Microsoft patch day - Windows and IE just got safer
On the November patch day, Microsoft has, as forecast, released six updates. Five of these are rated as 'critical', one as 'important'. Each of the vulnerabilities could potentially enable an attacker to infiltrate arbitrary malicious code via the internet and take control of an unpatched system.
As expected, Microsoft has fixed the XML Core Services vulnerability (MS06-071), which could potentially turn Internet Explorer into an entry point for malicious software. According to the security bulletin, version 4.0, which is not installed by default, and version 6.0 are affected. The Windows developers have also fixed an apparently unknown vulnerability in the Workstation Service (MS06-070) under Windows 2000 and XP.
Only XP users (both 32- and 64-bit) are affected by the security vulnerability in the Macromedia Flash Player (MS06-069). The vulnerability in the Microsoft Agent (MS06-068) is present across the board in all versions of Windows except for Windows Vista. The cumulative security update for Internet Explorer 5 and 6 (MS06-067) fixes two bugs in the DirectAnimation Control daxctle.ocx, which have been actively exploited since September, plus an HTML rendering vulnerability.
The only November update to receive the second-highest severity rating, 'important', is the update for the NetWare client (MS06-066). It only affects 32-bit Windows 2000, XP and Server 2003 installations in which the affected network service is activated.
As an aside to the patch day, and unannounced, Microsoft has released a patched version 22.214.171.124 of the Broadcom WLAN driver. If an older version is used, an attacker could potentially gain complete control of a system over a wireless network. To obtain the new driver, users must select the "Custom" update option on the Windows Update website and then select "Hardware, optional" from the left-hand column.
The update to Internet Explorer 7 is also not part of the November patch day. Microsoft has announced that the new version of the browser will be delivered to all users automatically as a security update, a process which has already started. Users who wish to specify the date of the update themselves do not need to disable automatic updates to do so. An article on heise Security describes how to prevent the IE upgrade.
- Microsoft Security Bulletin – Summary for November 2006, information on the November patch day from Microsoft
- Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution, security bulletin MS06-071
- Vulnerability in Workstation Service Could Allow Remote Code Execution, security bulletin MS06-070
- Vulnerabilities in Macromedia Flash Player from Adobe Could Allow Remote Code Execution, security bulletin MS06-069
- Vulnerability in Microsoft Agent Could Allow Remote Code Execution, security bulletin MS06-068
- Cumulative Security Update for Internet Explorer, security bulletin MS06-067
- Vulnerabilities in Client Service for NetWare Could Allow Remote Code Execution, security bulletin MS06-066