Patch Tuesday Analysis for February 2006

This Month’s Security Updates from Microsoft

Although there are 7 security updates this month, organizations running XP SP2, Office 2003 and Windows Server 2003 SP1 will be able to avoid loading all but one patch, assuming administrators refrain from dangerous interactive activities on servers. If you are using a web browser other than IE, be sure to check MS06-006. If you still have Office 2000 deployed, MS06-010 will be important to you, as will MS06-009 if you have Office 2003 Proofing Tools or East Asian language versions of Windows or Office on your network.

MS06-004 - Cumulative Security Update for Internet Explorer (910620)
This is another critical Windows Metafile (WMF) vulnerability but only affects systems running Internet Explorer 5.x. The only *supported* version of Windows vulnerable is Windows 2000 with SP4 running IE 5.01; earlier service packs for Windows 2000 are beyond end of life cycle. You are not vulnerable if you are already running IE 6 SP1 on Windows 2000. For most organizations this is a workstation vulnerability that allows arbitrary code execution through malformed WMF image files. Organizations running Windows 2000 Professional should install this update or upgrade to IE 6 SP1. Details of the vulnerability are public.

MS06-005 - Vulnerability in Windows Media Player Could Allow Remote Code Execution (911565)
This critical remote code execution vulnerability is primarily a workstation vulnerability affecting Windows Media Player on Windows 2000 SP4, XP SP1, XP SP2 and Windows Server 2003 without SP1. The vulnerability would most likely be exploited through end-user activities such as using Windows Media Player, web browsing, reading email or editing office documents with embedded WMP files. The exploit was not public and MS has no reports of attacks. MS does offer a number of workarounds that appear to have minimal functionality impact. The workarounds could be scripted and deployed through group policy or SMS.

MS06-006 - Vulnerability in Windows Media Player Plug-in with Non-Microsoft Internet Browsers Could Allow Remote Code Execution (911564)

Unless you are using a non-IE browser such as Firefox, you can ignore this update. This important remote code execution vulnerability is another mostly workstation vulnerability, but it only affects “alternative” web browsers. The published workaround (deployable through group policy) has minimal impact on functionality, affecting only sites that play multimedia content using EMBED instead of OBJECT elements.

MS06-007 - Vulnerability in TCP/IP Could Allow Denial of Service (913446)
This is a privately reported denial of service vulnerability affecting XP SP1, XP SP2 and all versions of Windows Server 2003. Servers exposed to IGMP traffic from the Internet should receive this patch to prevent denial of service attacks in which the system “stops responding”. The published workarounds may allow you to defer loading the update, but I advise you to verify your server does not depend on IGMP functionality. IGMP pertains to multicast traffic. This update requires a restart.

| Bulletin | Exploit Types / Technologies Affected | System Types Affected | Exploit details public? / Being exploited? | Comprehensive, practical workaround available? | MS severity rating | Products Affected | Notes | Randy's recommendation |
|---|---|---|---|---|---|---|---|---|
| MS06-010 (889167) | Information disclosure / PowerPoint | Workstations, Terminal Servers | No/No | Yes | Important | Office 2000 | This vulnerability only affects PowerPoint 2000 and only allows the attacker to access objects in the Temporary Internet Files folder. | Most organizations will forego this update. |
| MS06-009 (901190) | Privilege elevation / Windows & Office | Workstations, Terminal Servers | No/No | No | Important | XP, Project 2003, Server 2003, Visio 2003, Small Business Server 2003, OneNote 2003 | Only affects systems with Office 2003 Proofing Tools, Korean language versions of Windows and Office 2003 or any other East Asian language version with the Korean language IME enabled. | Most organizations will forego this update. |
| MS06-004 (910620) | Arbitrary code / IE | Workstations, Terminal Servers | Yes/No | Yes | Critical | Win2000, Datacenter Server 2000, Advanced Server 2000, Small Business Server 2000, Internet Explorer | None | Organizations running Windows 2000 Professional should install this update or upgrade to IE 6 SP1. |
| MS06-006 (911564) | Arbitrary code / Media Player Plugin for Non-IE Browsers | Workstations, Terminal Servers | No/No | Yes | Important | XP, Server 2003, Datacenter Server 2000, Small Business Server 2003, Small Business Server 2000 | Unless you are using a non-IE browser such as Firefox you can ignore this update. | The published workaround (deployable through group policy) has minimal impact on functionality, affecting only sites that play multimedia content using EMBED instead of OBJECT elements. |
| MS06-005 (911565) | Arbitrary code / Windows Media | Workstations, Terminal Servers | No/No | Yes | Critical | XP, Server 2003, Server 2000, Small Business Server 2003, Small Business Server 2000 | The workarounds could be scripted and deployed through group policy or SMS. | MS does offer a number of workarounds that appear to have minimal functionality impact. |
| MS06-008 (911927) | Arbitrary code / Windows | Workstations, Terminal Servers | No/No | No | Important | XP, Server 2003, Small Business Server 2003 | Doubly surprising is the fact that while the Web Client implements WebDAV, the attack vector is TCP ports 139 or 445 instead of ports 80 or 443 normally associated with WebDAV. Windows Server 2003 is only vulnerable if the Web Client service is started; the default is disabled. XP is vulnerable if the Web Client service is started and incoming connections to port 139 or 445 are allowed. | Many organizations that keep Web Client disabled on Windows Server 2003 and use Windows Firewall on XP to block ports 139 and 445 will choose to forego this update. |
| MS06-007 (913446) | Denial of service / Windows | Workstations, Terminal Servers | No/No | No | Important | XP, Server 2003, Small Business Server 2003 | The published workarounds may allow you to defer loading the update but I advise you to verify your server does not depend on IGMP functionality. | Servers exposed to IGMP traffic from the Internet should receive this patch to prevent denial of service attacks in which the system "stops responding". |
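
The applicability conditions stated in this analysis can be run against a host inventory to see which bulletins actually matter per machine. The sketch below is an added example, not part of the original newsletter or any Microsoft tooling; the Host record, its field names and the sample inventory are hypothetical, and only host-level conditions given on this page are encoded (the Office bulletins MS06-009 and MS06-010 are left out).

```python
from dataclasses import dataclass

@dataclass
class Host:                        # hypothetical inventory record
    name: str
    os: str                        # "2000", "XP" or "2003"
    sp: int                        # service pack level, 0 = none
    ie: str = "6 SP1"              # installed Internet Explorer version
    non_ie_browser: bool = False   # e.g. Firefox is installed
    webclient_started: bool = False
    smb_inbound: bool = False      # inbound TCP 139/445 allowed
    igmp_from_internet: bool = False

def triage(h: Host) -> dict:
    """Map bulletin -> reason, using only conditions stated in the analysis."""
    hits = {}
    if h.os == "2000" and h.sp == 4 and h.ie.startswith("5"):
        hits["MS06-004"] = "Windows 2000 SP4 running IE 5.x"
    if (h.os, h.sp) in {("2000", 4), ("XP", 1), ("XP", 2), ("2003", 0)}:
        hits["MS06-005"] = "Windows Media Player on an affected OS level"
    if h.non_ie_browser:
        hits["MS06-006"] = "WMP plug-in reachable from a non-IE browser"
    if (h.os == "XP" and h.sp in (1, 2)) or h.os == "2003":
        hits["MS06-007"] = ("exposed to IGMP from the Internet: patch"
                            if h.igmp_from_internet
                            else "affected: workaround may allow deferral")
    if h.webclient_started:
        if h.os == "2003":
            hits["MS06-008"] = "Web Client service started"
        elif h.os == "XP" and h.smb_inbound:
            hits["MS06-008"] = "Web Client started, inbound 139/445 allowed"
    return hits

# Constructed sample inventory, for illustration only.
INVENTORY = [
    Host("w2k-ws", "2000", 4, ie="5.01"),
    Host("xp-fw", "XP", 2, webclient_started=True, smb_inbound=False),
    Host("xp-open", "XP", 1, non_ie_browser=True,
         webclient_started=True, smb_inbound=True),
    Host("srv-dmz", "2003", 1, igmp_from_internet=True),
]

def report(inventory=INVENTORY) -> dict:
    """Return {host name: sorted list of applicable bulletins}."""
    return {h.name: sorted(triage(h)) for h in inventory}

if __name__ == "__main__":
    for name, bulletins in report().items():
        print(f"{name}: {', '.join(bulletins) or 'none'}")
```
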
