Microsoft Windows, Microsoft Visual Studio, and a Windows
bulletin that applies to Microsoft Internet Explorer (IE) are
addressed in the final Microsoft monthly security bulletins for
2006.
None of the vulnerabilities in this month's bulletins affect
Windows Vista or IE 7. If you are running IE 7, this month's IE
bulletin doesn't apply to you. Likewise, if you're one of the lucky
people running Windows Vista, the Windows bulletins don't apply to
you.
In this final column for 2006, I'll cover information that we at
Microsoft want you to understand as you evaluate, test and deploy
this month's bulletins for your environment. First, I will provide
information related to our detection and deployment tools. Then,
I'll give some information about this month's bulletins that will
be helpful for risk assessments.
About Inside MSRC: As part of a special partnership with
SearchSecurity.com, Christopher Budd, security program manager for
the Microsoft Security Response Center (MSRC), offers an inside
look at the process that leads up to "Patch Tuesday" and guidance
to help security professionals make the most out of the software
giant's security updates.
Also see: Inside MSRC: Microsoft details security tool update
Update on WSUSSCAN.CAB issue
In last month's column I discussed how we were making a new
WSUSSCAN.CAB architecture available and how
customers who use either Systems Management Server Inventory
Tool for Microsoft Updates
(SMS ITMU) or Microsoft Baseline Security
Analyzer
(MBSA) 2.0 in offline scan mode should
download and begin to deploy the updated versions, which have
been designed to support the new architecture.
I noted that this was due to an architectural limitation in the
old WSUSSCAN.CAB architecture. Because of that limitation, we had to
remove information about obsolete security updates. I also noted that
while we would continue to support the old architecture through
March 2007, the limitation would pose a growing risk that we would
have to remove information about security updates that are now
obsolete.
For the December 2006 security bulletin, we are still able to
support the old WSUSSCAN.CAB by removing information about obsolete
security updates. However, we estimate that in January 2007 we will
have to begin removing information about older but current security
updates. Because of this, we are very strongly encouraging
customers, especially those using the SMS ITMU, to download and
deploy the updated tools as soon as possible.
In the December 2006 security bulletin, we have removed
information about security updates for Windows XP Service Pack 1
from the WSUSSCAN.CAB. As of October 2006, Windows XP SP1 is no
longer publicly supported for security updates, so these updates
are now technically obsolete. Once again, we strongly encourage
anyone running Windows XP SP1 to upgrade right away to a publicly
supported version of Windows: either Windows XP SP2 or Windows
Vista.
I do want to note, though, that we have information about
Windows XP SP1 security updates in the WSUSSCN2.CAB file.
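The column describes offline scanning against the WSUSSCN2.CAB catalog in terms of the MBSA 2.0 and SMS ITMU tools. As an added illustration that is not part of the original column, the PowerShell script below performs the same kind of offline missing-update check directly through the Windows Update Agent (WUA) COM API, which is what those tools build on. It assumes the WSUSSCN2.CAB file has already been downloaded to the path given (a placeholder you should adjust) and that the script runs elevated on the machine being assessed; the "Offline Sync Service" name is arbitrary.

```powershell
# Added example (not from the original column): scan the local machine for
# missing security updates using a downloaded WSUSSCN2.CAB and the Windows
# Update Agent COM API, without contacting Windows Update or a WSUS server.
param(
    # Assumed location of the offline catalog; placeholder, adjust as needed.
    [string]$CatalogPath = "C:\Temp\wsusscn2.cab"
)

if (-not (Test-Path -Path $CatalogPath)) {
    throw "Offline catalog not found at '$CatalogPath'. Download WSUSSCN2.CAB first."
}

$session        = New-Object -ComObject Microsoft.Update.Session
$serviceManager = New-Object -ComObject Microsoft.Update.ServiceManager

# Register the .cab as a temporary scan-package service. The service name is
# arbitrary; flag 1 (usoNonVolatileService) keeps the registration until we
# remove it below.
$service = $serviceManager.AddScanPackageService("Offline Sync Service", $CatalogPath, 1)

try {
    $searcher = $session.CreateUpdateSearcher()
    $searcher.ServerSelection = 3               # ssOthers: use the ServiceID below
    $searcher.ServiceID      = $service.ServiceID

    # Updates that apply to this machine but are not installed.
    $result = $searcher.Search("IsInstalled=0")

    $missing = foreach ($update in $result.Updates) {
        [pscustomobject]@{
            Severity  = $update.MsrcSeverity
            Bulletins = (@($update.SecurityBulletinIDs | ForEach-Object { $_ }) -join ", ")
            KBs       = (@($update.KBArticleIDs       | ForEach-Object { $_ }) -join ", ")
            Title     = $update.Title
        }
    }

    if (-not $missing) {
        Write-Output "No missing updates found in the offline catalog."
    }
    else {
        $missing | Sort-Object Severity, Bulletins | Format-Table -AutoSize
    }
}
finally {
    # Always remove the temporary service registration, even if the search failed.
    $serviceManager.RemoveService($service.ServiceID)
}
```

Because the catalog is a file, this check works on machines with no network path to Windows Update or WSUS, which is the scenario the offline scan mode of MBSA 2.0 is meant for. The bulletin IDs in the output can be matched directly against the MS06-xxx numbers discussed in this column, and the catalog must be re-downloaded each month to pick up new bulletins.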
SUS 1.0 deadline
Next I want to make you aware of a change we've made regarding
the expiration of support for Software Update Services (SUS) 1.0.
Based on customer feedback, we have extended the expiration of SUS
1.0 until July 10, 2007. SUS 1.0 will support the December 2006
monthly security bulletin. SUS 1.0 will also support the Microsoft
monthly security bulletin until the July 2007 release. The July
2007 Microsoft monthly security bulletin will be the last release
supported by SUS 1.0. Although we have made this extension to the
expiration, we encourage customers to view this as additional time
to complete their migrations that are already underway to Windows
Server Update Services (WSUS). We strongly discourage any customers
from using this time to pause or halt their migration. You can find
information about WSUS, including information about how to migrate
from SUS to WSUS, at the
WSUS Web site.
MS06-073
Turning from detection and deployment news to information you
can use for risk assessment of this month's bulletin, I want to
draw your attention to
MS06-073.
MS06-073 addresses an issue that we first
discussed in Microsoft Security Advisory
(927709).
This vulnerability is in the Windows Management Instrumentation
(WMI) Object Broker, which is an ActiveX Control that the WMI
Wizard uses in Visual Studio 2005. Because the WMI Object Broker is
an ActiveX Control, the vulnerability can be exploited through
browsing-based scenarios.
However, it is important to note that Visual Studio 2005 must be
installed for the control to be present and for a system to be
vulnerable. Further, customers running Visual Studio 2005 on
Windows Server 2003 and Windows Server 2003 Service Pack 1 in their
default configurations, with the Enhanced Security Configuration
turned on, are not affected by the vulnerability. Visual Studio
2005 customers running Internet Explorer 7 with default settings
are also protected by the ActiveX Opt-in feature in the Internet
Zone. This means that those customers running Internet Explorer 7
are not at risk until the user explicitly chooses to activate the
control. Find out more about the
ActiveX Opt-in feature. Because this issue
is public and has been subject to very limited attacks, we
encourage Visual Studio 2005 customers to deploy this update as
soon as possible.
Enterprise Scan Tool
In looking at deployment options for the month, three bulletins
are supported by the Enterprise Scan Tool (EST) because they are
not fully detected by MBSA 1.2. MS06-073,
MS06-076 and
MS06-077 are all supported by the EST for
those customers using MBSA 1.2. All the bulletins this month are
supported fully by MBSA 2.0.
Conclusion
As we do each month, we will be holding our TechNet Security
webcast to cover this month's bulletins the day after release. This
month's webcast will be on Wednesday, Dec. 13, 2006, at 11 a.m.
PST. During the webcast's live broadcast, we'll answer your
questions on the air as well as review information about this
month's bulletins. If you can't catch the webcast live, you can
always view it on demand. You can
register for the webcast and view it
on demand.
Be sure to mark Tuesday, Jan. 9, 2007, on your calendars. That
will be the first Microsoft monthly bulletin for 2007 and the day
the next edition of this column will be published.