For June’s Patch Tuesday, Microsoft has released a whopping 12 security bulletins, eight of which it has rated critical. The remaining four bulletins address important to moderate threats.
For most people, the big news this past week was Bill Gates’ announcement of his plans to gradually leave Microsoft in order to concentrate more on his charitable foundation. However, the software giant’s Patch Tuesday overshadowed this momentous news—at least for those of us in the security world, who spent our time updating Microsoft programs.
For June’s Patch Tuesday, Microsoft released 12 security bulletins, patching 21 holes in the process. Before we delve into these bulletins, remember that updates are always possible, so be sure to check the specific bulletins for detailed upgrade and workaround information. Let’s take a look, in order of risk level.
Microsoft Security Bulletin MS06-021 is a cumulative update for Internet Explorer. As such, this bulletin covers a vast array of threats to IE 5.0 and IE 6.0, ranging from low to critical risks. These threats include spoofing, remote code execution, and information disclosure.
For almost all of the vulnerabilities, there have been no reports of exploits of these privately disclosed threats. However, active exploits of the CSS Cross-Domain Disclosure Vulnerability (CVE-2005-4089) are currently circulating.
Microsoft Security Bulletin MS06-022, “Vulnerability in ART Image Rendering Could Allow Remote Code Execution,” addresses CVE-2006-2378. Install this update after you’ve installed the MS06-021 patch.
This is a critical threat to Windows 98, Windows SE, Windows ME, Windows XP Service Pack 1, Windows XP SP2, Windows Server 2003, and Windows Server 2003 SP1. It doesn’t affect Windows 2000 without the Windows 2000 AOL Image Support Update Installed, but it’s also critical with this installed update.
Microsoft Security Bulletin MS06-023, “Vulnerability in Microsoft JScript Could Allow Remote Code Execution,” also addresses critical IE threats. This is a newly reported vulnerability, and there are no reports of active exploits. Microsoft recommends installing this patch at the same time as MS06-021.
Designated CVE-2006-1313, the JScript flaw is a critical threat for Windows 98, Windows SE, Windows ME, Windows 2000, Windows XP SP1, and Windows SP2 systems. It is only a moderate threat to Windows Server 2003 and Windows Server 2003 SP1.
Microsoft Security Bulletin MS06-024, “Vulnerability in Windows Media Player Could Allow Remote Code Execution,” affects various versions of Windows Media Player, including those installed on Windows XP (including Windows XP Professional x64 Edition) and Windows Server 2003 (including Windows Server 2003 x64 Edition). It also affects Media Player 9 on Windows 98, Windows SE, and Windows ME.
The vulnerability designation is CVE-2006-0025. According to Microsoft, it has received no reports of active exploits.
Microsoft Security Bulletin MS06-025, “Vulnerability in Routing and Remote Access Could Allow Remote Code Execution,” addresses two separate vulnerabilities: CVE-2006-2370 and CVE-2006-2371. According to Microsoft, there are no reports of active exploits for either vulnerability, and no proof-of-concept code is circulating.
This is a critical threat only for Windows 2000. It is an important threat for Windows XP SP1, Windows XP SP2, Windows Server 2003, and Window Server 2003 SP1.
Microsoft Security Bulletin MS06-026, “Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution,” addresses CVE-2006-2376. This vulnerability only affects Windows 98, Windows SE, and Windows ME, and there are no reports of active exploits.
Microsoft Security Bulletin MS06-027, “Vulnerability in Microsoft Word Could Allow Remote Code Execution,” addresses CVE-2006-2492. This update affects Microsoft Word, Word Viewer, and Microsoft Works Suite beginning with the 2000 versions; it doesn’t affect Word v.X for Mac or Word 2004 for Mac.
This is a critical threat only for Word 2000; it’s an important threat for all other affected versions. This security bulletin replaces MS06-012 for Word 2000 and Word 2002, and it replaces MS05-023 for Word Viewer 2003. There have been reports of active exploits for this vulnerability, so don’t hesitate to apply the patch.
Microsoft Security Bulletin MS06-028,”Vulnerability in Microsoft PowerPoint Could Allow Remote Code Execution,” addresses CVE-2006-0022. No proof-of-concept code is circulating, and this is not an active attack vector.
This is a critical threat only for PowerPoint 2000. It is an important threat for PowerPoint 2002, PowerPoint 2003, PowerPoint 2004 for Mac, and PowerPoint v.X for Mac.
Less critical threats
Let’s take a look at the three security bulletins for June that Microsoft has rated important or moderate:
* Microsoft Security Bulletin MS06-029, “Vulnerability in Microsoft Exchange Server Running Outlook Web Access Could Allow Script Injection,” addresses CVE-2006-1193. No reports of active exploits have surfaced.
* Microsoft Security Bulletin MS06-030, “Vulnerability in Server Message Block Could Allow Elevation of Privilege,” addresses CVE-2006-2373 and CVE-2006-2374. However, malicious users can’t exploit this threat via the Internet, and there are no reports of active exploits.
* Microsoft Security Bulletin MS06-032, “Vulnerability in TCP/IP Could Allow Remote Code Execution,” addresses CVE-2006-2379. No reports of active exploits have surfaced.
* Microsoft Security Bulletin MS06-031, “Vulnerability in RPC Mutual Authentication Could Allow Spoofing,” addresses CVE-2006-2380. This threat only affects Windows 2000 with Service Pack 4 installed, and there have been no reports of active exploits.
While no security vulnerability is good news, most of these security bulletins address relatively minor threats, and Microsoft released them before they became public knowledge. All you need to do is apply the necessary updates to your systems.