Microsoft Patch Tuesday - October 2006 STATUS
Overview of the October 2006 Microsoft patches and their status.
IMPORTANT NOTE: There will be no more support for Windows XP Service Pack 1: after this month, no patches will be released for that version.
Additional note: The reason for distinguishing between private and public disclosure is that potentially the "bad guys" have had more time to work on the vulnerabilities when the disclosure was public. In theory, and I realize that this is potential, private disclosure means the clock starts now for the "bad guys" to develop exploits. It has some impact on the severity of the problem in my opinion.
| # | Affected | Known Problems | Known Exploits | Microsoft rating | ISC rating(*) clients | ISC rating(*) servers |
|---|---|---|---|---|---|---|
| MS06-056 | ASP.NET cross-site scripting (CVE-2006-3436) | Information disclosure, KB 922770 | No known exploits, privately reported to MS | Moderate | Less Urgent | Important |
| MS06-057 | WebFolderView ActiveX (setSlice) (CVE-2006-3730) | Remote code execution, KB 923191 | Exploits available, publicly reported | Critical | PATCH NOW | Important |
| MS06-058 | 4 remote code execution problems in PowerPoint (CVE-2006-3435, CVE-2006-3876, CVE-2006-3877, CVE-2006-4694) | Replaces MS06-028, KB 924163 | Actively being exploited, privately reported to MS | Critical | Critical | Less Urgent |
| MS06-059 | 4 remote code execution problems in Excel (CVE-2006-2387, CVE-2006-3431, CVE-2006-3867, CVE-2006-3875) | Replaces MS06-037, KB 924164 | Proof of concept available, no exploits yet, publicly disclosed | Important | Important | Less Urgent |
| MS06-060 | 4 remote code execution problems in Word (CVE-2006-3651, CVE-2006-3647, CVE-2006-4534, CVE-2006-4693) | Replaces MS06-027, KB 924554 | Proof of concept available, no exploits yet, publicly disclosed | Important | Important | Less Urgent |
| MS06-061 | Remote code execution in XSLT (MSXML) (CVE-2006-4685, CVE-2006-4686) | Replaces MS02-008, KB 924191 | No known exploits, privately reported to MS | Critical | Critical | Less Urgent |
| MS06-062 | 3 remote code execution problems in Office & Publisher (CVE-2006-3434, CVE-2006-3650, CVE-2006-3864, CVE-2006-3868) | Replaces MS06-048, KB 922581 | No known exploits, privately reported to MS | Important (new versions) / Critical (old versions) | Important | Less Urgent |
| MS06-063 | Buffer overflow / denial of service in Server Service (CVE-2006-4696, CVE-2006-3942) | Replaces MS06-035, KB 923414 | Proof of concept available, no exploits yet, publicly disclosed | Important | Important | Important |
| MS06-064 | Denial of service attacks in IPv6 (CVE-2004-0230, CVE-2004-0790, CVE-2005-0688) | Denial of service in IPv6, KB 922819 | Proof of concept available, no exploits yet, publicly disclosed | Low | Less Urgent ** | Less Urgent ** |
| MS06-065 | Remote code execution in Object Packager (CVE-2006-4692) | Remote code execution, KB 924496 | No known exploits, privately reported to MS | Moderate | Important | Less Urgent |
We will update issues on this page as they evolve.
We appreciate updates.
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY.
(*): ISC rating
- We use 4 levels:
  - PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or are easy to obtain or make.
  - Critical: Anything that needs little to become "interesting" for the dark side. The best approach is to test and deploy ASAP. Workarounds can give more time to test.
  - Important: Things where more testing and other measures can help.
  - Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them, however.
- The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers, such as not using Outlook, MSIE, Word etc. to do traditional office or leisure work.
- The rating is not a risk analysis as such. It is a rating of the importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
- Only the organization itself is in a position to do a full risk analysis involving the presence (or lack) of affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
- All patches released by a vendor are important enough to have a close look at if you use the affected systems. There is little incentive for vendors to publicize patches that do not carry some form of risk.
--
John Bambenek, bambenek/at/gmail/dot/com
with the help of: Johannes Ullrich, Joel Esler, Pedro Bueno, Kyle Haugsness