• Information Security Office
• Secure Computing
• Security Alerts
• Microsoft Releases Patches for Multiple Critical Vulnerabilities

Security Alerts

Search Security Alerts:

April 11, 2006

Microsoft Releases Patches for Multiple Critical Vulnerabilities

Summary

On Apr 11, 2006, Microsoft released five new security updates, three of them rated as critical. All current versions of Windows are affected by some of them.

These vulnerabilities can result in system-level compromise if the user opens a maliciously constructed web page, HTML email message, or link in an Instant Messenger request.

What to Do

Windows users can manually use "Windows Update" to download and install the current operating system patches.

Additionally, it is recommended that all Windows machines have an automated patch management solution installed and configured on their system. Stanford provides BigFix to automatically patch Windows machines; it is available at http://patching.stanford.edu. Alternatively, Windows Automatic Update should be enabled.

Please remember to reboot your machine after patching manually, or when prompted to do so by Windows Update or by your BigFix administrator. Most patches do not take effect until after a reboot.

Technical Detail

Information regarding all five security updates is available at http://www.microsoft.com/technet/security/bulletin/ms06-apr.mspx. The following are brief summaries of those rated as critical.

MS06-013 - Cumulative Security Update for Internet Explorer (KB912812)

• Affected platforms:
  
  • Windows 98, 98SE, ME
    
  • Windows 2000, all versions
    
  • Windows XP, all versions
    
  • Windows Server 2003, all versions
    
• Activated by opening a malicious web page.
  

MS06-014 - Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution (KB911562)

• Affected platforms:
  
  • Windows 98, 98SE, ME
    
  • Windows 2000, all versions
    
  • Windows XP, all versions
    
  • Windows Server 2003, all versions
    
• Activated by opening a malicious web page.
  

MS06-015 - Vulnerability in Windows Explorer Could Allow Remote Code Execution (KB908531)

• Affected platforms:
  
  • Windows 98, 98SE, ME
    
  • Windows 2000, all versions
    
  • Windows XP, all versions
    
  • Windows Server 2003, all versions
    
• Activated by opening a malicious file, attachment, or web page.

References

Additional information regarding these vulnerabilities is available at

• http://www.microsoft.com/technet/security/bulletin/ms06-apr.mspx

The Information Security Office would like to thank the Windows Systems Team in ITS for their assistance in producing this alert.