
	Home > Enterprise Desktop Tips > > IE6 vulnerability included in Patch Tuesday update

Enterprise Desktop Tips:

EMAIL THIS

TIPS & NEWSLETTERS TOPICS

IE6 vulnerability included in Patch Tuesday update

Serdar Yegulalp, Contributor
12.13.2006
Rating: --- (out of 5)

Advice for securing Windows

Digg This! StumbleUpon Del.icio.us

This month's Patch Tuesday summary from Microsoft addressed a relatively small set of vulnerabilities, the most notable of which is an Internet Explorer 6 security update. It's interesting (and a bit heartening) to notice that none of the vulnerabilities listed affected Windows Vista.

Patch management learning guide

Check out SearchWindowsSecurity.com's most comprehensive patch management resource.

One item that didn't make it to this month's list, but which has definitely attracted the attention of Microsoft's security team, is a zero-day vulnerability in Microsoft Word. All versions from 2000 through 2003, including the standalone Word Viewer, are affected -- but Word 2007 is not. The vulnerability seems to involve a code exploit delivered through a malicious Word document, so it would require that you download and open a document for it to take hold. Microsoft classifies it as being "very limited" in nature.

Here's a breakdown of what's in Microsoft's December 2006 security bulletin.

Critical vulnerabilities:

Cumulative Security Update for Internet Explorer (925454): This addresses a problem in Internet Explorer 6 where one of four vulnerabilities -- a weakness in script handling, a DHTML scripting vulnerability and two problems (1, 2) with TIF image processing -- could be exploited to cause a remote code execution. Internet Explorer 7 and Windows Vista are not affected, but IE5.01 and IE6 on all platforms that can run both of them are.
Vulnerability in Visual Studio 2005 Could Allow Remote Code Execution (925674): This fixes a problem with the WMI Object Broker that could allow remote code execution. Not all versions of Visual Studio are affected; only Visual Studio 2005 Standard, Professional, Team Suite and Team Editions for Developers, Architects and Teachers are vulnerable. Visual Studio .NET, for instance, is not affected.
Vulnerability in Windows Media Format Could Allow Remote Code Execution (923689): Addresses a problem with Windows Media Player and the Windows Media Format runtimes that could allow remote code execution, involving the parsing of ASF and ASX files. Windows Media 11 services (including WMP 11) and Windows Vista are not affected, but the Windows Media runtimes versions 7.1 through 9.5 and Windows Media Player 6.4 are.

Important vulnerabilities:

Vulnerability in SNMP Could Allow Remote Code Execution (926247): A potential memory corruption vulnerability in the Simple Network Management Protocol could allow remote code execution. All versions of Windows are affected except for Windows Vista.
Vulnerability in Windows Could Allow Elevation of Privilege (926255): A specially crafted file manifest could allow a user to create an elevation-of-privilege attack. Only Windows XP Service Pack 2 and Windows Server 2003 (pre-SP1) are affected by this problem.
Cumulative Security Update for Outlook Express (923694): Resolves issues with Outlook Express that could allow remote code execution in all current versions of Windows (2000, XP, 2003). Windows Vista is not affected.

Vulnerability in Remote Installation Service Could Allow Remote Code Execution (926121): A vulnerability in the Remote Installation Service (RIS) could allow remote code execution. Only Windows 2000 Service Pack 4 and above are affected.

About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!

Rate this Tip

To rate tips, you must be a member of SearchEnterpriseDesktop.com.
Register now to start rating these tips. Log in if you are already a member.

Submit a Tip

Digg This! StumbleUpon Del.icio.us

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

SEARCH

TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.


TechTarget Corporate Web Site \| Media Kits \| Reprints \| Site Map All Rights Reserved, Copyright 2008, TechTarget \| Read our Privacy Policy