
Microsoft® Patches Critical Security Vulnerabilities in Windows®, Modifies Internet Explorer ActiveX® Behavior

Alert Type:
Security - April 14, 2006

Alert Summary:
Released on April 11, Microsoft's April 2006 security updates address Critical, Important and Moderate vulnerabilities in all supported versions of Microsoft Windows, including Critical updates for Internet Explorer (IE) and Microsoft Data Access Components; an Important update for Outlook Express; and a Moderate update for FrontPage server extensions. In addition to patching security flaws that include the createTextRange() vulnerability actively exploited since late March, the Internet Explorer update also modifies how the browser handles ActiveX-based embedded active content, to comply with a court order in a patent lawsuit filed by Eolas Technologies. Taken as a group, the security flaws addressed could allow remote attackers to run arbitrary code on an affected computer and gain complete control of the system. Users of affected systems are urged to update their installations immediately. Windows Server 2003, XP, and 2000 users who obtain the patches via Automatic Update, Windows Update, or Microsoft Update may also receive the April 2006 version of the Windows Malicious Software Removal Tool.

How May These Issues Affect Your Subscribers and Users?
Successful exploits of these vulnerabilities could allow remote attackers to read, modify, and delete files; run arbitrary programs; and/or disrupt the operation of system processes on a compromised computer. Loss of data, privacy, and/or system function could result.

The modification to Internet Explorer's embedded active content behavior changes how the browser handles some Web pages that contain active content, such as Adobe Reader, Apple QuickTime Player, Macromedia Flash, Microsoft Windows Media Player, Real Networks RealPlayer, and Sun Java Virtual Machine. Once this update has been installed, Internet Explorer cannot interact with ActiveX controls in certain Web pages until the user clicks the controls.

How May These Issues Affect Your Operations and Help Desk?
Your help desk may potentially experience an increase in call volume as a result of these issues. If unauthorized access or malicious programs cause damage to files or settings necessary for maintaining connectivity to your network, subscribers may contact your support desk for assistance in restoring their connections. Computer processes under the control of an attacker could be used to send spam or launch attacks against other computers inside and outside of your network. Disruption of system processes could result in computer malfunctions that drive calls to your help desk.

The modifications to ActiveX behavior in Internet Explorer may change how your users and subscribers interact with some websites, including service or enterprise websites that use active content. These behavior changes may drive calls to your help desk.

What Can You Do About Them?
Help desk staff should familiarize themselves with the details of these vulnerabilities and modifications, the bulletins and support pages that describe them, the patches that fix them, and the use and behavior of Automatic Update, Windows Update, and Microsoft Update, Microsoft's preferred means of delivering patches to end users.

Technical coverage of these Windows Security updates begins at http://www.microsoft.com/technet/security/bulletin/ms06-apr.mspx. End-user coverage begins at http://www.microsoft.com/athome/security/update/bulletins/200604.mspx. Details on Windows Update and Microsoft Update are available from the Windows Update site at http://windowsupdate.microsoft.com/. For current Microsoft operating systems, an upgrade to Microsoft Update, which provides single-source access to updates for Windows, Office, and other Microsoft software, is available via the Windows Update homepage.

A known issue in Automatic Update functionality may delay notification and download of patches via Automatic Update for up to several days, as described at http://support.microsoft.com/?kbid=910340.

Details of the Internet Explorer ActiveX update are covered in the Microsoft Knowledge Base at http://support.microsoft.com/kb/912945/ and a security advisory at http://www.microsoft.com/technet/security/advisory/912945.mspx. Information for developers involved with ActiveX controls affected by the Internet Explorer ActiveX update begins at http://msdn.microsoft.com/ieupdate/.

Especially for enterprise users who still need more time to update applications for proper operation with Internet Explorer's modified ActiveX behavior, Microsoft also released on April 11 a "compatibility patch" that can be used temporarily to roll back the effects of the ActiveX patch until Microsoft's June security updates are released. This patch is described at http://support.microsoft.com/kb/917425.

Mission Critical Messenger customers can copy the source code of the following message into an HTML file for import into Mission Critical Messenger Server:

Security Alert:

Microsoft has released updates that correct Critical, Important, and Moderate security vulnerabilities in the Windows operating system and the Internet Explorer web browser. Users of affected systems are urged to install these updates immediately with Windows Update or Microsoft Update (http://windowsupdate.microsoft.com/).

If you would like to learn more about Mission Critical Messenger, please contact Fine Point Technologies at +1.212.962.7410 or sales@finepoint.com for more information.

This document is intended for informational purposes only. Fine Point Technologies, Inc., assumes no responsibility or liability for damages resulting from errors or misuse of information contained herein. Copyright © 2006 Fine Point Technologies, Inc. All rights reserved.

Fine Point Technologies and SupportPoint are trademarks or registered trademarks of Fine Point Technologies, Inc. Microsoft, Windows, and ActiveX are registered trademarks of Microsoft Corporation in the United States and/or other countries.

Eolas is a registered trademark of Eolas Technologies Inc.

Other registered trademarks used herein are the property of their respective owners.

About Fine Point Technologies
Fine Point Technologies (www.finepoint.com) drives worldwide Internet access through network connectivity products that leverage Point to Point Protocol over Ethernet (PPPoE), Asynchronous Transfer Mode (ATM), and related technologies. Fine Point Technologies offerings include the industry-leading PPPoE clients WinPoET (for Microsoft® Windows®) and MacPoET (for Apple Macintosh®), and ServPoET Broadband Management Server (BMS), the most cost-effective solution for terminating PPPoE sessions for any type of broadband service.