Nov. 2006 Security Updates

Five critical and one important patch addressing multiple vulnerabilities were distributed on the Nov. 2006 “Patch Tuesday.” The patches repair vulnerabilities in Windows, Internet Explorer (IE), and Adobe’s Macromedia Flash Player. In addition, for the second time in two months, the patches include an update for any software that might use Microsoft’s Core XML Services. Microsoft also used the monthly patch release announcement to tell customers that it would extend support for its Software Update Services (SUS), which has been replaced by Windows Server Update Service (WSUS), until July 2007.

Critical Patches

The Nov. 2006 critical patches fix vulnerabilities in Microsoft’s XML Core Services, as well as Windows, IE, and Adobe’s Macromedia Flash Player. The updates for Windows and IE are not needed on the recently released Windows Vista and IE 7.0. Exploit code is already circulating for one problem, MS06-070.

The critical patch to XML Core Services (MSXML) fixes the XMLHTTP ActiveX control that could, if passed unexpected data, cause an application (including IE) to fail in a way that could allow malicious code execution. The MSXML code library is used in pre-.NET programming languages, such as VBScript and Visual Basic 6.0, to build XML-based applications. Because developers sometimes redistribute MSXML with applications, copies can be installed in multiple locations on the same computer. All copies must be patched for the system to be completely secured, and Microsoft Baseline Security Analyzer (MBSA) and other detection tools should detect when the patch is needed.