In association with heise online

11 October 2006, 09:47

Ten updates -- and server problems -- on October's Patch Tuesday

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Microsoft may have announced eleven updates last Friday for the October Patch Tuesday, but the company has ended up only releasing ten. There were also initial problems with delivery: in a blog entry by the Microsoft security team, Craig Gehre wrote that network problems were preventing the updates from being distributed via Microsoft Update, Automatic Updates, Windows Server Update Services (WSUS) and Windows Update v6 – although technicians were already working on the problem. After a few hours these problems were resolved and automatic updates are working correctly.

Of the ten updates actually released, six close critical holes in Windows and Office. One patch removes a hole in the Server Service that is classified as "important", and two updates remove moderate security holes in ASP.Net and in Windows Object Packager, respectively. Another software patch removes a denial of service hole in the TCP/IP stack, a problem classified by Microsoft as having a low priority.

The patch for Security Bulletin MS06-057 closes the WebView vulnerability in Internet Explorer that is already subject to active exploitation – users who had already applied the unofficial patch should remove it before applying the new one. The hole in the daxctle.ocx multimedia control for DirectAnimation remains open, however. Security Bulletin MS06-058 addresses vulnerabilities in PowerPoint through which attackers could assume control of a system using specially manipulated documents.

Another update removes four errors in Excel through which planted code could be executed. A patch accompanying Security Bulletin MS06-060 closes a security hole that has been present (and actively exploited) in Word for over a month now. It also closes three other previously unannounced security holes. Four appears to be the number of the day for this edition of Patch Tuesday: that's also the number of general holes in Microsoft Office closed by a different update from security bulletin MS06-062.

Holes in the XML Core Server are also classified as critical. A buffer overflow can occur during the processing of Extensible Stylesheet Language Transformations (XSLT) and then execute arbitrary planted program code. The XMLHTTP ActiveX module could also disclose sensitive data.

Microsoft rated two holes in the Server Services as being "important." Attackers could send manipulated packets to the service to paralyse an affected computer. Specially prepared SMB packets could also under certain circumstances lead to a situation where malicious code contained therein was executed.

The Redmond crew also released an update for the .Net-Framework 2.0 categorised as being of "moderate" importance. It closes a cross-site scripting hole. The same importance rating was assigned for a patch for the Object Packager. Prior to the closing of the hole, attackers could falsify dialogue fields. The last of the October patches removes the flaw in the IPv6 implementation of the TCP/IP stack, through which rigged IPv6 packets could lead to denial of service.

Since the updates are currently only being released via Windows Update v4 and SUS, private users who wish to take advantage of the security updates immediately must navigate to the various security bulletins, manually download the patches, and install them manually. Given that in the past malware appeared very shortly after the release of details about the holes, it is highly recommended that users make the effort right away.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit