Get the details on Microsoft's June security bulletins
John McCormick
Published: 20 Jun 2006 12:45 BST
For most people, the big news this past week was Bill Gates' announcement of his plans to gradually leave Microsoft in order to concentrate more on his charitable foundation. However, the software giant's Patch Tuesday overshadowed this momentous news — at least for those of us in the security world, who spent our time updating Microsoft programs.
For June's Patch Tuesday, Microsoft released 12 security bulletins, patching 21 holes in the process. Before we delve into these bulletins, remember that updates are always possible, so be sure to check the specific bulletins for detailed upgrade and workaround information. Let's take a look, in order of risk level.
Critical threats
MS06-021
Microsoft Security Bulletin MS06-021 is a cumulative update for Internet Explorer. As such, this bulletin covers a vast array of threats to IE 5.0 and IE 6.0, ranging from low to critical risks. These threats include spoofing, remote code execution, and information disclosure.
For almost all of the vulnerabilities, there have been no reports of exploits of these privately disclosed threats. However, active exploits of the CSS Cross-Domain Disclosure Vulnerability (CVE-2005-4089) are currently circulating.
MS06-022
Microsoft Security Bulletin MS06-022, "Vulnerability in ART Image Rendering Could Allow Remote Code Execution", addresses CVE-2006-2378. Install this update after you've installed the MS06-021 patch.
This is a critical threat to Windows 98, Windows SE, Windows ME, Windows XP Service Pack 1, Windows XP SP2, Windows Server 2003, and Windows Server 2003 SP1. It doesn't affect Windows 2000 without the Windows 2000 AOL Image Support Update Installed, but it's also critical with this installed update.
MS06-023
Microsoft Security Bulletin MS06-023, "Vulnerability in Microsoft JScript Could Allow Remote Code Execution", also addresses critical IE threats. This is a newly reported vulnerability, and there are no reports of active exploits. Microsoft recommends installing this patch at the same time as MS06-021.
Designated CVE-2006-1313, the JScript flaw is a critical threat for Windows 98, Windows SE, Windows ME, Windows 2000, Windows XP SP1, and Windows SP2 systems. It is only a moderate threat to Windows Server 2003 and Windows Server 2003 SP1.
MS06-024
Microsoft Security Bulletin MS06-024, "Vulnerability in Windows Media Player Could Allow Remote Code Execution", affects various versions of Windows Media Player, including those installed on Windows XP (including Windows XP Professional x64 Edition) and Windows Server 2003 (including Windows Server 2003 x64 Edition). It also affects Media Player 9 on Windows 98, Windows SE, and Windows ME.
The vulnerability designation is CVE-2006-0025. According to Microsoft, it has received no reports of active exploits.
MS06-025
Microsoft Security Bulletin MS06-025, "Vulnerability in Routing and Remote Access Could Allow Remote Code Execution", addresses two separate vulnerabilities: CVE-2006-2370 and CVE-2006-2371. According to Microsoft, there are no reports of active exploits for either vulnerability, and no proof-of-concept code is circulating.
This is a critical threat only for Windows 2000. It is an important threat for Windows XP SP1, Windows XP SP2, Windows Server 2003, and Window Server 2003 SP1.
Previous
Did you find this article useful?
111 out of 235 people found this useful
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
