Patch Analysis for September 2006

This month we have the dubious privilege of witnessing a 2nd Patch Tuesday.  Today Microsoft released MS06-055 to address the Vector Markup Language vulnerability that reared its ugly head last week.  Read on for the usual chart providing need-to-know information at-a-glance for this critical vulnerability. 

Also, released today is a re-release of MS06-049 - Vulnerability in Windows Kernel Could Result in Elevation of Privilege (920958).  Don’t worry about it unless you’ve already installed MS06-049 on a Windows 2000 computer (XP and 2003 were never impacted by this one) where you are using NTFS compression.  If so you will definitely want to install this new version of the update to prevent corruption of compressed files larger than 4k.

Finally, be aware of a yet-to-be-patched vulnerability in an ActiveX control called Microsoft DirectAnimation Path which is part of daxctle.ocx.  This is a publicly disclosed vulnerability but Microsoft says they have no reports of exploitation in actual attacks.  The security advisory at provides a number of workarounds you may consider until a update is released.  I recommend the “Modify the Access Control List on Daxctle.ocx to be more restrictive” workaround as the most effective and easiest to push out and later remove since you can use group policy.   

BulletinExploit Types
/Technologies Affected
System Types AffectedExploit
details public?
/ Being exploited?
MS severity ratingProducts AffectedNotesRandy's recommendation

Arbitrary code

/ Office Publisher
Terminal Servers
No/NoNoCritical Office 2000
Office 2003
Office 2002
PublisherA bad guy can create a malicious Publisher file and email or otherwise get the victim to open it and thereby execute arbitrary code on the victim’s PC under the victim user’s authority. I recommend thoroughly testing this update on sample workstations and then deploying.

Denial of service

/ Windows
No/NoNoImportant XP
Absence of MSMQ service is a mitigating factor. See recommendationFor XP computers with MSMQ installed I recommend testing and applying this patch as soon as possible; otherwise I believe you can avoid this patch.

Information disclosure

/ Windows
Terminal Servers
No/NoNoModerate XP
Server 2003
Small Business Server 2003
Small Business Server 2000
Indexing Service. May be possible to avoid. See recommendation.A malicious website or a insecure website that allows posting of untrusted content hosts a page that exploits a vulnerability in the Indexing Service on the local client computer of a user that browses across said page. For a successful attack the user’s PC must be running IIS, the Indexing Service and the Indexing Service must be accessible to IIS. This is primarily a Windows 2000 Professional vulnerability since neither XP nor 2003 have IIS installed by default. Additionally, this is only a vulnerability on systems where you might be browsing the web and you deserve to get whacked if you indiscriminately browse the web from servers! Well, by a ruler anyway. Bottom-line: don’t browse the web from servers and use the workarounds on vulnerable workstations and you can avoid loading the patch.

Arbitrary code

/ Windows
Yes/YesNoCritical XP
Server 2003
Small Business Server 2003
Vector Markup Language (VML)The vulnerability would allow an attacker who creates a malformed web page or email with VML content to take control of the computer of a user who reads the email or views web page.

Receive Randy's same-day, independent analysis each Patch Tuesday

We will not share your address. Unsubscribe anytime. 

"Thank you. I am very glad I subscribed to this newsletter.  Relevant content clearly and concisely. Finally!!!"

- John K.

"I really like the Fast Facts on this Month's Microsoft Security Bulletins. Do you keep old copies? If yes, please let me know how I can access them?"

-Susan D.

"Thanks, Randy. Your regular updates have streamlined my monthly patching. Much appreciated,"

-  Steve T.

"Really appreciate your patch observor. In the corporate IT world, anything we can get our hands on that speeds the process of analyzing threats and how they may or may not apply to our environments is a God-send. Thanks so much for your efforts."

- Tess G.

"Many thanks for this Randy"

- Roger G.

"The chart is a REAAALLY good idea :)"

- Phil J.

"I like the table. Your insight is very valuable. "

Tom C.

"I liked your high level overview of patches in the table. There are so many sources of patch information which can be very specific or surrounded by other stuff that it’s refreshing to get everything summarised like this. The “Randy’s Recommendation” comment is useful starting point too. Please keep up the good work."

- David A.

"Your Patch Observer is a very good tool in making the decision whether to patch or not to patch. And also to patch asap or to wait a while before patching. Also I do think the use of the table is realy improving the readability of the provided information."

- Gerard T.


Additional Resources