Microsoft patch tuesday - October 2006 STATUS

Diary

Share |

Published: 2006-10-10,
Last Updated: 2006-10-12 13:02:19 UTC
by John Bambenek (Version: 2)

Overview of the October 2006 Microsoft patches and their status.

IMPORTANT NOTE: There will be no more support for Windows XP Service Pack 1, after this month no patches will be released in support of that version.

Additional note: The reason for distinguishing between private and public disclosure is that potentially the "bad guys" have had more time to work on the vulnerabilities when the disclosure was public. In theory, and I realize that this is potential, private disclosure means the clock starts now for the "bad guys" to develop exploits. It has some impact on the severity of the problem in my opinion.

#	Affected	Known Problems	Known Exploits	Microsoft rating	ISC rating(*)
#	Affected	Known Problems	Known Exploits	Microsoft rating	clients	servers
MS06-056	ASP.NET cross-site scripting CVE-2006-3436	Information Disclosure KB 922770	No known exploits, privately reported to MS	Moderate	Less Urgent	Important
MS06-057	WebFolderView ActiveX (setSlice) CVE-2006-3730	Remote code execution KB 923191	Exploits available, publicly reported	Critical	PATCH NOW	Important
MS06-058	4 remote code execution problems in PowerPoint CVE-2006-3435 CVE-2006-3876 CVE-2006-3877 CVE-2006-4694	Replaces MS06-028 KB 924163	Actively being exploited, privately reported to MS	Critical	Critical	Less Urgent
MS06-059	4 remote code execution problems in Excel CVE-2006-2387 CVE-2006-3431 CVE-2006-3867 CVE-2006-3875	Replaces MS06-037 KB 924164	Proof of concept available, no exploits yet, publicly disclosed	Important	Important	Less Urgent
MS06-060	4 remote code execution problems in Word CVE-2006-3651 CVE-2006-3647 CVE-2006-4534 CVE-2006-4693	Replaces MS06-027 KB 924554	Proof of concept available, no exploits yet, publicly disclosed	Important	Important	Less Urgent
MS06-061	Remote code execution in XSLT (MSXML) CVE-2006-4685 CVE-2006-4686	Replaces MS02-008 KB 924191	No known exploits, privately reported to MS	Critical	Critical	Less Urgent
MS06-062	3 remote code execution problems in Office & Publisher CVE-2006-3434 CVE-2006-3650 CVE-2006-3864 CVE-2006-3868	Replaces MS06-048 KB 922581	No known exploits, privately reported to MS	Important (new versions) / Critical (old versions)	Important	Less Urgent
MS06-063	Buffer overflow / Denial of service in Server Service CVE-2006-4696 CVE-2006-3942	Replaces MS06-035 KB 923414	Proof of concept available, no exploits yet, publicly disclosed	Important	Important	Important
MS06-064	Denial of service attacks in IPv6 CVE-2004-0230 CVE-2004-0790 CVE-2005-0688	Denial of Service in IPv6 KB 922819	Proof of concept available, no exploits yet, publicly disclosed	Low	Less Urgent **	Less Urgent **
MS06-065	Remote code execution in Object Packager CVE-2006-4692	Remote code execution KB 924496	No known exploits, privately reported to MS	Moderate	Important	Less Urgent

We will update issues on this page as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating

We use 4 levels:

PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.

Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
Important: Things where more testing and other measures can help.
Less urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.

The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leaisure work.
The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-caserole.
Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): If you are running an IPv6 network, this probably is more important to you.

--
John Bambenek , bambenek/at/gmail/dot/com
with the help of: Johannes Ullrich, Joel Esler, Pedro Bueno, Kyle Haugsness

Keywords: blacktuesday Microsoft status

0 comment(s)

Handler's Diary: February 2010 Black Tuesday Overview;Oracle has an unscheduled security ...

Diary

Comments