Microsoft releases 10 patches for October
Microsoft has published 10 updates (MS06-56 to MS06-65) for its products during its monthly update cycle. In an earlier bulletin released on 5 October 2006, Microsoft had initially said that there would be 11 updates in this cycle. Six updates have received the highest severity rating of Critical and primarily affect the Office suite (4 of the 6 are for Office). One update has received a severity rating of Important and affects the Windows OS. Two updates are rated Moderate and affect the ASP.NET and Windows Object Packager products. Finally, one patch has been rated Low and addresses a vulnerability in TCP/IP that could allow denial of service.
The following table lists the vulnerability details along with my recommendation for each.
| Bulletin No | Summary | Rating | Software Affected | Impact | Recommendation |
|---|---|---|---|---|---|
| MS06-57 | This update resolves a vulnerability in Windows that could allow remote code execution | Critical | Windows | RCE | Apply immediately |
| MS06-58 | This update resolves vulnerabilities in PowerPoint that could allow remote code execution | Critical | Office PowerPoint | RCE | Apply ASAP |
| MS06-59 | This update resolves vulnerabilities in Excel that could allow remote code execution | Critical | Office Excel | RCE | Apply ASAP |
| MS06-60 | This update resolves several vulnerabilities in Microsoft Word, the most critical of which could allow remote code execution | Critical | Office Word | RCE | Apply ASAP |
| MS06-61 | This update resolves vulnerabilities in Windows that could allow remote code execution | Critical | Windows | RCE | Apply immediately |
| MS06-62 | This update resolves vulnerabilities in Office that could allow remote code execution | Critical | Office | RCE | Apply ASAP |
| MS06-63 | This update resolves vulnerabilities in Windows that could allow denial of service | Important | Windows | DoS | Apply ASAP |
| MS06-56 | This update resolves a vulnerability in ASP.NET that could allow information disclosure | Moderate | Windows, .NET Framework | ID | Apply as scheduled |
| MS06-65 | This update resolves a vulnerability in Object Packager that could allow remote code execution | Moderate | Windows | RCE | Apply ASAP |
| MS06-64 | This update resolves several vulnerabilities in Windows, the most critical of which could allow denial of service | Low | Windows | DoS | Apply ASAP |
Legend:
- RCE - Remote Code Execution
- DoS - Denial of Service
- ID - Information Disclosure
The updates are listed according to their severity. What do my recommendations mean to you?
- Apply immediately means you should schedule an emergency change and apply the update immediately.
- Apply ASAP means you should schedule a change and downtime as soon as business allows and apply the update.
- Apply as scheduled means that you can apply this update during your regular update cycle, if you have one.
If you notice the pattern of my recommendations, anything that affects Windows and involves RCE or DoS earns an Apply ASAP recommendation from me. Regardless of what Microsoft says, any person with malicious intent will not see the rating, but will just look at the opportunity to cause damage, and according to me any vulnerability that can cause RCE is an opportunity.
Also notice the language used in the summaries. Some of the updates resolve "several" vulnerabilities, as opposed to a single update resolving a single vulnerability. Additional information about the number of vulnerabilities fixed is not available at this time from Microsoft, but I will update as soon as I get any more information.


