Oct. 2006 Security Updates
Oct. 16, 2006
Six critical, one important, two moderate, and one low-severity patches, addressing 26 vulnerabilities in total, were distributed on the Oct. 2006 "Patch Tuesday." The vulnerabilities affect Windows, Office for Windows and the Mac, and any software that uses Microsoft's XML Core Services. In addition, Microsoft used the monthly patch release announcements to update customers on products leaving support, on how to block the pending automatic installation of Internet Explorer (IE) 7.0, and on pending changes to Microsoft's offline patch detection tools.

Critical Patches

The Oct. 2006 critical patches fix vulnerabilities in Windows, Office for Windows and the Mac, and other products that use Microsoft's XML Core Services. Developers use Microsoft XML Core Services (MSXML) with JScript, Visual Basic Scripting Edition (VBScript), and Microsoft Visual Studio 6.0 to build XML-based applications. Because developers, including third parties, redistribute these components with their applications, MSXML can be installed in multiple locations on the same computer, one for each installed application that ships it. Every instance must be patched before the system is completely secured; MBSA and the other detection tools should report when a patch is still needed.

Microsoft also released a critical security update, "MS06-055: Vulnerability in Vector Markup Language (VML) Could Allow Remote Code Execution," on Sept. 26, 2006. The patch was released outside the normal monthly cycle to address a publicly circulating exploit. It fixes an unchecked buffer in the Windows implementation of VML, a seldom-used XML-based markup language for exchanging, editing, and delivering high-quality vector graphics on the Web.

Initially, Microsoft announced its intention to release another bulletin (for a total of 11), but one of the patches was held back for additional testing. In addition, technical difficulties impaired the Microsoft Update platform. Those problems have since been resolved and the patches are again being distributed successfully.

Office, Windows Service Packs Retired

Effective with October's Patch Tuesday, Windows XP SP1 and Office 2003 SP1 are no longer eligible for security updates. Customers are encouraged to update to Windows XP SP2 and Office 2003 SP2. In addition, Microsoft warned that Software Update Services (SUS) version 1.0 will leave support in December, so customers should transition to Windows Server Update Services (WSUS) with Service Pack 1.

Blocking Internet Explorer 7.0

Microsoft says that, to help customers become more secure and up to date, it will distribute IE 7.0 as a high-priority update. Therefore, Windows XP SP2, Windows XP 64-bit Edition, and Windows Server 2003 SP1 customers who have Automatic Updates set to download and install updates automatically will be updated to IE 7.0. However, unlike critical security fixes, which can be configured to install automatically and silently, the update to IE 7.0 requires the user's explicit consent before it installs. Microsoft is providing an IE Blocker Toolkit for organizations that want to block users from receiving the new browser. The company recommends that organizations that don't want end users updated to IE 7.0 deploy the IE Blocker Toolkit by November 1.

Scanning File Stuffed

The file that contains all of the information used by Microsoft's offline scanning tools to determine whether a patch is installed on a computer has hit the upper limit of information that a cabinet file can contain. This file, WSSUSCAN.cab, is used by tools such as the Systems Management Server Inventory Tool for Microsoft Updates (SMS ITMU) and Microsoft Baseline Security Analyzer (MBSA). Microsoft has removed duplicate entries and now has to prune the oldest update definitions from the file every month in order to add the latest definitions. To resolve this, Microsoft has redesigned the file so that it can hold the necessary information. The redesign means that Microsoft will have to distribute the new cabinet file as well as one-time updates to the existing tools so that they can read and process the new file format. New versions of the SMS ITMU and MBSA tools will be available to customers in Nov. 2006.

Nonsecurity Updates and Malware Update

The monthly installment of the Malicious Software Removal Tool was released on Patch Tuesday as well. This month's update removes Win32/Tibs, Win32/Harnig, and Win32/Passalert. The nonsecurity updates include the monthly update to the Outlook 2003 Junk E-mail Filter and a currently undocumented update for Office 2003.

Resources

Information about updates released in Oct. 2006 can be found at www.microsoft.com/technet/security/current.aspx. The latest version of the Malicious Software Removal Tool can be executed from www.microsoft.com/security/malwareremove/default.mspx. Additional information for IT administrators on how to block the automatic installation of IE 7.0 is available at www.microsoft.com/technet/updatemanagement/windowsupdate/ie7announcement.mspx. The IE 7.0 Blocker Toolkit itself is available at www.microsoft.com/downloads/details.aspx?FamilyId=4516A6F7-5D44-482B-9DBD-869B4A90159C&displaylang=en. The changes being made to the cabinet file for the patch detection tools are described at support.microsoft.com/kb/926464.
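The Critical Patches section notes that MSXML can be installed in several locations on one machine and that every copy must be patched. The following PowerShell script is an added example, not part of the article or of any Microsoft tool: it lists every copy of the MSXML DLLs it finds and flags a DLL whose copies are at different file versions. The DLL names (msxml3.dll, msxml4.dll, msxml6.dll) and search roots are assumptions chosen here.

```powershell
# Added example: audit all copies of the MSXML DLLs on this machine.
# Assumptions: the DLL names and search roots below are chosen for this
# example; adjust them for your environment. Requires read access only.

$SearchRoots = @(
    $env:SystemRoot,
    ${env:ProgramFiles},
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ -and (Test-Path $_) }

$DllNames = 'msxml3.dll', 'msxml4.dll', 'msxml6.dll'

function Get-MsxmlInstances {
    param([string[]]$Roots = $SearchRoots, [string[]]$Names = $DllNames)
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -Include $Names -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Name    = $_.Name.ToLower()
                    Path    = $_.FullName
                    Version = $_.VersionInfo.FileVersion
                }
            }
    }
}

function Find-MsxmlVersionMismatch {
    param([object[]]$Instances)
    # Group the copies of each DLL; more than one distinct version means at
    # least one copy did not receive the same update as the others.
    $Instances | Group-Object Name | ForEach-Object {
        $versions = @($_.Group.Version | Sort-Object -Unique)
        [pscustomobject]@{
            Dll      = $_.Name
            Copies   = $_.Count
            Versions = ($versions -join ', ')
            Mismatch = ($versions.Count -gt 1)
        }
    }
}

$instances = @(Get-MsxmlInstances)
$instances | Format-Table Name, Version, Path -AutoSize
Find-MsxmlVersionMismatch -Instances $instances |
    Where-Object { $_.Mismatch } |
    ForEach-Object { Write-Warning "$($_.Dll): $($_.Copies) copies at versions $($_.Versions)" }
```

On systems with a WinSxS component store, superseded builds kept there also show up as mismatches; exclude that directory from the search roots if it produces noise.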
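For the Blocking Internet Explorer 7.0 section, the PowerShell below is an added example, not the IE Blocker Toolkit itself or any code from the article: it reports whether the block the toolkit applies is present on the local machine and can set it. It assumes the block is expressed as the DWORD value DoNotAllowIE70 = 1 under HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup\7.0, which is the value the toolkit writes; that key is not named in the article.

```powershell
# Added example: check for, and optionally apply, the IE 7.0 Automatic
# Updates block. Assumption: the toolkit's block is the registry value
# DoNotAllowIE70 = 1 under the key below (not stated in the article).

$BlockKey   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Setup\7.0'
$BlockValue = 'DoNotAllowIE70'

function Test-IE7AutoUpdateBlocked {
    # Returns $true only when the value exists and is exactly 1.
    if (-not (Test-Path $BlockKey)) { return $false }
    $item = Get-ItemProperty -Path $BlockKey -Name $BlockValue -ErrorAction SilentlyContinue
    return ($null -ne $item -and [int]$item.$BlockValue -eq 1)
}

function Set-IE7AutoUpdateBlock {
    # Creates the key if needed and writes the DWORD; requires local admin rights.
    if (-not (Test-Path $BlockKey)) { New-Item -Path $BlockKey -Force | Out-Null }
    New-ItemProperty -Path $BlockKey -Name $BlockValue -PropertyType DWord -Value 1 -Force | Out-Null
}

if (Test-IE7AutoUpdateBlocked) {
    Write-Host "IE 7.0 automatic delivery is blocked on $env:COMPUTERNAME"
} else {
    Write-Warning "IE 7.0 will be offered through Automatic Updates on $env:COMPUTERNAME"
}
```

Run the check across your fleet before the November 1 date the article cites, and call Set-IE7AutoUpdateBlock only on machines where the organization has decided to hold back the browser.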