Microsoft Black Tuesday Patches for Oct 2006

Microsoft's official overview can be found here.
ISC's gridtastic overview can be found here.

This patch cycle was pretty bad for components of MS Office, but not as bad for the components we're concerned with. That said, there were a couple of 0days found after it was released, as has become the trend.

MS06-057 deals with the Windows Shell Vulnerability which had a browser-based ActiveX exploit going around. This vulnerability is rated critical.

MS06-061 on the other hand deals with two privately reported vulnerabilities in MSXML. CVE-2006-4685 is related to a problem in the XMLHTTP ActiveX control which doesn't handle server-side redirects correctly and allows attackers to exploit a victim's credentials. This actually looks like it is a Cross-site Request Forgery attack, though they don't say so specifically. This vulnerability is rated from low to important. CVE-2006-4686 is a buffer overflow in the actual XML parser which can lead to direct code execution if a malicious XML file is parsed. This vulnerability is rated as critical.

MS06-065: This one is a little difficult to gauge whether it applies to us or not, so I will include it to be on the safe side. This vulnerability is rated as low to moderate because of the high amount of user interaction it requires. It basically appears that at its root it is a spoofing vulnerability. It is possible to trick users into executing a file of one type which in fact includes another type. While this requires a user to also explicitly execute the program, this is outside of what the current HoneyClient can deal with. However, because so many trojans are installed on PCs by simply bundling them with other programs, one of the components which we are going to be potentially looking at in the future is one level of fake user interaction in the form of opening what should be non-executable documents. Were we to integrate this capability, it would thus give us the ability to detect many other vectors such as the recent spate of Word/Excel/PowerPoint vulnerabilities. Since I haven't written about this previously, here is the direct link to CVE-2006-4692 for this vulnerability.