Apr. 2006 Security Updates

Three critical and one important patch were released on the Apr. 2006 “Patch Tuesday.” One critical patch is a cumulative update for Internet Explorer (IE) that includes both a patch for an exploit that is already circulating publicly as well as other changes that affect how ActiveX controls work with IE to comply with the latest legal ruling in a patent dispute. Because customers need the security patch, but may not be ready to implement the ActiveX functionality changes, a second patch is also available to restore the ActiveX functionality until the next cumulative security update.

Three Critical Patches

The critical cumulative security update for IE patches a total of ten vulnerabilities, including eight remote code-execution vulnerabilities that could allow an attacker to take complete control of a system, an information-disclosure vulnerability, and a spoofing vulnerability.

Customers will want to deploy this patch as soon as possible, as it fixes the Create Text Range vulnerability, for which an exploit is already circulating. However, customers need to be aware that the patch changes how IE works with ActiveX controls to comply with a legal ruling in a lawsuit brought by Eolas. After installing this update, users cannot interact with ActiveX controls until they manually enable each ActiveX control, either by clicking on it or by pressing a key on the keyboard. Because some customers will want to fix the security vulnerability without the ActiveX functionality change, a separate patch will disable the ActiveX update until the next cumulative security update (expected in June).