Security Alerts
January 10, 2006
Microsoft Releases Patches for Multiple Critical Vulnerabilities
Summary
On Jan 10, 2006, Microsoft released two new security updates, both of them rated as critical. Every current version of Windows is affected by at least one of them.
Some of these vulnerabilities can result in system-level compromise without direct user interaction. Others can result in compromise if the user opens a maliciously constructed HTML email message or web page.
What to Do
Windows users can visit Microsoft Update at http://update.microsoft.com to download and install current operating system and Office patches.
Additionally, it is recommended that all Windows machines have an automated patch management solution installed and configured. Stanford provides BigFix to automatically patch Windows machines; it is available at http://patching.stanford.edu. Alternatively, Windows Automatic Update should be enabled.
Some of the patches in these updates are for Microsoft Office components that are not part of the base operating system. These updates are covered by Microsoft Update. The Windows Update web page will offer you the chance to upgrade to Microsoft Update if you need it (look on the right side, under the "News" icon).
Please remember to reboot your machine after patching manually, or when prompted to do so by Microsoft Update or by your BigFix administrator. Most patches do not take effect until after a reboot.
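As an added check for administrators (this script is not part of the original alert), the following PowerShell verifies the three things the section above asks for: that the operating-system update is installed, that Automatic Updates is turned on, and that no reboot is still pending. It assumes a Windows host with PowerShell available and uses the KB908519 article number given below for the Windows update; the Outlook/Exchange update is an Office-side patch that does not appear in the hotfix list, so it is not covered here.

```powershell
# Added verification script (not from the original alert).
# Assumes a Windows host with PowerShell; KB908519 is the MS06-002 article from the alert.
# Office and Exchange updates are not reported by Get-HotFix and must be checked via Microsoft Update.
param(
    [string[]]$RequiredKB = @('KB908519')
)

$results = [ordered]@{}

# 1. Installed hotfixes (Win32_QuickFixEngineering lists operating-system updates only).
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
foreach ($kb in $RequiredKB) {
    $results["$kb installed"] = ($installed -contains $kb)
}

# 2. Automatic Updates configuration. AUOptions: 1 = disabled, 2 = notify before download,
#    3 = download then notify before install, 4 = download and install on a schedule.
#    A domain policy under HKLM:\SOFTWARE\Policies overrides the local setting.
$auPolicy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
$auLocal  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' -ErrorAction SilentlyContinue
if ($auPolicy -and $null -ne $auPolicy.NoAutoUpdate) {
    $results['Automatic Updates enabled'] = ($auPolicy.NoAutoUpdate -eq 0)
} elseif ($auLocal -and $null -ne $auLocal.AUOptions) {
    $results['Automatic Updates enabled'] = ($auLocal.AUOptions -ge 2)
} else {
    $results['Automatic Updates enabled'] = $false   # no setting found: treat as off
}

# 3. Reboot pending: Windows Update keeps RebootRequired until the machine restarts, and
#    component servicing (Vista and later) writes RebootPending. Patches are not in effect until then.
$rebootKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
)
$results['Reboot pending'] = [bool]@($rebootKeys | Where-Object { Test-Path $_ }).Count

# Report each check, then exit non-zero if anything the alert requires is still outstanding.
$results.GetEnumerator() | ForEach-Object { '{0,-28} {1}' -f $_.Key, $_.Value }
$missing = @($RequiredKB | Where-Object { -not $results["$_ installed"] }).Count
$failed  = ($missing -gt 0) -or (-not $results['Automatic Updates enabled']) -or $results['Reboot pending']
exit ([int]$failed)
```

Run it from an elevated prompt so the policy keys are readable; a zero exit code means the update is in place, Automatic Updates is on, and no restart is outstanding.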
Technical Detail
Information regarding this month's security updates is available at http://www.microsoft.com/technet/security/bulletin/ms06-jan.mspx. Note that the site also repeats the MS06-001 update issued last week. The following are brief summaries of the new updates.
MS06-002 - Vulnerability in Embedded Web Fonts Could Allow Remote Code Execution (KB908519)
- Affected platforms:
  - Windows 98, 98SE, ME
  - Windows 2000, all versions
  - Windows XP, all versions
  - Windows Server 2003, all versions
- Activated by opening a malicious web page or HTML email.
Second update (Microsoft Outlook and Exchange; see the bulletin page above for its title and KB number)
- Affected platforms:
  - Office 2000, Service Pack 3
  - Outlook 2000
  - Office XP, Service Pack 3
  - Outlook 2002
  - Office 2003, Service Pack 1 and Service Pack 2
  - Outlook 2003
  - Exchange Server 5.0, Service Pack 2
  - Exchange Server 5.5, Service Pack 4
  - Exchange 2000, Service Pack 3 with August 2004 Update Rollup
- Activated by opening or previewing a maliciously crafted email message (not necessarily HTML).
- No credentials or user interaction required on systems running Exchange Server.
References
The Information Security Office would like to thank the Windows Systems Team in ITS for their assistance in producing this alert.

