Security Alerts
June 16, 2006
Microsoft Releases June 2006 Security Bulletin for Multiple Critical Vulnerabilities
Summary
On June 13, 2006, Microsoft released their monthly security bulletin with the latest security updates for workstations and servers. These updates are patches to correct remote execution vulnerabilities within Internet Explorer, Windows Media Player, Routing and Remote Access, Microsoft JScript, Microsoft Office applications, and the graphics rendering engine for Microsoft Windows. This bulletin lists twelve (12) security vulnerabilities, with eight (8) listed as critical and three (3) listed as important. The affected operating system platforms are:
* Windows Server 2003
* Windows XP
* Windows 2000 SP4
* Microsoft Exchange Server 2003 SP1 or SP2
* Microsoft Exchange 2000 SP3 with the August 2004 Exchange 2000 Server Post-SP3 Update Rollup
It is imperative that patches with critical and important designations be applied, due to the serious nature of remote code execution vulnerabilities, which can allow complete compromise and control of systems by attackers both within campus and on the Internet. Details are in the Technical Detail section of this post.
What to Do
Windows users can manually use "Windows Update" to download and install the current operating system patches. Additionally, it is recommended that all Windows machines have an automated patch management solution installed and configured. Stanford provides BigFix to automatically patch Windows machines; it is available at http://patching.stanford.edu. A customized update will be delivered to workstations and servers via BigFix if you have subscribed to this service. The BigFix deliverable includes all of the patches in this bulletin except for the three (3) updates involving Microsoft Word, PowerPoint, and Exchange OWA. Console Operators are to perform the Microsoft Word and PowerPoint updates manually. Individual updates can be downloaded by going to the Summary section of this Microsoft website. Please remember to reboot your machine after patching manually, or when prompted to do so by Windows Update or by your BigFix administrator. Most patches do not take effect until after a reboot.
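To confirm that the BigFix-delivered operating system updates from this bulletin actually landed on a host, the installed hotfix inventory can be compared against the KB numbers the bulletin lists. The script below is an added example (not part of this alert or of BigFix) that parses the output of "wmic qfe get HotFixID" captured from a machine and reports which of the seven OS-level updates are missing; the sample inventory is constructed. Office (MS06-027/028) and Exchange OWA (MS06-029) updates are not registered in the Windows hotfix inventory, and the alert gives no KB number for MS06-030/031, so those five are left out.

```python
import re

# KB numbers the June 2006 alert lists for the OS-level updates delivered via BigFix.
REQUIRED_KBS = {
    "MS06-021": "KB916281",  # Cumulative Security Update for Internet Explorer
    "MS06-022": "KB918439",  # ART Image Rendering
    "MS06-023": "KB917344",  # Microsoft JScript
    "MS06-024": "KB917734",  # Windows Media Player
    "MS06-025": "KB911280",  # Routing and Remote Access
    "MS06-026": "KB918547",  # Graphics Rendering Engine
    "MS06-032": "KB917953",  # TCP/IP
}

# Constructed sample of `wmic qfe get HotFixID` output from a partly patched host.
# Older inventories also contain non-KB rows such as "File 1"; these are ignored.
SAMPLE_QFE_OUTPUT = """HotFixID
KB916281
KB917344
KB911280
KB918547
File 1
"""

KB_RE = re.compile(r"\bKB(\d{6,7})\b")


def parse_qfe(output: str) -> set[str]:
    """Return the set of KB identifiers found in hotfix inventory output."""
    return {"KB" + m.group(1) for m in KB_RE.finditer(output)}


def missing_bulletins(installed: set[str]) -> dict[str, str]:
    """Map bulletin id -> KB number for every required update not yet installed."""
    return {b: kb for b, kb in REQUIRED_KBS.items() if kb not in installed}


def report(output: str) -> dict[str, str]:
    """Print a per-bulletin status for the host and return the missing updates."""
    missing = missing_bulletins(parse_qfe(output))
    for bulletin, kb in sorted(missing.items()):
        print(f"MISSING {bulletin} ({kb})")
    if not missing:
        print("All June 2006 OS-level updates in this alert are installed.")
    return missing


if __name__ == "__main__":
    report(SAMPLE_QFE_OUTPUT)
```

A host that shows a KB as installed may still need the reboot mentioned above before the fix is in effect.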
Technical Detail
It is important that all patches designated as critical or important be applied. The patches for the vulnerabilities are listed as follows, with those designated with an asterisk (*) delivered via BigFix:
Critical (8):
* Microsoft Security Bulletin MS06-021
Cumulative Security Update for Internet Explorer (916281)
This update resolves several vulnerabilities in Internet Explorer that could allow remote code execution.
* Microsoft Security Bulletin MS06-022
Vulnerability in ART Image Rendering Could Allow Remote Code Execution (918439)
This update resolves a vulnerability that could allow remote code execution when using Internet Explorer.
* Microsoft Security Bulletin MS06-023
Vulnerability in Microsoft JScript Could Allow Remote Code Execution (917344)
This update resolves a vulnerability in JScript that could allow remote code execution when using Internet Explorer.
* Microsoft Security Bulletin MS06-024
Vulnerability in Windows Media Player Could Allow Remote Code Execution (917734)
This update resolves a vulnerability in Windows Media Player that could allow remote code execution.
* Microsoft Security Bulletin MS06-025
Vulnerability in Routing and Remote Access Could Allow Remote Code Execution (911280)
This update resolves vulnerabilities in Windows that could allow remote code execution.
* Microsoft Security Bulletin MS06-026
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (918547)
This update resolves a vulnerability in Windows that could allow remote code execution.
- Microsoft Security Bulletin MS06-027
Vulnerability in Microsoft Word Could Allow Remote Code Execution (917336)
This update resolves a vulnerability in Word that could allow remote code execution.
- Microsoft Security Bulletin MS06-028
Vulnerability in Microsoft PowerPoint Could Allow Remote Code Execution (916768)
This update resolves a vulnerability in PowerPoint that could allow remote code execution.
Important (3):
- Microsoft Security Bulletin MS06-029
Vulnerability in Microsoft Exchange Server Running Outlook Web Access Could Allow Script Injection (912442)
This update resolves a vulnerability in Outlook Web Access that could allow script execution. User interaction is required for an attacker to exploit this vulnerability.
* Microsoft Security Bulletin MS06-030
This update resolves several vulnerabilities in Windows. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities.
* Microsoft Security Bulletin MS06-032
Vulnerability in TCP/IP Could Allow Remote Code Execution (917953)
This update resolves a vulnerability in Windows. By default, the Routing and Remote Access Service is disabled on any affected operating system version.
Moderate (1):
* Microsoft Security Bulletin MS06-031
This update resolves a vulnerability in Windows. A user would need to connect to a malicious RPC server for any spoofing to occur. An attacker would have no way to force users to connect to a malicious RPC server. Windows 2000 Service Pack 4 is the only affected version.
The following operating systems and applications are affected by this Microsoft security bulletin:
Windows Server 2003 SP1 (Service Pack 1)
Windows Server 2003
Windows Server 2003 with SP1 for Itanium-based Systems
Windows Server 2003 for Itanium-based Systems
Windows Server 2003 x64 Edition
Windows XP SP1 or SP2
Windows XP Professional x64 Edition
Windows 2000 SP4
Internet Explorer
Windows Media Player
MS JScript 5.6
Microsoft Word and PowerPoint
Microsoft Exchange Server 2003 SP1 or SP2
Exchange 2000 SP3 with the August 2004 Exchange 2000 Server Post-SP3 Update Rollup
Detailed information about specific affected platforms and applications can be found at:
http://www.microsoft.com/technet/security/bulletin/ms06-jun.mspx
References
Detailed information about this Microsoft June 2006 security bulletin is available at
http://www.microsoft.com/technet/security/bulletin/ms06-jun.mspx