News Stay informed about the latest enterprise technology news and product updates.

Inside MSRC: Microsoft details IE ActiveX update

In his debut column, Microsoft security specialist Christopher Budd talk about the vendor's April software update, including a fix for the createTextRange flaw and changes in IE ActiveX behavior.


As one of the people at Microsoft involved in the monthly security update release process, my job is to help people understand the technical side of our releases. In this space, I hope to help readers understand what we're releasing each month by giving you a short bulletin synopsis, some additional technical information about the bulletins that I think will be helpful for you, and pointers to other helpful resources.

Here is some quick background information about our security bulletin process. We follow a monthly release schedule for these bulletins based on repeated feedback from our customers, who say they expect a consistent schedule they can depend on for security updates. To that end, Microsoft releases security updates the second Tuesday of every month, usually around 1:00 p.m. Eastern time.

About Inside MSRC

As part of a special partnership with, Christopher Budd, security program manager for the Microsoft Security Response Center (MSRC), offers an inside look at the process that leads up to "Patch Tuesday" and guidance to help security professionals make the most out of the software giant's security updates.
For April 2006, we are releasing five new security bulletins. Three of the bulletins have a maximum severity rating of Critical, one has a maximum severity of Important, and one has a maximum severity rating of Moderate.

A bulletin that should get a lot of focus this month is MS06-013, which addresses the so-called createTextRange vulnerability in Internet Explorer. This bulletin is rated critical for all currently supported versions of IE. In addition, this bulletin addresses several other vulnerabilities covering issues such as remote code execution, information disclosure and spoofing. The greatest possible impact of these vulnerabilities is remote code execution in the security context of the logged-on user.

The createTextRange vulnerability has gained a lot of public attention in the last couple weeks due to reports of some attackers exploiting it. You may ask, "Why are you just now fixing this problem?" Microsoft's programmers have been working diligently in recent weeks to release an effective update. We have used intensive testing to ensure our update completely fixed the problem. Customers have told us that they would rather we take the time to develop a high-quality, reliable security update rather than issue something temporary that might have a negative effect on a customer's system or other applications. That's why we have taken the time to turn out a high-quality security update we feel will completely fix this problem.

With MS06-013, you should be aware of two additional issues. First, as we discussed in Microsoft security advisory No. 912945, this cumulative security update replaces the cumulative update for Internet Explorer that was released for Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 on Feb. 28, 2006, and is discussed in Microsoft Knowledge Base article 912945. It's important to note that MS06-013 does contain the IE ActiveX update behavior discussed in the Knowledge Base article.

For customers who temporarily choose not to deploy the IE ActiveX update, a separate update is available to disable that behavior when they deploy MS06-013. This optional update is only intended to allow customers additional time to test and redesign Web pages and other software that may have been affected by the IE ActiveX update. This is a temporary update that will expire with the next Internet Explorer cumulative update. For more information, see Microsoft Knowledge Base article 917425.

For detection and deployment, MS06-013 is detectable by Microsoft Baseline Security Analyzer (MBSA) versions 1.2.1 and 2.0, and can be deployed using Software Update Services (SUS), Windows Server Update Services (WSUS), Security Update Inventory Tool (SUIT) for Systems Management Server (SMS), and the SMS 2003 Inventory Tool for Microsoft Updates (ITMU).

Next, bulletin MS06-014 is rated as critical for all currently supported versions of Windows except for Windows Server 2003, for which it is rated as moderate. MS06-014 addresses a vulnerability in Microsoft Data Access Components (MDAC) that could enable remote code execution in the context of the logged-on user. For detection and deployment, MS06-014 is detectable by MBSA 2.0 and can be deployed using SUS, WSUS, SUIT and ITMU. Detection for MBSA 1.2.1 is limited to Windows XP SP2 and Windows Server 2003 RTM and SP1. MBSA 1.2.1 customers will need to use the April 2006 version of the Enterprise Scan Tool (EST) to detect the Windows 2000 and Windows XP SP1 instances of this issue.

MS06-015 is rated as critical for all currently supported versions of Windows and is a remote code-execution vulnerability in Windows Explorer that could enable code to run in the context of the logged-on user. For detection and deployment, MS06-015 is detectable by MBSA 1.2.1 and 2.0 and can be deployed using SUS, WSUS, SUIT and ITMU.

MS06-016 is rated as important and addresses a remote code execution vulnerability in current versions of Outlook Express. This vulnerability could make it possible to run code in the security context of the logged-on user. For detection and deployment, MS06-016 is detectable by MBSA 2.0 and the April 2006 version of the EST and can be deployed using SUS, WSUS, ITMU and the SMS Security Update Scan Tools.

MS06-017 is rated as moderate and addresses a cross-site scripting vulnerability in Microsoft FrontPage Server Extensions and SharePoint Team Services 2002. The impact of this vulnerability would be to run script in the security context of the logged-on user. For detection and deployment, because FrontPage Server Extensions can ship with Windows Server 2003 or can be downloaded and installed on other versions of Windows, the detection and deployment tools will vary depending on your specific version. Deploying this through SMS may require customers to change some of their default SMS administrative settings. Please see the bulletin for more details.

Lastly, MS06-005 is being re-released to let customers know that revised versions of the security update are available for Microsoft Windows Media Player 10 when installed on Windows XP SP1 or Windows XP SP2.

As we do every month, we are releasing our monthly installment of our Windows Malicious Software Removal Tool to eradicate malware from users' systems. This month's update removes Win32/Locksky, Win32/Valla and Win32/Reatle. This tool is on Windows Update and Microsoft Update, and can be deployed using WSUS.

I'll close this month's column by sharing some resources to help you during the evaluation, testing and deployment of this month's security updates.

You can obtain Microsoft security bulletins on the TechNet Security Center site at In addition, you can find information about how to sign up for notifications when bulletins are released or updated at

Each month, we host a technical webcast to learn more about that month's security updates and answer your questions live on the air, or over the Web as the case may be. This month's will be held on Wednesday, April 12, 2006, at 2:00 p.m. EDT. You can register for the webcast at

And that completes our overview of the April 2006 release. I thank you for reading, and I appreciate the opportunity to offer extra information about our monthly updates. I look forward to sharing more with you next month about our efforts to improve security.

Dig Deeper on Application attacks (buffer overflows, cross-site scripting)

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.