Attention Sea-Tug Members,

There will be no meeting this month.

Sea-Tug is in the process of relocating to a more permanent location. We are hoping to have this location in May but it may take a bit longer. We want to thank the Red Hook Brewery for previously hosting our meetings and supporting Sea-Tug.

Once again – there is no meeting scheduled for April – look for an update in May for the next meeting.

Yesterday afternoon Microsoft released 5 security bulletins. The first 4 of these bulletins are primarily workstation risks. I recommend deploying MS06-013 and MS06-015 as soon as possible.

MS06-013 is especially urgent since the details of this exploit are public and attackers are already using it. You may consider the published workaround for MS06-014 and a workaround I developed for MS06-016 rather than deploying the updates for these 2 bulletins.

The final bulletin, MS06-017, impacts IIS servers running FrontPage Server Extensions or Sharepoint Team Services.

Although Microsoft rates the severity of this bulletin as only moderate, I recommend loading this update on all affected servers as soon as possible.

MS06-013 – Cumulative Security Update for Internet Explorer (912812)

This update contains fixes for a slew of newly discovered critical IE vulnerabilities affecting all supported versions of Windows. These vulnerabilities include eight remote code exploits, some of which are public and already being exploited. Most organizations will want to deploy this update to all workstations as soon as possible. Be aware that this update includes the change to ActiveX handling in IE released last month (MSKB 917425). If you need more time to prepare for the ActiveX change you can install the "compatibility patch" which delays activation of the ActiveX change until next month. Be sure to read MSKB 917425 before deciding what to do about this update and test this update in a limited rollout.

MS06-014 – Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution (911562)

This update fixes a critical remote code vulnerability in Remote Data Services that can be exploited by malicious HTML content in a web page or e-mail, and most organizations will want to deploy this update to all workstations and end-user accessible Terminal Services servers as soon as possible or use the workaround provided in the bulletin which disables use of the RDS.Dataspace ActiveX control by Internet Explorer. This workaround will disable web based applications that directly access ODBC databases from the client web browser. Most web based applications perform all database access from the server in ASP but some intranet applications such as data access pages created through Access use client side scripts to access databases. If you choose to use the workaround you should test it against all web based applications that are important to your users.

MS06-015 – Vulnerability in Windows Explorer Could Allow Remote Code Execution (908531)

This critical update addresses a remote code vulnerability in Windows Explorer in which an attacker, who successfully directs Windows Explorer to access a rogue or compromised file server, succeeds in getting Windows Explorer to execute arbitrary code under the authority of the current user. The file server could be on the local network or on the Internet. The attacker would probably attempt this attack through a link to the rogue file server embedded in an email or web page. The workarounds and mitigating factors on this bulletin are confusing and/or incomplete but I believe you could prevent this vulnerability from being exploited by remote file servers on the Internet by disabling the Web Client service on desktop workstations and blocking outgoing connections to TCP ports 139 and 445 at the firewall. Disabling the Web Client disables WebDAV functionality which is used by some Sharepoint sites. Blocking outgoing connections to TCP ports 139 and 445 will only protect computers when they are behind your firewall. Most home, hot spot or other Internet accessible networks where your laptop users may connect will not be blocking any type of outgoing connections.

Most organizations will want to take steps to protect against this exploit as soon as possible.
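The two MS06-015 mitigations described above can be applied and checked from a workstation. The script below is an added example, not part of the original post: it disables the Web Client service and then tests whether outbound TCP 139 and 445 actually leave the network. The test host name is a placeholder for an Internet host you control that listens on those ports.

```powershell
# Added example (not from the original post). Run elevated on the workstation.
param(
    # Placeholder: an Internet host you control that listens on TCP 139 and 445.
    [string]$EgressTestHost = 'egress-test.example.net'
)

function Disable-WebClientService {
    # "WebClient" is the service name behind the Web Client (WebDAV) display name.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if (-not $svc) { return 'WebClient: service not present' }
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name WebClient -Force }
    Set-Service -Name WebClient -StartupType Disabled
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    return "WebClient: state=$($wmi.State) startmode=$($wmi.StartMode)"
}

function Test-OutboundTcp {
    param([string]$TargetHost, [int]$Port, [int]$TimeoutMs = 3000)
    # Resolve first so a DNS failure is not mistaken for a firewall block.
    try { [void][System.Net.Dns]::GetHostAddresses($TargetHost) }
    catch { return 'UNRESOLVED' }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($TargetHost, $Port, $null, $null)
        # No reply within the timeout: the packet was dropped on the path.
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'BLOCKED' }
        $client.EndConnect($pending)   # throws if a reset came back
        return 'OPEN'
    }
    catch { return 'REFUSED' }         # reset from a firewall reject or a closed port
    finally { $client.Close() }
}

Disable-WebClientService
foreach ($port in 139, 445) {
    $result = Test-OutboundTcp -TargetHost $EgressTestHost -Port $port
    "outbound tcp/$port to ${EgressTestHost}: $result"
}
```

Running the same check from a laptop on a home or hot spot network shows whether that network filters these ports at all.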

MS06-016 – Cumulative Security Update for Outlook Express (911567)

This important update fixes a remote code vulnerability in Outlook Express and should be deployed to all systems using Outlook Express. It would be preferable to simply disable Outlook Express for the typical environment that uses Outlook instead. However Outlook 2000 and Outlook 2002 both require Outlook Express. Outlook 2003 does not appear to share this requirement and I have verified basic Outlook 2003 functionality after adding a Deny Everyone Full Control permission entry to c:\program files\outlook express. Most organizations will want to deploy this update or test my workaround as soon as possible for workstations and user accessible Terminal Services computers.
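One way to script the Deny Everyone Full Control entry described above, as an added example rather than the author's own procedure. It assumes Windows PowerShell run by an administrator who owns the folder; the `-Remove` switch and the default path built from `%ProgramFiles%` are choices made for this example.

```powershell
# Added example (not the author's script). Windows PowerShell, run elevated.
param(
    [string]$Path = (Join-Path $env:ProgramFiles 'Outlook Express'),
    [switch]$Remove      # take the deny entry back out again
)

if (-not (Test-Path -Path $Path -PathType Container)) {
    "Not found: $Path (nothing to do)"
    return
}

# S-1-1-0 is the well-known SID for Everyone; using it avoids localized names.
$everyone = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-1-0'
$rights   = [System.Security.AccessControl.FileSystemRights]::FullControl
$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop     = [System.Security.AccessControl.PropagationFlags]::None
$deny     = [System.Security.AccessControl.AccessControlType]::Deny
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $everyone, $rights, $inherit, $prop, $deny

# Read and write only the DACL section, leaving owner and audit entries alone.
$dir = Get-Item -Path $Path
$acl = $dir.GetAccessControl('Access')
if ($Remove) { [void]$acl.RemoveAccessRule($rule) }
else         { $acl.AddAccessRule($rule) }
$dir.SetAccessControl($acl)

# Re-reading works for the folder's owner, who keeps read/write access to the
# ACL despite the deny entry. Report the explicit deny entries now in place.
$dir.GetAccessControl('Access').Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited } |
    ForEach-Object { "DENY $($_.IdentityReference) $($_.FileSystemRights)" }
```

Because the entry denies Everyone, it also applies to administrators and installers; run the script with `-Remove` before applying the MS06-016 update to that machine.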

MS06-017 – Vulnerability in Microsoft FrontPage Server Extensions Could Allow Cross-Site Scripting (917627)

This is a weird vulnerability. I expect to receive clarifying information on this which I will pass on to you in a special update. For now my understanding is this: This vulnerability allows an attacker to execute arbitrary client-side script against an IIS server with FrontPage Server Extensions or Sharepoint Team Services. Microsoft rates this as a moderate risk but for vulnerable servers I rate it critical. If you have run servers with FPSE or SPTS, load this patch.
