That big ol’ softy Microsoft sent out valentines to all its
users on February 14—seven of them, to be exact. The software giant released
seven security bulletins for this month’s Patch Tuesday. While two of the
bulletins are critical—the remaining five are important—none of the bulletins is
actually a big threat.

Details

Microsoft’s seven security bulletins for February really
were a Valentine’s Day treat. Even the two critical bulletins aren’t particularly
dangerous in a corporate setting. In fact, some of the important bulletins
affect only a tiny fraction of the Microsoft user base. Let’s take a closer
look.

MS06-004

Microsoft
Security Bulletin MS06-004, “Cumulative Security Update for Internet
Explorer,” replaces
Microsoft Security Bulletin MS05-054.
This update fixes the WMF Image Parsing Memory Corruption Vulnerability (CVE-2006-0020),
a graphics-related problem.

This vulnerability can allow a remote attacker to run
arbitrary files on a vulnerable system by tricking users into opening a
specially crafted e-mail graphics attachment or getting them to visit a
malicious Web site. While this is a publicly disclosed threat, no exploits have
appeared in the wild.

Applicability
Fortunately, this update only affects one version of Windows—Windows 2000
Service Pack 4. MS06-004 is a cumulative browser patch that only applies to Internet
Explorer 5.01 SP4, which is part of Windows 2000 SP4. This update doesn’t apply
to any other versions, including IE 6 for Windows Server 2003 or Windows XP
SP2.

Risk level
Microsoft has rated MS06-004 as a critical threat, but keep in mind that it affects
a relatively small number of installations.

Mitigating factors
Because Microsoft’s graphics engine determines how to deal with a file based on
the actual file coding rather than the extension name, blocking Windows
Metafile Format (WMF) files won’t block this attack—merely renaming the file
with another extension would bypass the block but not remove the threat.

Fix
Install the update. A variety of known problems may occur with the installation
of this patch, so check out Microsoft Knowledge Base Article 910620
to learn more details and find out about available workarounds for the problems
caused by the patch.

MS06-005

Microsoft
Security Bulletin MS06-005, “Vulnerability in Windows Media Player
Could Allow Remote Code Execution,” fixes a remote code execution threat
caused by the improper handling of bitmap (.bmp) files, which is due to an
unchecked buffer (CVE-2006-0006).
This update replaces
Microsoft Security Bulletin MS05-009.

Because Windows Media Player isn’t the normal application that
processes bitmap files, this is mostly a concern for users who download
alternate “skins” for their media players. This is a newly disclosed
threat, and no exploits have appeared in the wild.

Applicability

  • Windows
    Media Player 7.1 on Windows 2000 SP4
  • Windows
    Media Player for XP on Windows XP SP1
  • Windows
    Media Player 9 on Windows 2000 SP4, Windows XP SP1, Windows XP SP2, and
    Windows Server 2003
  • Windows
    Media Player 10 on Windows XP S1 or Windows XP S2

Risk level
This is a critical threat for Windows Media Player 9 and Windows Media Player
10. Microsoft has rated it critical because a successful exploit would permit a
remote attacker to take complete control of a vulnerable system—not because
it’s easy to exploit or likely to be a major attack vector. This is an
important threat for Windows Media Player 7.1 and Windows Media Player for XP.

Mitigating factors
This threat requires a considerable amount of social engineering to get users to
download the dangerous code, and Windows Media Player is typically not an application
that deals with .bmp files.

Fix
Install the update. Microsoft has tested multiple workarounds for this attack
vector, but they involve editing the registry. It’s probably easier to just
install the patch, especially since the workarounds cause multiple
functionality restrictions in many DirectX applications.

MS06-006

Microsoft
Security Bulletin MS06-006, “Vulnerability in Windows Media Player
Plug-in with Non-Microsoft Internet Browsers Could Allow Remote Code Execution,”
addresses a Windows Media Player plug-in vulnerability (CVE-2006-0005),
which is due to another unchecked buffer. This is a newly disclosed threat, and
no exploits have appeared in the wild.

Applicability

  • Windows
    2000 SP4
  • Windows
    XP SP1
  • Windows
    XP SP2
  • Windows
    XP x64 Edition
  • Windows
    Server 2003
  • Windows
    Server 2003 SP1
  • Windows
    Server 2003 x64 Edition

Risk level
While this is a remote code execution threat, Microsoft has rated it important
for all affected systems.

Mitigating factors
This threat doesn’t affect IE users—only users of alternative Web browsers. In
addition, a potential attacker would have to convince users to visit a
malicious Web site or open a suspicious e-mail.

Fix
Install the update. While there is a Microsoft-approved workaround available, using
it will affect the way some Web sites display. Read the entire security
bulletin for more details.

MS06-007

Microsoft
Security Bulletin MS06-007, “Vulnerability in TCP/IP Could Allow
Denial of Service,” addresses the IGMP v3 DoS vulnerability (CAN-2006-0021).
This update replaces
Microsoft Security Bulletin MS05-019.
This is a newly disclosed threat, and no exploits
have appeared in the wild.

Applicability

  • All
    versions of Windows XP
  • All
    versions of Windows Server 2003

This threat does not affect Windows 2000 SP4.

Risk level
This is an important threat for all affected systems.

Mitigating factors
Using firewall best practices should block this attack vector.

Fix
Install the update. A Microsoft-approved workaround is available. However, this
workaround involves editing the registry, so installing the patch is probably
the better alternative.

MS06-008

Microsoft
Security Bulletin MS06-008, “Vulnerability in Web Client Service Could
Allow Remote Code Execution,” addresses a Web client vulnerability (CVE-2006-0013).
This fixes a newly discovered, privately reported vulnerability. This update replaces Microsoft
Security Bulletin MS05-028
for Windows XP SP1 and Windows Server 2003—but not for Windows XP SP2 or Windows
Server 2003 SP1.

Applicability

  • All
    versions of Windows XP
  • All
    versions of Windows Server 2003

This threat does not affect Windows 2000 SP4.

Risk level
This is an important threat for all versions of Windows XP; it is a moderate
threat for all versions of Windows Server 2003.

Mitigating factors
A potential attacker requires valid logon credentials to exploit this threat.
In addition, Windows Server 2003 disables the Web Client Service by default.

Fix
Install the update. As a workaround, disable the Web Client Service in Windows XP.
(To do so, go to Control Panel | Administrative Tools | Services | WebClient.)
Blocking TCP Ports 139 and 445 will also stop some attacks.

MS06-009

Microsoft
Security Bulletin MS06-009, “Vulnerability in the Korean Input Method
Editor Could Allow Elevation of Privilege,” addresses the Korean IME vulnerability
(CVE-2006-0008).
This is a newly disclosed threat, and no exploits
have appeared in the wild.

Applicability
While this threat affects a variety of Microsoft software, it only affects the
Korean language version of these applications. Read the entire security
bulletin for more details.

Risk level
This is an important threat for all affected versions.

Mitigating factors
In addition to only affecting the Korean language versions, there’s a variety
of mitigating factors. See the security bulletin for more details.

Fix
Install the update. A variety of Microsoft-approved workarounds are available,
including blocking TCP port 3389 at the enterprise perimeter firewall.

MS06-010

Microsoft
Security Bulletin MS06-010, “Vulnerability in PowerPoint 2000 Could
Allow Information Disclosure,” also fixes a threat that affects only a
small amount of users. This update addresses the PowerPoint Temporary Internet
Files Information Disclosure vulnerability (CVE-2006-0004).
This is a newly disclosed threat, and no exploits
have appeared in the wild.

Applicability
This only affects PowerPoint 2000, which is part of Microsoft Office 2000
Service Pack 3. This threat doesn’t affect any other versions of PowerPoint.

Risk level
Microsoft has rated this an important threat.

Mitigating factors
In addition to only affecting one version of PowerPoint, potential attackers
would have to convince users to visit a malicious Web site or open a suspicious
e-mail.

Fix
Install the update. Some Microsoft-approved workarounds are available. Read the
entire security bulletin for more details.

Final word

Is anyone out there still using IE 5.01? If so, it really is
time to upgrade—not just install the MS06-004 patch. Likewise, the other
critical bulletin shouldn’t be much threat to computers in a corporate
environment.

Miss a column?

Check out the IT Locksmith Archive,
and catch up on the most recent editions of John McCormick’s column.

Want to stay on top of
the latest security updates? Automatically
sign up for our free IT Locksmith newsletter, delivered each Tuesday!

John McCormick is a
security consultant and well-known author in the field of IT, with more than
17,000 published articles. He has written the IT Locksmith column for
TechRepublic for more than four years.