
Microsoft delivers 10 patches and tool update

By Eileen Kennedy, News Writer
10 Oct 2006 | SearchWinIT.com

Security Wire Daily News

Microsoft released six critical patches Tuesday and updated a software tool. Two moderate fixes and another rated as low were also released as part of Microsoft's monthly patch announcement.

But due to some technical difficulties, the software giant was unable to push its updates out via the following automated tools: Microsoft Update, Automatic Updates, Windows Server Update Services (WSUS) and Windows Update v6.

"To be clear, it's a delay due to the networking for these systems ... There are no issues with the security updates themselves," said Craig Gehre of the Microsoft Security Response Center (MSRC). "Also," he said in the MSRC blog, "this issue doesn't affect customers using Software Update Services (SUS), Windows Update v4 or Office Update."

He said those affected by the delay can download and deploy the patches manually by visiting Microsoft's TechNet Web site.

"Technical teams are engaged and have been working around the clock to resolve this problem," he added.

October bulletins summarized
Critical updates included five fixes for vulnerabilities that could allow remote code execution in Windows Shell, PowerPoint, Excel, Word and XML Core Services, and one critical update for Server Service, which could allow a denial of service.

Two of the critical updates, in PowerShell and PowerPoint, address outstanding vulnerabilities that are already widely known among IT professionals.

Security experts said all six critical patches are important to implement. Three of them address outstanding zero-day exploits, MS06-057, MS06-058 and MS06-060, so they might be a higher priority because hackers already know how to take advantage of the flaws, according to Jonathan Bitle, manager of technical accounts at Qualys Inc., a vulnerability management and policy compliance company based in Redwood Shores, Calif.

One important patch that addresses a denial-of-service vulnerability in Server Service was also released.

There were also two moderate fixes: one for a vulnerability in ASP.NET that could cause information disclosure and one in Windows Object Packager that could allow remote code execution. There was also one fix with a low rating that addressed vulnerabilities in TCP/IP, which could allow denial of service.

All in all, 26 different vulnerabilities were addressed by the 10 patches, Bitle said.

The critical patches include: MS06-057, which addresses a remote code execution vulnerability in Windows Shell because of improper validation of input parameters when invoked by the WebViewFolderIcon ActiveX control.

MS06-058, which addresses remote code execution vulnerabilities in PowerPoint. It includes object pointer, data record, record memory and malformed record vulnerabilities.

MS06-059, which addresses three Excel records vulnerabilities and one Lotus 1-2-3 file vulnerability.

MS06-060, which addresses four Word vulnerabilities including one vulnerability for Word for Mac, one for Word, one malformed stack vulnerability for Word and one mail merge vulnerability.

MS06-061, which addresses a vulnerability that could allow information disclosure because the XMLHTTP ActiveX control incorrectly interprets an HTTP server-side redirect, and another in XSLT processing that could allow remote code execution on an affected system.

MS06-062, which addresses four separate Office vulnerabilities including improper memory access, malformed chart record, malformed record memory corruption and smart tag parsing.

The one important patch is:

MS06-063, which addresses a denial of service vulnerability that exists in the Server Service because of the way it handles certain network messages. An attacker could exploit the vulnerability by sending a specially crafted network message to a computer running the Server service.

The two moderate patches are:

MS06-056, which addresses a cross-site scripting vulnerability that exists in a server running a vulnerable version of the .NET Framework 2.0 and that could inject a client-side script in the user's browser.

MS06-065, which addresses a remote code execution vulnerability that exists in Windows Object Packager because of the way that file extensions are handled.

The one low security patch is:

MS06-064, which addresses a denial of service that exists in the IPv6 Windows implementation of the Internet Control Message Protocol.

As is the company's usual practice, users can go to the Information about Microsoft October Security Bulletins site and participate in a Web cast during which they can ask questions about the flaws and the patches.


This story also appears at SearchWinIT.com, part of the TechTarget network.
