News Stay informed about the latest enterprise technology news and product updates.

Inside MSRC: A look at Microsoft's September patches

Christopher Budd of the Microsoft Security Response Center says this is the final month of public security support for Windows XP Service Pack 1.

This month's Microsoft security update contains three new security bulletins, revisions for two August security bulletins -- MS06-040 and MS06-042 -- and tips on how to respond to the Microsoft Security Advisory (922582).

Before discussing the new updates for September 2006, I want to call attention to something that is as important as this month's new security updates: the upcoming expiration of public security support for Windows XP Service Pack 1.

In accordance with our Microsoft Support Lifecycle policy, the October security bulletin release is the last one in which we will regularly issue security updates for Windows XP SP1. The bulletin is scheduled for Oct. 10. After that date we will not publicly provide security updates for Windows XP SP1.

Because this deadline is less than one month away, we encourage you to review the Microsoft Support Lifecycle policies on our Web site and build up a planned schedule for upgrades and retirement that ensures your environment always remains within the window of public security support.

About this column:
As part of a special partnership with, Christopher Budd, security program manager for the Microsoft Security Response Center (MSRC), offers an inside look at the process that leads up to "Patch Tuesday" and guidance to help security professionals make the most out of the software giant's security updates.    
Now for a look at this month's security bulletins:

MS06-054 applies to Microsoft Publisher and is the only bulletin rated as "critical" for September 2006. Microsoft Publisher is part of the Microsoft Office family and is installed by default only on the professional suites of Office. All administrators of Microsoft Office systems should evaluate MS06-054 and deploy the updates in their environment.

An attempt to exploit the vulnerability in Microsoft Publisher would require an attacker to create a specially formed Microsoft Publisher file and either post it on a Web page or send it as an attachment in email.

We also want to make Office 2000 customers aware of a tool that administrators can download and install, called the Office Document Open Confirmation Tool, which provides the same type of security warning dialog box found in Office XP and Office 2003: The tool can be downloaded from our Web site.

Office 2000 administrators should review this tool and implement it in their environment. Because of the ways it mitigates these types of attacks, Office 2000 administrators may decide to incorporate it into any evaluation of future Office 2000 security updates.

Since Microsoft Publisher is part of the Microsoft Office family, the Microsoft Security Baseline Analyzer (MBSA) support for this update mirrors that of other Microsoft Office updates: MBSA 2.0 does not provide support for the Office 2000 security update, while MBSA 1.2.1 does.

MS06-052 affects Windows XP and is only rated as "Important." In evaluating the bulletin, administrators should be aware that this bulletin addresses a vulnerability in Pragmatic General Multicast (PGM). PGM is supported only when Microsoft Message Queuing (MSMQ) 3.0 is installed and the MSMQ service is not installed by default.

Although we encourage all administrators to ultimately deploy this security update, administrators can factor the default state of Windows XP systems into their risk assessment when they are prioritizing security updates this month.

MS06-053 addresses a cross-site scripting vulnerability in the Microsoft Indexing Service, which could enable an attacker to execute script embedded in a Web page in the security context of the logged-on user.

Although the vulnerability is located in the Microsoft Indexing Service, the particulars of the vulnerability require that for an attack to be successful, the user must be running Internet Information Services (IIS). Attempts to exploit the vulnerability against users whose systems are not running IIS would fail.

Because IIS is not installed by default on Windows XP or Windows Server 2003 systems, attempts to exploit this vulnerability on these systems in their default configuration would fail. Administrators can factor this into their risk assessment for prioritization for deploying the updates associated with this bulletin.

Revised bulletins from August
Customers running Microsoft Windows Server 2003 and Microsoft Windows XP Professional x64 should be aware that there's an updated version of MS06-040 available for them. This updated version addresses an issue experienced by applications that request a single contiguous memory allocation block exceeding 1 GB. This issue is documented in Microsoft Knowledge Base Article 924054. Customers running Windows Server 2003 and Windows XP x64 should apply the revised update.

Customers who are running Internet Explorer 5.0 Service Pack 4 and Internet Explorer 6.0 Service Pack 1, or Internet Explorer 6 on Windows Server 2003 should be aware that we have released a revised version of the MS06-042 update to address a vulnerability that was introduced in the original update and not addressed in the revised update released on Aug. 24, 2006.

Customers using Internet Explorer 5.01 SP4 on Windows 2000, Internet Explorer 6.0 SP1 on Windows 2000, Windows XP SP1 or Internet Explorer 6 on Windows Server 2003 who deployed either the original update released on Aug. 15, 2006, or the revised update released on Aug. 24, 2006, should deploy the revised version released on Sept. 11, 2006. That said, echoing the information about the upcoming expiration of public security support for Windows XP SP1, customers on that platform still should be evaluating upgrade plans to Windows XP SP2.

Microsoft Security Advisory (922582)
I want to briefly cover Microsoft Security Advisory (922582). This Security Advisory is intended to make you aware of a high-priority, non-security update being made available through Microsoft Update (MU), Windows Update (WU), Windows Server Update Services (WSUS), and Software Update Services (SUS).

Although the update does not address a security vulnerability per se, it is an update that addresses an issue which could impact customers' ability to receive security updates. Because we use security advisories to make customers aware of important security information, we've issued this advisory to make you aware of this nonsecurity update.

The update specifically addresses an error that could result when using a minifilter-based application on a system. At this time, Windows Server 2003 R2 is the only version of Windows that ships with a minifilter-based application, however this application is not installed by default. As independent software vendors (ISVs) build new applications using the minifilter technology, this error could affect any systems in the future.

This error code could occur when updating any of the following Microsoft tools:

  • Automatic Updates
  • WU Web site
  • MU Web site
  • Inventory Tool for Microsoft Updates (ITMU) for Microsoft Systems Management Server (SMS) 2003
  • SUS
  • WSUS

    We recommend that you review the Security Advisory and the associated knowledge base article and deploy this update on all affected systems to prevent any risk of future issues deploying security updates.

    Microsoft Security Advisory (925143)
    Also, we've released Microsoft Security Advisory (925143) -- Adobe Security Bulletin: APSB06-11 Flash Player Update to Address Security Vulnerabilities today. This advisory is to make customers aware of a new Adobe Security Bulletin, APSB06-11. This bulletin discusses new security vulnerabilities in Macromedia Flash Player from Adobe which is redistributed with Microsoft Windows XP SP1 and Windows XP SP2.

    For more information please see the Adobe security bulletin.

    That covers the important information surrounding the September 2006 Microsoft monthly security bulletin release. Remember we will be hosting our regularly scheduled Webcast to give you a chance to ask any questions around this month's release.

    The October security bulletin release is scheduled for Oct. 10, 2006. I'll be back next month with more information to help you with your assessment and planning for the bulletin.

  • Dig Deeper on Microsoft Patch Tuesday and patch management

    Start the conversation

    Send me notifications when other members comment.

    Please create a username to comment.