News Stay informed about the latest enterprise technology news and product updates.

Inside MSRC: ActiveX control change goes permanent

Microsoft's Christopher Budd outlines the finer points behind this month's security bulletins, plus offers advice on when to open Word files and guidance for Exchange administrators.


The month of June is shaping up to be a very busy month here in the Microsoft Security Response Center (MSRC). This month's release of security bulletins is a fairly large one. The last time we had a release of comparable size was in February 2005. For that reason, I'll break out the security updates so that you can get a jump on your risk assessment and prioritization, focusing on a handful of things that you'll want to be particularly aware of.

The first update I want to call out is MS06-027, "Vulnerability in Microsoft Word Could Allow Remote Code Execution." This security update, covered in detail in Microsoft Knowledge Base article 917336, addresses a vulnerability exploited in a limited number of recent attacks. For an attack to be successful, a specially formed Word document would have to be opened after being received either through e-mail or some other way. Should that happen, the attacker's code would run in the user's security context.

About Inside MSRC

As part of a special partnership with, Christopher Budd, security program manager for the Microsoft Security Response Center (MSRC), offers an inside look at the process that leads up to "Patch Tuesday" and guidance to help security professionals make the most out of the software giant's security updates.

Also see:
Inside MSRC: Wisdom on Exchange security

Inside MSRC: Microsoft details Internet Explorer ActiveX update

When we learned of this issue, we invoked our Software Security Incident Response Process and on May 22, published Microsoft Security Advisory 919637, which included workaround information. Our teams have been actively engaged and monitoring this situation, and we've updated the advisory with new information as it has become available, as well as putting information on our blog. All indications from our work still point to this being a very limited, targeted attack. But, because there are active, albeit limited, attacks, we encourage organizations to deploy this update as quickly as possible.

Because the majority of the attacks that we are aware of used Word documents attached in e-mail, this underscores an important point that we make in the MSRC: You should always base your initial trust decision about files and attachments on the source from which you get them. There is no such thing as a safe file from an untrusted source.

The next update that I want to draw your attention to is MS06-029 "Vulnerability in Microsoft Exchange Server Running Outlook Web Access Could Allow Script Injection." This security update contains the change in "Send as" permissions that were included in MS06-019 when it was applied to Exchange Server 2003 Service Pack 1 (SP1). What is new this month is that the change in "Send as" permissions is included when it is applied to Exchange Server 2003 SP2, in addition to Exchange Server 2003 SP1. Note that this change is not included when you apply MS06-029 to Exchange 2000 Server.

The behavior of this change when MS06-029 is applied to Exchange Server 2003 SP2 is the same as when MS06-019 (or MS06-029, now) is applied to Exchange Server 2003 SP1. Therefore, all the same caveats still apply. The May 2006 issue of Inside MSRC is an excellent resource for understanding the nature of this change and what to do as part of your planning: all of the information and guidance that applies to Exchange Server 2003 SP1 also applies to Exchange Server 2003 SP2 when you apply MS06-029. All Exchange Server 2003 SP2 administrators are encouraged to review the information on this change and make adjustments to their testing and deployment testing as appropriate.

Also note that MS06-029 does not supersede MS06-019: You need to apply both to your systems to be protected against the issues discussed in both bulletins. As always, the Microsoft Security Baseline Analyzer (MBSA) can help you around questions of supersedence. Further details can be found in Microsoft Knowledge Base article 912442.

Addressing Internet Explorer
MS06-021 is our June cumulative update for Internet Explorer. However, there are a couple of items that make this month's update somewhat different from past cumulative IE updates. First, as discussed in the April 2006 Security Bulletin for Internet Explorer, MS06-013, in MS06-021 the changes to the way Internet Explorer handles ActiveX controls are being made permanent. Also, MS06-021 is connected with two other security updates -- MS06-022 and MS06-023 -- that you should be aware of when planning for testing and deployment.

As background, the ActiveX control change was introduced in MS06-013. In February, we released Microsoft Security Advisory 912945, "Non-Security Update for Internet Explorer," to alert customers of a change that was being introduced in how Internet Explorer handles some Web pages that use ActiveX controls and to say that this change would be included in the next Internet Explorer Security Update. We provided technical details on the change in Microsoft Knowledge Base Article 912945.

In April 2006, we released MS06-013, which contained this change in ActiveX functionality. To help enterprise customers who needed more time to prepare for the ActiveX update changes, we released a compatibility patch on April 11, which we discussed in Microsoft Knowledge Base Article 917425. This was intended as a temporary tool to enable enterprises that needed more time to complete their testing by disabling the behavior of the IE ActiveX update. In MS06-013, we indicated that the tool was temporary and would only function until the release of an Internet Explorer update as part of the June update cycle.

So in a nutshell, MS06-021 is the Internet Explorer update that ends support for the compatibility patch. This means that all users who apply MS06-021 will receive the ActiveX update behavior change regardless of whether or not they have applied the compatibility patch. If you deployed the compatibility patch in April, then your organization's testing and deployment planning should account for the results of your testing of this behavior change since April.

Additional updates and changes
When planning your testing and deployment of MS06-022, which involves a remote code execution vulnerability in .art file image rendering, it's important to be aware of how it relates to MS06-021.

First, it helps to understand that the .art file is an image file format used by the America Online client software. Most versions of Windows include an .art file library, and Internet Explorer displays .art images as well.

MS06-022 addresses vulnerabilities in the .art image libraries included with most forms of Windows. MS06-021 contains a defense-in-depth change so that Internet Explorer will no longer render the .art image file format. Even though Internet Explorer will no longer render ART files, there are other non-Microsoft applications that can render .art files, and MS06-022 provides protections for those applications.

While support for .art files is included with most forms of Windows, it's worth noting that those running Windows 2000 SP4 would only have support for .art files if the Windows 2000 AOL Image Support Update is manually installed. Thus, you should think of MS06-022 as the update that addresses the vulnerability in .art files and MS06-021 as an additional layer of protection. More detail is available in Microsoft Knowledge Base article 918439.

June bulletin breakdown

Client Systems
Critical: Non-critical:

Critical: Non-critical:

Critical but require user interaction:
MS06-027 (only if Word is installed)
MS06-028 (only if Powerpoint is installed)

For your testing and deployment planning for MS06-021, think of MS06-023 as a companion update to MS06-021. For fullest protection, you should test and deploy them together. This is because, due to changes contained in MS06-021, it is possible that, if applied alone, MS06-021 could expose the vulnerability that we are addressing in MS06-023, or that other application compatibility issues could arise. Based on our development and testing, applying MS06-023 at the same time as MS06-021 will protect against the vulnerability that could be exposed and address the application compatibility issues that we identified that could arise.

Taking a step back, then, when you look at MS06-021, we recommend that you include two things throughout your evaluation, testing and deployment:
1. You account for the changes to the way Internet Explorer handles ActiveX controls.
2. You view MS06-021, MS06-022, and MS06-023 as interrelated security updates and test and deploy them together.

Also, because there are a large number of bulletins this month, I've gone ahead and grouped bulletins based on their severity rating (see sidebar left). I've also grouped those bulletins that are likely to apply to client systems and those that are likely to apply to servers. For the servers, I've also grouped those that address vulnerabilities that involve user interaction specifically, as that can be relevant to your risk assessment. Note that the Word and PowerPoint bulletins are critical, but for a server to be vulnerable, these applications would have to be specifically installed.

Note that this is based on the aggregate maximum severity of the bulletin, so as always you should check the actual severity ratings for the products installed in your environment as part of your risk assessment. And, of course, this is intended to assist but not replace your own risk assessment process.

That covers some of the important things you should be aware of in this month's release. As we do each month on the day after the bulletin release, we will be hosting a technical webcast to share more information about this month's release and, most important, to answer your questions on the air. This month's webcast will be on Wednesday, June 14, 2006, 2:00 p.m. ET and you can register by clicking on the link. Our next regularly scheduled bulletin release is slated for Tuesday, July 11.

Finally, many of us at the MSRC will be in Boston this week to meet with many of you at TechEd 2006. If you will be there, please come by to our MSRC/Security Development Lifecycle (SDL) booth and check out my presentations, "Integrating Your Emergency Response Process With the Microsoft Security Incident Response Process" and "Reading a Microsoft Security Bulletin." We hope to see you at TechEd.

Dig Deeper on Microsoft Patch Tuesday and patch management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.