For this month's Patch Tuesday, Microsoft released six security bulletins, five of which it's rated as critical. (The remaining update addresses an important threat.) While one of the critical threats is actually present in Macromedia Flash, the vulnerability affects Windows platforms.
Redmond released six security bulletins for November's Patch Tuesday, rating five as critical. However, four of the six updates addressed privately reported threats, and there had been no reports of active exploits for these four vulnerabilities at the time of publication. Here's a closer look at each update, in order of risk.
Microsoft Security Bulletin MS06-071,"Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution," addresses the Microsoft XML Core Services vulnerability (CVE-2006-5745). This is a publicly disclosed threat, and there were reports that attackers were actively exploiting this vulnerability before Microsoft released the update.
This is a critical threat for XML Core Services 4.0 and XML Core Services 6.0; it does not affect XML Core Services 3.0 or XML Core Services 5.0. This bulletin replaces Microsoft Security Bulletin MS06-061 for all affected versions.
Running Windows Server 2003 in its default configuration mitigates this threat. Some complex workarounds are available; see the security bulletin for more details.
Microsoft Security Bulletin MS06-067, "Cumulative Security Update for Internet Explorer," addresses three problems:
- DirectAnimation ActiveX Controls Memory Corruption Vulnerability (CVE-2006-4777)
- DirectAnimation ActiveX Controls Memory Corruption Vulnerability (CVE-2006-4446)
- HTML Rendering Memory Corruption Vulnerability (CVE-2006-4687)
CVE-2006-4777 and CVE-2006-4446 are publicly disclosed threats, and there were reports that attackers were actively exploiting these vulnerabilities before Microsoft released the updates. CVE-2006-4687 is a privately disclosed threat, and there had been no reports of active exploits at the time of publication.
This bulletin has a cumulative rating of critical. It affects all versions of Internet Explorer 5.01 and Internet Explorer 6; however, it does not affect Internet Explorer 7. This bulletin replaces Microsoft Security Bulletin MS06-042 for all affected versions.
Possible workarounds include restricting how ActiveX controls and Active Scripting run in Internet Explorer, completely disabling ActiveX controls, and opening all e-mails in plain text. However, if you choose to implement the workarounds while waiting to patch, Microsoft warns that it's possible, albeit difficult, to launch a successful attack even with Active Scripting disabled.
Microsoft Security Bulletin MS06-068, "Vulnerability in Microsoft Agent Could Allow Remote Code Execution," addresses the Microsoft Agent Memory Corruption Vulnerability (CVE-2006-3445). This is a newly discovered vulnerability, and there had been no reports of active exploits at the time of publication.
This is a critical vulnerability for Windows 2000 Service Pack 4 and Windows XP SP2; it is only a moderate threat for Windows Server 2003 and Windows Server 2003 SP1. This bulletin replaces Microsoft Security Bulletin MS05-032 for all affected versions.
Available workarounds include disabling ActiveX controls and applying a patch to the registry. See the security bulletin for more details.
Microsoft Security Bulletin MS06-069, "Vulnerabilities in Macromedia Flash Player from Adobe Could Allow Remote Code Execution," addresses multiple Flash Player vulnerabilities: CVE-2006-3014, CVE-2006-3311, CVE-2006-3587, CVE-2006-3588, and CVE-2006-4640. These are privately reported threats, and there had been no reports of active exploits at the time of publication.
Not surprisingly, one workaround is to block ActiveX and Flash Player. See the security bulletin for more details.
Microsoft Security Bulletin MS06-070, "Vulnerability in Workstation Service Could Allow Remote Code Execution," addresses the Workstation Service Memory Corruption Vulnerability (CVE-2006-4691). This is a privately reported threat, and there had been no reports of active exploits at the time of publication.
This is a critical threat for Windows 2000 SP4; it is a low threat for Windows XP SP2. This bulletin replaces Microsoft security bulletins MS03-049; it replaces Microsoft Security Bulletin MS06-040 for both Windows 2000 SP4 and Windows XP SP2.
An attacker would need administrator privileges to launch a successful attack in Windows XP SP2. One simple workaround is to block ports TCP 139 and TCP 445 at the network firewall.
Microsoft Security Bulletin MS06-066, "Vulnerabilities in Client Service for NetWare Could Allow Remote Code Execution," addresses two vulnerabilities: the Microsoft Client Service for NetWare Memory Corruption Vulnerability (CVE-2006-4688) and the NetWare Driver Denial of Service Vulnerability (CVE-2006-4689). There had been no reports of active exploits at the time of publication.
This is an important threat for Windows 2000 SP4 and Windows XP Professional SP2; it is a moderate threat for Windows Server 2003 and Windows Server 2003 SP1. This bulletin replaces Microsoft Security Bulletin MS05-046 for Windows XP Professional SP2 only.
On the surface, five critical updates may seem to be a lot. But the important thing to remember is that two-thirds of the threats were newly reported vulnerabilities with no reports of active exploits.
Microsoft's security team got ahead of most of the threats this month. While that's not the same as having no vulnerabilities at all, it's better than a poke in the eye with a sharp stick.
Miss a column?
Check out the IT Locksmith Archive, and catch up on the most recent editions of John McCormick's column.
Want to stay on top of the latest security updates? Automatically sign up for our free IT Locksmith newsletter, delivered each Tuesday!
John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.