STANFORD UNIVERSITY

SECURE COMPUTING

Security Alerts

September 19, 2006

Microsoft Releases September 2006 Security Bulletin for Multiple Vulnerabilities

Summary

On September 12, 2006, Microsoft released its monthly security bulletin with the latest security updates for workstations and servers. There were three (3) patches in this bulletin targeting security vulnerabilities in Microsoft Publisher (Critical), Pragmatic General Multicasting (Important), and the Indexing Service (Moderate). The first two vulnerabilities can allow remote code execution (and therefore remote control) of a computer, while the last one can disclose information. Microsoft Publisher is normally a standalone application or bundled with Microsoft Office, and the Publisher patch is not applicable if you do not have this application installed. The other two patches should be installed (see Technical Details below). The affected operating systems and application platforms are:

* Windows Server 2003
* Windows XP
* Windows 2000 SP4
* Publisher 2000/2002/2003

It is imperative that patches with critical and important designations be applied, because remote code execution vulnerabilities of this kind can allow complete compromise and control of systems by attackers located either on campus or on the Internet.

What to Do

Windows users can manually use "Windows Update" to download and install the current operating system patches. Additionally, it is recommended that all Windows machines have an automated patch management solution installed and configured. Stanford provides BigFix to automatically patch Windows machines; it is available at http://patching.stanford.edu. A customized update will be delivered to workstations and servers via BigFix if you subscribed to this service. The BigFix deliverable includes all of the patches in this bulletin except for the Microsoft Publisher patch. Console Operators are to perform these Microsoft Office (and Publisher) updates manually. Individual updates can be downloaded by going to the Summary section of the Microsoft website listed under References. Please remember to reboot your machine after patching manually, or when prompted to do so by Windows Update or by your BigFix administrator. Most patches do not take effect until after a reboot.

Technical Details

It is important that all patches designated as critical or important be applied. The patches for the vulnerabilities are listed as follows, with those marked with an asterisk (*) delivered via BigFix:

Critical (1):

Microsoft Security Bulletin MS06-054

Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (910729)

This update resolves a vulnerability in Publisher that could allow remote code execution. An attacker could exploit this vulnerability when Publisher parses a file with a malformed string. If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

Important (1):

* Microsoft Security Bulletin MS06-052
Vulnerability in Reliable Multicast Program (PGM) Could Allow Remote Code Execution (919007)

There is a remote code execution vulnerability that could allow an attacker who sends a specially crafted multicast message to an affected system to execute code on that system. The MSMQ service, which is the Windows service needed to allow PGM communications, is not installed by default.

Moderate (1):

* Microsoft Security Bulletin MS06-053
Vulnerability in Indexing Service Could Allow Cross-Site Scripting (920685)

There is an information disclosure vulnerability in the Indexing Service because of the way that it handles query validation. The vulnerability could allow an attacker to run client-side script on behalf of a user. The script could spoof content, disclose information, or take any action that the user could take on the affected Web site.

The following operating systems and applications are affected by this Microsoft security bulletin:

* Windows Server 2003 Service Pack 1
* Windows Server 2003
* Windows Server 2003 with SP1 for Itanium-based Systems
* Windows Server 2003 for Itanium-based Systems
* Windows Server 2003 x64 Edition
* Windows XP Service Pack 2
* Windows XP Service Pack 1
* Windows XP Professional x64 Edition
* Windows 2000 Service Pack 4
* Publisher 2000/2002/2003
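The following PowerShell script is an added verification example, not part of the original Stanford alert or of any Microsoft or BigFix tooling. It lets an administrator confirm the state described in the What to Do and Technical Details sections on a single Windows XP or Server 2003 host: whether the two operating-system patches from this bulletin (KB919007 and KB920685) are installed, whether the MSMQ and Indexing Service components that MS06-052 and MS06-053 depend on are present at all, whether Publisher is installed (so that MS06-054 must be applied by hand), and whether a reboot is still pending. The KB numbers come from the bulletin above; the service name CiSvc for the Indexing Service, the App Paths registry key used to detect Publisher, and the RebootRequired key are assumptions about how Windows and Office register these components, not values stated on this page.

```powershell
# Added example (not part of the Stanford alert): check MS06-052/053/054 patch
# state and attack surface on a Windows XP / Server 2003 host.
# KB numbers are from the bulletin; service and registry names are assumptions.

$results = @()

# 1. Operating-system hotfixes from this bulletin. Get-HotFix reads
#    Win32_QuickFixEngineering, which lists OS updates only; the Publisher
#    (Office) patch will never appear here, so it is checked separately below.
$osKbs = @{
    'KB919007' = 'MS06-052 (PGM / MSMQ)'
    'KB920685' = 'MS06-053 (Indexing Service)'
}
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
foreach ($kb in $osKbs.Keys) {
    $state = if ($installed -contains $kb) { 'installed' } else { 'MISSING' }
    $results += "{0,-28} {1,-9} {2}" -f $osKbs[$kb], $kb, $state
}

# 2. Attack surface: MS06-052 needs the MSMQ service (not installed by default);
#    MS06-053 needs the Indexing Service. 'MSMQ' is the Message Queuing service
#    name; 'CiSvc' is assumed to be the Indexing Service's service name.
foreach ($svc in @('MSMQ', 'CiSvc')) {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s) {
        $results += "Service {0,-5} present, state: {1}" -f $svc, $s.Status
    } else {
        $results += "Service {0,-5} not installed (vulnerable component absent)" -f $svc
    }
}

# 3. Is Publisher installed? If so, MS06-054 (910729) is not delivered by BigFix
#    and must be applied via Office Update by hand, as the alert says.
#    The App Paths key is an assumption about where Office registers mspub.exe.
$pubKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MSPUB.EXE'
if (Test-Path $pubKey) {
    $pubPath = (Get-ItemProperty -Path $pubKey).'(default)'
    $results += "Publisher present at $pubPath - apply MS06-054 (910729) manually"
} else {
    $results += "Publisher not installed - MS06-054 not applicable"
}

# 4. Pending reboot: most patches only take effect after a restart. The key
#    below is assumed to be created by Windows Update while a reboot is pending.
$rebootKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
$results += "Reboot pending from Windows Update: $(Test-Path $rebootKey)"

$results
```

Run it in an elevated PowerShell session on the host being checked; any line reading MISSING, or a present MSMQ or CiSvc service on an unpatched host, identifies work still to be done before the machine can be considered covered by this bulletin.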

References

Detailed information about specific affected platforms and applications can be found at:
http://www.microsoft.com/technet/security/bulletin/ms06-sep.mspx


Last modified Monday, 08-Oct-2007 04:34:17 PM
