Nov. 2006 Security Updates
Nov. 20, 2006

Five critical and one important patch addressing multiple vulnerabilities were distributed on the Nov. 2006 "Patch Tuesday." The patches repair vulnerabilities in Windows, Internet Explorer (IE), and Adobe's Macromedia Flash Player. In addition, for the second time in two months, the patches include an update for any software that might use Microsoft's Core XML Services. Microsoft also used the monthly patch release announcement to tell customers that it would extend support for its Software Update Services (SUS), which has been replaced by Windows Server Update Services (WSUS), until July 2007.

Critical Patches

The Nov. 2006 critical patches fix vulnerabilities in Microsoft's XML Core Services, as well as Windows, IE, and Adobe's Macromedia Flash Player. The updates for Windows and IE are not needed on the recently released Windows Vista and IE 7.0. Exploit code is already circulating for one problem, MS06-070.

The critical patch to XML Core Services (MSXML) fixes the XMLHTTP ActiveX control that could, if passed unexpected data, cause an application (including IE) to fail in a way that could allow malicious code execution. The MSXML code library is used in pre-.NET programming languages, such as VBScript and Visual Basic 6.0, to build XML-based applications. Because developers sometimes redistribute MSXML with applications, copies can be installed in multiple locations on the same computer. All copies must be patched for the system to be completely secured, and Microsoft Baseline Security Analyzer (MBSA) and other detection tools should detect when the patch is needed.

Microsoft is also distributing a patch for the Macromedia Flash Player, as it has done several times in the past, because Microsoft distributed the Flash Player with some versions of Windows.

Other Patch Tuesday Announcements

The monthly installment of the technology to remove malicious software from users' systems was released on Patch Tuesday as well. This month's update removes Win32/Brontok.
The nonsecurity updates include the monthly update to the Outlook 2003 Junk E-mail Filter and a currently undocumented update for Office 2003.

Previously, Microsoft had announced that it would end support for its free SUS version 1.0 on Dec. 6, 2006, as SUS has been replaced with Windows Server Update Services (WSUS). However, customers told Microsoft that more time was needed to upgrade from SUS to WSUS, so Microsoft will support SUS until July 10, 2007.

Resources

Information about updates released in Nov. 2006 can be found at www.microsoft.com/technet/security/current.aspx. The latest version of the Malicious Software Removal Tool can be executed from www.microsoft.com/security/malwareremove/default.mspx.
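
The point made above about redistributed MSXML copies can be checked with a file inventory. The PowerShell script below is an added example, not part of the original article or a Microsoft tool; the `-MinimumVersion` parameter and the status labels are assumptions of this example, and the patched version numbers must be taken from the bulletin because the article does not give them.

```powershell
# Added example: inventory every MSXML copy on local fixed drives.
param(
    # Operator-supplied map of file name -> lowest patched file version, taken
    # from the vendor bulletin. Empty by default: no version is assumed here.
    # Usage (constructed values): -MinimumVersion @{ 'msxmlN.dll' = '1.2.3.4' }
    [hashtable]$MinimumVersion = @{}
)

# Search fixed local disks only; removable and network drives are skipped.
$roots = [System.IO.DriveInfo]::GetDrives() |
    Where-Object { $_.DriveType -eq 'Fixed' -and $_.IsReady } |
    ForEach-Object { $_.RootDirectory.FullName }

$copies = foreach ($root in $roots) {
    # Unreadable directories are skipped silently; run elevated for full coverage.
    Get-ChildItem -Path $root -Filter 'msxml*.dll' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi = $_.VersionInfo
            # Build the version from the numeric parts; the FileVersion string
            # can carry extra text and does not always parse.
            $ver = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                             $vi.FileBuildPart, $vi.FilePrivatePart)
            $status = 'NoBaseline'
            if ($MinimumVersion.ContainsKey($_.Name)) {
                $min    = [version]$MinimumVersion[$_.Name]
                $status = if ($ver -lt $min) { 'NeedsPatch' } else { 'OK' }
            }
            [pscustomobject]@{
                File      = $_.Name
                Version   = $ver
                Status    = $status
                Directory = $_.DirectoryName
            }
        }
}

# Every copy found, lowest version first within each file name.
$copies | Sort-Object File, Version | Format-Table -AutoSize

# File names present in more than one directory: each location needs the update.
$copies | Group-Object File | Where-Object { $_.Count -gt 1 } |
    Select-Object Name, Count
```

Copies outside the Windows system directory usually belong to an application's own install folder, so a `NeedsPatch` row there may have to be resolved through that application's vendor.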