With seven bulletins, the
July 2006 Microsoft monthly security bulletin release is
smaller than last month's. In addition to being a smaller release,
it is generally a simpler release from the standpoint of testing:
This month's updates do not contain any non-security changes, as
last month's Microsoft Exchange bulletin, MS06-029, and Microsoft
Internet Explorer bulletin, MS06-021, did.
Overall, for this month you can best think of the updates as
falling into three broad categories:
- Three updates for Microsoft Office system applications
- Two updates for networking components in Microsoft Windows
- Two updates for systems running Internet Information Services
(IIS)
Because it is a smaller release, for this month's column I want to
focus on providing additional clarification and information about
the updates. Specifically, I will clarify what issues our updates
for Office address. I will also provide some additional information
about the possible vectors for attempts to exploit the
vulnerabilities addressed in the two updates for networking
components in Windows. Finally, I'll briefly touch on information
that will help you understand the scope of the more serious of the
two updates for systems running IIS.
Change to a June update
However, before talking about the July release, I wanted to provide
some follow-up information regarding an
update released in June,
MS06-025. After its initial release, some issues were
identified by our product support service teams working with
customers.
We found that some users of legacy dial-up connections that use a
terminal window, dial-up scripting, or scripts that change device
configuration parameters were experiencing some issues. We updated
the Microsoft Knowledge Base article
associated with MS06-025,
911280, to let
customers know about this issue and the circumstances in which they
might encounter this issue. On June 27, we released an updated
version of MS06-025 that addressed the issues that had been
identified.
One question we have received from customers is whether they
need to apply the updated version of MS06-025. First, it's
important to note that the re-released update contains no new
security changes. Customers who have applied MS06-025 and not
experienced any of the outlined issues do not need to apply this
updated version. Only customers who either applied MS06-025 and
encountered the known issues or have not yet applied MS06-025 need
to apply the updated version. In fact, if you are using Windows
Server Update Services (WSUS) or the Microsoft Baseline Security
Analyzer (MBSA), these will not offer the new version of MS06-025
to systems that already have MS06-025 installed.
Updates for Office
With that said, let's discuss this month's updates. MS06-037
is the one we encourage people to look at first.
This update addresses an issue we discussed in Microsoft
Security Advisory 912365, titled "Vulnerability in Excel Could
Allow Remote Code Execution," which we released on June 21, 2006.
Because the vulnerability addressed by MS06-037 was
subject to limited attacks at the time of the release of the
bulletin, we encourage customers to prioritize this security update
aggressively.
MS06-038 addresses two vulnerabilities, one of which was
also publicly disclosed and exploited on an even more limited
basis.
Finally, unlike MS06-037 and MS06-038, none of the
vulnerabilities addressed by MS06-039 were publicly
disclosed or exploited at the time of bulletin release.
It's important to note that while these three Office updates are
rated as critical for Office 2000 family products, they are rated as
important for Office XP and Office 2003 family products. This is
because Office XP and Office 2003 family products raise a security
dialog box that an end-user must acknowledge before the Office file
is opened, making any attempts to exploit this with malformed
Office files more difficult.
Clarity on additional issues
Beyond reviewing the latest bulletins we are releasing for Office,
I wanted to clarify a couple of recent items of interest that might
cause some confusion this month.
First, on June 20, 2006, there was a public posting of a
proof-of-concept Perl script that claimed to demonstrate a
vulnerability in Excel's processing of long links. We started an
investigation as soon as we learned of this and
posted information on our weblog about the issue. We learned
it's not an issue in Excel, but rather with a Windows component
called hlink.dll. That issue is still under investigation at this
time and none of this month's bulletins apply to that issue.
Also, a public posting by a security researcher about how
Microsoft Excel handles embedded vulnerable ActiveX controls may
have caused some confusion. The posting discussed how it's possible
to embed a vulnerable ActiveX control in an Excel spreadsheet and
use that as a method to exploit the vulnerability in the ActiveX
control.
The important thing to understand is that there is no
vulnerability in Excel in this instance: The posting actually
details a way to exploit vulnerabilities in certain ActiveX
controls, not in Excel. Excel honors the so-called "killbit"
function that prevents ActiveX controls from loading. Any time we
ship a security update for an ActiveX Control, we set that
"killbit" to prevent the old, vulnerable control from being usable.
You can read more about killbits in
Microsoft
Knowledge Base article 240797.
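As an added illustration (not part of the original column or of Microsoft's tooling), the following PowerShell function checks whether a given CLSID has the killbit set, using the registry location and flag value documented in KB 240797; the CLSID in the usage line is a constructed placeholder, not a real control.

```powershell
# Check whether an ActiveX control's CLSID carries the killbit.
# Per KB 240797, a control is killbitted when the DWORD value
# "Compatibility Flags" under
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# has bit 0x400 set. Internet Explorer refuses to instantiate such a
# control, and Office applications such as Excel honor the same flag.
function Test-ActiveXKillBit {
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^\{[0-9A-Fa-f-]{36}\}$')]
        [string]$Clsid
    )

    $base = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
    # On 64-bit Windows, 32-bit hosts read the WOW6432Node view as well.
    $base32 = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'

    foreach ($root in @($base, $base32)) {
        $key = Join-Path $root $Clsid
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $flags = $props.'Compatibility Flags'
        if ($null -ne $flags -and (($flags -band 0x400) -ne 0)) {
            return $true
        }
    }
    return $false
}

# Enumerate every CLSID that currently has the killbit set, which is a
# quick way to confirm an ActiveX security update applied its killbit.
function Get-KillBittedControls {
    $base = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
    if (-not (Test-Path $base)) { return @() }
    Get-ChildItem -Path $base | ForEach-Object {
        $flags = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -ne $flags -and (($flags -band 0x400) -ne 0)) { $_.PSChildName }
    }
}

# Usage with a constructed placeholder CLSID (assumption, not a real control):
Test-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}'
Get-KillBittedControls | Sort-Object
```

Reading these keys requires no elevation, so the check can run under a standard user account as part of routine post-update verification.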
Windows networking, IIS updates
Next, to help with your risk assessment process, let's discuss some
details about the scope of the vulnerability addressed by
MS06-036.
This update is rated critical and addresses a vulnerability in
the DHCP client. The vulnerability is exposed when the DHCP client
has sent out a DHCP request and is waiting for a response from a
DHCP server. This means that attempting to exploit the
vulnerability requires very precise timing and the ability to
generate DHCP server packets. Also, since most networks do not
forward DHCP packets across subnets, attempts to exploit the
vulnerability would be contained within the local subnet.
Speaking of networking, you'll want to note that the two
vulnerabilities addressed in MS06-035 are related to how the
server service handles
Server Message Block (SMB) packets. This means that blocking
Port 445 and Port 139 at your network perimeter will block attempts
to exploit these vulnerabilities. This is a best practice we
strongly recommend; if you don't currently block these ports, you
should consider implementing that practice in addition to deploying
these security updates.
MS06-034 is rated important and is the more serious of
the two bulletins that apply to systems running
IIS. One thing to note with
this update is that it is a vulnerability that occurs when
Active Server Pages (ASP) are processed. This means that any
attempt to exploit the vulnerability would require placing a
specially formed ASP page on the system to be processed. Any
restrictions on the ability to place ASP pages on your IIS system
work against attempts to exploit this vulnerability, so you can
factor them into your risk assessment for this issue.
Legacy OS support ends
In closing, I would like to note that with the July Microsoft
monthly security bulletin release our
public support for security updates for Windows 98, Windows 98
Second Edition and Windows Millennium Edition stops. We
provided additional support for critical security updates for these
versions through Windows Update to allow customers additional time
to migrate off them. With this expiration, we will no longer offer
security updates for these versions of Windows. We encourage anyone
who is still using these versions to upgrade to a version of
Windows that we are still publicly supporting for security updates.
Microsoft offers more information on its product support policies
at the Microsoft
Support Lifecycle Web site.
Also, on Wednesday, July 12, 2006, at 2:00 p.m. EDT, we'll host
our
live webcast, where we will talk about this month's release and
answer your questions. We hope you'll join us.
Finally, mark your calendar for Tuesday, Aug. 8, 2006, for our
August Microsoft monthly security bulletin release.