The October 2006 Microsoft monthly security bulletin is a sizable release that addresses vulnerabilities affecting Microsoft Office, Microsoft Windows and the Microsoft .NET Framework.

Since the September 2006 Inside MSRC column, we've seen increased activity around irresponsibly and publicly disclosed vulnerabilities. At the end of September, we released MS06-055 as an out-of-band release to help protect customers against attempts to exploit a vulnerability in Vector Markup Language (VML). We also released four Microsoft security advisories with information about steps customers could take to protect themselves against irresponsibly and publicly disclosed vulnerabilities.
About this column: As part of a special partnership with SearchSecurity.com, Christopher Budd, security program manager for the Microsoft Security Response Center (MSRC), offers an inside look at the process that leads up to "Patch Tuesday" and guidance to help security professionals make the most out of the software giant's security updates.
For this month's column, I will call out important elements of the October 2006 monthly security bulletin and try to help you understand how some of the bulletins for this month's release relate to the security advisories we issued at the end of September. Also, I will briefly review MS06-055 and the actions we recommend you take.
Lifecycle: Windows XP SP1
Before discussing the October 2006 release or the activity we saw after the September 2006 release, I want to call your attention to the Microsoft Support Lifecycle (MSL) deadline for Windows XP Service Pack 1 (SP1) this month.

As I mentioned at the start of the September 2006 column, the October 2006 monthly bulletin marks the last release for Windows XP SP1. This means that the updates we've provided this month are the last ones we will be providing for Windows XP SP1 through our standard monthly security release process.

We go to great lengths to provide clear deadlines and advance warning about MSL deadlines through our MSL Web site at http://www.microsoft.com/lifecycle. It's our hope that by doing so we're able to help you plan your upgrade cycles effectively, so most -- if not all -- of you are now on Windows XP SP2. However, if you are still on Windows XP SP1, we strongly urge that you move immediately to the publicly supported service pack for Windows XP, which is SP2.
MS06-055
On Sept. 19, 2006, we became aware of new public reports of a vulnerability in the Microsoft Windows implementation of the Vector Markup Language. At that time, we were also aware of the public release of detailed exploit code that could be used to exploit this vulnerability. We invoked our Software Security Incident Response Process (SSIRP) and released Microsoft Security Advisory 925568, which provided information on the issue and steps customers could take to protect themselves. At that time we also announced that we were working on a security update for the issue slated for release as part of the October 2006 monthly security bulletin release.

After releasing the security advisory, we continued to monitor the situation and became aware of a public attack utilizing the vulnerability. While our monitoring of attack data continued to indicate that the attacks and customer impact were limited, because testing of the update was completed earlier than anticipated, we released an out-of-cycle update one week later on Sept. 26, 2006, as Microsoft security bulletin MS06-055.

To help address customer questions and concerns, we held a special edition of our security bulletin webcast on Sept. 27, 2006. If you did not catch the webcast when it was aired, you can listen to it on demand at the link above.

We strongly encourage customers to deploy MS06-055 as soon as possible. Note: If customers have deployed the workaround titled "Modify the Access Control List on Vgx.dll to be more restrictive" from the security advisory, the security updates provided with MS06-055 may not install correctly. Customers who have deployed that workaround should see the "Workarounds for VML Buffer Overrun Vulnerability – CVE-2006-4868" section of MS06-055 for instructions on how to revert this workaround before applying the security update.
MS06-058 and MS06-060
In September we released two security advisories related to limited "zero-day" attacks against Microsoft Office. Security advisory 925984 discussed limited attacks against Microsoft PowerPoint, and security advisory 925059 discussed limited attacks against Microsoft Word 2000.

In the October 2006 release, we are releasing security updates that address both of these issues. MS06-060 addresses the vulnerability discussed in security advisory 925059, and MS06-058 addresses the vulnerability discussed in Microsoft Office Security Advisory 925984.

Although the attacks in both cases were limited in scope, we recommend customers deploy these updates right away. Note: While security advisory 925059 applied only to Microsoft Word 2000, the security bulletin MS06-060 applies to all currently supported versions of Microsoft Word, including Microsoft Office for Mac.
MS06-057
On Sept. 28, 2006, we became aware of new public reports of a vulnerability in the Microsoft WebViewFolderIcon ActiveX Control (Web View). We released Microsoft Security Advisory 926043 as part of our Software Security Incident Response Process. Microsoft security bulletin MS06-057 addresses the vulnerability discussed in security advisory 926043.

While this is a vulnerability in an ActiveX Control, unlike MS06-056, this security update does not address the vulnerability by setting the "kill bit" on the Microsoft WebViewFolderIcon ActiveX Control. In this case, the vulnerability is addressed by correcting the parameter validation in the WebViewFolderIcon ActiveX object.

Our investigation into Web sites attempting to exploit this vulnerability showed that, in most cases, attempts to install malicious software by exploiting the vulnerability failed. This was due to specific technical factors related to the vulnerability. However, we encourage customers to deploy this update as soon as possible.
MS06-061
MS06-061 is a critical bulletin that affects Microsoft XML Core Services, which is designed to allow multiple versions of the component to reside on a system in different locations, providing support for specific applications. This means that, depending on which versions are installed, your system may require more than one of the security updates provided with MS06-061.

Specifically, MS06-061 provides updates for the following versions of Microsoft XML Core Services:
- Microsoft XML Core Services 3.0
- Microsoft XML Core Services 4.0
- Microsoft XML Core Services 5.0
- Microsoft XML Core Services 6.0

Any and all of these versions that are on your system should be updated with the security updates provided with MS06-061.

In addition, the security updates for MS06-061 set the "kill bits" for Microsoft XML Parser 2.6. Customers still using Microsoft XML Parser 2.6 should update to the latest version, Microsoft XML Core Services 6.0.
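Both the MS06-057 discussion above (a fix by parameter validation rather than by kill bit) and the MS06-061 kill bits for Microsoft XML Parser 2.6 turn on the same mechanism: Internet Explorer refuses to instantiate a control whose CLSID has the 0x400 bit set in the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility. The following is an added example, not code from the column or from Microsoft, that audits a `reg export` of that key and reports, for a list of CLSIDs you care about, whether the kill bit is actually set. The CLSIDs in the embedded sample are constructed placeholders, not the identifiers of any real control; the sample export text is likewise constructed to mimic the .reg format.

```python
import re
from typing import Dict, Iterable

# Bit in "Compatibility Flags" that marks a control as killed (never instantiated by IE).
KILL_BIT = 0x400

# Constructed stand-in for the output of:
#   reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" compat.reg
# The CLSIDs are placeholders, not identifiers of any real ActiveX control.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000AAAA}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000BBBB}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000CCCC}]
"Compatibility Flags"=dword:00000401
"""

KEY_RE = re.compile(r"^\[(?P<path>.+)\]$")
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:(?P<hex>[0-9A-Fa-f]{8})$')


def parse_compat_flags(reg_text: str) -> Dict[str, int]:
    """Map each CLSID subkey in the export to its Compatibility Flags value.

    Subkeys without a Compatibility Flags value are simply absent from the result.
    """
    flags: Dict[str, int] = {}
    current = None  # CLSID of the subkey whose values we are currently reading
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            tail = key.group("path").rsplit("\\", 1)[-1]
            current = tail.upper() if CLSID_RE.match(tail) else None
            continue
        val = FLAGS_RE.match(line)
        if val and current is not None:
            flags[current] = int(val.group("hex"), 16)
    return flags


def kill_bit_set(compat_flags: int) -> bool:
    """True when the 0x400 kill bit is present, whatever other flag bits are set."""
    return bool(compat_flags & KILL_BIT)


def audit_kill_bits(reg_text: str, clsids: Iterable[str]) -> Dict[str, str]:
    """Report kill-bit status for each CLSID of interest; a missing entry means no kill bit."""
    flags = parse_compat_flags(reg_text)
    report: Dict[str, str] = {}
    for clsid in clsids:
        clsid = clsid.upper()
        if clsid not in flags:
            report[clsid] = "no Compatibility Flags entry (kill bit not set)"
        elif kill_bit_set(flags[clsid]):
            report[clsid] = "kill bit set"
        else:
            report[clsid] = "entry present but kill bit NOT set"
    return report


if __name__ == "__main__":
    # Placeholder CLSIDs; on a real system substitute the CLSIDs listed in the bulletin.
    watch = [
        "{00000000-0000-0000-0000-00000000AAAA}",
        "{00000000-0000-0000-0000-00000000BBBB}",
        "{00000000-0000-0000-0000-00000000CCCC}",
        "{00000000-0000-0000-0000-00000000DDDD}",
    ]
    for clsid, status in audit_kill_bits(SAMPLE_REG_EXPORT, watch).items():
        print(f"{clsid}: {status}")
```

`reg export` writes the file as UTF-16 with a byte-order mark, so on a real export open it with `encoding="utf-16"` before passing the text in. The audit deliberately treats a missing subkey and a present-but-zero value the same way a defender should: in neither case is the control blocked, which is exactly the situation MS06-057 leaves you in by design, since that bulletin fixes the control's parameter validation instead of killing it.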
Fortunately, however, our detection tools will correctly identify for you which updates provided with MS06-061 apply to your systems; the deployment tools will also install the correct updates for you.
As always, we will be doing our regularly scheduled webcast to review these bulletins and answer your questions live on the air. This month's webcast will be on Wednesday, Oct. 11, 2006, at 2:00 p.m. EDT. You can register for the live event at:
http://msevents.microsoft.com/cui/webcasteventdetails.aspx?eventid=1032308775&eventcategory=4&culture=en-us&countrycode=us

Note: If you can't make the live broadcast, the webcast will also be available on demand; simply go to the same location to register.

Finally, the November 2006 monthly security bulletin is scheduled for Tuesday, Nov. 14, 2006. And, once again, I will be joining you here at SearchSecurity.com with another edition of Inside MSRC to help you understand some of the highlights and share information to help you with your testing and deployment of the November security updates.