Patch Analysis for September 2006
This month we have the dubious privilege of witnessing a 2nd Patch Tuesday. Today Microsoft released MS06-055 to address the Vector Markup Language vulnerability that reared its ugly head last week. Read on for the usual chart providing need-to-know information at-a-glance for this critical vulnerability.
Also released today is a re-release of MS06-049 - Vulnerability in Windows Kernel Could Result in Elevation of Privilege (920958). Don’t worry about it unless you’ve already installed MS06-049 on a Windows 2000 computer (XP and 2003 were never impacted by this one) where you are using NTFS compression. If so, you will definitely want to install this new version of the update to prevent corruption of compressed files larger than 4k.
Finally, be aware of a yet-to-be-patched vulnerability in an ActiveX control called Microsoft DirectAnimation Path, which is part of daxctle.ocx. This is a publicly disclosed vulnerability, but Microsoft says they have no reports of exploitation in actual attacks. The security advisory at http://www.microsoft.com/technet/security/advisory/925444.mspx provides a number of workarounds you may consider until an update is released. I recommend the “Modify the Access Control List on Daxctle.ocx to be more restrictive” workaround as the most effective and the easiest to push out and later remove, since you can use group policy.
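One way to script the ACL workaround recommended above so it can be applied, checked and later removed, for instance from a Group Policy startup script. This is an added example, not the advisory's own commands; the file path and the choice of a deny entry for Everyone on ReadData and ExecuteFile are assumptions.

```powershell
# Added example (not from the advisory): apply, verify or remove a deny ACE on daxctle.ocx.
param(
    # Assumed location of the control; adjust if it lives elsewhere.
    [string]$Path = (Join-Path $env:windir 'system32\daxctle.ocx'),
    [ValidateSet('Apply', 'Verify', 'Remove')]
    [string]$Action = 'Verify'
)

# Assumption: deny Everyone (well-known SID S-1-1-0, language independent)
# only ReadData + ExecuteFile. The intent is to stop the file being loaded while
# leaving ReadPermissions/ChangePermissions alone, so the entry can be removed later.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rights   = [System.Security.AccessControl.FileSystemRights]'ReadData, ExecuteFile'
$deny     = [System.Security.AccessControl.AccessControlType]::Deny
$rule     = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $everyone, $rights, $deny

function Test-DenyEntry {
    # True when an explicit (non-inherited) deny entry covering $rights exists.
    $acl = Get-Acl -Path $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
        if ($ace.AccessControlType -eq $deny -and
            $ace.IdentityReference.Value -eq $everyone.Value -and
            ([int]$ace.FileSystemRights -band [int]$rights) -eq [int]$rights) {
            return $true
        }
    }
    return $false
}

if (-not (Test-Path -Path $Path -PathType Leaf)) {
    Write-Output "$Path not found; nothing to do."
    return
}
switch ($Action) {
    'Apply' {
        if (-not (Test-DenyEntry)) {
            $acl = Get-Acl -Path $Path
            $acl.AddAccessRule($rule)
            Set-Acl -Path $Path -AclObject $acl
        }
    }
    'Remove' {
        $acl = Get-Acl -Path $Path
        $acl.RemoveAccessRuleSpecific($rule)
        Set-Acl -Path $Path -AclObject $acl
    }
}
Write-Output ("{0}: deny entry present = {1}" -f $Path, (Test-DenyEntry))
```

Run it elevated with `-Action Apply` to put the entry in place and `-Action Remove` once the update is installed; the default `Verify` only reports the current state.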
| | System Types Affected | Exploit / Being exploited? | | MS severity rating | Products Affected | Notes | Randy's recommendation |
|---|---|---|---|---|---|---|---|
| Arbitrary code / Office Publisher | | No/No | No | Critical | Office 2000 | Publisher | A bad guy can create a malicious Publisher file and email it, or otherwise get the victim to open it, and thereby execute arbitrary code on the victim’s PC under the victim user’s authority. I recommend thoroughly testing this update on sample workstations and then deploying. |
| Denial of service | Servers | No/No | No | Important | XP | Absence of MSMQ service is a mitigating factor. See recommendation. | For XP computers with MSMQ installed I recommend testing and applying this patch as soon as possible; otherwise I believe you can avoid this patch. |
| Information disclosure | | No/No | No | Moderate | XP, Small Business Server 2003, Small Business Server 2000 | Indexing Service. May be possible to avoid. See recommendation. | A malicious website, or an insecure website that allows posting of untrusted content, hosts a page that exploits a vulnerability in the Indexing Service on the local client computer of a user who browses across said page. For a successful attack the user’s PC must be running IIS and the Indexing Service, and the Indexing Service must be accessible to IIS. This is primarily a Windows 2000 Professional vulnerability since neither XP nor 2003 has IIS installed by default. Additionally, this is only a vulnerability on systems where you might be browsing the web, and you deserve to get whacked if you indiscriminately browse the web from servers! Well, by a ruler anyway. Bottom line: don’t browse the web from servers, use the workarounds on vulnerable workstations, and you can avoid loading the patch. |
| Arbitrary code | Workstations | Yes/Yes | No | Critical | XP, Small Business Server 2003 | Vector Markup Language (VML) | The vulnerability would allow an attacker who creates a malformed web page or email with VML content to take control of the computer of a user who reads the email or views the web page. |