TechRepublic : A ZDNet Tech Community

Get up to speed on Microsoft's October security bulletins

Tags: .NET, John McCormick, Microsoft Corp., security bulletin, Microsoft Security Bulletin, security, Microsoft Security, Microsoft Windows, IT Locksmith Newsletter


Takeaway: October has been a busy month for Microsoft. The software giant released 10 security bulletins, six of which it rated critical, and it unveiled the long-awaited Internet Explorer 7. Last time, John McCormick reviewed Microsoft's six critical security bulletins for October. This time, he'll bring you up to speed on the remaining four bulletins, which address two moderate threats, one important threat, and one low threat.

October's Patch Tuesday was a busy one for Microsoft. The software giant released 10 security bulletins, six of which it rated critical. The remaining four updates address two moderate threats, one important threat, and one low threat.

Details

Microsoft's release of 10 security bulletins for October—six of them rated critical—means a lot of updates to cover. Last time, I detailed the six critical security bulletins; let's round out this month's coverage by looking at the remaining four updates.

However, let's focus first on Microsoft Security Bulletin MS06-061, originally covered in last week's article. Microsoft has updated MS06-061, "Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution," to Version 2.0 for Windows 2000 Service Pack 4 users.

Affected users need to reinstall the update to ensure proper protection. Users of other affected versions can ignore the recent update. Read the entire security bulletin for more details.

(I posted information about this update in the column's discussion as well as TechRepublic's Security blog. Remember to periodically check article discussions and blog posts to stay abreast of the most recent security developments.)

Now, let's wrap up this month's security bulletins. Please remember that Microsoft usually doesn't provide any patches for Windows 98, Windows SE, and Windows ME—especially for those rated less than critical—because it has discontinued all support for these versions.

MS06-056

Microsoft Security Bulletin MS06-056, "Vulnerability in ASP.NET 2.0 Could Allow Information Disclosure," addresses the .NET Framework 2.0 Cross-Site Scripting Vulnerability (CVE-2006-3436). This affects .NET Framework 2.0 and is a moderate threat. This is a newly disclosed threat, and there had been no reports of active exploits at the time of publication.

MS06-063

Microsoft Security Bulletin MS06-063, "Vulnerability in Server Service Could Allow Denial of Service and Remote Code Execution," addresses the Server Service Denial of Service Vulnerability (CVE-2006-3942) and the SMB Rename Vulnerability (CVE-2006-4696). This is an important threat for all affected versions.

This bulletin affects Windows 2000 SP4, all versions of Windows XP, and all versions of Windows Server 2003. It replaces Microsoft Security Bulletin MS06-035.

These are privately reported threats, and there had been no reports of active exploits at the time of publication. Firewall best practices will block most attack attempts. In addition, the most likely consequence of a successful attack would be a denial-of-service event, not system penetration.

MS06-064

Microsoft Security Bulletin MS06-064, "Vulnerabilities in TCP/IP IPv6 Could Allow Denial of Service," addresses three separate problems in the basic Internet protocol files for many Microsoft OS versions:

This bulletin affects all versions of Windows XP and all versions of Windows Server 2003. It is a low threat for all affected platforms. While these vulnerabilities were already public, there had been no reports of active exploits at the time of publication.

MS06-065

Microsoft Security Bulletin MS06-065, "Vulnerability in Windows Object Packager Could Allow Remote Execution," addresses the Object Packager Dialogue Spoofing Vulnerability (CVE-2006-4692). This is a newly disclosed threat, and there had been no reports of active exploits at the time of publication. This is a moderate threat for all versions of Windows XP; it is a low threat for all versions of Windows Server 2003.

Final word

That does it for October's Patch Tuesday. The flurry of critical security updates has somewhat obscured another recent Redmond release—Internet Explorer 7, which the company unveiled last week. (A minor security flaw surfaced a day after the release.) In an obvious push to match the long-awaited IE7, Mozilla plans to release Firefox 2.0 this week.

Both browser versions boast many new features, including enhanced phishing protection. Personally, I caution against the rapid adoption of either one—let others discover the bugs and vulnerabilities!


John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.
