CA Security Advisor Research Blog

Find out what our research team is saying about the latest security threats in the CA Security Advisor blog

Microsoft November Bulletin Release

For this month's release, Microsoft has issued 6 bulletins addressing 13 vulnerabilities. Five of the six bulletins have a cumulative rating of Critical and one has a rating of Important.

11 days vs 2 months

Patches for the XMLHTTP 4.0 ActiveX Control vulnerability, described in Microsoft advisory 927892 on 11/03/2006, are available today. An 11-day turnaround is quick for a high-profile vulnerability.

By contrast, the vulnerability in the Microsoft DirectAnimation Path ActiveX control (advisory 925444), first published by Microsoft on the 14th of September of this year, has finally been addressed. Just about 2 months have passed while this issue has hung on the line.

Both issues have public exploit code available and are reportedly being exploited in the wild, but judging from the speed at which the XMLHTTP ActiveX Control vulnerability was fixed, it appears Microsoft may have deemed that issue much more urgent than the DirectAnimation vulnerability. Since Microsoft did not delay patching it, we should not delay applying the patch either.

Open issues

1. The WMI Object Broker control vulnerability 927709 (11/08/2006) affecting installations of Visual Studio 2005.

2. A vulnerability affecting ADODB.Connection noted on the Microsoft Security Response Center blog here (10/27/2006).

The November listing in full:

Bulletin: MS06-066
Title: Vulnerabilities in Client Service for NetWare Could Allow Remote Code Execution
Rating: Important
KB: 923980
Affected Technologies: Microsoft Windows 2000, XP, and 2003
Microsoft Client Service for NetWare Memory Corruption Vulnerability - CVE-2006-4688
NetWare Driver Denial of Service Vulnerability - CVE-2006-4689

Bulletin: MS06-067
Title: Cumulative Security Update for Internet Explorer
Rating: Critical
KB: 922760
Affected Technologies: Microsoft Internet Explorer 5.01, 6 SP1, 6 on XP SP2, 6 on 2003
DirectAnimation ActiveX Controls Memory Corruption Vulnerability - CVE-2006-4777
DirectAnimation ActiveX Controls Memory Corruption Vulnerability - CVE-2006-4446
HTML Rendering Memory Corruption Vulnerability - CVE-2006-4687

Bulletin: MS06-068
Title: Vulnerability in Microsoft Agent Could Allow Remote Code Execution
Rating: Critical
KB: 920213
Affected Technologies: Microsoft Windows 2000, XP, and 2003
Microsoft Agent Memory Corruption Vulnerability - CVE-2006-3445

Bulletin: MS06-069
Title: Vulnerabilities in Macromedia Flash Player from Adobe Could Allow Remote Code Execution
Rating: Critical
KB: 923789
Affected Technologies: Microsoft Windows XP
Macromedia Flash Player Vulnerabilities - CVE-2006-3014, CVE-2006-3311, CVE-2006-3587, CVE-2006-3588, CVE-2006-4640

Bulletin: MS06-070
Title: Vulnerability in Workstation Service Could Allow Remote Code Execution
Rating: Critical
KB: 924270
Affected Technologies: Microsoft Windows 2000, XP
Workstation Service Memory Corruption Vulnerability - CVE-2006-4691

Bulletin: MS06-071
Title: Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution
Rating: Critical
KB: 928088
Affected Technologies: XML Core Services 4.0, 6.0
Microsoft XML Core Services Vulnerability - CVE-2006-5745
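As an added check, not part of the original post: a small Python script that parses a listing in the layout above and reports which bulletins a host still lacks, Critical ones first. The installed-hotfix input is assumed to be the HotFixID values (KBnnnnnn) an administrator would pull from the Win32_QuickFixEngineering WMI class; the listing embedded below is a constructed sample of two of the six bulletins.

```python
import re

# Constructed sample in the post's own listing layout (two of the six bulletins).
LISTING = """\
Bulletin: MS06-066
Title: Vulnerabilities in Client Service for NetWare Could Allow Remote Code Execution
Rating: Important
KB: 923980
Affected Technologies: Microsoft Windows 2000, XP, and 2003
Microsoft Client Service for NetWare Memory Corruption Vulnerability - CVE-2006-4688
NetWare Driver Denial of Service Vulnerability - CVE-2006-4689

Bulletin: MS06-070
Title: Vulnerability in Workstation Service Could Allow Remote Code Execution
Rating: Critical
KB: 924270
Affected Technologies: Microsoft Windows 2000, XP
Workstation Service Memory Corruption Vulnerability - CVE-2006-4691
"""

# "Label:" lines that become fields; every other line in a block is a vulnerability line.
FIELDS = {"Title": "title", "Rating": "rating", "KB": "kb",
          "Affected Technologies": "affected"}
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_listing(text):
    """Return one dict per 'Bulletin:' block, collecting the CVE ids listed under it."""
    bulletins = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Bulletin":
            bulletins.append({"id": value, "cves": []})
        elif key in FIELDS and bulletins:
            bulletins[-1][FIELDS[key]] = value
        elif bulletins:  # vulnerability line: "<name> - CVE-yyyy-nnnn"
            bulletins[-1]["cves"].extend(CVE_RE.findall(line))
    return bulletins

def missing_patches(bulletins, installed_hotfixes):
    """Bulletins whose KB is absent from the host's HotFixID list (assumed input,
    e.g. from Win32_QuickFixEngineering), sorted so Critical bulletins come first."""
    installed = {h.strip().upper().removeprefix("KB") for h in installed_hotfixes}
    missing = [b for b in bulletins if b.get("kb") not in installed]
    return sorted(missing, key=lambda b: b.get("rating") != "Critical")
```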

About Kevin Kotas

Kevin Kotas is a Senior Research Engineer with the CA Vulnerability Research Team. He has over seven years of vulnerability management experience and discovered several vulnerabilities in products from multiple major software providers. Kevin holds a B.S. degree in Computer Science from North Carolina State University.
