Critical Product Vulnerability - January 2006 Microsoft Security Bulletin Release

  • From: "Mark Fugatt" <markfu@xxxxxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Tue, 10 Jan 2006 19:47:11 -0000

Microsoft is releasing the following security bulletins for newly
discovered vulnerabilities:

Critical        MS06-002        Microsoft Windows       Remote Code Execution
Critical        MS06-003        Microsoft Office, Microsoft Exchange    Remote Code Execution

Summaries for these new bulletins may be found at the following pages:
*       http://www.microsoft.com/technet/security/bulletin/ms06-jan.mspx


Customers are advised to review the information in the bulletins, test
and deploy the updates immediately in their environments, if applicable.

Microsoft Windows Malicious Software Removal Tool

Microsoft is releasing an updated version of the Microsoft Windows
Malicious Software Removal Tool on Windows Server Update Services
(WSUS), Windows Update (WU) and the Download Center. Note that this tool
will NOT be distributed using Software Update Services (SUS).
Information on the Microsoft Windows Malicious Software Removal Tool can
be located here:
http://go.microsoft.com/fwlink/?LinkId=40573

High-Priority Non-Security Updates on Microsoft Update (MU), Windows
Update (WU), Windows Server Update Services (WSUS) and Software Update
Services (SUS)

Microsoft is today also making the following High-Priority NON-SECURITY
updates available on WU, MU, SUS and WSUS:

KB870450        Update Rollup for Exchange 2000 Server  MU
KB907747        Update for Intelligent Message Filter   MU

Microsoft will host a webcast to address customer questions on these
bulletins. For more information on this webcast please see below:

Information about Microsoft's Security Bulletins

January 11, 2006 11:00 AM (GMT-08:00)
http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032287360&EventCategory=4&culture=en-US&CountryCode=US

The on-demand version of the webcast will be available 24 hours after
the live webcast at: 
http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032287360&EventCategory=4&culture=en-US&CountryCode=US

**********************************************************************
MS06-002
Title:  Vulnerability in Embedded Web Fonts Could Allow Remote Code
Execution (908519)

Affected Software: 
*       Microsoft Windows 2000 Service Pack 4
*       Microsoft Windows XP Service Pack 1 and Microsoft Windows XP
Service Pack 2
*       Microsoft Windows XP Professional x64 Edition
*       Microsoft Windows Server 2003 and Microsoft Windows Server 2003
Service Pack 1
*       Microsoft Windows Server 2003 for Itanium-based Systems and
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
*       Microsoft Windows Server 2003 x64 Edition
*       Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE),
and Microsoft Windows Millennium Edition (ME) - Review the FAQ section
of the bulletin for details about these operating systems.

Impact of Vulnerability:  Remote Code Execution

Maximum Severity Rating: Critical

Restart required: In some cases, this update does not require a restart.
If the required files are being used, this update will require a
restart. If this behavior occurs, a message appears that advises you to
restart. To help reduce the chance that a reboot will be required, stop
all affected services and close all applications that may use the
affected files prior to installing the security update. For more
information about the reasons why you may be prompted to restart your
computer, see Microsoft Knowledge Base Article 887012.

Update can be uninstalled: Yes

More information on this vulnerability is available at:
http://www.microsoft.com/technet/security/bulletin/MS06-002.mspx 

**********************************************************************
MS06-003
Title:  Vulnerability in TNEF Decoding in Microsoft Outlook and
Microsoft Exchange Could Allow Remote Code Execution (902412)

Affected Software: 
*       Microsoft Office 2000 Service Pack 3
*       Microsoft Office 2000 Software:
*       Microsoft Outlook 2000
*       MultiLanguage Packs
Note Multilingual User Interface Packs are for non-English packages
*       Microsoft Office XP Service Pack 3
*       Microsoft Office XP Software:
*       Microsoft Outlook 2002
*       Microsoft Office XP Multilingual User Interface Packs
Note Multilingual User Interface Packs are for non-English packages.
*       Microsoft Office 2003 Service Pack 1 and Service Pack 2
*       Microsoft Office 2003 Software:
*       Microsoft Office Outlook 2003
*       Microsoft Office 2003 Multilingual User Interface Packs
Note Multilingual User Interface Packs are for non-English packages
*       Microsoft Office 2003 Language Interface Packs
*       Microsoft Exchange Server 5.0 Service Pack 2
*       Microsoft Exchange Server 5.5 Service Pack 4
*       Microsoft Exchange 2000 Server Pack 3 with the Exchange 2000
Post-Service Pack 3 Update Rollup of August 2004

Non-Affected Software:
*       Microsoft Exchange Server 2003
*       Microsoft Exchange Server 2003 Service Pack 1

Impact of Vulnerability:  Remote Code Execution

Maximum Severity Rating: Critical

Restart required: In some cases, this update does not require a restart.
If the required files are being used, this update will require a
restart. If this behavior occurs, a message appears that advises you to
restart. To help reduce the chance that a reboot will be required, stop
all affected services and close all applications that may use the
affected files prior to installing the security update. For more
information about the reasons why you may be prompted to restart your
computer, see Microsoft Knowledge Base Article 887012.

Update can be uninstalled: Exchange - Yes, Office - No

More information on this vulnerability is available at:
http://www.microsoft.com/technet/security/bulletin/MS06-003.mspx

PLEASE VISIT http://www.microsoft.com/technet/security FOR THE MOST
CURRENT INFORMATION ON THESE ALERTS.

Thank you,
Microsoft PSS Security Team

