Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: InfoSec Handlers Diary Blog - Microsoft patch tuesday - October 2006 STATUS InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Microsoft patch tuesday - October 2006 STATUS

Published: 2006-10-10
Last Updated: 2006-10-12 13:02:19 UTC
by John Bambenek (Version: 2)
0 comment(s)

Overview of the October 2006 Microsoft patches and their status.


IMPORTANT NOTE: There will be no more support for Windows XP Service Pack 1, after this month no patches will be released in support of that version.

Additional note: The reason for distinguishing between private and public disclosure is that potentially the "bad guys" have had more time to work on the vulnerabilities when the disclosure was public. In theory, and I realize that this is potential, private disclosure means the clock starts now for the "bad guys" to develop exploits. It has some impact on the severity of the problem in my opinion.

# Affected Known Problems Known Exploits Microsoft rating ISC rating(*)
clients servers
MS06-056 ASP.NET cross-site scripting

CVE-2006-3436
Information Disclosure

KB 922770
No known exploits, privately reported to MS
Moderate Less Urgent
Important
MS06-057 WebFolderView ActiveX (setSlice)

CVE-2006-3730
Remote code execution

KB 923191
Exploits available, publicly reported
Critical PATCH NOW
Important
MS06-058 4 remote code execution problems in PowerPoint

CVE-2006-3435
CVE-2006-3876
CVE-2006-3877
CVE-2006-4694
Replaces MS06-028

KB 924163
Actively being exploited, privately reported to MS
Critical Critical Less Urgent
MS06-059 4 remote code execution problems in Excel

CVE-2006-2387
CVE-2006-3431
CVE-2006-3867
CVE-2006-3875
Replaces MS06-037

KB 924164
Proof of concept available, no exploits yet, publicly disclosed
Important Important Less Urgent
MS06-060 4 remote code execution problems in Word

CVE-2006-3651
CVE-2006-3647
CVE-2006-4534
CVE-2006-4693
Replaces MS06-027

KB 924554
Proof of concept available, no exploits yet, publicly disclosed Important Important Less Urgent
MS06-061 Remote code execution in XSLT (MSXML)

CVE-2006-4685
CVE-2006-4686
Replaces MS02-008

KB 924191
No known exploits, privately reported to MS
Critical Critical Less Urgent
MS06-062 3 remote code execution problems in Office & Publisher

CVE-2006-3434
CVE-2006-3650
CVE-2006-3864
CVE-2006-3868
Replaces MS06-048

KB 922581
No known exploits, privately reported to MS
Important (new versions) / Critical (old versions)
Important Less Urgent
MS06-063 Buffer overflow / Denial of service in Server Service

CVE-2006-4696
CVE-2006-3942
Replaces MS06-035

KB 923414
Proof of concept available, no exploits yet, publicly disclosed
Important Important
Important
MS06-064 Denial of service attacks in IPv6

CVE-2004-0230
CVE-2004-0790
CVE-2005-0688
Denial of Service in IPv6

KB 922819
Proof of concept available, no exploits yet, publicly disclosed
Low Less Urgent **
Less Urgent **
MS06-065 Remote code execution in Object Packager

CVE-2006-4692
Remote code execution

KB 924496
No known exploits, privately reported to MS
Moderate Important Less Urgent

We will update issues on this page as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leaisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-caserole.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.
(**): If you are running an IPv6 network, this probably is more important to you.

--
John Bambenek , bambenek/at/gmail/dot/com
with the help of: Johannes Ullrich, Joel Esler, Pedro Bueno, Kyle Haugsness

0 comment(s)
Diary Archives