
Microsoft Security Bulletin Update

January 2006

Medical Automation Systems reviews all Microsoft security patches when they are released.  MAS has evaluated and completed reviews for the security patches listed below for January 2006.  Microsoft rates some of these as 'critical' but the vulnerabilities may in fact pose no risk to the RALS system if customers adhere to the intended use of RALS.

Microsoft's severity rating is shown with each bulletin heading below. The potential impact to RALS customers, and the resulting MAS recommendation, is given under each bulletin.

MS06-001 - Critical

Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919)

  • This update resolves a newly-discovered, public vulnerability in the way the Graphics Rendering Engine handles Windows Metafile (WMF) images.

    • Note:  This vulnerability is currently being exploited and was previously discussed by Microsoft in Microsoft Security Advisory 912840.

  • This affects Windows 2000 systems [and other Windows operating systems].

  • An attacker could exploit this vulnerability by hosting a malicious web page and enticing the user to visit it, or by delivering the malicious content by other means such as email.  This issue can NOT be exploited without user interaction when RALS is being used as intended.  The impact of a successful exploit could be remote code execution.  If the logged-in user has administrative rights, the attacker could take complete control of the system.

  • Typical RALS systems do have IE installed and require it for the web-based components of RALS. This vulnerability cannot be exploited without user interaction. The user cannot be forced to visit a malicious web page, and the intended use of RALS systems does not include non-RALS "web-surfing" activities.

  • Note:  No patch is being provided for Windows NT-based systems, as these systems are beyond the extended security support lifecycle from Microsoft.

  • Recommend this update be tested against supported versions of RALS products and, if testing is successful, be approved, released, and applied as a critical RALS security update.  The update appears to change 2 files on Windows 2000 systems.  The expected risk of adverse effects on RALS operations is low.


MS06-002 - Critical

Vulnerability in Embedded Web Fonts Could Allow Remote Code Execution (908519)

  • This update resolves a newly-discovered, privately-reported vulnerability in Windows because of the way that it handles malformed embedded Web fonts.

  • This affects Windows 2000 systems [and other Windows operating systems].

  • An attacker could exploit this vulnerability by hosting a malicious web page and enticing the user to visit it, or by delivering the malicious content by other means such as email.  This issue can NOT be exploited without user interaction.  The impact of a successful exploit could be remote code execution.  If the logged-in user has administrative rights, the attacker could take complete control of the system.

  • Typical RALS systems do have IE installed and require it for the web-based components of RALS. This vulnerability cannot be exploited without user interaction. The user cannot be forced to visit a malicious web page, and the intended use of RALS systems does not include non-RALS "web-surfing" activities.

    • Note:  Since Microsoft has ended support for Windows NT-based systems, the potential for this vulnerability to affect Windows NT-based systems was not addressed, and no patch was provided by Microsoft for NT systems.

  • Recommend this update be included with the next regular RALS product test and release cycle.  The expected risk for adverse effects on RALS operations from this update is low. The update appears to change 2 files on Windows 2000 systems.


MS06-003 - Critical

Vulnerability in TNEF Decoding in Microsoft Outlook and Microsoft Exchange Could Allow Remote Code Execution (902412)

  • This affects only Microsoft Office 2000 Service Pack 3, Microsoft Office XP Service Pack 3, Microsoft Office 2003 Service Packs 1 and 2, and Microsoft Exchange Server.  These products are not provided with any RALS product configuration.

  • Recommendation: no action is needed for this update, since the affected software is not provided with any RALS installation.



MS Patches NOT Critical to RALS Functionality

If MAS determines that the vulnerability as described in a Microsoft bulletin should not adversely affect RALS functionality when the system is used as intended, the security patch will be tested and included in the next routine product version release.  Should the user apply the patches before then, MAS cannot guarantee or warrant their operation or impact on the RALS system.  In this situation there will be no routine customer notification.

MS Patches Critical to RALS Functionality

If it is determined that the security vulnerability as described in a Microsoft bulletin is critical to RALS functionality, MAS will notify customers via a broadcast email from SecurityUpdates@rals.com and by notice on the MAS website http://www.rals.com.


No problems with RALS systems have been found by our internal testing or reported by customers following the application of these security updates.  The application of these updates to the standard RALS system configuration has been approved.




© 2006 Medical Automation Systems, Inc., Charlottesville, VA USA. All rights reserved.