This story was printed from ZDNet Australia.
Get up to speed on Microsoft's August security bulletins

By John McCormick, TechRepublic
August 24, 2006
URL: http://www.zdnet.com.au/insight/security/soa/Get-up-to-speed-on-Microsoft-s-August-security-bulletins/0,139023764,139267350,00.htm
August has been a busy month for Microsoft. The software giant released 12 security bulletins, nine of which it rated critical -- collectively fixing 10 Windows flaws and three Office threats.

In this article, John McCormick brings you up to speed on these important security bulletins. Firstly we'll be addressing the ones I find most critical and wrap up with the less-critical updates on the following page.

Microsoft doesn't number bulletins based on either theoretical or real-world criticality, so the security bulletin numbers are merely placeholders -- not a ranking of importance. I'm not debating that these updates are all critical; I'm simply addressing them in what I consider the correct order of significance according to the current threat each poses.

Before we begin, let me give you an idea of the method behind my madness. I first looked at whether anyone is already exploiting the underlying vulnerability. In my opinion, this is the more important factor when it comes to determining the threat level, particularly because these vulnerabilities all contain some remote code execution threats.

Of course, attackers could start exploiting any of the others tomorrow. However, it's unlikely that attacks would take place immediately. In addition, you probably won't want to fix everything at once -- at least not before looking over the implications of the patches.

In my opinion, the following four security bulletins present the most threat.

This month, Redmond released a total of 12 security bulletins, rating nine of them as critical threats. (The remaining three bulletins are important threats.) The updates collectively fix 20 flaws in Windows and patch three flaws in Office.

MS06-040

Strangely enough, while the bulletin states that there has been no public disclosure of this vulnerability, it also states that the company has received reports of active exploits.
The bulletin emphasises that this is not a replacement for Microsoft Security Bulletin MS06-035, which addressed a similar -- but different -- problem. Make sure you install both updates.

MS06-042
So far, only one of these threats reportedly has exploit code circulating, and there are no reports of any active exploits at this time.

This security bulletin affects IE 5.01 Service Pack 4 on Windows 2000 SP4 and all versions of IE 6 on Windows 2000, Windows XP, and Windows Server 2003. Although the cumulative impact of all of these vulnerabilities adds up to a critical threat, most are only moderate or low-level threats to fully patched IE 6 versions on Windows XP SP2, Windows Server 2003, and Windows Server 2003 SP1.

MS06-047

MS06-047 addresses the Visual Basic for Applications Vulnerability (CVE-2006-3649). While this vulnerability also affects Office XP and Visual Basic for Applications SDK 6.0, 6.2, 6.3, and 6.4, it's only an important threat for these versions.

The only recommended workaround is not to open unexpected Office files or any Office files from untrusted sources.

MS06-048

However, attackers are already exploiting the Mso.dll vulnerability, which is why I'm addressing it. MS06-048 addresses two vulnerabilities: Microsoft PowerPoint Mso.dll Vulnerability (CVE-2006-3590) and Microsoft PowerPoint Malformed Records Vulnerability (CVE-2006-3449).

This security bulletin replaces Microsoft Security Bulletin MS06-038. It affects PowerPoint 2000, PowerPoint 2002, PowerPoint 2003, PowerPoint 2004 for Mac, and PowerPoint 2004 v. X for Mac.

These remaining updates are both critical and important. They either present a low-level threat or haven't been the target of an active exploit, making them less dangerous than the first four.

MS06-041

This update affects Windows 2000 Service Pack 4, all versions of Windows XP, and all versions of Windows Server 2003. This is a critical threat for all affected versions. Both vulnerabilities are previously undisclosed threats, and there had been no reports of active exploits for either at the time of publishing.
In addition, an attacker can only exploit the buffer overrun vulnerability on a subnet between the host and the DNS server. Workarounds include blocking DNS record types ATMA, TXT, X25, HINFO, and ISDN DNS at network gateways. A workaround for the Winsock vulnerability is to modify the Autodial DLL in the registry. See the security bulletin for more details.

MS06-043

This is a publicly disclosed threat, but there had been no reports of active exploits at the time of publishing. Internet Explorer runs in a restricted security mode on Windows Server 2003, and Outlook Express opens HTML e-mails in the Restricted Sites security zone; both factors mitigate the potential risk.

MS06-044

While this is a critical threat, it only affects Windows 2000 SP4. The best way to mitigate this threat is to run IE 6. A good workaround is to disable Active Scripting in the My Computer zone.

MS06-046

This update affects Windows 2000 SP4, all versions of Windows XP, and all versions of Windows Server 2003. It is a critical threat for Windows 2000 and Windows XP versions, but it's only a moderate threat for Windows Server 2003 versions.

Using the latest, fully patched version of Internet Explorer or Outlook will mitigate this threat, and the security bulletin offers several workarounds. The most useful one is to disable the HTML Help ActiveX control.

MS06-051

This update affects Windows 2000 SP4, all versions of Windows XP, and all versions of Windows Server 2003. Because of the Unhandled Exception Vulnerability, this is a critical threat for all affected versions.

There are multiple mitigating factors. First of all, an attacker would need valid logon credentials to exploit the user profile vulnerability. In addition, applying all patches and leaving Outlook's default setting to open HTML e-mails in the Restricted Sites security zone would block the remote code execution threat.

Well, that sums up this month's critical security bulletins.
Now, let's look at the three bulletins rated as important threats.

MS06-045

This update affects Windows 2000 SP4, all versions of Windows XP, and all versions of Windows Server 2003. It's an important threat for all affected versions.

Firewall best practices would likely block an attack on this vector. By default, many programs open HTML e-mails in the Restricted Sites security zone. A workaround is to disable the Web Client service.

MS06-049

As the name implies, this important-rated threat is only an elevation of privilege threat, and it only affects Windows 2000. Valid logon credentials are required to conduct an attack on this vector. Microsoft reports no workarounds. This security bulletin replaces MS05-055.

MS06-050

This update affects Windows 2000 SP4, all versions of Windows XP, and all versions of Windows Server 2003. It's an important threat for all affected versions. This security bulletin replaces MS05-015.

Final word

In my experience, while Windows 2000 still sees heavy use in government, most corporate users have moved on, which eliminates some of the threats entirely. Using best practices will block some others, and there have been no reports of active exploits for any of the ones in this article.

TechRepublic is the online community and information resource for all IT professionals, from support staff to executives. We offer in-depth technical articles written for IT professionals by IT professionals. In addition to articles on everything from Windows to e-mail to firewalls, we offer IT industry analysis, downloads, management tips, discussion forums, and e-newsletters.

©2006 TechRepublic, Inc.