Windows Security Updates for August (MS MS06-051)

Transcription

1 Windows Security Updates for August (MS MS06-051) Original Release Date: August 8, 2006 Last Revised: November 22, 2006 Number: ASA Risk Level: High Advisory Version: 3.0 Advisory Status: Final 1. Overview: Microsoft issued a security bulletin summary for August 2006 which contained twelve security advisories: MS06-040, MS06-041, MS06-042, MS06-043, MS06-044, MS06-045, MS06-046, MS06-047, MS06-048, MS06-049, MS06-050, and MS The advisories describe vulnerabilities in various Microsoft Windows Operating Systems. A description of the vulnerabilities can be found at: ***UPDATE*** On September 26, Microsoft released a new patch regarding MS Certain Avaya products utilize Microsoft Operating Systems and may be affected by these vulnerabilities. 2. Avaya System Products Avaya system products include an Operating System with the product when it is delivered. The system products described below are delivered with a Microsoft Operating System. Actions to be taken with these products are also described below. Product: Unified Communications Center (UCC) - S3400 Affected S/W Version(s): All Recommended Actions: Follow Microsoft's recommendation for installing the Operating System patches: MS MS MS MS06-044

2 Modular Messaging - Messaging Application Server (MAS) S8100/DefinityOne/IP600 Media Servers All R10 and greater MS MS MS MS The Unified Communications Center product is deployed with the Microsoft Windows 2000 Operating System. Follow Microsoft's recommendation for installing the Operating System patches: MS MS MS MS06-043(MAS 3.0) MS MS MS MS MS The Modular Messaging - Messaging Application Server (MAS) is deployed with the Microsoft Windows 2000 or Microsoft Windows 2003 Operating System. Follow Microsoft's recommendation for installing the Operating System patches: MS MS MS MS MS MS MS MS These products are deployed with either the Microsoft Windows 2000 Operating System or the Microsoft Windows NT Operating System.

3 3. Avaya Software-Only Products Avaya software-only products operate on general-purpose operating systems. Occasionally vulnerabilities may be discovered in the underlying operating system or applications that come with the operating system. These vulnerabilities often do not impact the software-only product directly but may threaten the integrity of the underlying platform. In the case of this advisory Avaya software-only products are not affected by the vulnerability directly but the underlying Microsoft Windows platform may be. For affected Microsoft Operating Systems, Microsoft recommends installing patches. Detailed instructions for patching the Operating System are given by Microsoft at the following links: Software-Only Products: Product: Avaya Agent Access Avaya Basic Call Management System Reporting Desktop - server Avaya Basic Call Management System Reporting Desktop - client Avaya CMS Supervisor Avaya Computer Telephony Avaya CVLAN Client Software Version(s):

4 Avaya Enterprise Manager Avaya Integrated Management Avaya Interaction Center (IC) Avaya Interaction Center - Voice Quick Start Avaya IP Agent Avaya IP Softphone Avaya Modular Messaging Avaya Network Reporting Avaya OctelAccess(r) Server Avaya OctelDesignerTM Avaya Operational Analyst Avaya Outbound Contact Management> Avaya Speech Access Avaya Unified Communication Center (UCC) Avaya Unified Messenger (r) Avaya Visual Messenger TM Avaya Visual Vector Client Avaya VPNmanagerTM Console Avaya Web Messenger Recommended Actions: Avaya recommends that the Microsoft patches and/or workaround solutions are applied. Although certain Avaya system products utilize Microsoft Operating Systems and may be affected by these vulnerabilities, Avaya recommends that the use of clients and Internet browsers be restricted on Avaya system products (i.e. Outlook Express and Internet Explorer). The use of browsers should be restricted to authorized users-only as well as limited to the operational-needs of the product. Unrestricted access to the Intranet or Internet should be prohibited beyond the necessary functions of the product's web administration interface and to obtaining patches. This reduces the risk of vulnerabilities in these applications.

5 5. Additional Information: MS Vulnerability in Server Service Could Allow Remote Code Execution (921883) : Windows was found to have a vulnerability that could allow an attacker to take complete control of a system. The Avaya Modular Messaging Message Application Server, Unified Communication Center (UCC), and S8100 are vulnerable to this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE to the issue. MS Vulnerability in DNS Resolution Could Allow Remote Code Execution (920683): Two vulnerabilities have been found, the most severe of which could allow an attacker to take complete control of the affected system. The Avaya Modular Messaging Message Application Server, Unified Communication Center (UCC), and S8100 are vulnerable to this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE , and CVE to these issues. MS Cumulative Security Update for Internet Explorer (918899): A number of vulnerabilities have been discovered in Internet Explorer that could allow an attacker to take control of the system as the user that is logged in. The Avaya Modular Messaging Message Application Server, Unified Communication Center (UCC), and S8100 are vulnerable to this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE , CVE , CVE , CVE , CVE , CVE , CVE , and CVE to these issues. MS Vulnerability in Microsoft Windows Could Allow Remote Code Execution (920214) : A vulnerability has been discovered in Outlook Express that could allow an attacker to take control of the system as the user that is logged, if they could be tricked into clicking a malicious link. The Avaya Modular Messaging Message Application Server 3.0 is vulnerable to this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE to this issue. MS Vulnerability in Microsoft Management Console Could Allow Remote Code Execution (917008): A vulnerability has been discovered with the Microsoft Management Console which could allow an attacker to take complete control of an affected system. The Avaya Modular Messaging Message Application Server, Unified Communication Center (UCC), and S8100 are vulnerable to this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE to this issue. MS Vulnerability in Windows Explorer Could Allow Remote Code Execution (921398): A vulnerability has been discovered in Windows Explorer which an attacker could potentially trick a user to click a malicious link, and could take complete control of an affected system. The Avaya Modular Messaging Message Application Server, Unified Communication Center (UCC), and S8100 are vulnerable to this issue. The Common

6 Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE to this issue. MS Vulnerability in HTML Help Could Allow Remote Code Execution (922616): A vulnerability has been identified in HTML Help ActiveX that could allow remote code execution on the affected system if an attacker could trick a user into visiting a malicious web site. The Avaya Modular Messaging Message Application Server, Unified Communication Center (UCC), and S8100 are vulnerable to this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE to this issue. MS Vulnerability in Microsoft Visual Basic for Applications Could Allow Remote Code Execution (921645): A vulnerability has been discovered in Microsoft Visual Basic for Applications that could allow remote code execution on the affected system as the user that is logged in. Avaya system products do not utilize Microsoft Visual Basic for Applications, and are therefore not affected by this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE to this issue. MS Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (922968): Two vulnerabilities have been discovered in Microsoft PowerPoint. An attacker who tricked a user into opening a malicious object could execute code as the user that is logged in. Avaya system products do not utilize Microsoft PowerPoint, and are therefore not affected by this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE and CVE to these issues. MS Vulnerability in Windows Kernel Could Result in Elevation of Privilege (920958) : ***UPDATE*** On September 26, Microsoft released a new patch for this vulnerability. Avaya recommends installing the updated patch. A privilege escalation vulnerability has been discovered in the Windows 2000 Kernel. The Avaya Modular Messaging Message Application Server R2, Unified Communication Center (UCC), and S8100 are vulnerable to this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE to this issue. MS Vulnerabilities in Microsoft Windows Hyperlink Object Library Could Allow Remote Code Execution (920670): Two vulnerabilities have been discovered in the Microsoft Windows Hyperlink Object Library. These vulnerabilities could be exploited by an attacker who tricked a user into clicking a malicious hyperlink, allowing the attacker to take control of the system as the user that is logged in. The Avaya Modular Messaging Message Application Server, Unified Communication Center (UCC), and S8100 are vulnerable to this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE and CVE to these issues.

7 MS Vulnerability in Windows Kernel Could Result in Remote Code Execution (917422): Two vulnerabilities have been discovered in the Windows Kernel that could allow for privilege escalation for a user that is already logged in, or for a remote user to execute code, respectively. The Avaya Modular Messaging Message Application Server, Unified Communication Center (UCC), and S8100 are vulnerable to this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE and CVE to these issues. Additional information may also be available via the Avaya support website and through your Avaya account representative. Please contact your Avaya product support representative, or dial , with any questions. 6. Disclaimer: ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION AND IS PROVIDED "AS IS". AVAYA INC., ON BEHALF ITSELF AND ITS SUBSIDIARIES AND AFFILIATES (HEREINAFTER COLLECTIVELY REFERRED TO AS "AVAYA"), DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND FURTHERMORE, AVAYA MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE STEPS RECOMMENDED WILL ELIMINATE SECURITY OR VIRUS THREATS TO CUSTOMERS' SYSTEMS. IN NO EVENT SHALL AVAYA BE LIABLE FOR ANY DAMAGES WHATSOEVER ARISING OUT OF OR IN CONNECTION WITH THE INFORMATION OR RECOMMENDED ACTIONS PROVIDED HEREIN, INCLUDING DIRECT, INDIRECT, CONSEQUENTIAL DAMAGES, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF AVAYA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE INFORMATION PROVIDED HERE DOES NOT AFFECT THE SUPPORT AGREEMENTS IN PLACE FOR AVAYA PRODUCTS. SUPPORT FOR AVAYA PRODUCTS CONTINUES TO BE EXECUTED AS PER EXISTING AGREEMENTS WITH AVAYA. 7. Revision History: V August 8, Initial Statement issued. V October 4, Updated information for MS V November 22, Updated MS description to say that only Avaya Modular Messaging Message Application Server 3.0 is affected and updated MS description to say that all Avaya System Products are affected. Send information regarding any discovered security problems with Avaya products to either the contact noted in the product's documentation or securityalerts@avaya.com.

8 2006 Avaya Inc. All Rights Reserved. All trademarks identified by the or are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners.