Security Response

Happy Microsoft Patch Day, Everybody!

Created: 10 Oct 2006 07:00:00 GMT • Updated: 23 Jan 2014 18:56:11 GMT
Ben Greenbaum

This month is a busy one, with 10 updates in total, fixing 27 distinct vulnerabilities. Of the 10 updates, seven of them are listed as “Critical” by Microsoft. Interestingly, all seven of them are intended to patch various client-side vulnerabilities—four of them in the Office suite.

Critical bugs:

The patched Office vulnerabilities are all file-format vulnerabilities that will allow an attacker to run the code of their choice on the victim machine, provided a user on that machine opens the malicious file.

There are patches for PowerPoint (MS06-058: BIDs 20322, 20304, 20325, 20226), Excel (MS06-059: BIDs 20391, 18989, 20344, 18872), Word (MS06-060: BIDs 19835, 20387, 20341, 20358), and core Office components (MS06-062: BIDs 20384, 20383, 20382, 20320).

Obviously, all of this month's Office patches address multiple vulnerabilities. A few of these vulnerabilities were discovered by Symantec, as our antivirus teams investigated actual, real-world attacks and saw that malicious code was already exploiting these previously unpublicized issues. Some of them are new and are being proactively patched by Microsoft before exploits are discovered in the wild. In both cases, the provided patches will probably be quickly reverse-engineered by attackers, and exploits for the vulnerabilities will be added to popular toolkits and will also be used in targeted attacks. For more information on the use of zero-day vulnerabilities in common desktop software, please see my blog entry from July. Also, please see Hon Lau's excellent entry from September regarding the subject.

Also on the Critical list this month:

MS06-057, BID 19030: "Microsoft WebViewFolderIcon ActiveX Control Buffer Overflow Vulnerability". This vulnerability was first disclosed in July and can, like the others above, lead to attacker-supplied code running on the target machine. This is an ActiveX vulnerability and can be mitigated by shutting off the relevant control (WebViewFolderIcon, CLSID {844F4806-E8A8-11d2-9652-00C04FC30871}). The most likely attack vector is a malicious Web site or, potentially, an HTML email. Multiple exploits are already in circulation.
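One way to audit and apply that mitigation, as an added example that is not part of the original post: it assumes "shutting off the control" means setting Internet Explorer's standard kill bit (the 0x400 bit in the `Compatibility Flags` value under the `ActiveX Compatibility` registry key) for the CLSID quoted above. The `-Apply` switch and function name are this example's own.

```powershell
# Added example (not from the original post). Audits the Internet Explorer
# kill bit for the WebViewFolderIcon control and sets it when run with -Apply.
param([switch]$Apply)

$Clsid   = '{844F4806-E8A8-11d2-9652-00C04FC30871}'  # CLSID quoted in the post
$KillBit = 0x400   # Compatibility Flags bit that stops IE loading the control
$Name    = 'Compatibility Flags'

# Native registry view, plus the 32-bit view present on 64-bit Windows.
$Roots = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
         'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-CompatFlags {
    param([string]$Key)
    # A missing key or value means no flags are set for this control.
    if (-not (Test-Path -LiteralPath $Key)) { return 0 }
    $prop = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 0 }
    return $prop.$Name
}

foreach ($root in $Roots) {
    # Skip views that do not exist on this machine (Wow6432Node on 32-bit).
    if (-not (Test-Path -LiteralPath $root)) { continue }

    $key   = Join-Path $root $Clsid
    $flags = Get-CompatFlags -Key $key

    if ($Apply -and -not ($flags -band $KillBit)) {
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the bit in so any other compatibility flags already set survive.
        $flags = $flags -bor $KillBit
        New-ItemProperty -LiteralPath $key -Name $Name -Value $flags `
            -PropertyType DWord -Force | Out-Null
    }

    # One result row per registry view: is the control blocked there?
    [pscustomobject]@{
        Key     = $key
        Flags   = '0x{0:X8}' -f $flags
        Blocked = [bool]($flags -band $KillBit)
    }
}
```

Without `-Apply` the script only reports; writing under HKLM requires an elevated session.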

MS06-061, BIDs 20338 and 20339: XML Vulnerabilities. One of these is rated “Critical” and the other “Important”, making the single patch of critical importance overall. BID 20339, if exploited, can lead to remote code execution, and 20338 can in some circumstances lead to information disclosure via a buffer overflow.

On the "Moderate" list for this month:

MS06-056, BID 20337. This is a fairly standard cross-site scripting bug affecting the .NET platform, with the usual repercussions if exploited.

MS06-063, BIDs 19215 and 20373. This is a patch to the SMB handling code that fixes one old and one new issue, both leading to potential denial of service attacks against the target system.

MS06-065, BID 20318. This Windows Object Packager vulnerability can be used to misrepresent file types, and in conjunction with a little social engineering, can be used to entice users to open file types that they normally would not.

And finally, on a semi-humorous note, the lone 'Low' priority patch for the month: Fixes to some age-old vulnerabilities in almost every TCP/IP implementation are now available for the IPv6 stack on Windows. MS06-064 patches the new stacks against BIDs 10183, 13124, and 13658. Land attack, anyone? Good on Microsoft for thinking to test the new technology against yesterday's attacks, however.

More details and the bulletins themselves can be viewed at Microsoft's October Security Bulletin Summary page.

Well, that's "all" for October—although that's plenty, thankyouverymuch. It feels a little like Halloween came early, doesn't it? Get on to your patching, and see you next month!