Microsoft Security Bulletin
Update
August 2006
The monthly Microsoft security updates for August 2006
were released on Tuesday August 8th. 12 security
updates were released, addressing 23 separate issues in
supported Windows operating systems and related
components.
The August bulletin includes MS06-040
through MS06-044; MS06-046 through MS06-048; and
MS06-051 which Microsoft rates at a critical level,
and MS06-045, MS06-049, and MS06-050 which are rated at
an important level.
The potential impact to RALS customers is color coded as follows:
Red: immediate threat/urgent action needed
Green: routine process or no action needed
Black: action needed/recommended
NOTE: Since Microsoft has ended support for Windows NT based
systems, the potential for the following vulnerabilities
to affect Windows NT based systems was not addressed or
reviewed, nor was any patch provided by Microsoft for NT
systems.
MS06-040 Critical
Vulnerability
in Server Service Could Allow Remote Code Execution
(921883)
This update
addresses a remote code execution vulnerability in
Server Service that could allow an attacker who
successfully exploited this vulnerability to take
complete control of the affected system.
This affects
Windows 2000 SP4, Windows 2003 SP1 and Windows XP SP2
systems.
An
attacker could try to exploit the vulnerability by
creating and sending a specially crafted message to the
affected system.
Exploiting this vulnerability could lead to code
execution. An anonymous user could potentially exploit
this issue remotely, with no user interaction needed.
As Windows-based systems, all RALS systems are
potentially at risk, as are related systems such as the
iStat DE system. While most RALS systems are protected
from direct Internet access by customer firewalls, the
systems would not be protected from remote attacks from
inside the customer network. Network attacks may be
based on access to TCP ports 139 and/or 445.
Recommend this
update be tested against supported versions of RALS
products and if successful, be approved, released, and
applied as a critical RALS security update. The update
appears to change one file on Windows 2000 systems, four
files on Windows 2003 systems, and three files on
Windows XP systems. The expected risk for adverse
effects on RALS operations should be low.
MS06-041 Critical
Vulnerabilities in DNS
Resolution Could Allow Remote Code Execution (920683)
This update
resolves several newly discovered, privately reported
vulnerabilities in Windows Sockets and the way Windows
handles DNS resolution.
This affects
Windows 2000 SP4, Windows 2003 SP1 and Windows XP SP2
systems.
The Winsock hostname vulnerability could be exploited by
an attacker who persuaded a user to open a specially
crafted file or view a specially crafted website. There
is no way for an attacker to force a user to open a
specially crafted file. An attacker who successfully
exploited this vulnerability could take complete control
of an affected system.
The DNS client vulnerability could be exploited by an
anonymous user; however, an attacker would have to
be on a subnet between the host and the DNS server.
This vulnerability cannot be exploited over the
Internet.
Recommend this update be included with the next regular
RALS product test and release cycle. The expected risk
for adverse effects on RALS operations from this update
is low. The update appears to change ten files on
Windows 2003 systems, six on Windows XP systems, and
three on Windows 2000 systems.
MS06-042 Critical
Cumulative Security Update for Internet Explorer
(918899)
This update
resolves a newly-discovered public vulnerability and
other privately-reported variations of the same
vulnerability in Internet Explorer.
This affects
Windows 2000 SP4, Windows 2003 SP1 and Windows XP SP2
systems running IE 6.
As a cumulative update to IE, this update replaces previous IE
cumulative updates, including MS06-021.
An attacker
could exploit the vulnerabilities by hosting a malicious
web page and enticing the user to visit this site or
delivering the malicious HTML content by other means
such as email. These issues can NOT be exploited
without user interaction. The impact of successful
exploit could be remote code execution. If the logged
in user had administrative rights, the code execution
could take complete control over the system.
Typical RALS
systems do have IE installed and require its use for the
web based system components of RALS. This vulnerability
cannot be exploited without user interaction. The user
cannot be forced to visit the malicious web page and the
intended use for the RALS systems does not support users
using the RALS systems for non-RALS related
"web-surfing" activities.
Recommend
this update be included with the next regular RALS
product test and release cycle. The expected risk for
adverse effects on RALS operations from this update is
low.
MS06-043 Critical
Vulnerability in Microsoft Windows Could Allow Remote
Code Execution (920214)
This update
addresses a newly discovered, privately reported
vulnerability in the MHTML protocol used in Outlook
Express 6.
This affects
Outlook Express 6 on Windows 2003 SP1 and Windows XP
SP2.
In a
Web-based attack scenario, an attacker could host a Web
site that contains a Web page that is used to exploit
this vulnerability. In addition, compromised Web sites
and Web sites that accept or host user-provided content
or advertisements could contain specially crafted
content that could exploit this vulnerability. In all
cases, however, an attacker would have no way to force
users to visit these Web sites or open an HTML e-mail
message.
Typical RALS
systems do have IE installed and require its use for the
web-based system components of RALS. This vulnerability
cannot be exploited without user interaction. The user
cannot be forced to visit the malicious web page, and the
intended use for the RALS systems does not support users
using the RALS systems for non-RALS related
"web-surfing" activities.
Recommend
that this update be included with the next regular
RALS product test and release cycle. This update
appears to change two files on Windows 2003 and
Windows XP systems. The expected risk for adverse
effects on RALS operations from this update is low.
MS06-044 Critical
Vulnerability in Microsoft Management Console Could
Allow Remote Code Execution (917008)
This update
resolves a newly discovered, privately reported
vulnerability in Microsoft Management Console.
This affects
Windows 2000 SP4 systems only.
An attacker
would have to host a Web site that contains a Web page
that is used to exploit this vulnerability. An attacker
would have no way to force users to visit a specially
crafted Web site. Instead, an attacker would have to
persuade them to visit the Web site, typically by
getting them to click a link that takes them to the
attacker's Web site.
Typical RALS
systems do have IE installed and require its use for the
web based system components of RALS. This vulnerability
cannot be exploited without user interaction. The user
cannot be forced to visit the malicious web page and the
intended use for the RALS systems does not support users
using the RALS systems for non-RALS related
"web-surfing" activities.
Recommend
this update be included with the next regular RALS
product test and release cycle. The expected risk for
adverse effects on RALS operations from this update is
low.
MS06-045 Important
Vulnerability in Windows Explorer Could Allow Remote
Code Execution (921398)
This update
resolves a newly-discovered, publicly-reported
vulnerability in Windows Explorer.
This affects
Windows 2000 SP4, Windows 2003 SP1 and Windows XP SP2
systems.
This update
replaces the update that is included with Microsoft
Security Bulletin MS05-016.
An attacker
could exploit the vulnerability by constructing a
malicious Web page that could potentially allow an
attacker to save a file on the user's system if the user
visited a malicious Web site or viewed a malicious
e-mail message. User interaction is required to exploit
this vulnerability; an attacker would have no way to
force users to visit a specially crafted Web site.
Typical RALS
systems do have IE installed and require its use for the
web based system components of RALS. This vulnerability
cannot be exploited without user interaction. The user
cannot be forced to visit the malicious web page and the
intended use for the RALS systems does not support users
using the RALS systems for non-RALS related
"web-surfing" activities.
Recommend this update be included with the next regular
RALS product test and release cycle. The expected risk
for adverse effects on RALS operations from this update
is low.
The update appears to
change five files on Windows 2003 systems, nine on
Windows XP systems, and one on Windows 2000 systems.
MS06-046 Critical
Vulnerability in HTML Help Could Allow Remote Code
Execution (922616)
This update resolves a newly discovered, publicly
reported vulnerability in HTML Help.
This affects
Windows 2000 SP4, Windows 2003 SP1 and Windows XP SP2
systems.
This update
replaces the update that is included with Microsoft
Security Bulletin MS05-001.
An attacker
could exploit the vulnerability by constructing a
malicious Web page that could potentially allow an
attacker to save a file on the user's system if the user
visited a malicious Web site or viewed a malicious
e-mail message. User interaction is required to exploit
this vulnerability; an attacker would have no way to
force users to visit a specially crafted Web site.
Typical RALS
systems do have IE installed and require its use for the
web-based system components of RALS. This vulnerability
cannot be exploited without user interaction. The user
cannot be forced to visit the malicious web page, and the
intended use for the RALS systems does not support users
using the RALS systems for non-RALS related
"web-surfing" activities.
Recommend this update be included with the next regular
RALS product test and release cycle. The expected risk
for adverse effects on RALS operations from this update
is low.
The update appears to
change four files on Windows 2003 systems, three on
Windows XP systems, and one on Windows 2000 systems.
MS06-047 Critical
Vulnerability in Microsoft Visual Basic for Applications
Could Allow Remote Code Execution (921645)
This affects
only Microsoft Visual Basic for Applications, Microsoft
Office 2000, Microsoft Project 2000, Microsoft Access
2000, Microsoft Office XP, Microsoft Project 2002,
Microsoft Visio 2002 and Microsoft Works Suites. These
products are not provided with any RALS product
configuration.
Recommendation is no action needed for this update since
the affected software is not provided with any RALS
installations.
MS06-048 Critical
Vulnerabilities in Microsoft Office Could Allow Remote
Code Execution (922968)
This affects
only Microsoft Office 2000, 2003, 2004 and Office XP.
These products are not provided with any RALS product
configuration.
Recommendation is no action needed for this update since
the affected software is not provided with any RALS
installations.
MS06-049 Important
Vulnerability in Windows Kernel Could Result in
Elevation of Privilege (920958)
This update
resolves a newly discovered, privately reported
vulnerability in the Microsoft Windows Kernel.
This affects Windows 2000 SP4 systems only.
This update replaces the update that is included with
Microsoft Security Bulletin MS05-055.
An attacker must have valid logon credentials and be
able to log on locally to exploit this vulnerability.
The vulnerability could not be exploited remotely or by
anonymous users.
Recommend this update be included with the next regular
RALS product test and release cycle. The expected risk
for adverse effects on RALS operations from this update
is low.
The update appears to
change five files on Windows 2000 systems.
MS06-050 Important
Vulnerabilities in Microsoft Windows Hyperlink Object
Library Could Allow Remote Code Execution (920670)
This update resolves two newly discovered
vulnerabilities in the Windows Hyperlink Object Library.
This affects Windows 2000 SP4, Windows 2003 SP1 and
Windows XP SP2 systems.
This update replaces the update that is included with
Microsoft Security Bulletin MS05-015.
For an attack to be successful, an attacker must persuade
a user to click a link in an e-mail message or open an
Office file and click a link within that file. The
vulnerability could not be exploited automatically
through e-mail. User interaction is required to exploit
this vulnerability.
Recommend this update be included with the next regular
RALS product test and release cycle. The expected risk
for adverse effects on RALS operations from this update
is low. The update appears to change four files on
Windows 2003 systems, three on Windows XP systems, and
one on Windows 2000 systems.
MS06-051 Critical
Vulnerability in Windows Kernel Could Result in Remote
Code Execution (917422)
This update resolves two newly discovered, privately
reported vulnerabilities in Windows Kernel.
This affects Windows 2000 SP4, Windows 2003 SP1 and
Windows XP SP2 systems.
For an attacker to exploit the User Profile Elevation
vulnerability they must have valid logon credentials and
be able to log on locally. The vulnerability could not
be exploited remotely or by anonymous users.
For the Unhandled Exception vulnerability, an attacker
would have to host a Web site that contains a Web page
that is used to exploit this vulnerability. An attacker
would have no way to force users to visit a specially
crafted Web site. Typical RALS systems do have IE
installed and require its use for the web based system
components of RALS. This vulnerability cannot be
exploited without user interaction. The user cannot be
forced to visit the malicious web page and the intended
use for the RALS systems does not support users using
the RALS systems for non-RALS related "web-surfing"
activities.
Recommend this update be included with the next regular
RALS product test and release cycle. The expected risk
for adverse effects on RALS operations from this update
is low. The update appears to change six files on
Windows 2003 systems, three on Windows XP systems, and
three on Windows 2000 systems.
MS Patches Critical to RALS Functionality
If it is determined that the security vulnerability as
described in a Microsoft bulletin is critical to the RALS
functionality, MAS will notify customers via a broadcast
email from
SecurityUpdates@rals.com and by notice on the
MAS website
http://www.rals.com.
Medical Automation Systems reviews all Microsoft
security patches when they are released. No problems
with the RALS systems have been found by our internal
testing or reported by customers following the
application of these security updates.
The application of these updates to the standard RALS
system configuration has been approved. Microsoft rates
some of these as 'critical' but the vulnerabilities may
in fact pose no risk to the RALS system if customers
adhere to the intended use of RALS.
MS Patches NOT Critical to RALS Functionality
If
MAS determines that the vulnerability as described in a
Microsoft bulletin should not adversely affect the
RALS functionality when the system is used as intended,
the security patch will be tested and included in the next
routine product version release. Should the user apply
the patches, MAS cannot guarantee or warrant its operation
or impact on the RALS system. In this situation there
will be no routine customer notification.
© 2005 Medical Automation Systems,
Inc., Charlottesville, VA USA. All rights reserved.