For August's Patch Tuesday, Microsoft released a dozen security bulletins, rating nine as critical threats. (The remaining three are important threats.) With that many updates in a single month, how do you know which ones to concentrate on first?
Details
Redmond has released so many critical security bulletins this month that space constraints prevent me from addressing them in all one article. For that reason, I'm addressing the ones I find most critical, and will discuss the rest of August's security bulletins in a separate feature.
By the way, Microsoft doesn't number bulletins based on either theoretical or real-world criticality, so the security bulletin numbers are merely placeholders — not a ranking of importance. I'm not debating that these updates are all critical; I'm simply addressing them in what I consider the correct order of significance according to the current threat each poses.
Before we begin, let me give you an idea of the method behind my madness. I first looked at whether anyone is already exploiting the underlying vulnerability. In my opinion, this is the more important factor when it comes to determining the threat level, particularly because these vulnerabilities all contain some remote code execution threats.
Of course, attackers could start exploiting any of the others tomorrow. However, it's unlikely that attacks would take place immediately. In addition, you probably won't want to fix everything at once — at least not before looking over the implications of the patches. In my opinion, the following four security bulletins present the most threat.
MS06-040
Microsoft Security Bulletin MS06-040, "Vulnerability in Server Service Could Allow Remote Code Execution", addresses a buffer-overrun vulnerability (CVE-2006-3439). This is a critical threat for all affected versions, which includes Windows 2000 SP4, all versions of Windows XP, and all versions of Windows Server 2003.
Strangely enough, while the bulletin states that there has been no public disclosure of this vulnerability, it also states that the company has received reports of active exploits. The bulletin emphasises that this is not a replacement for Microsoft Security Bulletin MS06-035, which addressed a similar — but different — problem. Make sure you install both updates.
MS06-042
Microsoft Security Bulletin MS06-042, "Cumulative Security Update for Internet Explorer", is a very important update simply because it affects almost everyone. This bulletin addresses a range of vulnerabilities — some privately reported, some known problems:
- Redirect Cross-Domain Information Disclosure Vulnerability (CVE-2006-3280) — information disclosure
- HTML Layout and Positioning Memory Corruption Vulnerability (CVE-2006-3450) — remote code execution
- CSS Memory Corruption Vulnerability (CVE-2006-3451) — remote code execution
- HTML Rendering Memory Corruption Vulnerability (CVE-2006-3637) — remote code execution
- COM Object Instantiation Memory Corruption Vulnerability — (CVE-2006-3638) remote code execution
- Source Element Cross-Domain Vulnerability (CVE-2006-3639) — remote code execution and information disclosure
- Window Location Information Disclosure Vulnerability (CVE-2006-3640) — information disclosure
- FTP Server Command Injection Vulnerability (CVE-2004-1166) — elevation of privilege
So far, only one of these threats reportedly has exploit code circulating, and there are no reports of any active exploits at this time.
This security bulletin affects IE 5.01 Service Pack 4 on Windows 2000 SP4 and all versions of IE 6 on Windows 2000, Windows XP, and Windows Server 2003. Although the cumulative impact of all of these vulnerabilities…
