STANFORD UNIVERSITY

SECURE COMPUTING

Security Alerts

November 15, 2006

Microsoft Releases October 2006 Security Bulletin for Multiple Vulnerabilities

Summary

On October 10, 2006, Microsoft released their monthly security bulletin with the latest security updates for workstations and servers. There were three (3) patches in this bulletin targeting security vulnerabilities in the Windows Shell (Critical), Microsoft XML Core Services (Critical), and the Server Service (Important). There were also four critical patches for PowerPoint, Excel, Word, and MS Office. It is recommended that all patches of this bulletin be applied immediately, except for the IPv6 TCP/IP vulnerability patch (Low), which can be optionally applied but is not required since Windows IPv6 is not adopted on campus hosts yet. The Server Service vulnerability is of particular concern since it can be exploited directly from the Internet via the well-published Microsoft ports. The affected operating systems and application platforms are:

* Windows 2000 Service Pack 4
* Windows XP Service Pack 1 and 2
* Windows Server 2003
* Microsoft XML Core Services 4.0/6.0
* Office 2000/2003
* Excel/PowerPoint/Word
* Microsoft Works Suites 2004, 2005, and 2006
* Office XP Service Pack 3
* Project 2000/2002
* Visio 2002 Service Pack 2
* Microsoft Office 2004 for Mac
* Microsoft Office v.X for Mac

It is imperative patches with critical and important designations be applied due to the serious nature of remote execution vulnerabilities which can allow for complete compromise and control of systems originating from within campus and the Internet.

What to Do

Windows users can manually use "Windows Update" to download and install the current operating system patches. Additionally, it is recommended that all Windows machines have an automated patch management solution installed and configured on their system. Stanford provides BigFix to automatically patch Windows machines; it is available at http://patching.stanford.edu. A customized update will be delivered to workstations and servers via BigFix if you subscribed to this service. The BigFix deliverable includes all of the patches of this bulletin except for the four critical Microsoft Office patches. Console Operators are to perform these Microsoft Office (and Publisher) updates manually. Individual updates can be downloaded by going to the Summary section of this Microsoft website. Please remember to reboot your machine after patching manually, or when prompted to do so by Windows Update or by your BigFix administrator. Most patches do not take effect until after a reboot.

Technical Details

It is important all patches designated as critical or important be applied. They are listed and broken down by severity below, with those designated with an asterisk (*) delivered via BigFix.

Critical (6)

*Microsoft Security Bulletin MS06-057
Vulnerability in Windows Shell Could Allow Remote Code Execution (923191)

Windows Shell Remote Code Execution Vulnerability - CVE-2006-3730:
A remote code execution vulnerability exists in Windows Shell due to improper validation of input parameters when invoked by the WebViewFolderIcon ActiveX control (Web View). This vulnerability could potentially allow remote code execution if a user visited a specially crafted Web site or viewed a specially crafted e-mail message. An attacker could exploit the vulnerability by hosting a web site that contained a web page that was used to exploit this vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Microsoft Security Bulletin MS06-058
Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (924163)

PowerPoint Malformed Object Pointer Vulnerability - CVE-2006-3435:
A remote code execution vulnerability exists in PowerPoint. An attacker could exploit this vulnerability when PowerPoint parsed a file that included a malformed object pointer. If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

PowerPoint Malformed Data Record Vulnerability - CVE-2006-3876:
A remote code execution vulnerability exists in PowerPoint. An attacker could exploit this vulnerability when PowerPoint parsed a file that included a malformed Data record. If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

PowerPoint Malformed Record Memory Corruption Vulnerability - CVE-2006-3877:
A remote code execution vulnerability exists in PowerPoint and could be exploited when PowerPoint opened a specially crafted file. Such a file might be included in an e-mail attachment or hosted on a malicious web site. An attacker could exploit the vulnerability by constructing a specially crafted PowerPoint file that could allow remote code execution. If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

PowerPoint Malformed Record Vulnerability - CVE-2006-4694:
A remote code execution vulnerability exists in PowerPoint and could be exploited when PowerPoint opened a specially crafted file. Such a file might be included in an e-mail attachment or hosted on a malicious web site. An attacker could exploit the vulnerability by constructing a specially crafted PowerPoint file that could allow remote code execution. If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

Microsoft Security Bulletin MS06-059
Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (924164)

Excel Malformed DATETIME Record Vulnerability - CVE-2006-2387:
A remote code execution vulnerability exists in Excel. An attacker could exploit this vulnerability when Excel parses a file and processes a malformed DATETIME record. If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights. In a Web-based attack scenario, an attacker would have to host a Web site that contains an Excel file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site. The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.

Excel Malformed STYLE Record Vulnerability - CVE-2006-3431:
A remote code execution vulnerability exists in Excel. An attacker could exploit this vulnerability when Excel parses a file and processes a malformed STYLE record. If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights. In a Web-based attack scenario, an attacker would have to host a Web site that contains an Excel file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site. The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.

Excel Handling of Lotus 1-2-3 File Vulnerability - CVE-2006-3867:
A remote code execution vulnerability exists in Excel. An attacker could exploit this vulnerability when Excel handles a Lotus 1-2-3 file. If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights. In a Web-based attack scenario, an attacker would have to host a Web site that contains a Lotus 1-2-3 file which Excel opens that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site. The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.

Malformed COLINFO Record Vulnerability - CVE-2006-3875:
A remote code execution vulnerability exists in Excel. An attacker could exploit this vulnerability when Excel parses a file and processes a malformed COLINFO record. If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

Microsoft Security Bulletin MS06-060
Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (924554)
This update resolves several vulnerabilities in Microsoft Word, the most critical of which could allow remote code execution.

Microsoft Word Vulnerability - CVE-2006-3647:
A remote code execution vulnerability exists in Word. An attacker could exploit this vulnerability when Word parsed a file that contains a malformed string. Such a specially crafted file might be included as an e-mail attachment or hosted on a malicious web site. Viewing or previewing a malformed e-mail message in Outlook could not lead to exploitation of this vulnerability. If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights. In a Web-based attack scenario, an attacker would have to host a Web site that contains a Word file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site. The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.

Microsoft Word Mail Merge Vulnerability - CVE-2006-3651:
A remote code execution vulnerability exists in Microsoft Word, and could be exploited when Word opens a specially crafted mail merge file. Such a specially crafted file might be included as an e-mail attachment or hosted on a malicious web site. Viewing or previewing a malformed e-mail message in an affected version of Outlook could not lead to exploitation of this vulnerability. An attacker could exploit the vulnerability by constructing a specially crafted Word file that could allow remote code execution. If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights. In a Web-based attack scenario, an attacker would have to host a Web site that contains a Word file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site. The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.

Microsoft Word Malformed Stack Vulnerability - CVE-2006-4534:
A remote code execution vulnerability exists in Microsoft Word, and could be exploited when Word opens a specially crafted file. Such a specially crafted file might be included as an e-mail attachment or hosted on a malicious web site. Viewing or previewing a malformed e-mail message in an affected version of Outlook could not lead to exploitation of this vulnerability. An attacker could exploit the vulnerability by constructing a specially crafted Word file that could allow remote code execution. If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights. In a Web-based attack scenario, an attacker would have to host a Web site that contains a Word file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site. The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.

Microsoft Word for Mac Vulnerability - CVE-2006-4693:
A remote code execution vulnerability exists in Word for Mac. An attacker could exploit this vulnerability when Word for Mac parses a specially crafted file that contains a malformed string. Such a specially crafted file might be included as an e-mail attachment or hosted on a malicious web site. Viewing or previewing a malformed e-mail message in Outlook could not lead to exploitation of this vulnerability. An attacker could exploit the vulnerability by constructing a specially crafted Word file that could allow remote code execution. If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights. In a Web-based attack scenario, an attacker would have to host a Web site that contains a Word file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site. The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.

*Microsoft Security Bulletin MS06-061
Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (924191)

Microsoft XML Core Services Vulnerability - CVE-2006-4685:
A vulnerability exists in Microsoft XML Core Services that could allow for information disclosure because the XMLHTTP ActiveX control incorrectly interprets an HTTP server-side redirect. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially lead to information disclosure if a user visited that page or clicked a link in a specially crafted e-mail message. An attacker who successfully exploited this vulnerability could access content from another domain retrieved using the credentials of the user browsing the Web at the client. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. However, user interaction is required to exploit this vulnerability. In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit the page. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or instant messenger message that takes users to the attacker's Web site.

Microsoft Security Bulletin MS06-062
Microsoft Office Could Allow Remote Code Execution (922581)
This update resolves vulnerabilities in Office that could allow remote code execution.

Office Improper Memory Access Vulnerability - CVE-2006-3434:
A remote code execution vulnerability exists in Office. An attacker could exploit this vulnerability when Office parses a file with a malformed string.

Office Malformed Chart Record Vulnerability - CVE-2006-3650:
A remote code execution vulnerability exists in Office. An attacker could exploit this vulnerability when Office parses a file with a malformed chart record.

Office Malformed Record Memory Corruption Vulnerability - CVE-2006-3864:
A remote code execution vulnerability exists in Office. An attacker could exploit this vulnerability when Office parses a file with a malformed record.

Microsoft Office Smart Tag Parsing Vulnerability - CVE-2006-3868:
A remote code execution vulnerability exists in Microsoft Office, and could be exploited when Office opens a specially crafted file and parses a malformed Smart Tag. Such a specially crafted file might be included as an e-mail attachment or hosted on a malicious web site. Viewing or previewing a malformed e-mail message in Outlook could not lead to exploitation of this vulnerability. An attacker could exploit the vulnerability by constructing a specially crafted Office file that could allow remote code execution. If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

Important (1)

*Microsoft Security Bulletin MS06-063
Vulnerability in Server Service Could Allow Denial of Service and Remote Code Execution (923414)

Server Service Denial of Service Vulnerability - CVE-2006-3942:
A denial of service vulnerability exists in the Server service because of the way it handles certain network messages. An attacker could exploit the vulnerability by sending a specially crafted network message to a computer running the Server service. An attacker who successfully exploited this vulnerability could cause the computer to stop responding. Microsoft has tested a workaround by blocking the following with a firewall: UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, and 445. To help protect from network-based attempts to exploit this vulnerability, use a personal firewall, such as the Internet Connection Firewall, which is included with Windows XP and with Windows Server 2003. The cause of this vulnerability is an uninitialized buffer in the Server service. The Server service provides remote procedure call (RPC) support, file and print support and named pipe sharing over the network. The Server service allows the sharing of your local resources (such as disks and printers) so that other users on the network can access them. It also allows named pipe communication between applications running on other computers and your computer. An attacker could try to exploit the vulnerability by creating a specially crafted message and sending the message to an affected system. The message could then cause the affected system to stop responding. This vulnerability has been publicly disclosed. It also has been named "Mailslot DOS" by the larger security community.
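The firewall workaround above only helps if it is actually in effect, and the firewall log is the place to confirm that. The following is an added example (not part of the Stanford alert and not Microsoft's tooling) that reads Windows Firewall log text, picks out inbound packets to the seven workaround ports, reports sources that are repeatedly being dropped, and, more importantly, reports any inbound packet to those ports that was not dropped, which means the block is not in place on that host. It assumes the W3C-style pfirewall.log layout with a '#Fields:' header (column names are taken from that header, so the parser follows whatever order the log uses); the log lines and addresses are constructed for this example.

```python
"""Summarize Windows Firewall log entries that hit the Server service ports
named in the MS06-063 workaround.  Added example, not the alert's own tooling.
Assumes a pfirewall.log-style text with a '#Fields:' header line; the sample
lines and addresses below are constructed."""
from collections import Counter

# Ports the alert says Microsoft tested blocking at the firewall.
WORKAROUND_PORTS = {
    ("UDP", 135), ("UDP", 137), ("UDP", 138), ("UDP", 445),
    ("TCP", 135), ("TCP", 139), ("TCP", 445),
}

# Constructed sample log (assumed pfirewall.log layout; actions DROP / OPEN /
# OPEN-INBOUND are as logged by the Windows XP SP2-era firewall).
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2006-10-12 09:14:33 DROP TCP 10.0.0.5 10.0.0.20 3344 445 48 S 1000 0 65535 - - - RECEIVE
2006-10-12 09:14:34 DROP TCP 10.0.0.5 10.0.0.20 3345 139 48 S 1001 0 65535 - - - RECEIVE
2006-10-12 09:14:35 DROP UDP 10.0.0.5 10.0.0.20 1034 138 229 - - - - - - - RECEIVE
2006-10-12 09:14:36 DROP UDP 10.0.0.5 10.0.0.20 1035 137 78 - - - - - - - RECEIVE
2006-10-12 09:15:02 DROP TCP 10.0.0.9 10.0.0.20 4001 445 48 S 2000 0 65535 - - - RECEIVE
2006-10-12 09:15:10 OPEN TCP 10.0.0.20 10.0.0.1 1040 80 0 - 0 0 0 - - - SEND
2006-10-12 09:15:11 DROP TCP 10.0.0.9 10.0.0.20 4002 80 48 S 2001 0 65535 - - - RECEIVE
2006-10-12 09:16:00 OPEN-INBOUND TCP 10.0.0.7 10.0.0.20 5000 445 0 - 0 0 0 - - - RECEIVE
"""


def parse_firewall_log(text):
    """Turn log text into a list of dicts keyed by the names in the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def server_service_hits(records):
    """Inbound records whose protocol and destination port are in the workaround set."""
    hits = []
    for rec in records:
        try:
            dport = int(rec["dst-port"])
        except (KeyError, ValueError):
            continue
        if rec.get("path") == "RECEIVE" and (rec.get("protocol"), dport) in WORKAROUND_PORTS:
            hits.append(rec)
    return hits


def dropped_probes_by_source(records, threshold=3):
    """Source addresses with at least `threshold` dropped packets to the workaround ports."""
    counts = Counter(rec["src-ip"] for rec in server_service_hits(records)
                     if rec["action"] == "DROP")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def allowed_inbound(records):
    """Inbound hits that were not dropped: the workaround is not in effect for these."""
    return [(rec["src-ip"], rec["protocol"], int(rec["dst-port"]))
            for rec in server_service_hits(records) if rec["action"] != "DROP"]


if __name__ == "__main__":
    recs = parse_firewall_log(SAMPLE_LOG)
    print("sources repeatedly dropped:", dropped_probes_by_source(recs))
    print("inbound NOT blocked (fix firewall):", allowed_inbound(recs))
```

On the sample above the host is dropping 10.0.0.5's four attempts, but the 10.0.0.7 entry shows an accepted inbound TCP 445 packet, so that host's firewall does not implement the block the alert describes. Run against a real pfirewall.log, the second list is the one to act on.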

SMB Rename Vulnerability - CVE-2006-4696:
A remote code execution vulnerability exists in the Server service because of the way it handles certain network messages. An attacker could exploit the vulnerability by sending a specially crafted network message to a system running the Server service as an authenticated user. While an attacker who successfully exploited this vulnerability could take complete control of the affected system, attempts to exploit this vulnerability will most probably result in a Denial of Service condition.

Moderate (2)

*Microsoft Security Bulletin MS06-056
Vulnerability in ASP.NET Could Allow Information Disclosure (922770)

.NET Framework 2.0 Cross-Site Scripting Vulnerability - CVE-2006-3436:
A cross-site scripting vulnerability exists in a server running a vulnerable version of the .NET Framework 2.0 that could inject a client-side script in the user's browser. The script could spoof content, disclose information, or take any action that the user could take on the affected web site. Attempts to exploit this vulnerability require user interaction.

*Microsoft Security Bulletin MS06-065
Vulnerability In Windows Object Packager Could Allow Remote Code Execution (924496)

Object Packager Dialogue Spoofing Vulnerability - CVE-2006-4692:
A remote code execution vulnerability exists in Windows Object Packager because of the way that file extensions are handled. An attacker could exploit the vulnerability by constructing a specially crafted file that could potentially allow remote code execution if a user visited a specially crafted Web site. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, significant user interaction is required to exploit this vulnerability.

Low (1)

Microsoft Security Bulletin MS06-064
Vulnerabilities in TCP/IP Could Allow Denial of Service (922819)
This update resolves several vulnerabilities in the Windows IPv6 implementation of TCP/IP.

ICMP Connection Reset Vulnerability - CVE-2004-0790:
A denial of service vulnerability exists in the IPv6 Windows implementation of the Internet Control Message Protocol (ICMP). An attacker who successfully exploited this vulnerability could cause the affected system to drop an existing TCP connection.

TCP Connection Reset Vulnerability - CVE-2004-0230:
A denial of service vulnerability exists in the IPv6 Windows implementation of TCP. An attacker who successfully exploited this vulnerability could cause the affected system to drop an existing TCP connection.

Spoofed Connection Request Vulnerability - CVE-2005-0688:
A denial of service vulnerability exists in Windows in the IPv6 implementation of TCP/IP. An attacker who successfully exploited this vulnerability could cause the affected system to stop responding.
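A console operator who has to confirm that a machine received everything in this bulletin needs a list of the KB numbers to check against. The following is an added example (not part of the Stanford alert, and not BigFix or Microsoft tooling) that takes the installed-hotfix list a host reports and compares it with the KB numbers of the ten bulletins listed above, using the severities given in this alert. It assumes the input is the text of `wmic qfe get HotFixID` (one "KBnnnnnn" per line); the sample output is constructed. Two details follow the alert's own guidance: the Low-rated IPv6 patch (MS06-064) is treated as optional unless asked for, and the four Office bulletins are reported as "verify manually" rather than "missing", since Office updates are applied by hand per the What to Do section and are generally not listed in the Windows hotfix inventory on these platforms.

```python
"""Compare a Windows host's installed-hotfix list with the KB numbers of the
October 2006 bulletin.  Added example, not Stanford's or Microsoft's tooling.
Assumes the input is the text printed by `wmic qfe get HotFixID`; the sample
output below is constructed."""
import re

# Bulletin -> (KB number, severity), exactly as listed in this alert.
BULLETIN_KBS = {
    "MS06-056": ("922770", "Moderate"),
    "MS06-057": ("923191", "Critical"),
    "MS06-058": ("924163", "Critical"),
    "MS06-059": ("924164", "Critical"),
    "MS06-060": ("924554", "Critical"),
    "MS06-061": ("924191", "Critical"),
    "MS06-062": ("922581", "Critical"),
    "MS06-063": ("923414", "Important"),
    "MS06-064": ("922819", "Low"),
    "MS06-065": ("924496", "Moderate"),
}

# The Office bulletins: delivered manually, not via BigFix, and usually absent
# from the Windows hotfix (QFE) inventory, so their absence is not proof of a gap.
OFFICE_BULLETINS = {"MS06-058", "MS06-059", "MS06-060", "MS06-062"}

# Constructed sample of `wmic qfe get HotFixID` on a partially patched host.
SAMPLE_QFE_OUTPUT = """HotFixID
KB923191
KB924191
KB922770
KB924496
KB920213
"""

KB_RE = re.compile(r"\bKB(\d{6,7})\b", re.IGNORECASE)


def parse_installed_kbs(text):
    """Return the set of KB numbers (digits only) found anywhere in the QFE output."""
    return {m.group(1) for m in KB_RE.finditer(text)}


def classify(qfe_text, include_optional=False):
    """Sort every bulletin of this alert into one of four buckets.

    missing:          OS patches the host should have but does not (with severity)
    verify_manually:  Office bulletins that QFE cannot confirm either way
    optional:         the Low-rated IPv6 patch, unless include_optional is set
    installed:        bulletins whose KB appears in the inventory
    """
    installed = parse_installed_kbs(qfe_text)
    result = {"installed": [], "missing": [], "verify_manually": [], "optional": []}
    for bulletin, (kb, severity) in sorted(BULLETIN_KBS.items()):
        if kb in installed:
            result["installed"].append(bulletin)
        elif bulletin in OFFICE_BULLETINS:
            result["verify_manually"].append(bulletin)
        elif severity == "Low" and not include_optional:
            result["optional"].append(bulletin)
        else:
            result["missing"].append((bulletin, kb, severity))
    return result


def needs_action(qfe_text, include_optional=False):
    """True when at least one non-optional OS patch from the bulletin is absent."""
    return bool(classify(qfe_text, include_optional)["missing"])


if __name__ == "__main__":
    report = classify(SAMPLE_QFE_OUTPUT)
    for bulletin, kb, severity in report["missing"]:
        print(f"MISSING  {bulletin} (KB{kb}, {severity})")
    for bulletin in report["verify_manually"]:
        print(f"CHECK    {bulletin} (Office update; confirm in the application)")
    for bulletin in report["optional"]:
        print(f"OPTIONAL {bulletin} (IPv6 TCP/IP; not required on campus hosts)")
    print("installed:", ", ".join(report["installed"]))
```

On the constructed sample the host has the Windows Shell, XML Core Services, ASP.NET and Object Packager updates but not MS06-063, so the Server service patch, the one this alert singles out as reachable from the Internet, is reported as missing and the host still needs a patch and reboot.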

The following operating systems and applications are affected by this Microsoft security bulletin:

Windows 2000 Service Pack 4
Windows XP Service Pack 1
Windows XP Service Pack 2
Windows XP Professional x64 Edition
Windows Server 2003
Windows Server 2003 Service Pack 1
Windows Server 2003 for Itanium-based Systems
Windows Server 2003 with SP1 for Itanium-based Systems
Windows Server 2003 64-Bit Edition
Microsoft XML Core Services 4.0
Microsoft XML Core Services 6.0
Office 2003 Service Pack 1 and Office 2003 Service Pack 2
Excel 2000
Excel 2002
Excel 2003
Excel Viewer 2003
PowerPoint 2000
PowerPoint 2002
PowerPoint 2003
Word 2000
Word 2002
Word 2003
Word Viewer 2003
Microsoft Works Suites 2004, 2005, and 2006
Office 2000 Service Pack 3
Office XP Service Pack 3
Project 2000 Service Pack 1
Project 2002 Service Pack 1
Visio 2002 Service Pack 2
Microsoft Office 2004 for Mac
Microsoft Office v.X for Mac

References

Detailed information about specific affected platforms and applications can be found at:
http://www.microsoft.com/technet/security/bulletin/ms06-oct.mspx


Last modified Monday, 08-Oct-2007 04:34:17 PM
