Notices

NSC-060411: Microsoft Security Bulletin April 11th

Microsoft is releasing the following security bulletins for newly discovered vulnerabilities:

Critical MS06-013 Microsoft Windows Remote Code Execution

Critical MS06-014 Microsoft Windows Remote Code Execution

Critical MS06-015 Microsoft Windows Remote Code Execution

Important MS06-016 Microsoft Windows Remote Code Execution

Moderate MS06-017 MS Windows, Office Cross-site Scripting

The summary for this month's bulletins can be found at the following page:

_http://www.microsoft.com/technet/security/bulletin/ms06-Apr.mspx_

Re-released Security Bulletins

In addition, Microsoft is re-releasing the following security bulletin (NOTE: This list contains ONLY those products affected by the re-release and the severity of the vulnerability for those products affected by the re-release):

Critical MS06-005 Microsoft Windows Remote Code Execution

Customers are advised to review the information in the bulletins, test and deploy the updates immediately in their environments, if applicable.

Microsoft Windows Malicious Software Removal Tool

Microsoft is releasing an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update and the Download Center. Note that this tool will NOT be distributed using Software Update Services (SUS). Information on the Microsoft Windows Malicious Software Removal Tool can be located here:

_http://go.microsoft.com/fwlink/?LinkId=40573_

High-Priority Non-Security Updates on Microsoft Update (MU), Windows Update (WU), Windows Server Update Services (WSUS) and Software Update Services (SUS)

Microsoft is today also making the following High-Priority NON-SECURITY updates available on WU, MU, SUS and WSUS:

914454 Update for Outlook 2003 Junk E-Mail Filter

TechNet Webcast: Information about Microsoft April 2006 Security Bulletins

Wednesday, 12 April 2006 11:00 AM (GMT-08:00) Pacific Time (US & Canada)

_http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032292804&Culture=en-US_

The on-demand version of the Webcast will be available 24 hours after the live Webcast at:

_http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032292804&Culture=en-US_

**********************************************************************

TECHNICAL DETAILS

MS06-013

Title: Cumulative Security Update for Internet Explorer (912812)

Affected Software:

Microsoft Windows 2000 Service Pack 4

Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2

Microsoft Windows XP Professional x64 Edition

Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1

Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with Service Pack 1 for Itanium-based Systems

Microsoft Windows Server 2003 x64 Edition family

Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) - Review the FAQ section of this bulletin for details about these operating systems.

Note: The security updates for Microsoft Windows Server 2003, Microsoft Windows Server 2003 Service Pack 1, and Microsoft Windows Server 2003 x64 Edition also apply to Microsoft Windows Server 2003 R2.

Affected Components:

Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4

Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4 or on Microsoft Windows XP Service Pack 1

Internet Explorer 6 for Microsoft Windows XP Service Pack 2

Internet Explorer 6 for Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1

Internet Explorer 6 for Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems

Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition

Internet Explorer 6 for Microsoft Windows XP Professional x64 Edition

Internet Explorer 6 Service Pack 1 on Microsoft Windows 98, on Microsoft Windows 98 SE, or on Microsoft Windows Millennium Edition - Review the FAQ section of this bulletin for details about this version.

Note: The software in this list has been tested to determine whether the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site.

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Restart requirement: You must restart your system after you apply this security update.

Update can be uninstalled: Yes. To remove this update, use the Add or Remove Programs tool in Control Panel.

Caveats: Microsoft Knowledge Base Article 912812 documents the currently known issues that customers may experience when they install this security update. The article also documents recommended solutions for these issues. For more information, see Microsoft Knowledge Base Article 912812.

This security update also replaces the cumulative update for Internet Explorer that was released for Windows XP Service Pack 2, Windows Server 2003 Service Pack 1, Windows XP Professional x64 Edition, Windows Server 2003 x64 Edition family, and Windows Server 2003 with Service Pack 1 for Itanium-based Systems on February 28, 2006. This update was discussed in Microsoft Security Advisory (912945): Non-Security Update for Internet Explorer. For more information about this update, see Microsoft Knowledge Base Article 912945.

Compatibility Patch: To help enterprise customers who need more time to prepare for the ActiveX update discussed in Microsoft Knowledge Base Article 912945, Microsoft is releasing an optional Compatibility Patch.

As soon as it is deployed, the optional Compatibility Patch will temporarily return Internet Explorer to the previous functionality for handling ActiveX controls. This optional Compatibility Patch will function until an Internet Explorer update is released as part of the June update cycle, at which time the changes to the way Internet Explorer handles ActiveX controls will be permanent. This optional Compatibility Patch may require an additional restart for systems it is deployed on. For more information, see Microsoft Knowledge Base Article 917425.

More information:

Microsoft Security Bulletin MS06-013 Cumulative Security Update for Internet Explorer

_http://www.microsoft.com/technet/security/bulletin/MS06-013.mspx_

Microsoft Knowledge Base Article 912945 - Internet Explorer ActiveX update

_http://support.microsoft.com/kb/912945_

Microsoft Security Advisory (912945)- Non-Security Update for Internet Explorer

_http://www.microsoft.com/technet/security/advisory/912945.mspx_

Microsoft Knowledge Base Article 917425 - Internet Explorer ActiveX Compatibility Patch

_http://support.microsoft.com/kb/917425_

*******************************************************************

MS06-014

Title: Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution (911562)

Affected Software:

Microsoft Windows XP Service Pack 1 running Microsoft Data Access Components 2.7 Service Pack 1

Microsoft Windows XP Service Pack 2 running Microsoft Data Access Components 2.8 Service Pack 1

Microsoft Windows XP Professional x64 Edition running Microsoft Data Access Components 2.8 Service Pack 2

Microsoft Windows Server 2003 running Microsoft Data Access Components 2.8

Microsoft Windows Server 2003 Service Pack 1 running Microsoft Data Access Components 2.8 Service Pack 2

Microsoft Windows Server 2003 for Itanium-based Systems running Microsoft Data Access Components 2.8

Microsoft Windows Server 2003 with SP1 for Itanium-based Systems running Microsoft Data Access Components 2.8 Service Pack 2

Microsoft Windows Server 2003 x64 Edition running Microsoft Data Access Components 2.8 Service Pack 2

Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) - Review the FAQ section of this bulletin for details about these operating systems.

Affected Components:

Windows 2000 Service Pack 4 with Microsoft Data Access Components 2.5 Service Pack 3 installed

Windows 2000 Service Pack 4 with Microsoft Data Access Components 2.7 Service Pack 1 installed

Windows 2000 Service Pack 4 with Microsoft Data Access Components 2.8 installed

Windows 2000 Service Pack 4 with Microsoft Data Access Components 2.8 Service Pack 1 installed

Windows XP Service Pack 1 with Microsoft Data Access Components 2.8 installed

Note: The "Affected Software" section applies to MDAC that shipped with a Microsoft Windows operating system. The "Affected Components" section applies to MDAC that was downloaded and installed onto a Microsoft Windows operating system.

Note: Microsoft strongly recommends that all customers who currently use a version of Windows that does not have Microsoft Data Access Components 2.7 Service Pack 1 or higher upgrade immediately to Microsoft Data Access Components 2.8 Service Pack 1 or another supported version. The only exception to this notice is customers who currently use Windows 2000 Service Pack 4 running Microsoft Data Access Components 2.5 Service Pack 3. See Knowledge Base Article 915387 for more information.

Note: The security updates for Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 also apply to Microsoft Windows Server 2003 R2.

Note: The software in this list has been tested to determine whether the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site.

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Restart requirement: This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.

For more information about the reasons why you may be prompted to restart your computer, see Microsoft Knowledge Base Article 887012.

Update can be uninstalled: Yes. To remove this update, use the Add or Remove Programs tool in Control Panel.

More information on this vulnerability and the update is available at:

_http://www.microsoft.com/technet/security/bulletin/MS06-014.mspx_

*******************************************************************

MS06-015

Title: Vulnerability in Windows Explorer Could Allow Remote Code Execution (908531)

Affected Software:

Microsoft Windows 2000 Service Pack 4

Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2

Microsoft Windows XP Professional x64 Edition

Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1

Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems

Microsoft Windows Server 2003 x64 Edition

Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) - Review the FAQ section of this bulletin for details about these operating systems.

Note: The software in this list has been tested to determine whether the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site.

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Restart required: You must restart your system after you apply this security update.

Update can be uninstalled: Yes. To remove this update, use the Add or Remove Programs tool in Control Panel.

More information on this vulnerability and the update is available at:

_http://www.microsoft.com/technet/security/bulletin/MS06-015.mspx_

*******************************************************************

MS06-016

Title: Cumulative Security Update for Outlook Express (911567)

Affected Software:

Microsoft Windows 2000 Service Pack 4

Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2

Microsoft Windows XP Professional x64 Edition

Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1

Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems

Microsoft Windows Server 2003 x64 Edition

Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (Windows Me) - Review the FAQ section of this bulletin for details about these operating systems.

Affected Components:

Outlook Express 6 on Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1

Outlook Express 6 on Microsoft Windows Server 2003 x64 Edition

Outlook Express 6 on Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems

Outlook Express 6 on Microsoft Windows XP Service Pack 2

Outlook Express 6 on Microsoft Windows XP Professional x64 Edition

Outlook Express 6 Service Pack 1 on Microsoft Windows XP Service Pack 1 or when installed on Microsoft Windows 2000 Service Pack 4

Outlook Express 5.5 Service Pack 2 on Microsoft Windows 2000 Service Pack 4

Note: The security updates for Microsoft Windows Server 2003, Microsoft Windows Server 2003 Service Pack 1, and Microsoft Windows Server 2003 x64 Edition also apply to Microsoft Windows Server 2003 R2.

Note: The software in this list has been tested to determine whether the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site.

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Important

Restart requirement: This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.

For more information about the reasons why you may be prompted to restart your computer, see Microsoft Knowledge Base Article 887012.

Update can be uninstalled: Yes. To remove this update, use the Add or Remove Programs tool in Control Panel.

More information on this vulnerability and the update is available at:

_http://www.microsoft.com/technet/security/bulletin/MS06-016.mspx_

*******************************************************************

MS06-017

Title: Vulnerability in Microsoft FrontPage Server Extensions Could Allow Cross-Site Scripting (917627)

Affected Software:

Microsoft FrontPage Server Extensions 2002 shipped on Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1

Microsoft FrontPage Server Extensions 2002 shipped on Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems

Microsoft FrontPage Server Extensions 2002 (x64 Edition) downloaded and installed on Microsoft Windows Server 2003 x64 Edition and Microsoft Windows XP Professional x64 Edition

Microsoft FrontPage Server Extensions 2002 (x86 Editions) downloaded and installed on Microsoft Windows Server 2000 Service Pack 4, Microsoft Windows XP Service Pack 1, and Microsoft Windows XP Service Pack 2

Microsoft SharePoint Team Services

Non-Affected Software:

Microsoft Windows SharePoint Services

Microsoft FrontPage 2002

Microsoft FrontPage Server Extensions 2000

Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)

Note: To determine what version of FrontPage Server Extensions is installed on your system, please see "How can I determine if I am running of FrontPage Server Extensions 2002 or SharePoint Team Services" in the FAQ section of this bulletin.

Note: Review the FAQ section of this bulletin for information about why you may be prompted to install the SharePoint Team Services security update if you have Microsoft FrontPage 2002 installed.

Note: The security updates for Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 also apply to Microsoft Windows Server 2003 R2.

Note: The software in this list has been tested to determine whether the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site.

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Moderate

Restart required: In some cases, this update does not require a restart. The installer stops affected services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if files being updated are in use by some other service or application, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.

To help reduce the chance that a reboot will be required, close all applications prior to installing the security update.

For more information about the reasons why you may be prompted to restart your computer, see Microsoft Knowledge Base Article 887012.

Note: If you are prompted for a reboot, you will not be secure until you restart your machine.

Update can be uninstalled: This depends on which version of the security update you are installing. Please see the Security Bulletin for more details.

More information on this vulnerability and the update is available at:

_http://www.microsoft.com/technet/security/bulletin/MS06-017.mspx_

*******************************************************************

MS06-005

Title: Vulnerability in Windows Media Player Could Allow Remote Code Execution (911565)

Affected Software:

Windows Media Player for XP on Microsoft Windows XP Service Pack 1

Windows Media Player 9 on Microsoft Windows XP Service Pack 2

Windows Media Player 9 on Microsoft Windows Server 2003

Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) - Review the FAQ section of this bulletin for details about these operating systems.

Affected Components:

Microsoft Windows Media Player 7.1 when installed on Windows 2000 Service Pack 4

Microsoft Windows Media Player 9 when installed on Windows 2000 Service Pack 4 or Windows XP Service Pack 1

Microsoft Windows Media Player 10 when installed on Windows XP Service Pack 1 or Windows XP Service Pack 2

Note: The re-release of this security update on April 11th 2006 affects Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 specifically.

Note: The "Affected Software" section applies to Windows Media Player that shipped with a Microsoft Windows operating system. The "Affected Components" section applies to Windows Media Player that was downloaded and installed onto a Microsoft Windows operating system.

Note: The security updates for Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 also apply to Microsoft Windows Server 2003 R2 severity.

Note: The software in this list has been tested to determine whether the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site.

Reason for Re-release:

Microsoft updated this bulletin on April 11th to advise customers that revised versions of the security update are available for Microsoft Windows Media Player 10 when installed on Windows XP Service Pack 1 or Windows XP Service Pack 2, listed in the "Affected Components" section.

For more information, see the following two questions in the FAQ section of the Bulletin:

"What are the known issues that customers may experience when they install this security update?"

"Why did Microsoft reissue this bulletin on April 11, 2006?"

More information on this re-released bulletin is available at:

_http://www.microsoft.com/technet/security/bulletin/MS06-005.mspx_

**********************************************************************

If you have any questions regarding this alert please contact your Technical Account Manager or Application Development Consultant.

Thank you,

Microsoft PSS Security Team

Copyright © 2005 The University of Iowa. All rights reserved.