Dec. 2006 Security Updates

Three critical and four important patches addressing multiple vulnerabilities were distributed on the Dec. 2006 “Patch Tuesday.” The patches repair vulnerabilities in Windows, Internet Explorer (IE), Outlook Express, and Visual Studio 2005, and a critical patch for Excel was reissued. The patch for Visual Studio addresses a zero-day vulnerability, (that is, a vulnerability that has already been exploited when it’s publicly revealed) for which Microsoft previously issued a security advisory. However, the patches do not address another zero-day vulnerability in Word that Microsoft has identified in a separate security advisory.

Critical Patches

Although none of the critical patches released on Dec. 2006 affects either Windows Vista or IE 7.0, users of older versions should install the cumulative patch for IE, which addresses a number of vulnerabilities in the browser.

The critical patch for Visual Studio addresses a remote code execution vulnerability that could allow an attacker to take complete control of an affected system. The patch resolves a problem in the way that the controls instantiated by the WMI Object Broker are validated. The WMI Object Broker is an ActiveX control in Visual Studio 2005 which is used internally by the WMI Wizard feature to instantiate other controls.