Microsoft has released a slew of critical bulletins for the cruelest month of all (tax day for U.S. readers). This month we have three new critical bulletins (one of which was updated over the weekend) addressing a number of vulnerabilities, along with two more bulletins addressing minor issues. (Of course no issue is really minor if it affects you.)


Microsoft Security Bulletin MS06-013, “Cumulative Security Update for Internet Explorer,” replaces MS05-054 (all platforms) and MS06-004 (IE 5.01 SP4 only), and the patch will affect the way IE as well as ActiveX works. There have been reports of exploits in this vulnerability. See Microsoft Knowledge Base Article 912812 for more information and Microsoft Knowledge Base Article 917425 for details concerning ActiveX concerns.

Vulnerabilities addressed are:

  • DHTML Method Call Memory Corruption Vulnerability-CVE-2006-1359 (this is being actively exploited)
  • Multiple Event Handler Memory Corruption Vulnerability-CVE-2006-1245
  • HTA Execution Vulnerability-CVE-2006-1388
  • HTML Parsing Vulnerability-CVE-2006-1185
  • COM Object Instantiation Memory Corruption Vulnerability-CVE-2006-1186
  • HTML Tag Memory Corruption Vulnerability-CVE-2006-1188 (proof of concept code is circulating)
  • Double Byte Character Parsing Memory Corruption Vulnerability-CVE-2006-1189
  • Script Execution Vulnerability-CVE-2006-1190
  • Cross-Domain Information Disclosure Vulnerability-CVE-2006-1191, and
  • Address Bar Spoofing Vulnerability-CVE-2006-1192
  • All except the last two are critical for some or most affected installations.


    Internet Explorer 5.0, SP4; IE 6 Windows Server, IE 6 SP1 (all); and IE 6 SP2 (XP). Note that this Bulletin includes a patch for Windows 98, 98 SE, and ME.

    Risk level-Critical

    The Risks vary with platform but the cumulative risk level is critical for all platforms including Windows 98, 98 SE, and ME.

    Mitigating factors

    Microsoft had previously released some of these patches. As with many browser threats, a user must open a malicious email or visit a malicious Web site to be vulnerable. Unfortunately, one of these vulnerabilities is an address bar spoof so visitors may not know they are visiting a strange Web site.

    Fix–Apply the patches

    There are workarounds for some but not all of these vulnerabilities; see the bulletin for details but they mostly involve prompting before ActiveX code is executed.


    Microsoft Security Bulletin MS06-014, “Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution,” addresses one vulnerability, Microsoft Windows MDAC Vulnerability-CVE-2006-0003. There have been no reports of exploits in this newly-disclosed vulnerability.


    Risk level–Critical

    Note this is only a moderate-rated threat for Windows Server 2003 and WS2003 SP1.

    Mitigating factors

    Windows Server 2003 runs in a restricted mode by default which helps protect against an email attack.

    Fix-Apply the patch

    There are several workarounds that Microsoft has tested. See the bulletin for details and the latest updates on those.


    Microsoft Security Bulletin MS06-015, “Vulnerability in Windows Explorer Could Allow Remote Code Execution,” replaces MS05-016 and MS05-008. This is a newly discovered vulnerability with no reported exploits. Note that due to the event of the bulletin’s April 15 modification, you may wish to recheck this if you had earlier dismissed the known issues with the patch as not applicable to your shop.

    This patch targets Windows Shell Vulnerability-CVE-2006-0012 but also addresses CVE-2004-2289.


    Most Windows platforms including Windows 98, 98 SE, ME, Windows 2000, XP SP1 and SP2, Windows Server 2003 and WS2003 SP1.

    Risk level-Critical

    Mitigating factors

    Best practices would prevent most attacks.

    Fix-Apply the patch

    There is a detailed workaround included in the bulletin and you can also block TCP ports 139 and 445 at the firewall. This will block some, but not all attacks.


    The remote code execution vulnerability, “Cumulative Security Update for Outlook Express,” is an “important” threat. There have been no reports of exploits in this newly-disclosed vulnerability. The patch alters the way Outlook Express validates .WAB files.

    Please note that this bulletin has been updated (April 15), regarding a privacy related change so you may wish to recheck this bulletin if you already looked at it.


    The remote code execution vulnerability, “Vulnerability in Microsoft FrontPage Server Extensions Could Allow Cross Site Scripting,” rates a “moderate” threat. There have been no reports of exploits in this newly-disclosed vulnerability.

    This threat mostly affects platforms with Microsoft Internet Information Services, FrontPage Server extensions 2002, or SharePoint Team Services installed.

    Final word

    The cruelest month is, of course, April, the month which contains tax day for those of us here in the good old U.S.A.

    For others, I don’t know your tax systems so this may just be a horrible month because of all the threats to Microsoft platforms you need to patch.

    Miss a column?

    Check out the IT Locksmith Archive, and catch up on the most recent editions of John McCormick’s column.

    Want to stay on top of the latest security updates? Automatically sign up for our free IT Locksmith newsletter, delivered each Tuesday!

    John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.