Microsoft Security Bulletins for September 2006

Discussion in 'Software' started by NICK ADSL UK, Sep 12, 2006.

Thread Status:
Not open for further replies.
  1. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Microsoft Security Bulletins for September 2006
    Download the September security updates for Microsoft Windows and Microsoft Office.
    Posted on Tue, 12 Sep 2006



    Bulletin Summary:
    http://www.microsoft.com/technet/security/Bulletin/ms06-Sep.mspx


    Critical (1)
    Bulletin Identifier Microsoft Security Bulletin MS06-054
    Bulletin Title
    Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (910729)
    Executive Summary
    This update resolves a vulnerability in Publisher that could allow remote code execution.
    http://www.microsoft.com/technet/security/Bulletin/ms06-054.mspx



    Important (1)

    Bulletin Identifier Microsoft Security Bulletin MS06-052
    Bulletin Title
    Vulnerability in Reliable Multicast Program (PGM) Could Result in Denial of Service (919007)
    Executive Summary
    This update resolves a vulnerability in Reliable Multicast Program (PGM) that could cause a denial of service condition.
    http://www.microsoft.com/technet/security/Bulletin/ms06-052.mspx


    Moderate (1)
    Bulletin Identifier Microsoft Security Bulletin MS06-053
    Bulletin Title
    Vulnerability in Indexing Service Could Allow Cross-Site Scripting (920685)
    Executive Summary
    This update resolves a vulnerability in the Indexing Service that could allow information disclosure.
    http://www.microsoft.com/technet/security/Bulletin/ms06-053.mspx


    Re-Released Bulletins:
    Vulnerability in Server Service Could Allow Remote Code Execution (921883)
    http://www.microsoft.com/technet/security/Bulletin/ms06-040.mspx


    Cumulative Security Update for Internet Explorer (918899)
    http://www.microsoft.com/technet/security/Bulletin/ms06-042.mspx


    Security Advisories:
    Microsoft Security Advisory (922582)

    Update for Windows
    http://www.microsoft.com/technet/security/advisory/922582.mspx


    Microsoft Security Advisory (925143)
    Adobe Security Bulletin: APSB06-11 Flash Player Update to Address Security Vulnerabilities

    http://www.microsoft.com/technet/security/advisory/925143.mspx

    This represents our regularly scheduled monthly bulletin release (second Tuesday of each month). Please note that Microsoft may release bulletins outside of this schedule if we determine the need to do so.

    If you have any questions regarding the patch or its implementation after reading the above listed bulletin you should contact Product Support Services in the United States at 1-866-PCSafety 1-866-727-2338. International customers should contact their local subsidiary.

    As always, download the updates only from the vendor's website - visit Windows Update and Office Update or Microsoft Update websites. You may also get the updates through the Automatic Updates functionality in Windows.

    Webcast:
    Microsoft will host a webcast tomorrow. The webcast focuses on addressing your questions and concerns about the security bulletins. Therefore, most of the live webcast is aimed at giving you the opportunity to ask questions and get answers from their security experts.

    Start Time: Wednesday, September 13th, 2006 11:00 AM Pacific Time (US & Canada)
    End Time: Wednesday, September 13th, 2006 12:00 PM Pacific Time (US & Canada)

    Presenter: Christopher Budd, CISA, CISM, CISSP, ISSMP Security Program Manager, PSS Security, Microsoft Corporation and Mike Reavey, Lead Security Program Manager, Microsoft Corporation

    Security Tool:
    Find out if you are missing important Microsoft product updates by using MBSA.
     
  2. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Microsoft Security Advisory (925444)
    Vulnerability in the Microsoft DirectAnimation Path ActiveX Control Could Allow Remote Code Execution
    Published: September 14, 2006


    Microsoft is investigating new public reports of a vulnerability in Microsoft Internet Explorer on Windows 2000 Service Pack 4, on Windows XP Service Pack 1, and on Windows XP Service Pack 2. Customers who are running Windows Server 2003 and Windows Server 2003 Service Pack 1 in their default configurations, with the Enhanced Security Configuration turned on, are not affected. We are also aware of proof of concept code published publicly but we are not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time. We will continue to investigate these public reports.

    The ActiveX control is the Microsoft DirectAnimation Path ActiveX control, which is included in Daxctle.ocx.

    Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. A security update will be released through our monthly release process or an out-of-cycle security update will be provided, depending on customer needs.

    Mitigating Factors:

    • In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.

    • An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

    • The Restricted sites zone helps reduce attacks that could try to exploit this vulnerability by preventing Active Scripting from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, they could still be vulnerable to this issue through the Web-based attack scenario.

    By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML e-mail messages in the Restricted sites zone. Additionally, Outlook 2000 opens HTML e-mail messages in the Restricted sites zone if the Outlook E-mail Security Update has been installed. Outlook Express 5.5 Service Pack 2 opens HTML e-mail messages in the Restricted sites zone if Microsoft Security Bulletin MS04-018 has been installed.

    • By default, Internet Explorer on Windows Server 2003 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability because ActiveX and Active Scripting are disabled by default.

    http://www.microsoft.com/technet/security/advisory/925444.mspx
     
  3. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    To add to September's Security Updates, Microsoft have released a special one ahead of the October updates to fix the VML potential issue.


    Affected Software
    • Microsoft Windows XP Service Pack 1

    • Microsoft Windows XP Service Pack 2

    • Microsoft Windows XP Professional x64 Edition

    • Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1

    • Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems

    • Microsoft Windows Server 2003 x64 Edition


    Affected Components:
    • Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4

    • Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4



    Either download from Microsoft/Windows Update or via the below link to the TechNet Document; the TechNet Doc also supplies full info on this update.

    http://www.microsoft.com/technet/security/Bulletin/MS06-055.mspx
     