Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution,” addresses one vulnerability, Microsoft Windows MDAC Vulnerability-CVE-2006-0003. There have been no reports of exploits in this newly-disclosed vulnerability.
Applicability
Risk level–Critical
Note this is only a moderate-rated threat for Windows Server 2003 and WS2003 SP1.
Mitigating factors
Windows Server 2003 runs in a restricted mode by default which helps protect against an email attack.
Fix-Apply the patch
There are several workarounds that Microsoft has tested. See the bulletin for details and the latest updates on those.
MS06-015
Microsoft Security Bulletin MS06-015, “Vulnerability in Windows Explorer Could Allow Remote Code Execution,” replaces MS05-016 and MS05-008. This is a newly discovered vulnerability with no reported exploits. Note that due to the event of the bulletin’s April 15 modification, you may wish to recheck this if you had earlier dismissed the known issues with the patch as not applicable to your shop.
This patch targets Windows Shell Vulnerability-CVE-2006-0012 but also addresses CVE-2004-2289.
Applicability
Most Windows platforms including Windows 98, 98 SE, ME, Windows 2000, XP SP1 and SP2, Windows Server 2003 and WS2003 SP1.
Risk level-Critical
Mitigating factors
Best practices would prevent most attacks.
Fix-Apply the patch
There is a detailed workaround included in the bulletin and you can also block TCP ports 139 and 445 at the firewall. This will block some, but not all attacks.
The remote code execution vulnerability, “Cumulative Security Update for Outlook Express,” is an “important” threat. There have been no reports of exploits in this newly-disclosed vulnerability. The patch alters the way Outlook Express validates .WAB files.
Please note that this bulletin has been updated (April 15), regarding a privacy related change so you may wish to recheck this bulletin if you already looked at it.
The remote code execution vulnerability, “Vulnerability in Microsoft FrontPage Server Extensions Could Allow Cross Site Scripting,” rates a “moderate” threat. There have been no reports of exploits in this newly-disclosed vulnerability.
This threat mostly affects platforms with Microsoft Internet Information Services, FrontPage Server extensions 2002, or SharePoint Team Services installed.
Final word
The cruelest month is, of course, April, the month which contains tax day for those of us here in the good old U.S.A.
For others, I don’t know your tax systems so this may just be a horrible month because of all the threats to Microsoft platforms you need to patch.
Miss a column?
Check out the IT Locksmith Archive, and catch up on the most recent editions of John McCormick’s column.
Want to stay on top of the latest security updates? Automatically sign up for our free IT Locksmith newsletter, delivered each Tuesday!
John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.
Daily Tech Insider Newsletter
Stay up to date on the latest in technology with Daily Tech Insider. We bring you news on industry-leading companies, products, and people, as well as highlighted articles, downloads, and top resources. You’ll receive primers on hot tech topics that will help you stay ahead of the game.
Delivered Weekdays
