
August has been a busy month for Microsoft. The software giant released 12 security bulletins, nine of which it rated critical, collectively fixing 20 Windows flaws and three Office flaws. In this article, John McCormick brings you up to speed on these important security bulletins.
First I'll address the ones I find most critical and wrap up with the less critical updates on the following page.
Microsoft doesn't number bulletins by either theoretical or real-world criticality, so the bulletin numbers are merely identifiers, not a ranking of importance. I'm not disputing that these updates are all critical; I'm simply addressing them in what I consider the correct order of significance, according to the current threat each poses.
Before we begin, let me explain the method behind my madness. I first looked at whether anyone is already exploiting the underlying vulnerability. In my opinion, that is the most important factor in determining the threat level, particularly because every one of these bulletins carries some remote code execution threat.
Of course, attackers could start exploiting any of the others tomorrow. However, attacks are unlikely to begin immediately. In addition, you probably won't want to deploy everything at once, at least not before reviewing the implications of each patch. In my opinion, the following four security bulletins pose the greatest threat.
In all, Redmond released 12 security bulletins this month, rating nine of them critical and the remaining three important. Together they fix 20 flaws in Windows and three flaws in Office.
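The ranking method described above (in-the-wild exploitation first, then everything else) can be made explicit so it is applied the same way every month. The following is an added example, not code from the article or from Microsoft: the weights are this example's choice, and the reach values (a rough 0-3 estimate of how much of a typical estate carries the affected software) are assumptions, not vendor data. The exploitation and exploit-code flags are taken from what the article says about each of the four bulletins.

```python
from dataclasses import dataclass

# Microsoft's aggregate bulletin ratings, mapped to a numeric rank.
SEVERITY_RANK = {"Critical": 3, "Important": 2, "Moderate": 1, "Low": 0}


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str
    max_severity: str          # vendor's aggregate rating for the bulletin
    remote_code_execution: bool
    actively_exploited: bool   # vendor reports attacks already under way
    exploit_code_public: bool  # PoC circulating, but no attacks reported
    reach: int                 # assumed 0-3 estimate of the installed base affected


def triage_score(b: Bulletin, reach_weight: int = 1) -> int:
    """Score a bulletin for patch ordering.

    Active exploitation dominates everything else (the article's first test);
    public exploit code counts next, then remote code execution, then the
    vendor severity, and finally how much of the estate carries the affected
    software, scaled by reach_weight. Weights are this example's choice.
    """
    score = 0
    score += 10 if b.actively_exploited else 0
    score += 4 if b.exploit_code_public else 0
    score += 2 if b.remote_code_execution else 0
    score += SEVERITY_RANK.get(b.max_severity, 0)
    score += reach_weight * b.reach
    return score


def prioritize(bulletins, reach_weight: int = 1) -> list:
    # Highest score first; the bulletin ID breaks ties so the order is deterministic.
    return sorted(bulletins,
                  key=lambda b: (-triage_score(b, reach_weight), b.bulletin_id))


# Constructed from the article's statements about the four bulletins it covers.
# Reach values are assumptions for this example, not Microsoft's data.
AUGUST_2006 = [
    # Server Service overrun: every supported Windows version, attacks reported.
    Bulletin("MS06-040", "Critical", True,
             actively_exploited=True, exploit_code_public=False, reach=3),
    # IE cumulative update: "affects almost everyone", PoC but no attacks.
    Bulletin("MS06-042", "Critical", True,
             actively_exploited=False, exploit_code_public=True, reach=3),
    # VBA: Office 2000/XP and the VBA SDK, attacks reported.
    Bulletin("MS06-047", "Critical", True,
             actively_exploited=True, exploit_code_public=False, reach=2),
    # PowerPoint only, Mso.dll flaw already being exploited.
    Bulletin("MS06-048", "Critical", True,
             actively_exploited=True, exploit_code_public=False, reach=1),
]


def ranked_ids(bulletins=AUGUST_2006, reach_weight: int = 1) -> list:
    """Return bulletin IDs in the order they should be deployed."""
    return [b.bulletin_id for b in prioritize(bulletins, reach_weight)]


if __name__ == "__main__":
    print(ranked_ids())                # exploitation dominates
    print(ranked_ids(reach_weight=7))  # reach pulls the IE update up the list
```

With the default weight, the three bulletins that are already being exploited all land ahead of MS06-042; raising `reach_weight` to 7 reproduces the order used in this article, which is a concrete way of seeing that the decision to patch the IE update before the Office ones rests on its reach rather than on its exploitation status.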
MS06-040
Microsoft Security Bulletin MS06-040, "Vulnerability in Server Service Could Allow Remote Code Execution," addresses a buffer overrun vulnerability (CVE-2006-3439). This is a critical threat for all affected versions, which include Windows 2000 SP4, all versions of Windows XP, and all versions of Windows Server 2003.
Strangely enough, while the bulletin states that the vulnerability has not been publicly disclosed, it also states that Microsoft has received reports of active exploits. The bulletin emphasises that this update is not a replacement for Microsoft Security Bulletin MS06-035, which addressed a similar but different problem. Make sure you install both updates.
MS06-042
Microsoft Security Bulletin MS06-042, "Cumulative Security Update for Internet Explorer," is a very important update simply because it affects almost everyone. This bulletin addresses a range of vulnerabilities, some privately reported, some known problems:
- Redirect Cross-Domain Information Disclosure Vulnerability (CVE-2006-3280) -- information disclosure
- HTML Layout and Positioning Memory Corruption Vulnerability (CVE-2006-3450) -- remote code execution
- CSS Memory Corruption Vulnerability (CVE-2006-3451) -- remote code execution
- HTML Rendering Memory Corruption Vulnerability (CVE-2006-3637) -- remote code execution
- COM Object Instantiation Memory Corruption Vulnerability (CVE-2006-3638) -- remote code execution
- Source Element Cross-Domain Vulnerability (CVE-2006-3639) -- remote code execution and information disclosure
- Window Location Information Disclosure Vulnerability (CVE-2006-3640) -- information disclosure
- FTP Server Command Injection Vulnerability (CVE-2004-1166) -- elevation of privilege
So far, only one of these threats reportedly has exploit code circulating, and there are no reports of any active exploits at this time.
This security bulletin affects IE 5.01 Service Pack 4 on Windows 2000 SP4 and all versions of IE 6 on Windows 2000, Windows XP, and Windows Server 2003. Although the cumulative impact of all of these vulnerabilities adds up to a critical threat, most are only moderate or low-level threats to fully patched IE 6 versions on Windows XP SP2, Windows Server 2003, and Windows Server 2003 SP1.
MS06-047
Microsoft Security Bulletin MS06-047, "Vulnerability in Microsoft Visual Basic for Applications Could Allow Remote Code Execution," also deserves immediate attention because attackers are actively exploiting this flaw. This is a critical threat for Microsoft Office 2000 users.
MS06-047 addresses the Visual Basic for Applications Vulnerability (CVE-2006-3649). While this vulnerability also affects Office XP and Visual Basic for Applications SDK 6.0, 6.2, 6.3, and 6.4, it's only an important threat for these versions.
The only recommended workaround is not to open unexpected Office files or any Office files from untrusted sources.
MS06-048
Microsoft Security Bulletin MS06-048, "Vulnerabilities in Microsoft Office Could Allow Remote Code Execution," doesn't appear to pose a great threat at first glance. It only affects PowerPoint users, and it's only critical for PowerPoint 2000. (It's an important threat for all other affected versions.)
However, attackers are already exploiting the Mso.dll vulnerability, which is why I'm addressing it. MS06-048 addresses two vulnerabilities: Microsoft PowerPoint Mso.dll Vulnerability (CVE-2006-3590) and Microsoft PowerPoint Malformed Records Vulnerability (CVE-2006-3449).
This security bulletin replaces Microsoft Security Bulletin MS06-038. It affects PowerPoint 2000, PowerPoint 2002, PowerPoint 2003, PowerPoint 2004 for Mac, and PowerPoint v. X for Mac.