Initial impressions on this month’s security updates – Tales from the Crypto

You can find this month's Microsoft Security Bulletin here.

Here's what it contains:

Moderate:

MS06-056 – Vulnerability in ASP.NET Could Allow Information Disclosure (922770) – If you do .NET 2.0 web site hosting, apply this. Moderate risk of information disclosure – nothing to get hugely excited about, but if your .NET development team don't understand the information being disclosed, find a better expert.

Critical:

MS06-057 – Vulnerability in Windows Shell Could Allow Remote Code Execution (923191) – This is the WebViewFolderIcon ActiveX vulnerability. Since this patch fixes the vulnerability, don't forget that if you've taken any other mitigating steps (adding a restrictive ACL, modifying the file yourself, etc.), you will almost certainly want to undo them before applying this patch.

MS06-058 – Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (924163) – If you use PowerPoint, apply this patch. Don't assume that the later "Office patch" in today's release will fix this problem. According to the documentation as it stands currently, that is not the case. This patch also applies to PowerPoint on the Apple Mac!

MS06-059 – Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (924164) – As with the PowerPoint patch, install this one if you use Excel. And then install the Office patch as well. This patch applies even if you use Excel on the Apple Mac!

MS06-060 – Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (924554) – You get the picture, apply this patch if you use Word – even Word on the Mac! And then install the Office patch.

MS06-061 – Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (924191) – XML has been Microsoft's religion for the last several years. I can't begin to sum up the number of programs that are likely to have some tie-in to this.  Since it's a remote code execution vulnerability, I suggest you apply it everywhere.  That includes servers, because they may be using web services and XML in order to communicate.

MS06-062 – Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (922581) – If you run Office – even Office on the Mac! – apply this patch – and then go check that you applied all the other patches for various components of Office.  Better still, go use Microsoft Update, and just update all your Microsoft applications automatically.  [I don't think Microsoft Update applies to the Mac – you may have to download these by hand.]

Important:

MS06-063 – Vulnerability in Server Service Could Allow Denial of Service (923414) – Taking your computer offline by sending it a network packet – for servers, that's generally more than important to prevent, so unless you are blocking the usual ports (and can trust your internal users not to run random downloaded garbage), definitely install this on your servers at first opportunity. And don't forget that clients run the server service, otherwise they wouldn't be able to share files across the network.

Low:

MS06-064 – IP Could Allow Denial of Service (922819) – reading the article carefully shows that this is related to IPv6 only.  Blocking all IPv6 traffic at the network would be a good mitigation if you are not using IPv6. You can also uninstall IPv6 by running the command "netsh interface ipv6 uninstall". This vulnerability essentially allows people who can 'ping' your box through IPv6 to occasionally disconnect some of your applications' connections. Most people today are not using IPv6, so this is really unlikely to cause anyone much bother. Install it or don't.

Moderate:

MS06-065 – Vulnerability in Windows Object Packager Could Allow Remote Code Execution (924496) – In my view, this one's a bit of a stretch. It'd require a user agreeing to a dialog box that didn't quite look remotely right.

General recommendations:

Okay, so clearly, at home and my small business, I'm going to install all of these by automatic updates, and reboot the first chance I get.  It's been a long time since Microsoft has released a really cruddy update.

At my day job, where it "requires an Act of Congress" to reboot a server, I'm still going to recommend that all workstations install all of the critical vulnerabilities, plus MS06-063; the servers should install MS06-056, and if they're file servers, MS06-063.
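As an added example (my own, not part of the original post), here is a PowerShell check that applies the workstation/server split above to the Windows bulletins from this release and reports which KBs are missing on the machine it runs on. It assumes PowerShell 3.0 or later on Windows (for Get-HotFix and Get-CimInstance); the role names and the "file server = server with a non-administrative disk share" rule are my own assumptions.

```powershell
# Added example, not from the original post: report which of this month's
# Windows bulletins are missing, following the workstation/server recommendation.
# Assumes PowerShell 3.0+ on Windows (Get-HotFix and Get-CimInstance available).
# The Office bulletins (MS06-058/059/060/062) are generally not recorded in the
# hotfix list that Get-HotFix reads, so they are deliberately not checked here.
$bulletins = @(
    @{ Id = 'MS06-056'; KB = 'KB922770'; Workstation = $false; Server = $true;  FileServer = $true  }
    @{ Id = 'MS06-057'; KB = 'KB923191'; Workstation = $true;  Server = $false; FileServer = $false }
    @{ Id = 'MS06-061'; KB = 'KB924191'; Workstation = $true;  Server = $false; FileServer = $false }
    @{ Id = 'MS06-063'; KB = 'KB923414'; Workstation = $true;  Server = $false; FileServer = $true  }
)

function Get-MachineRole {
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
    $os = Get-CimInstance Win32_OperatingSystem
    if ($os.ProductType -eq 1) { return 'Workstation' }
    # Assumption: a server exposing any non-administrative disk share is a file server.
    # Win32_Share Type 0 is a plain disk share; admin shares such as C$ use a different type.
    $shares = Get-CimInstance Win32_Share | Where-Object { $_.Type -eq 0 }
    if ($shares) { return 'FileServer' } else { return 'Server' }
}

function Get-MissingBulletins {
    param([string]$Role = (Get-MachineRole))
    # HotFixID values look like 'KB923414'
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    foreach ($b in $bulletins) {
        $wanted = switch ($Role) {
            'Workstation' { $b.Workstation }
            'Server'      { $b.Server }
            'FileServer'  { $b.Server -or $b.FileServer }
        }
        if ($wanted -and ($installed -notcontains $b.KB)) {
            [pscustomobject]@{ Bulletin = $b.Id; KB = $b.KB; Role = $Role }
        }
    }
}

# Usage: list what this machine still needs, given its detected role
Get-MissingBulletins | Format-Table -AutoSize
```

An empty table means every bulletin recommended for the detected role is already installed; pass -Role explicitly to check a different policy against the same machine.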

And, of course, the usual recommendations stand:

  • Don't surf from the servers.
  • Don't run Office (and Outlook is part of Office!) on the servers.
  • Don't believe your Mac is immune.
  • Don't run as an administrator-level account. Ever. Unless you absolutely have to.
