Microsoft Windows update issues MS06-042 deployment

Note It cannot be ruled out that this vulnerability could be used in an exploit without Active Scripting. However, using Active Scripting significantly increases the chances of a successful exploit. As a result, this vulnerability has been given a severity rating of Critical on Windows Server

Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone

You can help protect against this vulnerability by changing your settings to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.

Note Disabling Active Scripting in the Internet and Local intranet security zones may cause some Web sites to work incorrectly. This will allow the site to work correctly. Impact of Workaround: There are side effects to prompting before running Active Scripting.

Many Web sites that are on the Internet or on an intranet use Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use Active Scripting to provide menus, ordering forms, or even account statements. Prompting before running Active Scripting is a global setting that affects all Internet and intranet sites.

For each prompt, if you feel you trust the site that you are visiting, click Yes to run Active Scripting. Many Web sites that are on the Internet or on an intranet use ActiveX or Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX Controls to provide menus, ordering forms, or even account statements.

Prompting before running ActiveX Controls or Active Scripting is a global setting that affects all Internet and intranet sites. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX Controls or Active Scripting. Read e-mail messages in plain text format if you are using Outlook or a later version, or Outlook Express 6 SP1 or a later version, to help protect yourself from the HTML e-mail attack vector.

Microsoft Outlook users who have applied Office XP Service Pack 1 or a later version and Microsoft Outlook Express 6 users who have applied Internet Explorer 6 Service Pack 1 or a later version can enable this setting and view e-mail messages that are not digitally signed or e-mail messages that are not encrypted in plain text only.

Digitally signed e-mail messages or encrypted e-mail messages are not affected by the setting and may be read in their original formats. For more information about how to enable this setting in Outlook, see Microsoft Knowledge Base Article

Impact of Workaround: E-mail messages that are viewed in plain text format will not contain pictures, specialized fonts, animations, or other rich content.

This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user.

These Web sites could contain specially crafted content that could exploit this vulnerability. This vulnerability requires that a user is logged on and reading HTML e-mail messages or that a user is logged on and visits a Web site for any malicious action to occur. Therefore, any systems where HTML e-mail messages are read or where Internet Explorer is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability.

The update removes the vulnerability by modifying the way that Internet Explorer decodes certain layout combinations in HTML. When this security bulletin was issued, had this vulnerability been publicly disclosed? Microsoft received information about this vulnerability through responsible disclosure. When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.

For information about the specific security update for your affected software, click the appropriate link: Note You can combine these switches into one command.

For backward compatibility, the security update also supports many of the setup switches that the earlier version of the Setup program uses. For more information about the supported installation switches, see Microsoft Knowledge Base Article For more information about the Update.

To install the security update without any user intervention, use the following command at a command prompt for Windows Server This includes suppressing failure messages. Administrators should also review the KB To install the security update without forcing the system to restart, use the following command at a command prompt for Windows Server For information about how to deploy this security update by using Software Update Services, visit the Software Update Services Web site.

This security update will also be available through the Microsoft Update Web site. This security update does not support HotPatching. System administrators can also use the Spuninst. The Spuninst. The English version of this security update has the file attributes that are listed in the following table.

The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. Notes When you install these security updates, the installer checks to see if one or more of the files that are being updated on your system have previously been updated by a Microsoft hotfix. Security updates may not contain all variations of these files. For more information about this behavior, see Microsoft Knowledge Base Article For more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article MBSA allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations.

File Version Verification Note Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps. Note This registry key may not contain a complete list of installed files. Also, this registry key may not be created correctly if an administrator or an OEM integrates or slipstreams the security update into the Windows installation source files.

For backward compatibility, the security update also supports the setup switches that the earlier version of the Setup program uses. To install the security update without any user intervention, use the following command at a command prompt for Microsoft Windows XP:

The revised update fully resolves the security vulnerability we discussed in the Advisory. We also have resolved the issues that we discovered prior to the planned release on Tuesday.

We are now urging IE 6. This assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. Why did Microsoft reissue this bulletin on September 26, ? Microsoft updated this bulletin and the associated security updates to address and resolve the issues identified in Microsoft Knowledge Base Article There are no additional security benefits as a result of reinstalling this update.

What are the known issues that customers may experience when they install this security update? Microsoft Knowledge Base Article documents the currently known issues that customers may experience when they install this security update. I am still using one of these operating systems; what should I do?

Windows 98, Windows 98 Second Edition, and Windows Millennium Edition have reached the end of their support life cycles. It should be a priority for customers who have these operating system versions to migrate to supported versions to prevent potential exposure to vulnerabilities. For more information about the extended security update support period for these operating system versions, visit the Microsoft Product Support Services Web site. Windows NT Workstation 4.

Customers who require custom support for these products must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options.

Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country, and then click Go to see a list of telephone numbers.

When you call, ask to speak with the local Premier Support sales manager. What updates does this release replace? This security update replaces a prior security update. The security bulletin ID and affected operating systems are listed in the following table.

The following table provides the MBSA detection summary for this security update. For more detailed information, see Microsoft Knowledge Base Article The following table provides the SMS detection summary for this security update. For SMS 2. There is a privilege elevation vulnerability in Windows caused by improper validation of system inputs. This vulnerability could allow a logged on user to take complete control of the system. What is the scope of the vulnerability? This is a privilege elevation vulnerability.

An attacker who successfully exploited this vulnerability could take complete control of an affected system. To attempt to exploit the vulnerability, an attacker must be able to log on locally to the system and run a program. What causes the vulnerability? An unchecked buffer in the Windows Kernel. What might an attacker use the vulnerability to do?

An attacker who successfully exploited this vulnerability could take complete control of the affected system. Who could exploit the vulnerability? When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? When the security bulletin was released, Microsoft had received information that this vulnerability was being exploited.

For information about the specific security update for your affected software, click the appropriate link: Important: Before you install this update, make sure that the following requirements have been met: Windows Installer 2. For more information about how to determine the version of Office XP that is installed on your computer, see Microsoft Knowledge Base Article For more information about the version information displayed in the About dialog box, see Microsoft Knowledge Base Article To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update.

For more information about the reasons why you may be prompted to restart, see Microsoft Knowledge Base Article To revert to an installation before the update was installed, you must remove the application, and then install it again from the original CD-ROM.

This update will be available through the Microsoft Update Web site. Microsoft Update consolidates updates that are provided by Windows Update and Office Update into one location and lets you choose automatic delivery and installation of high-priority and security updates.

We recommend that you install this update by using the Microsoft Update Web site. The Microsoft Update Web site detects your particular installation and prompts you to install exactly what you must have to make sure that your installation is completely up to date. To have the Microsoft Update Web site detect the required updates that you must install on your computer, visit the Microsoft Update Web site. You will be given the choice of Express Recommended or Custom.

After detection is complete, you will receive a list of recommended updates for your approval. For detailed information about how to manually install this update, review the following section.

Note These switches do not necessarily work with all updates. If a switch is not available, that functionality is required for the correct installation of the update. If the installation is unsuccessful, you should contact your support professional to understand why it could not install. For more information about the supported setup switches, see Microsoft Knowledge Base Article Note The full file office update is intended for both client and administrative deployment scenarios.

Note If the security update is already installed on your computer, you see the following error message: This update has already been applied or is included in an update that has already been applied.

The English version of this update has the file attributes that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC).

When you view the file information, it is converted to local time. If you installed your application from a server location, the server administrator must update the server location with the administrative update and deploy that update to your computer. The following setup switches are relevant to administrative installations as they allow an administrator to customize how the files are extracted from within the security update. At this point, your administrative installation point is updated.

Next, you must update the workstation configurations that were originally installed from this administrative installation. Any new installations that you run from this administrative installation point will include the update. To deploy the update to the client workstations, click Start, click Run, type the following command, and then click OK: Note Administrators working in managed environments can find complete resources for deploying Office updates in an organization on the Office Admin Update Center.

On the home page of that site, look under the Update Strategies section for the software version you are updating. The Windows Installer Documentation also provides more information about the parameters supported by the Windows Installer. File Version Verification Note Because there are several versions of Microsoft Windows, the following steps may be different on your computer.

If they are, see your product documentation to complete these steps.


