Patch Tuesday Analysis for August 2006

Update on MS06-042 problems; if you haven't loaded MS06-040 install it YESTERDAY

 

Update on MS06-042 and MS06-040

MS06-042, the cumulative security patch for Internet Explorer (918899), has caused some real headaches for all of us in the user community and for Microsoft. Actually, the real culprit may lie with the security researcher who broke with responsible disclosure. Here's what happened. After the release of MS06-042, some researchers discovered, and privately reported to Microsoft, a defect in the patch that causes a crash on IE 6.0 SP1 systems with MS06-042 installed. Worse still, the crash was exploitable, meaning that installing the security update introduced a new security hole. Microsoft decided to hold off reporting this new vulnerability until they developed a fix. One of the researchers disagreed and went public about the defect and its exploit details. Microsoft is apparently having a difficult time fixing the problem, which has forced them to delay the re-release of MS06-042.

So what should you do about MS06-042?  Read on.

What to do about MS06-042

Continue applying it. If you are applying or have applied it to IE 6.0 SP1 computers, you should also implement the workaround described in the latest security advisory - Microsoft Security Advisory (923762): Long URLs to sites using HTTP 1.1 and compression Could Cause Internet Explorer 6 Service Pack 1 to Unexpectedly Exit. This workaround has you disable the HTTP 1.1 protocol in IE. You can use Group Policy to automate this change. Disabling HTTP 1.1 won't impact the browsing of most sites.
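To confirm the workaround has actually landed on a machine, the following PowerShell audit is an added example, not part of the original article or of Microsoft's advisory. It assumes IE's two HTTP 1.1 checkboxes are stored as the `EnableHttp1_1` and `ProxyHttp1.1` values under each user's Internet Settings key, and it treats a missing value as unconfirmed rather than as disabled.

```powershell
# Added example: report, per loaded user hive, whether IE's two HTTP 1.1
# options are explicitly switched off. The value names are assumptions
# (see the lead-in); only hives of currently logged-on users are visible.
$SubKey     = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ValueNames = 'EnableHttp1_1', 'ProxyHttp1.1'

function Get-Http11State {
    param([Parameter(Mandatory)][string]$Sid)

    $props = Get-ItemProperty -Path "Registry::HKEY_USERS\$Sid\$SubKey" -ErrorAction SilentlyContinue
    $row = [ordered]@{ Sid = $Sid }
    $allOff = $true
    foreach ($name in $ValueNames) {
        # A missing key or value gives $null: the setting was never written.
        $value = if ($props) { $props.$name } else { $null }
        if ($null -eq $value) {
            $row[$name] = 'not set'
            $allOff = $false
        } else {
            $row[$name] = [int]$value
            if ([int]$value -ne 0) { $allOff = $false }
        }
    }
    # Applied only when both values exist and are 0.
    $row['WorkaroundApplied'] = $allOff
    [pscustomobject]$row
}

# Per-user hives are named by SID; skip service accounts and *_Classes keys.
Get-ChildItem -Path Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object { Get-Http11State -Sid $_.PSChildName } |
    Format-Table -AutoSize
```

Any row with `WorkaroundApplied` set to `False` is a profile where the Group Policy change has not taken effect yet.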

Now, let's talk about MS06-040, which is the update for the nasty vulnerability in the Server service. Sometimes I hate being right. On Patch Tuesday I said MS06-040 "would be a prime candidate for a worm infection vector" and sure enough, along came Graweg Saturday night. The good news, if you are an XP and 2003 shop, is that Graweg only affected Windows 2000 systems, but there's no reason to assume another exploit won't come along that spreads faster and does more damage. So I strongly encourage you to scan your network with MBSA and patch any systems missing MS06-040 - Vulnerability in Server Service Could Allow Remote Code Execution (921883) before it's too late.

| Bulletin | Exploit Types / Technologies Affected | System Types Affected | Exploit details public? / Being exploited? | Comprehensive, practical workaround available? | MS severity rating | Products Affected | Notes | Randy's recommendation |
|---|---|---|---|---|---|---|---|---|
| MS06-044 (917008) | Arbitrary code / Windows | Workstations, Terminal Servers | No/No | No | Critical | Win2000, Datacenter Server 2000, Advanced Server 2000, Small Business Server 2000 | MMC | Patch after full testing or workaround |
| MS06-051 (917422) | Arbitrary code, Privilege elevation / Windows | Workstations, Terminal Servers | No/No | No | Critical | XP, Server 2003, Small Business Server 2003, Small Business Server 2000 | Microsoft Windows | Patch after testing |
| MS06-042 (918899) | Arbitrary code / IE | Workstations, Terminal Servers | Yes/Yes | No | Critical | Win2000, XP, Server 2003, Datacenter Server 2000, Advanced Server 2000 | Internet Explorer | Patch after full testing |
| MS06-043 (920214) | Arbitrary code / Windows | Workstations, Terminal Servers | Yes/No | No | Critical | XP, Server 2003 | Outlook Express | Patch or disable Outlook Express |
| MS06-050 (920670) | Arbitrary code / Windows | Workstations, Terminal Servers | No/No | No | Important | XP, Server 2003, Datacenter Server 2000, Small Business Server 2003, Small Business Server 2000, WinNT | Kernel | Patch after testing in high security environments |
| MS06-041 (920683) | Arbitrary code / Windows | Workstations, Terminal Servers, Servers | No/Yes | No | Critical | XP, Server 2003, Small Business Server 2003, Small Business Server 2000 | Windows | Patch after testing or use workaround |
| MS06-049 (920958) | Privilege elevation / Windows | Workstations, Terminal Servers | Yes/No | No | Important | Win2000, Small Business Server 2000 | Windows 2000 | Patch after testing |
| MS06-045 (921398) | Arbitrary code / Windows | Workstations, Terminal Servers | Yes/No | Yes | Important | XP, Server 2003, Small Business Server 2003, Small Business Server 2000 | Web Client Service | Patch after testing or workaround |
| MS06-047 (921645) | Arbitrary code / Office and/or Visual Basic | Workstations, Terminal Servers | No/No | No | Critical | Office 2000, Office XP, Visual Basic 6.0, Visio 2002, Project 2000, Project 2002, Works 2005, Works 2004, Works 2006, Office 2002 | Microsoft Office and VBA | Patch ASAP after testing |
| MS06-040 (921883) | Arbitrary code, Information disclosure / Windows | Servers | No/Yes | No | Critical | XP, Server 2003, Small Business Server 2003, Small Business Server 2000 | Windows | Patch after moderate testing |
| MS06-046 (922616) | Arbitrary code / Windows | Workstations, Terminal Servers | Yes/No | No | Critical | XP, Server 2003, Datacenter Server 2000, Small Business Server 2003, Small Business Server 2000 | HTML Help | Patch after testing |
| MS06-048 (922968) | Arbitrary code / PowerPoint | Workstations, Terminal Servers | Yes/No | No | Critical | Office 2000, Office 2003, Office 2004 for Mac, Office X for Mac, Office 2002 | Microsoft PowerPoint | Install ASAP after minimal testing |
