十月份資訊安全公告 Oct 12, 2006 Richard Chen 陳政鋒 (Net+, Sec+, MCSE2003+Security, CISSP) 資深技術支援工程師 台灣微軟技術支援處

Questions last time 是否有簡報可以預先下載預習?

Questions and Answers Submit text questions using the “Ask a Question” button

What We Will Cover Last time Known issues Review Oct. releases 10+1New security bulletins (1 Out-of-band) 2 High-priority non-security updates 1 re-release on Sep.25 (Out-of-band) Other security resources Windows Malicious Software Removal Tool Resources Questions and answers

Sep. known issues MS06-045 “Security” tab missing after apply MS06-045 but Not an identified regression. Resolutions steps: Uninstall MS06-045 Reinstall MS06-015 Reinstall MS06-045

Sep. known issues Continue.. MS06-049 NTFS file compression failure If ALL conditions are true: Windows 2000 SP4 Create or Modify files where NTFS is enabled (file or folder level) Install MS06-049 (KB920958) Modify the file The new/modified compression files are close to a multiple of 4K in size. RUN chkdsk /f Resolutions (either one) Install both MS06-049 + hotfix925308 BEFOREHAND Install re-released MS06-049 (on Sep. 25)

Oct 2006 Security Bulletins Summary On Sep. 25, 2 Out-Of-Band releases MS06-055 (Critical) MS06-049 re-release (Important) On Oct. 11, 10 New Security Bulletins 7 new Critical 2 new Moderate 2 new Important 1 new Low

Oct 2006 Security Bulletins Overview Bulletin Number Title Maximum Severity Rating Products Affected MS06-055 Vulnerability in Vector Markup Language Allow Remote Code Execution (925486) Critical All currently supported versions of Windows MS06-049 Vulnerability in Windows Kernel could result in Elevation of Privilege (920958) Important MS06-056 Vulnerability in ASP.NET 2.0 Could Allow Information Disclosure (922770) Moderate .NET Framework 2.0 MS06-057 Vulnerability in Windows Shell Could Allow Remote Code Execution 923191 MS06-058 Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (924163) All current supported versions of PowerPoint (including Mac)

Oct 2006 Security Bulletins continue.. Bulletin Number Title Maximum Severity Rating Products Affected MS06-059 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (924164) Critical All current supported versions of Excel (including Mac) MS06-060 Vulnerability in Microsoft Word Could Allow Remote Code Execution (924554) All current supported versions of Word (including Mac) MS06-061 Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (924191) All currently supported versions of XML Core Services (Windows, Office, SQL Server) MS06-062 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (922581) All current supported versions of Office (including Mac) MS06-063 Vulnerability in Server Service could Allow Denial of Service (923414) Important All currently supported versions of Windows MS06-064 Vulnerabilities in TCP/IP Could Allow Denial of Service (922819) Low Windows XP, Windows Server 2003 MS06-065 Vulnerability in Windows Object Packager Could Allow Remote Execution (924496) Moderate

MS06-055: VML vulnerability - Critical Title & KB Article: Vulnerability in Vector Markup Language Could Allow Remote Code Execution (KB925488) Affected Software: IE 5.01 SP4 on Microsoft Windows 2000 Service Pack 4 IE 6 SP1 on Microsoft Windows 2000 Service Pack 4 Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 Microsoft Windows XP Professional x64 Edition Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems Microsoft Windows Server 2003 x64 Edition Replaced Updates: On Windows 2000 SP4 with IE installed this update replaces MS04-028 Vulnerabilities: Buffer Overrun vulnerability, CVE-2006-4868 Publicly Disclosed: Yes Known Exploits?:

MS06-055: Windows - Critical Issue Summary: There is an Stack Buffer Overrun vulnerability. Application that consume VGX.DLL to render VML are vulnerable when maliciously crafted VML is rendered. Fix Description: The update removes the vulnerability by preventing malicious VML from causing a Stack Buffer Overrun. Attack Vectors: Malicious Email Malicious Web Page Mitigations: E-mail read in plain text format is not vulnerable Exploit only gives logged on user context so least privilege may help Outlook Express, Windows XP SP2, and Windows Server 2003 SP1, the binary and script behaviors are disabled by default Users have to visit a malicious web site or view a malicious email where the VML is rendered. Workaround: E-mail read in plain text format Disable access to VGX.DLL by NTFS ACLs or un-registering VGX.DLL Disable binary and script behaviors in IE Block VML at the firewall. Restart Requirement: A reboot might be required if the files being updated are in use. Installation and Removal: Add/Remove Programs Command line uninstall option Scriptable Deployment More Information: For more Information, please review the FAQ at: http://www.microsoft.com/taiwan/technet/security/bulletin/ms06-055.mspx

Questions about MS06-055?

MS06-056: ASP.Net - Moderate 14 Title & KB Article: Vulnerability in ASP.NET 2.0 Could Allow Information Disclosure (922770) Affected Software: Microsoft .Net Framework 2.0 on all Platforms Replaced Updates: None Vulnerabilities: .NET Framework 2.0 Cross-Site Scripting Vulnerability - CVE-2006-3436 Publicly Disclosed: No Known Exploits?: 14

MS06-056: ASP.Net - Moderate 15 Issue Summary: A cross-site scripting vulnerability exists in ASP.NET that could allow an attacker to run client-side script on behalf of a user. Fix Description: The update removes the vulnerability by modifying the way that .ASP.NET validates the value on a HTTP request. Attack Vectors: Malicious Web Page Malicious Email containing URL to malicious web site Mitigations: A user would have to be persuaded to visit a malicious Web site By default ASP.NET 2.0 controls do not set the AutoPostBack property to “true”. Workaround: Disable AutoPostBack controls on web page Restart Requirement: No Installation and Removal: Add/Remove Programs More Information: For more Information, please review the FAQ at: http://www.microsoft.com/taiwan/technet/security/bulletin/ms06-056.mspx 15

Questions about MS06-056?

MS06-057: Windows - Critical Title & KB Article: Vulnerability in Windows Shell Could Allow Remote Code Execution (KB923191) Affected Software: Microsoft Windows 2000 Service Pack 4 Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 Microsoft Windows XP Professional x64 Edition Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems Microsoft Windows Server 2003 x64 Edition Replaced Updates: None Vulnerabilities: CVE-2006-4690 Publicly Disclosed: Yes Known Exploits?: 17

MS06-057: Windows - Critical Issue Summary: The ActiveX control called out in the public reports and in the Proof of Concept code is the Microsoft WebViewFolderIcon ActiveX control (Web View). The vulnerability exists in Windows Shell and is exposed by Web View. Fix Description: The update removes the vulnerability by resolving the code issue. Attack Vectors: Malicious Email Malicious Web Page Mitigations: A user would have to be persuaded to visit a malicious Web site Workaround: Set IE security to High for Internet and Intranet zones Read e-mail messages in plain text format Set killbit for WebViewFolderIcon ActiveX control Configure IE to prompt before running ActiveX controls Restrict browsing to trusted web sites Restart Requirement: Yes Installation and Removal: Add/Remove Programs Command line uninstall option Scriptable Deployment More Information: For more Information, please review the FAQ at: http://www.microsoft.com/taiwan/technet/security/bulletin/ms06-057.mspx 18

Questions about MS06-057? 19

MS06-058: PowerPoint - Critical Title Vulnerabilities in Microsoft PowerPoint Could Lead to Remote Code Execution (924163) The Problem This PowerPoint update addresses four 'Remote Code Execution' PowerPoint vulnerabilities. An attacker could exploit one of these vulnerabilities by constructing a specially crafted file that could potentially allow remote code execution if a user visited a web site or opened an affected email attachment. An attacker who successfully exploited this vulnerability could potentially take complete control of an affected system. Affected versions Microsoft PowerPoint 2000 Service Pack 3 Microsoft PowerPoint 2002 Service Pack 3 Microsoft Office PowerPoint 2003 Service Pack 1 or Service Pack 2 Microsoft Office 2004 for Macintosh Microsoft PowerPoint v.X for Macintosh Attack Vectors/Impact In a Web-based attack scenario, an attacker would have to host a Web site that contains a PowerPoint file that is used to attempt to exploit this vulnerability. An attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site. The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message. This Security Update replaces MS06-028. CVE-2006-4694 - PowerPoint Malformed Record Vulnerability has been publicly disclosed. When this security bulletin was released, Microsoft had received information that the CVE-2006-4694 vulnerability was being exploited.

MS06-058: PowerPoint - Critical Title Vulnerabilities in Microsoft PowerPoint Could Lead to Remote Code Execution (924163) The Fix PowerPoint Malformed Object Pointer Vulnerability - CVE-2006-3435 - Modifies the way that PowerPoint parses the file and validates the object pointer before passing it to the allocated buffer. PowerPoint Malformed Data Record Vulnerability - CVE-2006-3876, PowerPoint Malformed Record Memory Corruption Vulnerability - CVE-2006-3877, and PowerPoint Malformed Record Vulnerability - CVE-2006-4694 – Modifies the way that PowerPoint parses the file and validates the record before passing it to the allocated buffer. Mitigations In a Web-based attack scenario, an attacker would have to host a Web site that contains a PowerPoint file that is used to attempt to exploit this vulnerability. An attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site. The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message. Users who have installed and are using the Office Document Open Confirmation Tool for Office 2000 will be prompted with Open, Save, or Cancel before opening a document. Workaround Do not open or save PowerPoint files that you receive from un-trusted sources or that you received unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a file.

MS06-058: PowerPoint - Critical Title Vulnerabilities in Microsoft PowerPoint Could Lead to Remote Code Execution (924163) Other information To help reduce the chance that a restart will be required, exit PowerPoint prior to installing the security update. For more information about the reasons why you may be prompted to restart, see Microsoft Knowledge Base Article 887012. For PowerPoint 2000 and Macintosh versions, this update cannot be uninstalled. For PowerPoint 2002 and 2003, typically there is an uninstall option, but see see Microsoft Knowledge Base Article 903771 for typical Office uninstall issues. More Information For more Information, please review the FAQ at: http://www.microsoft.com/taiwan/technet/security/bulletin/ms06-058.mspx

Questions about MS06-058?

MS06-059: Microsoft Excel - Critical Title & KB Article: Vulnerability in Microsoft Excel Could Allow Remote Code Execution (KB924164) Affected Software: Microsoft Office 2000 Service Pack 3 Microsoft Excel 2000 - Critical Microsoft Office XP Service Pack 3 Microsoft Excel 2002 - Important Microsoft Office 2003 Service Pack 1 or Service Pack 2 Microsoft Office Excel 2003 - Important Microsoft Office Excel Viewer 2003 - Important Microsoft Office 2004 for Mac Microsoft Excel 2004 for Mac - Important Microsoft Office v. X for Mac - Microsoft Excel v. X for Mac - Important Microsoft Works Suites: Microsoft Works Suite 2003 – 2006 : Important Replaced Updates: MS06-037 (All versions) Vulnerabilities: CVE-2006-2387: Excel Malformed DATETIME Record Vulnerability Publicly Disclosed: No Known Exploits?:

MS06-059: Microsoft Excel - Critical Vulnerabilities: CVE-2006-3431: Excel Malformed STYLE Record Vulnerability Publicly Disclosed: Yes. While the initial report was provided through responsible disclosure, the vulnerability was later disclosed publicly. This security bulletin addresses the publicly disclosed vulnerability as well as additional issues discovered through internal investigations. Known Exploits?: No. Microsoft had seen examples of proof of concept code published publicly but had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued. Vulnerabilities: CVE-2006-3867: Excel Handling of Lotus 1-2-3 File Vulnerability Publicly Disclosed: Yes. While the initial report was provided through responsible disclosure, the vulnerability was later disclosed publicly. This security bulletin addresses the publicly disclosed vulnerability as well as additional issues discovered through internal investigations Known Exploits?: No. Microsoft had seen examples of proof of concept code published publicly but had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.

MS06-059: Microsoft Excel - Critical Vulnerabilities: CVE-2006-3875: Excel Malformed COLINFO Record Vulnerability Publicly Disclosed: No Known Exploits?:

MS06-059: Microsoft Excel - Critical Issue Summary: A remote code execution vulnerability exists in Excel. An attacker could exploit this vulnerability when Excel parses a file and processes a malformed DATETIME, STYLE, and/or COLINFO record or when Excel handles a Lotus 1-2-3 file. Fix Description: The update removes the vulnerability by modifying the way that Excel parses the file and validates a record before passing it to the allocated buffer. The update also removes the vulnerability by modifying the way that Excel validates the length of a record before it passes the message to the allocated buffer. Attack Vectors: Malicious Email Malicious Web Page Mitigations: A user would have to be persuaded to visit a malicious Web site Can not be exploited automatically through e-mail Users who have installed and are using the Office Document Open Confirmation Tool for Office 2000 will be prompted with Open, Save, or Cancel before opening a document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Workaround: Do not open or save Microsoft Excel files that you receive from untrusted sources or that you receive unexpectedly from trusted sources.

MS06-059: Microsoft Excel - Critical Restart Requirement: No. To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see Microsoft Knowledge Base Article 887012. Installation and Removal: Office Update/Microsoft Update Add/Remove Programs Office for Mac updates cannot be uninstalled More Information: For more Information, please review the FAQ at: http://www.microsoft.com/taiwan/technet/security/bulletin/ms06-059.mspx

Questions about MS06-059?

MS06-060: Microsoft Word - Critical Title & KB Article: Vulnerability in Microsoft Word Could Allow Remote Code Execution (KB924554) Affected Software: Microsoft Word 2000 Microsoft Word 2002 Microsoft Office Word 2003 Microsoft Office Word 2003 Viewer Microsoft Works Suite 2004 Microsoft Works Suite 2005 Microsoft Works Suite 2006 Microsoft Office 2004 for Mac Microsoft Office v.X for Mac Replaced Updates: This bulletin replaces MS06-027 on Windows versions of Word & Office Vulnerabilities: CVE-2006-3647: CVE-2006-3651: CVE-2006-4534: CVE-2006-4693: Publicly Disclosed: No Known Exploits?:

MS06-060: Microsoft Word - Critical Issue Summary: This update addresses several issues. The most serious of these is when Microsoft Word opens a specially crafted Word file, it may corrupt system memory in such a way that an attacker could execute arbitrary code. Fix Description: The update removes the vulnerability by modifying the way that Microsoft Word parses the file and validates the string before it passes the message to the allocated buffer. Attack Vectors: Malicious Email Malicious Web Page Mitigations: A user would have to visit a malicious Web site and open a file Users who have installed and are using the Office Document Open Confirmation Tool for Office 2000 will be prompted with Open, Save, or Cancel before opening a document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Can not be exploited automatically through e-mail Workaround: Do not open or save Microsoft Word files that you receive from untrusted sources or that you received unexpectedly from trusted sources.

MS06-060: Microsoft Word - Critical Restart Requirement: No. To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see Microsoft Knowledge Base Article 887012. Installation and Removal: Office Update/Microsoft Update Add/Remove Programs (not removable on Office 2000 and Word for Mac) Scriptable Deployment More Information: For more Information, please review the FAQ at: http://www.microsoft.com/taiwan/technet/security/bulletin/ms06-060.mspx

Questions about MS06-060?

MS06-061: XMLHTTP - Critical Title Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (924191) The Problem CVE-2006-4685 A vulnerability exists in Microsoft XML Core Services that could allow for information disclosure because it incorrectly interprets a server-side redirect in the XMLHTTP control. CVE-2006-4686 A vulnerability exists in XLST processing that could allow remote code execution on an affected system. Affected versions • Microsoft XML Core Services 3.0 on Windows 2000 SP4 • Microsoft XML Core Services 3.0 Service Pack 3 on Windows XP SP1 • Microsoft XML Core Services 3.0 Service Pack 5 on Windows XP SP2 • Microsoft XML Core Services 3.0 Service Pack 4 on Windows Server 2003 • Microsoft XML Core Services 3.0 Service Pack 7 on Microsoft Windows Server 2003 SP1 • Microsoft Office 2003 with Microsoft XML Core Services 5.0 SP1 (KB924424) • Microsoft SQL Server 2000 SP4 with Microsoft XML Core Services 4.0 (KB925672) • Microsoft SQL Server 2005 SP1 with Microsoft XML Core Services 4.0 (KB925672) This update replaces MS02-008 The vulnerability is publicly known There are no known exploits

MS06-061: XMLHTTP - Critical Title Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (924191) Attack Vectors/Impact CVE-2006-4685: An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially lead to information disclosure if a user visited that page or clicked a link in a specially crafted e-mail message. An attacker who successfully exploited this vulnerability could access content from another domain retrieved using the credentials of the user browsing the Web at the client. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. However, user interaction is required to exploit this vulnerability. CVE-2006-4686: An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow remote code execution if a user visited that page. An attacker who successfully exploited this vulnerability could take complete control of an affected system. The Fix CVE-2006-4685 The update removes the vulnerability by correcting the behavior of XML Core Services. XML Core Services will now interpret a server-side redirect in the XMLHTTP control differently and abort properly in previously unhandled circumstances CVE-2006-4686 The update removes the vulnerability by correcting the issue within the affected string buffer.

MS06-061: XMLHTTP - Critical Title Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (924191) Mitigations attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or instant messenger message that takes users to the attacker's Web site. Workaround CVE-2006-4685: Set Internet and Local intranet security zone settings to “High” to prompt before running ActiveX controls and active scripting in the Internet zone and in the Local intranet zone. You will be prompted frequently when you enable this workaround CVE-2006-4686: None Other information Restart is required Uninstall using Add/Remove Programs or Spuninst.exe

MS06-061: XMLHTTP - Critical Title Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (924191) Detection and Deployment SUS / WSUS MBSA Windows Update / Microsoft Update Office Update SMS Caveats For Windows 2000, this security update requires Service Pack 4 (SP4). For Small Business Server 2000, this security update requires Small Business Server 2000 Service Pack 1a (SP1a) or Small Business Server 2000 running with Windows 2000 Server Service Pack 4 (SP4). Not offered to XP RTM make sure that the following requirements have been met: To update Office 2003, Office 2003 Service Pack 1 or Office 2003 Service Pack 2 must be installed. Before you install this update, install Office 2003 SP1 or Office 2003 SP2. More Information For more Information, please review the FAQ at: http://www.microsoft.com/taiwan/technet/security/bulletin/ms06-061.mspx

MS06-061: XMLHTTP - Critical Installation fail issue Try install MSI 3.1v2 then reinstall the patch http://support.microsoft.com/?kbid=893803 If still fail to install, contact Microsoft CSS support. http://support.microsoft.com/contactus/?ws=support

Questions about MS06-061?

MS06-062: Office - Critical Title Vulnerabilities in Microsoft Office Could Lead to Remote Code Execution (922581) The Problem This Office update addresses three 'Remote Code Execution' Office vulnerabilities. An attacker could exploit one of these vulnerabilities by constructing a specially crafted file that could potentially allow remote code execution if a user visited a web site or opened an affected email attachment. An attacker who successfully exploited this vulnerability could potentially take complete control of an affected system. Affected versions Microsoft Office 2000 Service Pack 3 Microsoft Office XP Service Pack 3 Microsoft Office 2003 Service Pack 1 and Service Pack 2 Microsoft Excel 2003 Viewer Microsoft Word 2003 Viewer Microsoft Office 2004 for Macintosh Microsoft Office v.X for Macintosh Microsoft Visio 2002 and Microsoft Visio 2003 Microsoft Project 2000, Microsoft Project 2002, and Microsoft Project 2003 Attack Vectors/Impact In a Web-based attack scenario, an attacker would have to host a Web site that contains an Office file that is used to attempt to exploit this vulnerability. An attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site. The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message. This Security Update replaces MS06-038 These vulnerabilities have not been reported to Microsoft as publicly disclosed. There have been no reported exploits.

MS06-062: Office - Critical Title Vulnerabilities in Microsoft Office Could Lead to Remote Code Execution (922581) The Fix Office Improper Memory Access Vulnerability - CVE-2006-3434 – Modifies the way that Office parses the file and validates the length of a string before passing it to the allocated buffer. Office Malformed Chart Record Vulnerability - CVE-2006-3650 – Modifies the way that Office parses the length of a record before it passes the message to the allocated buffer. Office Malformed Record Memory Corruption Vulnerability - CVE-2006-3864 - Modifies the way that Office parses the file and validates the length of a string before passing it to the allocated buffer. Mitigations In a Web-based attack scenario, an attacker would have to host a Web site that contains an Office file that is used to attempt to exploit this vulnerability. An attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site. The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message. Users who have installed and are using the Office Document Open Confirmation Tool for Office 2000 will be prompted with Open, Save, or Cancel before opening a document. Workaround Do not open or save Office files that you receive from un-trusted sources or that you received unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a file.

MS06-062: Office - Critical Title Vulnerabilities in Microsoft Office Could Lead to Remote Code Execution (922581) Other information Is a Restart required? If Office is not running, no restart should be required. see Microsoft Knowledge Base Article 887012 for known reasons why you may be prompted to restart. Is there an uninstall option? This Security Update cannot be uninstalled from Office 2000 or from Macintosh versions of Office. More Information For more Information, please review the FAQ at: http://www.microsoft.com/taiwan/technet/security/bulletin/ms06-062.mspx

Questions about MS06-062?

MS06-063: Windows - Important Title Vulnerability in Server Service Could Allow Denial of Service or Remote Code Execution (KB 923414) The Problem A DoS vulnerability (CVE-2006-3942) exists in the Server service because of the way it handles certain network messages. An attacker could exploit the vulnerability by sending a specially crafted network message to a computer running the Server service, causing the computer to stop responding. A RCE vulnerability (CVE-2006-4696) exists in the Server service because of the way it handles certain network messages. An attacker could exploit the vulnerability by sending a specially crafted network message to a computer running the Server service as an authenticated user, taking complete control of the affected system. Affected versions Both vulnerabilities affect all currently supported versions of Windows: Win 2000 SP4 Win XP SP1, XP SP2, XP x64 Win 2003, 2003 SP1, 2003 Itanium, 2003 Itanium SP1, 2003 x64 Attack Vectors/Impact Any anonymous attacker could exploit the Denial of Service vulnerability (CVE-2006-3942) by creating a specially crafted message and sending the message to an affected system. Any authenticated attacker could exploit the Remote Code Execution vulnerability (CVE-2006-4696) by creating a specially crafted message and sending the message to an affected system. This update supersedes MS06-035 on all supported platforms. DoS vulnerability (CVE-2006-3942): This vulnerability had been publicly disclosed when this bulletin was originally issued. Proof of Concept code had been published publicly, but Microsoft had not received reports of attacks exploiting this vulnerability when this bulletin was originally issued. RCE vulnerability (CVE-2006-4696): This vulnerability had not been publicly disclosed when this bulletin was originally issued. PoC code had not been published publicly, and MS had not received reports of attacks exploiting this vulnerability when this bulletin was originally issued.

MS06-063: Windows - Important Title Vulnerability in Server Service Could Allow Denial of Service or Remote Code Execution (KB 923414) The Fix The update removes the DoS vulnerability (CVE-2006-3942) by initializing a buffer before it is used. The update removes the RCE vulnerability (CVE-2006-4696) by removing the faulty code. Mitigations Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. Workaround Block UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and 593 These ports can be blocked at dedicated border firewalls, or individual machines can be protected with the Internet Connection Firewall / Windows Firewall in Windows XP and Windows 2003 As an alternative, IPSEC can be used to filter TCP and UDP ports per KB 313190 & KB 813878 Other information A restart is required. The update can be uninstalled. More Information For more Information, please review the FAQ at: http://www.microsoft.com/taiwan/technet/security/bulletin/ms06-063.mspx

Questions about MS06-063?

MS06-064: TCP/IP - Low Title & KB Article: Vulnerabilities in TCP/IP Could Allow Denial of Service (KB922819) Affected Software: Microsoft Windows XP SP1 and SP2, x64 Edition Microsoft Windows Server 2003 RTM & SP1, x64 Edition Microsoft Windows Server 2003 for RTM & SP1 for Itanium-based Systems Replaced Updates: None Vulnerabilities: CAN-2004-0790:ICMP Connection Reset Vulnerability CAN-2004-0230:TCP Connection Reset Vulnerability CAN-2005-0688 Spoofed Connection Request Vulnerability Publicly Disclosed: Yes Known Exploits?: No

MS06-064: TCP/IP - Low Issue Summary: This update addresses several issues. Two denial of service vulnerabilities exists that could allow an attacker to send a specially crafted ICMP or TCP message to an affected system. An attacker who successfully exploited this vulnerability could cause the affected system to reset existing TCP connections A denial of service vulnerability exists that could allow an attacker to send a specially crafted TCP/IP message to an affected system. An attacker who successfully exploited this vulnerability could cause the affected system to stop responding. Fix Description: The update removes the vulnerability by modifying the way that the affected operating systems validate ICMP and TCP packets. Attack Vectors: Affected versions of systems using IPv6 on networks which are not protected by a firewall Mitigations: A user would have to be on a network that did not block unsolicited external ICMP/TCP traffic IPv6 is not installed by default on any version of Windows Attacker would have to be on the same IPv6 network Block IPv6 ICMP and TCP ports at the firewall ICMP Reset vuln. would require attacker to predict/learn connection information Spoofed Connection vuln. would require router to forward malformed packets Workaround: Block IPv6 at firewall Block ICMP using IPSec Use SynAttackProtect registry value on Windows Server 2003 Remove IPv6 if not needed

MS06-064: TCP/IP - Low Restart Requirement: Yes Installation and Removal: Add/Remove Programs Command line uninstall option Scriptable Deployment More Information: For more Information, please review the FAQ at: http://www.microsoft.com/taiwan/technet/security/bulletin/ms06-064.mspx

Questions about MS06-064?

MS06-065: Windows Object Packager - Moderate Title & KB Article: Vulnerability in Windows Object Packager Could Allow Remote Execution (KB924496) Affected Software: Windows XP SP1, SP2 and x64 Edition Windows Server 2003 RTM, SP1, Itanium and x64 Edition Replaced Updates: None Vulnerabilities: CVE-2006-4692: Object Packager Dialogue Spoofing Vulnerability Publicly Disclosed: No Known Exploits?:

MS06-065: Windows Object Packager - Moderate Issue Summary: A remote code execution vulnerability exists in Object Packager because of the way that it handles file extensions. Fix Description: The update removes the vulnerability by modifying the way that Windows Explorer handles Object Packager files so that the file type of the packaged file is accurately displayed. Attack Vectors: Malicious Email Malicious Web Page Mitigations: A user would have to be persuaded to visit a malicious Web site Workaround: None Restart Requirement: Yes Installation and Removal: Add/Remove Programs Command line uninstall option Scriptable Deployment More Information: For more Information, please review the FAQ at: http://www.microsoft.com/taiwan/technet/security/bulletin/ms06-065.mspx

Questions about MS06-065?

Oct 2006 Non-Security Updates NUMBER TITLE Distribution 912580 Update for Outlook 2003 Junk Email Filter MU 923097 Update for Office 2003

Detection and Deployment Bulletin Component Office Update Windows Update Microsoft Update MBSA 1.2 and ODT MBSA 2.0 SUS WSUS EST SMS SUIT SMS ITMU   Detect and deploy Detect only MS06-057 Shell N/A Yes MS06-058 PowerPoint Partially, see KB926017 MS06-059 Excel MS06-060 Word MS06-061 XML MS06-062 Office MS06-063 Server Service MS06-064 TCP/IP MS06-065 Object Packager MS06-056 ASP.NET No Yes, ESUIT

Other Update Information Bulletin Restart Uninstall Replaces On products MS06-055 Maybe Yes Windows 2000+IE: Replace MS04-028 Others: None All currently supported versions of Windows MS06-056 No None .Net Framework 2.0 on all Platforms MS06-057 MS06-058 *Maybe MS06-028 All current supported versions of PowerPoint (including Mac) MS06-059 MS06-037 All current supported versions of Excel (including Mac) MS06-060 MS06-027 All current supported versions of Word (including Mac) MS06-061 MS02-008 All currently supported versions of XML Core Services (Windows, Office, SQL Server) MS06-062 MS06-038 All current supported versions of Office (including Mac) MS06-063 MS06-035 MS06-064 Windows XP, Windows Server 2003 MS06-065 * The reboot/uninstallation might be required base on the version of the products

Windows Malicious Software Removal Tool Twenty-second monthly incremental update. The Oct update adds the ability to remove: Win32/Tibs Win32/Harnig Win32/Passalert Available as priority update through Windows Update or Microsoft Update for Windows XP users Offered through WSUS; not offered through SUS 1.0 Also as an ActiveX control or download at www.microsoft.com/malwareremove

Lifecycle Support Information ENDED of public security support for Windows XP SP 1 10 October 2006 Support EOL for Software Update Services (SUS) 1.0 6 December 2006 www.microsoft.com/windowsserversystem/updateservices/evaluation/previous/default.mspx See www.microsoft.com/lifecycle for more information

Prepare for IE 7 over AU Prepare for AU distribution of Internet Explorer 7 by 1 November 2006 Internet Explorer 7 Blocker Toolkit available for enterprise customers Blocks automatic delivery of Internet Explorer 7 For additional information see: http://www.microsoft.com/technet/updatemanagement/windowsupdate/ie7announcement.mspx

Resources September Security Bulletin Webcast (US) http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032305653&Culture=en-US Security Bulletins Summary http://www.microsoft.com/taiwan/technet/security/bulletin/ms06-aug.mspx Security Bulletins Search www.microsoft.com/technet/security/current.aspx Security Advisories www.microsoft.com/taiwan/technet/security/advisory/ MSRC Blog http://blogs.technet.com/msrc Notifications www.microsoft.com/technet/security/bulletin/notify.mspx TechNet Radio www.microsoft.com/tnradio SearchSecurity Column http://searchsecurity.techtarget.com/news/0,289141,sid14,00.html IT Pro Security Newsletter www.microsoft.com/technet/security/secnews/ TechNet Security Center www.microsoft.com/taiwan/technet/security

Questions and Answers Submit text questions using the “Ask a Question” button Don’t forget to fill out the survey For upcoming and previously recorded webcasts: http://www.microsoft.com/taiwan/technet/webcast/default.aspx Webcast content suggestions: twwebst@microsoft.com