Hey folks - Mike Reavey here. I wanted to let you know we’ve released our security bulletins for the month of November 2006 here today.
We’re releasing six new security bulletins today:
· Microsoft Windows (MS06-066)
    · maximum severity rating of Important
    · vulnerabilities could allow an attacker to remotely take complete control of an affected system.
· Microsoft Windows (MS06-067)
    · maximum severity rating of Critical
    · vulnerabilities could allow an attacker to remotely take complete control of an affected system.
· Microsoft Windows (MS06-068)
    · maximum severity rating of Critical
    · vulnerabilities could allow an attacker to remotely take complete control of an affected system.
· Microsoft Windows (MS06-069)
    · maximum severity rating of Critical
    · vulnerabilities could allow an attacker to remotely take complete control of an affected system.
· Microsoft Windows (MS06-070)
    · maximum severity rating of Critical
    · vulnerabilities could allow an attacker to remotely take complete control of an affected system.
· Microsoft XML Core Services (MS06-071)
    · maximum severity rating of Critical
    · vulnerabilities could allow an attacker to remotely take complete control of an affected system.
Regarding MS06-071, I wanted to call out a couple of things. This update addresses an issue we first discussed in Microsoft Security Advisory (927892).
First, with this month’s release, Microsoft has changed the servicing model for Microsoft XML Core Services to include Windows Update in addition to Microsoft Update. This means that customers will now be able to obtain security updates for Microsoft XML Core Services through Windows Update and Software Update Services (SUS), in addition to Microsoft Update and Windows Software Update Services (WSUS).
Now, because this update is on Windows Update for distribution, we don’t want customers to be confused and think this is a vulnerability in any version of Windows: the vulnerability is actually in Microsoft XML Core Services, not in Windows.
But we’ve gone ahead and put this update on Windows Update to give the broadest possible coverage to protect customers for this issue and any possible future issues in Microsoft XML Core Services.
The other thing I want to mention about MS06-071 is information for our SUS 1.0 customers. Our goal every month is to release all updates through all our deployment channels simultaneously. While we were able to move quickly to release this update, we were not able to complete the work required to make it available through Software Update Services 1.0 today. The update is available through all other channels, and Software Update Services customers can obtain this update directly from the Download Center or through WSUS. We are working to make this update available through SUS as quickly as possible and expect to release it with the next SUS 1.0 update.
One final bit of SUS information: we had announced that SUS 1.0 would be retired on December 6, 2006. In response to customer feedback, and to provide customers with additional time to migrate off Software Update Services (SUS) 1.0, we’ve gone ahead and announced an extension to the end of support date to Tuesday, July 10, 2007. So we want to encourage anyone still running SUS 1.0 to migrate to Windows Server Update Services (WSUS) before July 2007. There’s information on WSUS here: http://www.microsoft.com/updateservices.
Finally, like we do every month, we’ll be holding our monthly Security Bulletin webcast, where we’ll go over the month’s release and answer your questions on the air. You can register for this month’s webcast here:
http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032313212&EventCategory=4&culture=en-US&CountryCode=US
Mike
*This posting is provided “AS IS” with no warranties, and confers no rights.*