Ten updates -- and server problems -- on October's Patch Tuesday
Microsoft may have announced eleven updates last Friday for the October Patch Tuesday, but the company has ended up only releasing ten. There were also initial problems with delivery: in a blog entry by the Microsoft security team, Craig Gehre wrote that network problems were preventing the updates from being distributed via Microsoft Update, Automatic Updates, Windows Server Update Services (WSUS) and Windows Update v6 – although technicians were already working on the problem. After a few hours these problems were resolved and automatic updates are working correctly.
Of the ten updates actually released, six close critical holes in Windows and Office. One patch removes a hole in the Server Service that is classified as "important", and two updates remove moderate security holes in ASP.NET and in Windows Object Packager, respectively. Another software patch removes a denial of service hole in the TCP/IP stack, a problem classified by Microsoft as having a low priority.
The patch for Security Bulletin MS06-057 closes the WebView vulnerability in Internet Explorer that is already subject to active exploitation – users who had already applied the unofficial patch should remove it before applying the new one. The hole in the daxctle.ocx multimedia control for DirectAnimation remains open, however. Security Bulletin MS06-058 addresses vulnerabilities in PowerPoint through which attackers could assume control of a system using specially manipulated documents.
Another update removes four errors in Excel through which planted code could be executed. A patch accompanying Security Bulletin MS06-060 closes a security hole that has been present (and actively exploited) in Word for over a month now. It also closes three other previously unannounced security holes. Four appears to be the number of the day for this edition of Patch Tuesday: that's also the number of general holes in Microsoft Office closed by a different update from security bulletin MS06-062.
Holes in XML Core Services are also classified as critical. A buffer overflow can occur during the processing of Extensible Stylesheet Language Transformations (XSLT), allowing arbitrary planted program code to be executed. The XMLHTTP ActiveX module could also disclose sensitive data.
Microsoft rated two holes in the Server Service as being "important." Attackers could send manipulated packets to the service to paralyse an affected computer. Under certain circumstances, specially prepared SMB packets could also lead to the execution of malicious code contained in them.
The Redmond crew also released an update for the .NET Framework 2.0 categorised as being of "moderate" importance. It closes a cross-site scripting hole. The same importance rating was assigned to a patch for the Object Packager. Prior to the closing of the hole, attackers could falsify dialogue fields. The last of the October patches removes the flaw in the IPv6 implementation of the TCP/IP stack, through which rigged IPv6 packets could lead to denial of service.
Since the updates are currently only being released via Windows Update v4 and SUS, private users who wish to take advantage of the security updates immediately must navigate to the various security bulletins, download the patches, and install them manually. Given that in the past malware appeared very shortly after the release of details about the holes, it is highly recommended that users make the effort right away.
- Security Bulletin Summary for October 2006, summary from Microsoft
- Vulnerability in Windows Shell Could Allow Remote Code Execution, Security Bulletin MS06-057 for WebView security hole
- Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution, Security Bulletin MS06-058 for PowerPoint vulnerabilities
- Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution, Security Bulletin MS06-059 for Excel vulnerabilities
- Vulnerabilities in Microsoft Word Could Allow Remote Code Execution, Security Bulletin MS06-060 for Word vulnerabilities
- Vulnerabilities in Microsoft Office Could Allow Remote Code Execution, Security Bulletin MS06-062 for Microsoft Office vulnerabilities
- Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution, Security Bulletin MS06-061 on the security hole in XML Core Services
- Vulnerability in Server Service Could Allow Denial of Service, Security Bulletin MS06-063 on security holes in the Server Service
- Vulnerability in ASP.NET Could Allow Information Disclosure, Security Bulletin MS06-056 on .NET Framework 2.0
- Vulnerability In Windows Object Packager Could Allow Remote Code Execution, Security Bulletin MS06-065
- Vulnerabilities in TCP/IP Could Allow Denial of Service, Security Bulletin MS06-064