This month's Patch Tuesday summary from Microsoft addressed a relatively small set of vulnerabilities, the most notable of which is an Internet Explorer 6 security update. It's interesting (and a bit heartening) to notice that none of the vulnerabilities listed affected Windows Vista.
Here's a breakdown of what's in Microsoft's December 2006 security bulletin.
- Cumulative Security Update for Internet Explorer (925454): This addresses four vulnerabilities in Internet Explorer 6 -- a weakness in script handling, a DHTML scripting vulnerability and two problems with TIF image processing -- any one of which could be exploited for remote code execution. Internet Explorer 7 and Windows Vista are not affected, but IE5.01 and IE6 are, on all platforms that can run them.
- Vulnerability in Visual Studio 2005 Could Allow Remote Code Execution (925674): This fixes a problem with the WMI Object Broker that could allow remote code execution. Not all versions of Visual Studio are affected; only Visual Studio 2005 Standard, Professional, Team Suite and Team Editions for Developers, Architects and Teachers are vulnerable. Visual Studio .NET, for instance, is not affected.
- Vulnerability in Windows Media Format Could Allow Remote Code Execution (923689): Addresses a problem in how Windows Media Player and the Windows Media Format runtimes parse ASF and ASX files, which could allow remote code execution. Windows Media 11 services (including WMP 11) and Windows Vista are not affected, but the Windows Media runtimes versions 7.1 through 9.5 and Windows Media Player 6.4 are.
- Vulnerability in SNMP Could Allow Remote Code Execution (926247): A potential memory corruption vulnerability in the Simple Network Management Protocol could allow remote code execution. All versions of Windows are affected except for Windows Vista.
- Vulnerability in Windows Could Allow Elevation of Privilege (926255): A specially crafted file manifest could allow a user to carry out an elevation-of-privilege attack. Only Windows XP Service Pack 2 and Windows Server 2003 (pre-SP1) are affected by this problem.
- Cumulative Security Update for Outlook Express (923694): Resolves issues with Outlook Express that could allow remote code execution in all current versions of Windows (2000, XP, 2003). Windows Vista is not affected.
- Vulnerability in Remote Installation Service Could Allow Remote Code Execution (926121): A vulnerability in the Remote Installation Service (RIS) could allow remote code execution. Only Windows 2000 Service Pack 4 and above are affected.
About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!