Patch Tuesday Analysis for April 2006

Yesterday afternoon Microsoft released 5 security bulletins. The first 4 of these bulletins are primarily workstation risks. I recommend deploying MS06-013 and MS06-015 as soon as possible. MS06-013 is especially urgent since the details of this exploit are public and attackers are already using it. You may consider the published workaround for MS06-014 and a workaround I developed for MS06-016 rather than deploying the updates for these 2 bulletins.

The final bulletin, MS06-017, impacts IIS servers running FrontPage Server Extensions or Sharepoint Team Services. Although Microsoft rates the severity of this bulletin as only moderate, I recommend loading this update on all affected servers as soon as possible.

Keep reading for more analysis of each bulletin.

MS06-013 - Cumulative Security Update for Internet Explorer (912812)

This update contains fixes for a slew of newly discovered critical IE vulnerabilities affecting all supported versions of Windows. These vulnerabilities include eight remote code exploits, some of which are public and already being exploited. Most organizations will want to deploy this update to all workstations as soon as possible. Be aware that this update includes the change to ActiveX handling in IE released last month (MSKB 917425). If you need more time to prepare for the ActiveX change, you can install the "compatibility patch", which delays activation of the ActiveX change until next month. Be sure to read MSKB 917425 before deciding what to do about this update and test this update in a limited rollout.

MS06-014 - Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution (911562)

This update fixes a critical remote code vulnerability in Remote Data Services that can be exploited by malicious HTML content in a web page or e-mail. Most organizations will want to deploy this update to all workstations and end-user accessible Terminal Services servers as soon as possible, or use the workaround provided in the bulletin, which disables use of the RDS.Dataspace ActiveX control by Internet Explorer. This workaround will disable web based applications that directly access ODBC databases from the client web browser. Most web based applications perform all database access from the server in ASP, but some intranet applications, such as data access pages created through Access, use client side scripts to access databases. If you choose to use the workaround you should test it against all web based applications that are important to your users.

MS06-015 - Vulnerability in Windows Explorer Could Allow Remote Code Execution (908531)

This critical update addresses a remote code vulnerability in Windows Explorer in which an attacker, who successfully directs Windows Explorer to access a rogue or compromised file server, succeeds in getting Windows Explorer to execute arbitrary code under the authority of the current user.
The file server could be on the local network or on the Internet. The attacker would probably attempt this attack through a link to the rogue file server embedded in an email or web page. The workarounds and mitigating factors on this bulletin are confusing and/or incomplete but I believe you could prevent this vulnerability from being exploited by remote file servers on the Internet by disabling the Web Client service on desktop workstations and blocking outgoing connections to TCP ports 139 and 445 at the firewall.
Disabling the Web Client disables WebDAV functionality which is used by some Sharepoint sites. Blocking outgoing connections to TCP ports 139 and 445 will only protect computers when they are behind your firewall. Most home, hot spot or other Internet accessible networks where your laptop users may connect will not be blocking any type of outgoing connections. Most organizations will want to take steps to protect against this exploit as soon as possible.

MS06-016 - Cumulative Security Update for Outlook Express (911567)

This important update fixes a remote code vulnerability in Outlook Express and should be deployed to all systems using Outlook Express. It would be preferable to simply disable Outlook Express for the typical environment that uses Outlook instead. However Outlook 2000 and Outlook 2002 both require Outlook Express. Outlook 2003 does not appear to share this requirement and I have verified basic Outlook 2003 functionality after adding a Deny Everyone Full Control permission entry to c:\program files\outlook express. Most organizations will want to deploy this update or test my workaround as soon as possible for workstations and user accessible Terminal Services computers.
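The two host-side workarounds described above (disabling the Web Client service for MS06-015 and the Deny Everyone Full Control entry for MS06-016) can be checked and applied with a script like the following. This is an added example, not a script from the newsletter or from Microsoft; it assumes Windows PowerShell is installed, an elevated prompt, and the default Outlook Express path. The firewall block on TCP ports 139 and 445 is a perimeter setting and is not covered here.

```powershell
# Added example: report on, and optionally apply, the host-side workarounds
# discussed for MS06-015 and MS06-016. Without -Apply nothing is changed.
param([switch]$Apply)

# Assumption: Outlook Express is in its default location.
$oePath = Join-Path $env:ProgramFiles 'Outlook Express'

# --- MS06-015: Web Client service (service name: WebClient) ---
$svc = Get-WmiObject Win32_Service -Filter "Name='WebClient'"
if ($svc) {
    "WebClient: state=$($svc.State) startmode=$($svc.StartMode)"
    if ($Apply -and $svc.StartMode -ne 'Disabled') {
        Stop-Service -Name WebClient -Force
        Set-Service  -Name WebClient -StartupType Disabled
        "WebClient: stopped and disabled (WebDAV access will no longer work)"
    }
} else {
    "WebClient: service not installed"
}

# --- MS06-016: Deny Everyone Full Control on the Outlook Express folder ---
if (Test-Path $oePath) {
    $acl     = Get-Acl -Path $oePath
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Explicit (non-inherited) entries only; S-1-1-0 is the Everyone SID.
    $deny = $acl.GetAccessRules($true, $false, $sidType) | Where-Object {
        $_.IdentityReference.Value -eq 'S-1-1-0' -and
        $_.AccessControlType -eq 'Deny' -and
        $_.FileSystemRights  -eq 'FullControl'
    }
    if ($deny) {
        "Outlook Express: Deny Everyone Full Control already present"
    } elseif ($Apply) {
        $everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $everyone, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Deny')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $oePath -AclObject $acl
        "Outlook Express: Deny Everyone Full Control added"
    } else {
        "Outlook Express: folder present, no deny entry (workaround not applied)"
    }
} else {
    "Outlook Express: $oePath not found"
}
```

Run it once without `-Apply` on a test workstation to see the current state, and keep in mind that Outlook 2000 and Outlook 2002 require Outlook Express, so the folder permission change is only suitable where neither is in use.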

MS06-017 - Vulnerability in Microsoft FrontPage Server Extensions Could Allow Cross-Site Scripting (917627)

This is a weird vulnerability. I expect to receive clarifying information on this which I will pass on to you in a special update. For now my understanding is this: This vulnerability allows an attacker to execute arbitrary client-side script against an IIS server with FrontPage Server Extensions or Sharepoint Team Services. Microsoft rates this as a moderate risk but for vulnerable servers I rate it critical. If you have servers with FPSE or SPTS, load this patch.

| Bulletin | Exploit Types / Technologies Affected | System Types Affected | Exploit details public? / Being exploited? | Comprehensive, practical workaround available? | MS severity rating | Products Affected | Notes | Randy's recommendation |
|---|---|---|---|---|---|---|---|---|
| MS06-015 (908531) | Arbitrary code / Windows Explorer | Workstations, Terminal Servers, Servers | No/No | Yes | Critical | XP, Server 2003, Datacenter Server 2000, Small Business Server 2003, Small Business Server 2000, BackOffice Small Business Svr | None | Most organizations will want to take steps to protect against this exploit as soon as possible. |
| MS06-014 (911562) | Arbitrary code / MS Data Access Components | Workstations, Terminal Servers | No/No | Yes | Critical | Win2000, XP, Server 2003, Server 2000, Datacenter Server 2000, Advanced Server 2000, MS Data Access Components | If you choose to use the workaround you should test it against all web based applications that are important to your users. | Most organizations will want to deploy this update to all workstations and end-user accessible Terminal Services servers as soon as possible or use the workaround provided in the bulletin which disables use of the RDS |
| MS06-016 (911567) | Arbitrary code / Outlook Express | Workstations, Terminal Servers | No/No | No | Important | XP, Server 2003, Datacenter Server 2000, Small Business Server 2003, Small Business Server 2000, BackOffice Small Business Svr | None | Most organizations will want to deploy this update or test my workaround as soon as possible for workstations and user accessible Terminal Services computers. |
| MS06-013 (912812) | Arbitrary code, Information disclosure, Spoofing / IE | Workstations, Terminal Servers | Yes/Yes | No | Critical | Win2000, XP, Server 2003, Datacenter Server 2000, Small Business Server 2003, Advanced Server 2000, Internet Explorer | Be sure to read MSKB 917425 before deciding what to do about this update and test this update in a limited rollout. | Most organizations will want to deploy this update to all workstations as soon as possible. |
| MS06-017 (917627) | Arbitrary code / Frontpage/Sharepoint | Sharepoint Servers | No/No | No | Moderate | FrontPage 2002, Sharepoint Team Services | Microsoft rates this as a moderate risk but for vulnerable servers I rate it critical. | If you have servers with FPSE or SPTS, load this patch. |
