Microsoft Black Tuesday Patches for Nov 2006

I've decided to begin a new "feature": when MS releases its monthly patches, I will point to the articles we have discussing the issues. While I plan on posting notes for all of 2006 (since, after all, this was the year with the WMF vulnerability at the beginning of it), in the future I will post them the day of, instead of waiting. In my defense, that was the week that we were getting the site up and running. ;) All of my subsequent ones which deal with past months will not be posted to the front page, so use the BlackTuesday tag or check the blog.

Microsoft's official overview can be found here.
ISC's gridtastic overview can be found here.

I am going to highlight only the patches that directly relate to the kind of client-side vulnerabilities we are concerned with.

MS06-067 addresses the two recent DirectAnimation ActiveX issues. These issues are rated critical for all platforms except IE6 on Windows Server 2003 with and without SP1, where they are rated moderate. It also addresses CVE-2006-4687, which is called an "HTML Rendering Memory Corruption Vulnerability" in the MS advisory. This was a previously unknown problem which was disclosed to MS by TippingPoint as part of their Zero Day Initiative, which is just a program to pay for exploits. This vulnerability is rated critical.

MS06-069 is the deployment of an updated Adobe Flash Player, which addresses many of the CVEs I discussed in an article about Flash and Shockwave vulnerabilities. Therefore, this one isn't MS-specific, except for the one which deals with Excel, which I didn't talk about since it wasn't exploiting a browser ;). This vulnerability is rated critical.

MS06-071 deals with the flaw in MSXML which was being exploited via a 0day in the XMLHTTP ActiveX control. This vulnerability is rated critical.