Volume 3, Number 40 -- November 15, 2006

Microsoft Delivers Five Critical Security Patches

Published: November 15, 2006

by Alex Woodie

Microsoft published six patches for security problems in its software yesterday, including five patches fixing seven critical vulnerabilities in Windows and IE. Considering that two of the patches fix critical vulnerabilities that are being actively used to infect Windows users over the Internet, customers are encouraged to download and apply the updates as soon as possible.

Leading off this month's round of patches is Microsoft Security Bulletin MS06-067, a cumulative update for Internet Explorer that fixes a pair of critical vulnerabilities in the besieged browser, including the HTML Rendering Memory Corruption Vulnerability, which was being actively exploited over the Internet, and the DirectAnimation ActiveX Controls Memory Corruption Vulnerabilities. The two vulnerabilities were privately reported and aren't currently being harnessed for evil by malware writers.

Both of these vulnerabilities could lead to a computer being taken over entirely by a criminal; they affect IE 6 running on all current versions of Windows, except Windows Vista. IE 7 is not affected by this bug. Microsoft credits Sam Thomas, working with Zero Day Initiative and its parent company, TippingPoint (a subsidiary of 3COM) for alerting it to the presence of the HTML Rendering Memory Corruption Vulnerability.

Microsoft Security Bulletin MS06-068 fixes the critical Microsoft Agent Memory Corruption Vulnerability, which could lead to remote code execution on all versions of Windows, except Vista. Microsoft Agent is a technology provided to developers to enable them to embed "interactive personalities in the form of animated characters" into their applications or Web sites. Apparently, it also allowed ne'er-do-wells to corrupt the memory of unwitting victims who stumbled across the wrong Web page, but this is just a potential problem, as Microsoft says it was privately reported and not being actively exploited.

Users of Windows XP SP2 and Windows XP Pro X64 Edition should be especially aware of Microsoft Security Bulletin MS06-069, which fixes several critical problems in the way that Adobe Macromedia Flash files are consumed. Microsoft is fixing the problem, which is present in Macromedia Flash Player version 6.0.84.0 and earlier, because it distributes the program with new copies of Windows; Adobe, for its part, addressed the vulnerabilities with a patch more than two months ago. Microsoft credits Stuart Pearson of the UK security research and product development firm Computer Terrorism for helping it with this fix.

Microsoft Security Bulletin MS06-071 shuts down the potential for remote code execution on systems susceptible to the Microsoft XML Core Services Vulnerability, which affects any version of Windows running XML Core Services versions 4 and 6 (versions 3 and 5 are not susceptible). The details of this vulnerability are publicly known, and exploit code is active in the wild. Microsoft credits Robert Freeman of IBM's Internet Security Systems subsidiary and Dror Shalev and Moti Joseph of firewall maker Check Point for helping with this vulnerability.

Microsoft also included one security fix it deems important in the November bout of Patch Tuesday. Microsoft Security Bulletin MS06-067 fixes two problems related to Novell NetWare-Windows interoperability, including the Client Service for NetWare Memory Corruption Vulnerability and the NetWare Driver Denial of Service Vulnerability. Both of these problems, which impact Windows 2000 SP4, Windows XP SP2, and Windows Server 2003 and its SP1 variant, were privately reported.

Microsoft will be hosting a Webcast today at 11 a.m. PST to discuss the current round of patches and to answer questions from customers. The Webcast is open to anybody and pre-registration is not required. For information on how to attend the Webcast, visit Microsoft's TechNet Security Center at www.microsoft.com/technet/security/default.mspx.




Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034
