Microsoft releases 6 updates for its November 2006 cycle: Details and recommendations
Microsoft released 6 security updates yesterday for Windows as part of its monthly patch update cycle. This time around there were no non-security patches, and of the 6 patches, 5 are rated critical. I have read on other websites that Microsoft has patched 7 vulnerabilities. However, I count 12 in total. Five of these are in the Macromedia Flash Player, which I guess they did not count as Microsoft vulnerabilities. However, as an end-user, any vulnerability that could affect me is, well, a vulnerability, and I will count it.
Introduction
It's the holiday season, and Microsoft has given IT administrators some breathing space, even thoughts of vacation, I might add. Microsoft released just 6 security bulletins fixing 12 vulnerabilities that affect Windows or software running on Windows. Of the bulletins, one is a cumulative security update for Internet Explorer 6; the vulnerabilities fixed there do not affect IE7.0.
Details:
Bulletin MS06-67: This is a cumulative security update for Internet Explorer 6 that fixes 3 vulnerabilities, each of which could result in remote code execution. The vulnerabilities are recorded in the CVE database as follows.
DirectAnimation ActiveX Controls Memory Corruption Vulnerability - CVE-2006-4777: Heap-based buffer overflow in the DirectAnimation Path Control (DirectAnimation.PathControl) COM object (daxctle.ocx) for Internet Explorer 6.0 SP1, on Chinese and possibly other Windows distributions, allows remote attackers to execute arbitrary code via unknown manipulations in arguments to the KeyFrame method, possibly related to an integer overflow, as demonstrated by daxctle2, and a different vulnerability than CVE-2006-4446.
DirectAnimation ActiveX Controls Memory Corruption Vulnerability - CVE-2006-4446: Heap-based buffer overflow in DirectAnimation.PathControl COM object (daxctle.ocx) in Microsoft Internet Explorer 6.0 SP1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a Spline function call whose first argument specifies a large number of points.
HTML Rendering Memory Corruption Vulnerability - CVE-2006-4687: Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via crafted layout combinations involving DIV tags and HTML CSS float properties that trigger memory corruption, aka "HTML Rendering Memory Corruption Vulnerability."
All three vulnerabilities can be mitigated by practising safe browsing habits and setting the Internet zone to Medium or High security. In addition, the first two can be mitigated by modifying the registry to set the kill bit for the ActiveX control.
Prevent the Microsoft DirectAnimation Path ActiveX control from running in Internet Explorer
For detailed steps that you can use to prevent a control from running in Internet Explorer, see Microsoft Knowledge Base Article 240797. Follow these steps in this article to create a Compatibility Flags value in the registry to prevent a COM object from being instantiated in Internet Explorer.
To set the kill bit for a CLSID with a value of {D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}]
"Compatibility Flags"=dword:00000400
You can apply this .reg file to individual systems by double-clicking it.
My recommendation: You could probably get by with not installing the update as long as you practice safe browsing and use the workaround. Also, if you upgrade to IE7.0, these vulnerabilities will not affect your computer.
Bulletin MS06-68: This update resolves a newly discovered, privately reported vulnerability.
An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Microsoft Agent Memory Corruption Vulnerability - CVE-2006-3445: Microsoft Agent on Microsoft Windows 2000 SP4, XP SP2, and Server 2003 up to SP1 allows remote attackers to execute arbitrary code via a crafted .ACF file that triggers memory corruption.
Again, this vulnerability can be avoided by browsing with the Internet zone set to Medium or High security. It can also be prevented by setting the kill bit for this control in the registry, which stops the control from running.
For detailed steps that you can use to prevent a control from running in Internet Explorer, see Microsoft Knowledge Base Article 240797. Follow these steps in this article to create a Compatibility Flags value in the registry to prevent a COM object from being instantiated in Internet Explorer.
To set the kill bit for a CLSID with a value of {CLSID}, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4BAC124B-78C8-11D1-B9A8-00C04FD97575}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D45FD31D-5C6E-11D1-9EC1-00C04FD7081F}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D45FD31E-5C6E-11D1-9EC1-00C04FD7081F}]
"Compatibility Flags"=dword:00000400
You can apply this .reg file to individual systems by double-clicking it.
My recommendation: Although a workaround exists and safe browsing habits offer some protection, I strongly recommend that you apply this patch.
Bulletin MS06-69: This update resolves privately reported vulnerabilities in Macromedia Flash Player from Adobe, version 6.0.84.0 and earlier. Macromedia Flash Player is a third party software application that also was redistributed with Microsoft Windows XP Service Pack 2 and Microsoft Windows XP Professional x64 Edition. The Adobe Security Bulletin APSB06-11, issued September 12, 2006, describes the vulnerabilities and provides the download locations for customers who have installed Flash Player 7 and higher so that you can install the appropriate update based on the version of Flash Player you are using. Customers that have followed the guidance in the Adobe Security Bulletin are not at risk from these vulnerabilities.
If a user is logged on with administrative user rights, an attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
This update addresses the following CVEs.
Macromedia Flash Player Vulnerabilities - CVE-2006-3014: Microsoft Excel allows user-assisted attackers to execute arbitrary JavaScript and redirect users to arbitrary sites via an Excel spreadsheet with an embedded Shockwave Flash Player ActiveX Object, which is automatically executed when the user opens the spreadsheet.
Macromedia Flash Player Vulnerabilities - CVE-2006-3311: Buffer overflow in Adobe Flash Player 8.0.24.0 and earlier, Flash Professional 8, Flash MX 2004, and Flex 1.5 allows user-assisted remote attackers to execute arbitrary code via a long, dynamically created string in a SWF movie.
Macromedia Flash Player Vulnerabilities - CVE-2006-3587: Unspecified vulnerability in Adobe (Macromedia) Flash Player 8.0.24.0 allows remote attackers to execute arbitrary commands via a malformed .swf file that results in "multiple improper memory access" errors.
Macromedia Flash Player Vulnerabilities - CVE-2006-3588: Unspecified vulnerability in Adobe (Macromedia) Flash Player 8.0.24.0 allows remote attackers to cause a denial of service (browser crash) via a malformed, compressed .swf file, a different issue than CVE-2006-3587.
Macromedia Flash Player Vulnerabilities - CVE-2006-4640: Unspecified vulnerability in Adobe Flash Player before 9.0.16.0 allows user-assisted remote attackers to bypass the allowScriptAccess protection via unspecified vectors.
My recommendation: There are workarounds available to prevent these vulnerabilities from affecting your computer. However, the impact of the workarounds would be undesirable in the sense that the Flash Player would not work in the browser. With so many websites running Flash (your own could be running Flash), that is not something you want. I would strongly recommend applying this patch as soon as possible.
Bulletin MS06-70: This update resolves a newly discovered, privately reported vulnerability.
An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Workstation Service Memory Corruption Vulnerability - CVE-2006-4691: Buffer overflow in the Workstation service in Microsoft Windows 2000 SP4 and XP SP2 allows remote attackers to execute arbitrary code via crafted messages.
This vulnerability can be mitigated by the following workaround.
Block TCP ports 139 and 445 at the firewall: These ports are used to initiate a connection with the affected component. Blocking TCP ports 139 and 445 at the firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. We recommend that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. For more information about ports, visit the following Web site.
Impact of Workaround: Several Windows services use the affected ports. Blocking connectivity to the ports may cause various applications or services to not function. Some of the applications or services that could be impacted are listed below.
Applications that use SMB (CIFS)
Applications that use mailslots or named pipes (RPC over SMB)
Server (File and Print Sharing)
Group Policy
Net Logon
Distributed File System (DFS)
Terminal Server Licensing
Print Spooler
Computer Browser
Remote Procedure Call Locator
Fax Service
Indexing Service
Performance Logs and Alerts
Systems Management Server
License Logging Service
My recommendation: Although the workaround is pretty simple and straightforward, I would recommend that you apply this patch as soon as you can, because the workaround might prevent some critical Windows services from functioning correctly.
Bulletin MS06-71: This update resolves a newly discovered, publicly disclosed vulnerability. A vulnerability exists in the XMLHTTP ActiveX control within Microsoft XML Core Services that could allow for remote code execution. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user visited that page or clicked a link in an e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, user interaction is required to exploit this vulnerability.
If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Microsoft XML Core Services Vulnerability - CVE-2006-5745: Unspecified vulnerability in the setRequestHeader method in the XMLHTTP (XML HTTP) ActiveX Control 4.0 in Microsoft XML Core Services 4.0 on Windows, when accessed by Internet Explorer, allows remote attackers to execute arbitrary code via crafted arguments that lead to memory corruption, a different vulnerability than CVE-2006-4685.
Workaround 1: You can disable attempts to instantiate these ActiveX controls in Internet Explorer by setting the kill bit for the controls in the registry.
For detailed steps that you can use to prevent a control from running in Internet Explorer, see Microsoft Knowledge Base Article 240797. Follow these steps in this article to create a Compatibility Flags value in the registry to prevent a COM object from being instantiated in Internet Explorer:
1. To set the kill bit for a CLSID with a value of {88d969c5-f192-11d4-a65f-0040963251e5} (XMLHTTP 4.0 contained within Microsoft XML Core Services 4.0) and {88d96a0a-f192-11d4-a65f-0040963251e5} (XMLHTTP 6.0 contained within Microsoft XML Core Services 6.0) paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{88d969c5-f192-11d4-a65f-0040963251e5}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{88d96a0a-f192-11d4-a65f-0040963251e5}]
"Compatibility Flags"=dword:00000400
2. You can apply this .reg file to individual systems by double-clicking it.
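The kill-bit workarounds for MS06-67, MS06-68 and MS06-71 all write the same value, so one audit covers them. The PowerShell below is an added example, not text from the bulletins or Microsoft's own tooling; it assumes a PowerShell host with read access to HKLM (and write access only if you choose to call Set-KillBit) and uses the CLSIDs listed on this page. KB 240797 defines the kill bit as the 0x400 bit of the "Compatibility Flags" DWORD, so the check tests that bit rather than comparing the whole value with 0x400.

```powershell
# Added example: audit (and optionally set) the IE ActiveX kill bit for the
# CLSIDs named in MS06-67, MS06-68 and MS06-71. Not part of the bulletins.
$KillBit   = 0x400
$CompatKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

# CLSIDs as listed in the bulletins above, labelled for the report.
$Controls = @{
    '{D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}' = 'DirectAnimation Path Control (MS06-67)'
    '{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}' = 'Microsoft Agent (MS06-68)'
    '{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}' = 'Microsoft Agent (MS06-68)'
    '{4BAC124B-78C8-11D1-B9A8-00C04FD97575}' = 'Microsoft Agent (MS06-68)'
    '{D45FD31D-5C6E-11D1-9EC1-00C04FD7081F}' = 'Microsoft Agent (MS06-68)'
    '{D45FD31E-5C6E-11D1-9EC1-00C04FD7081F}' = 'Microsoft Agent (MS06-68)'
    '{88D969C5-F192-11D4-A65F-0040963251E5}' = 'XMLHTTP 4.0 (MS06-71)'
    '{88D96A0A-F192-11D4-A65F-0040963251E5}' = 'XMLHTTP 6.0 (MS06-71)'
}

function Get-KillBitStatus {
    param([string]$Clsid)
    $path  = Join-Path $CompatKey $Clsid
    $flags = $null
    if (Test-Path $path) {
        # Absent key or absent value both mean "no kill bit".
        $flags = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).'Compatibility Flags'
    }
    [pscustomobject]@{
        CLSID   = $Clsid
        Control = $Controls[$Clsid]
        Flags   = if ($null -ne $flags) { '0x{0:X8}' -f [int]$flags } else { '(absent)' }
        # Test the bit: 0x401 or 0x400 both count as killed.
        Killed  = ($null -ne $flags) -and (([int]$flags -band $KillBit) -ne 0)
    }
}

function Set-KillBit {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Clsid)
    $path = Join-Path $CompatKey $Clsid
    if ($PSCmdlet.ShouldProcess($path, 'Set Compatibility Flags kill bit')) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        $current = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).'Compatibility Flags'
        # OR the bit in so any other compatibility flags already present survive.
        $new = ([int]$current) -bor $KillBit
        Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

# Report current state for every control on the list.
$Controls.Keys | ForEach-Object { Get-KillBitStatus $_ } | Format-Table -AutoSize

# Dry run of the remediation; drop -WhatIf (from an elevated prompt) to apply.
# $Controls.Keys | ForEach-Object { Set-KillBit $_ -WhatIf }
```

Rows showing Killed = False after the .reg files above were applied point at a machine where the import did not take effect, which is worth checking before relying on the workaround instead of the patch.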
Workaround 2: Deny access to the affected CLSIDs for Microsoft XML Core Services 4.0 ({88D969C5-F192-11D4-A65F-0040963251E5}) and Microsoft XML Core Services 6.0 ({88D96A0A-F192-11D4-A65F-0040963251E5}) in the registry.
To modify access to the affected CLSIDs for Windows 2000, follow these steps:
1. Click Start, click Run, type "regedt32" (without the quotation marks), and then click OK.
2. Expand HKEY_CLASSES_ROOT, and expand CLSID.
3. For Microsoft XML Core Services 4.0 click: {88D969C5-F192-11D4-A65F-0040963251E5}
For Microsoft XML Core Services 6.0 click: {88D96A0A-F192-11D4-A65F-0040963251E5}
4. Click Security, and then click Permissions.
Note Make a note of the permissions that are listed in this dialog box so that you can restore them to their original values at a later time.
5. Click to clear the Allow Inheritable Permissions from the parent to propagate to this object check box. You are prompted to click Copy, Remove, or Cancel. Click Remove, and then click OK.
6. A message will display stating that no one will be able to access this registry key. Click Yes when prompted to do so.
To modify access to the affected CLSIDs for Windows XP Service Pack 2 and later operating systems, follow these steps:
1. Click Start, click Run, type "regedt32" (without the quotation marks), and then click OK.
2. Expand HKEY_CLASSES_ROOT, and expand CLSID.
3. For Microsoft XML Core Services 4.0 click: {88D969C5-F192-11D4-A65F-0040963251E5}
For Microsoft XML Core Services 6.0 click: {88D96A0A-F192-11D4-A65F-0040963251E5}
4. Click Edit, and then click Permissions.
Note Make a note of the permissions that are listed in this dialog box so that you can restore them to their original values at a later time.
5. Click Advanced.
6. Click to clear the Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here check box. You are prompted to click Copy, Remove, or Cancel. Click Remove, and then click OK.
7. A message will display stating that no one will be able to access this registry key. Click Yes when prompted to do so and then click OK to close the Permissions for {88D969C5-F192-11D4-A65F-0040963251E5} or Permissions for {88D96A0A-F192-11D4-A65F-0040963251E5} (depending on which CLSID was chosen) dialog box.
My recommendation: I would strongly suggest that you apply this update, although workarounds exist for this vulnerability.
Bulletin MS06-66: This update resolves several newly discovered, privately reported vulnerabilities.
The Client Service for NetWare is also called the Gateway Service for NetWare on Windows 2000 Server.
On vulnerable versions of Microsoft Windows, an attacker who successfully exploited these vulnerabilities could remotely take complete control of the client workstation. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Microsoft Client Service for NetWare Memory Corruption Vulnerability - CVE-2006-4688: Buffer overflow in Client Service for NetWare (CSNW) in Microsoft Windows 2000 SP4, XP SP2, and Server 2003 up to SP1 allows remote attackers to execute arbitrary code via crafted messages, aka "Client Service for NetWare Memory Corruption Vulnerability."
NetWare Driver Denial of Service Vulnerability - CVE-2006-4689: Unspecified vulnerability in the driver for the Client Service for NetWare (CSNW) in Microsoft Windows 2000 SP4, XP SP2, and Server 2003 up to SP1 allows remote attackers to cause a denial of service (hang and reboot) via unknown attack vectors, aka "NetWare Driver Denial of Service Vulnerability."
My recommendation: If you don't have NetWare in your environment, then you can safely ignore this update. However, if you have NetWare in your environment and use CSNW, I would suggest that you apply this update as soon as you can.
