STANFORD UNIVERSITY

SECURE COMPUTING

Security Alerts

July 12, 2006

Microsoft Releases July 2006 Security Bulletin for Multiple Vulnerabilities

Summary

On July 11, 2006, Microsoft released its monthly security bulletin with the latest security updates for workstations and servers. These updates correct vulnerabilities in the Server service, the DHCP Client service, ASP.NET, and IIS with Active Server Pages, most of which allow remote code execution. In addition, there are updates to correct remote code execution vulnerabilities in Microsoft Office products. This bulletin lists seven (7) security vulnerabilities, five (5) rated critical and two (2) rated important. The affected platforms are:

* Windows Server 2003
* Windows XP
* Windows 2000 SP4
* .NET Framework 2.0

It is imperative that patches with critical and important designations be applied: remote code execution vulnerabilities of this kind can allow complete compromise and control of a system by attackers both on campus and on the Internet. Details are in the Technical Detail section of this post.

What to Do

Windows users can manually use "Windows Update" to download and install the current operating system patches. Additionally, it is recommended that all Windows machines have an automated patch management solution installed and configured. Stanford provides BigFix to automatically patch Windows machines; it is available at http://patching.stanford.edu. If you have subscribed to this service, a customized update will be delivered to your workstations and servers via BigFix. The BigFix deliverable includes all of the patches in this bulletin except for the three (3) updates involving Microsoft Office (MS06-037, MS06-038, MS06-039); Console Operators are to perform the Microsoft Office updates manually. Individual updates can be downloaded from the Summary section of the Microsoft website listed under References. Please remember to reboot your machine after patching manually, or when prompted to do so by Windows Update or by your BigFix administrator. Most patches do not take effect until after a reboot.

Technical Detail

It is important that all patches designated as critical or important be applied. The patches for the vulnerabilities are listed as follows, with those marked with an asterisk (*) delivered via BigFix:

Critical (5):

* Microsoft Security Bulletin MS06-035
Vulnerability in Server Service Could Allow Remote Code Execution (917159)
This update resolves two vulnerabilities in the Server service, the most serious of which could allow remote code execution.

* Microsoft Security Bulletin MS06-036
Vulnerability in DHCP Client Service Could Allow Remote Code Execution (914388)
This update resolves a vulnerability in the DHCP Client service that could allow remote code execution.

- Microsoft Security Bulletin MS06-037
Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (917285)
This update resolves several vulnerabilities in Excel, the most serious of which could allow remote code execution.

- Microsoft Security Bulletin MS06-038
Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (917284)
This update resolves two vulnerabilities in Office, the most serious of which could allow remote code execution.

- Microsoft Security Bulletin MS06-039
Vulnerabilities in Microsoft Office Filters Could Allow Remote Code Execution (915384)
This update resolves two vulnerabilities in Office, the most serious of which could allow remote code execution.

Important (2):

* Microsoft Security Bulletin MS06-033
Vulnerability in ASP.NET Could Allow Information Disclosure (917283)
This vulnerability could allow an attacker to bypass ASP.NET security and gain unauthorized access to objects in the Application folder by referencing them explicitly by name. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could yield information useful for further compromising the affected system.

* Microsoft Security Bulletin MS06-034
Vulnerability in Microsoft Internet Information Services using Active Server Pages Could Allow Remote Code Execution (917537)
This vulnerability could allow an attacker to take complete control of an affected system. Note that the attacker must have valid logon credentials; however, if a server has been purposely configured to allow users, either anonymous or authenticated, to upload web content such as .ASP pages to web sites, the server could be exploited through this vulnerability.
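As an added example (not part of this Stanford alert, and not a BigFix or Microsoft tool), the PowerShell script below checks a Windows host for the updates listed above using the KB numbers from this bulletin, and warns if a reboot is still pending. It assumes PowerShell 2.0 or later so that Get-HotFix is available; the three Office updates are flagged for manual verification because Get-HotFix only reports Windows component updates.

```powershell
# Added example, not from the Stanford alert: check which of the July 2006
# updates are present on this host and whether a reboot is still pending.
# Assumes PowerShell 2.0 or later (Get-HotFix). KB numbers come from the alert.
$Bulletins = @(
    @{ Id = 'MS06-033'; KB = 'KB917283'; Severity = 'Important'; Office = $false },
    @{ Id = 'MS06-034'; KB = 'KB917537'; Severity = 'Important'; Office = $false },
    @{ Id = 'MS06-035'; KB = 'KB917159'; Severity = 'Critical';  Office = $false },
    @{ Id = 'MS06-036'; KB = 'KB914388'; Severity = 'Critical';  Office = $false },
    @{ Id = 'MS06-037'; KB = 'KB917285'; Severity = 'Critical';  Office = $true  },
    @{ Id = 'MS06-038'; KB = 'KB917284'; Severity = 'Critical';  Office = $true  },
    @{ Id = 'MS06-039'; KB = 'KB915384'; Severity = 'Critical';  Office = $true  }
)

# Get-HotFix reads Win32_QuickFixEngineering, which lists Windows component
# updates only. Office patches are applied through the Windows Installer and
# do not appear there, so they are reported as "verify manually".
$installed = @{}
foreach ($fix in Get-HotFix) { $installed[$fix.HotFixID] = $true }

$report = foreach ($b in $Bulletins) {
    $status = if ($b.Office) { 'VERIFY MANUALLY (Office update)' }
              elseif ($installed.ContainsKey($b.KB)) { 'installed' }
              else { 'MISSING' }
    New-Object PSObject -Property @{
        Bulletin = $b.Id; KB = $b.KB; Severity = $b.Severity; Status = $status
    }
}
$report | Format-Table Bulletin, KB, Severity, Status -AutoSize

# A pending file rename means an update has been staged but not yet applied;
# as the alert notes, most patches only take effect after a reboot.
$sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
if ($sm.PendingFileRenameOperations) {
    Write-Warning 'Reboot pending: staged updates are not yet in effect.'
}

$missing = @($report | Where-Object { $_.Status -eq 'MISSING' })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} Windows update(s) from this bulletin not found." -f $missing.Count)
}
```

Run it in an elevated PowerShell session on each host; the Office rows must still be confirmed through Office Update or the Add/Remove Programs list, as the alert requires.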

The following operating systems and applications are affected by this Microsoft security bulletin:

* Windows Server 2003 SP1 (Service Pack 1)
* Windows Server 2003
* Windows Server 2003 with SP1 for Itanium-based Systems
* Windows Server 2003 for Itanium-based Systems
* Windows Server 2003 x64 Edition
* Windows XP SP1 or SP2
* Windows XP Professional x64 Edition
* Windows XP Home SP1 or SP2
* Windows 2000 SP4
* .NET Framework 2.0
* Microsoft Office 2003 SP1 or SP2
* Microsoft Office XP 2003 SP3
* Microsoft Office 2000 SP3
* Microsoft Office v.X for Mac
* Microsoft Office 2004 for Mac
* Excel 2003
* Excel Viewer 2003
* Excel 2002
* Excel 2000
* Excel v.X for Mac
* Excel 2004 for Mac
* Project 2002
* Project 2000
* Visio 2002
* Microsoft Works Suite 2006/2005/2004

References

Detailed information about specific affected platforms and applications can be found at:
http://www.microsoft.com/technet/security/bulletin/ms06-jul.mspx


Last modified Monday, 08-Oct-2007 04:34:17 PM