Patch Tuesday

Microsoft today released a number of hotfixes for Win Me, quite possibly
the last.

Patches released include:
Cumulative Security Update for Internet Explorer 6 Service Pack 1
(KB916281)
For more details see KB916281 "MS06-021: Cumulative security update for
Internet Explorer" (http://support.microsoft.com?kbid=916281) and
Microsoft Security Bulletin MS06-021
(http://www.microsoft.com/technet/sec.../ms06-021.mspx).

Security Update for Internet Explorer 6 Service Pack 1 (KB918439)
For more details see KB918439 "MS06-022: Vulnerability in ART image
rendering could allow remote code execution"
(http://support.microsoft.com?kbid=918439) and Microsoft Security Bulletin
MS06-022
(http://www.microsoft.com/technet/sec.../ms06-022.mspx).

Security Update for Windows Millennium (KB918547)
For more details see KB918547 "MS06-026: Vulnerability in the Graphics
Rendering Engine could allow remote code execution"
(http://support.microsoft.com?kbid=918547) and Microsoft Security Bulletin
MS06-026
(http://www.microsoft.com/technet/sec.../ms06-026.mspx).

Security Update for Windows Millennium (KB917344)
For more details see KB917344 "MS06-023: Vulnerability in Microsoft
JScript could allow remote code execution "
(http://support.microsoft.com?kbid=917344) and Microsoft Security Bulletin
MS06-023
(http://www.microsoft.com/technet/sec.../ms06-023.mspx).

Security Update for Windows Media Player 9 for Windows 98 and Windows ME
(KB917734)
For more details see KB917734 "MS06-024: Vulnerability in Windows Media
Player could allow remote code execution"
(http://support.microsoft.com?kbid=917734) and Microsoft Security Bulletin
MS06-024
(http://www.microsoft.com/technet/sec.../ms06-024.mspx).

Patches were also released for Word 2000 & 2002 and PowerPoint 2000 &
2002.
Word: KB917336 "MS06-027: Vulnerability in Microsoft Word could allow
remote code execution" (http://support.microsoft.com/?kbid=917336) which
has links to details of the patches for Word 2000 (KB917335) and Word 2002
(KB917335)

PowerPoint: KB916768 "MS06-028: Vulnerability in Microsoft PowerPoint
could allow remote code execution"
(http://support.microsoft.com/?kbid=916768) which has links to details of
the patches for PowerPoint 2000 (KB916520) and PowerPoint 2002 (KB916519)

I am currently installing these individually and checking that none
adversely effect my system. I will post back to this thread if I
encounter any problems. To date I have installed all of the system
patches and seen no ill effects. I would strongly advise all users of Win
Me to install these patches.
--
Mike Maltby
MS-MVP Windows

From: "Mike M"

| Microsoft today released a number of hotfixes for Win Me, quite possibly
| the last.
|
| Patches released include:
| Cumulative Security Update for Internet Explorer 6 Service Pack 1
| (KB916281)
| For more details see KB916281 "MS06-021: Cumulative security update for
| Internet Explorer" (http://support.microsoft.com?kbid=916281) and
| Microsoft Security Bulletin MS06-021
| (http://www.microsoft.com/technet/sec.../ms06-021.mspx).
|
| Security Update for Internet Explorer 6 Service Pack 1 (KB918439)
| For more details see KB918439 "MS06-022: Vulnerability in ART image
| rendering could allow remote code execution"
| (http://support.microsoft.com?kbid=918439) and Microsoft Security Bulletin
| MS06-022
| (http://www.microsoft.com/technet/sec.../ms06-022.mspx).
|
| Security Update for Windows Millennium (KB918547)
| For more details see KB918547 "MS06-026: Vulnerability in the Graphics
| Rendering Engine could allow remote code execution"
| (http://support.microsoft.com?kbid=918547) and Microsoft Security Bulletin
| MS06-026
| (http://www.microsoft.com/technet/sec.../ms06-026.mspx).
|
| Security Update for Windows Millennium (KB917344)
| For more details see KB917344 "MS06-023: Vulnerability in Microsoft
| JScript could allow remote code execution "
| (http://support.microsoft.com?kbid=917344) and Microsoft Security Bulletin
| MS06-023
| (http://www.microsoft.com/technet/sec.../ms06-023.mspx).
|
| Security Update for Windows Media Player 9 for Windows 98 and Windows ME
| (KB917734)
| For more details see KB917734 "MS06-024: Vulnerability in Windows Media
| Player could allow remote code execution"
| (http://support.microsoft.com?kbid=917734) and Microsoft Security Bulletin
| MS06-024
| (http://www.microsoft.com/technet/sec.../ms06-024.mspx).
|
| Patches were also released for Word 2000 & 2002 and PowerPoint 2000 &
| 2002.
| Word: KB917336 "MS06-027: Vulnerability in Microsoft Word could allow
| remote code execution" (http://support.microsoft.com/?kbid=917336) which
| has links to details of the patches for Word 2000 (KB917335) and Word 2002
| (KB917335)
|
| PowerPoint: KB916768 "MS06-028: Vulnerability in Microsoft PowerPoint
| could allow remote code execution"
| (http://support.microsoft.com/?kbid=916768) which has links to details of
| the patches for PowerPoint 2000 (KB916520) and PowerPoint 2002 (KB916519)
|
| I am currently installing these individually and checking that none
| adversely effect my system. I will post back to this thread if I
| encounter any problems. To date I have installed all of the system
| patches and seen no ill effects. I would strongly advise all users of Win
| Me to install these patches.

I installed them all. So far no side effects -- this time. This included a MDAC post SP1
update.

I also installed the IE6 SP1 cumulative update AFTER I install all the other updates.

BTW:....



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



National Cyber Alert System

Technical Cyber Security Alert TA06-164A



Microsoft Windows, Internet Explorer, Media Player, Word, PowerPoint, and
Exchange Vulnerabilities

Original release date: June 13, 2006
Last revised: --
Source: US-CERT



Systems Affected

* Microsoft Windows
* Microsoft Windows Media Player
* Microsoft Internet Explorer
* Microsoft PowerPoint for Windows and Mac OS X
* Microsoft Word for Windows
* Microsoft Office
* Microsoft Works Suite
* Microsoft Exchange Server Outlook Web Access

For more complete information, refer to the Microsoft Security
Bulletin Summary for June 2006.



Overview

Microsoft has released updates that address critical vulnerabilities
in Microsoft Windows, Word, PowerPoint, Media Player, Internet
Explorer, and Exchange Server. Exploitation of these vulnerabilities
could allow a remote, unauthenticated attacker to execute arbitrary
code or cause a denial of service on a vulnerable system.



I. Description

Microsoft Security Bulletin Summary for June 2006 addresses
vulnerabilities in Microsoft Windows, Word, PowerPoint, Media Player,
Internet Explorer, and Exchange Server. Further information is
available in the following US-CERT Vulnerability Notes:

VU#722753 - Microsoft IP Source Route Vulnerability

A vulnerability in Microsoft Windows could allow a remote attacker to
execute arbitrary code on a vulnerable system.
(CVE-2006-2379)

VU#446012 - Microsoft Word object pointer memory corruption
vulnerability

A memory corruption vulnerability in Microsoft Word could allow a
remote attacker to execute arbitrary code with the privileges of the
user running Word.
(CVE-2006-2492)

VU#190089 - Microsoft PowerPoint malformed record vulnerability

Microsoft PowerPoint fails to properly handle malformed records. This
may allow a remote attacker to execute arbitrary code on a vulnerable
system.
(CVE-2006-0022)

VU#923236 - Microsoft Windows ART image handling buffer overflow

Microsoft Windows ART image handling routines are vulnerable to a
heap-based buffer overflow. This vulnerability may allow a remote,
unauthenticated attacker to execute arbitrary code on a vulnerable
system.
(CVE-2006-2378)

VU#390044 - Microsoft JScript memory corruption vulnerability

Microsoft JScript contains a memory corruption vulnerability. This
vulnerability may allow a remote, unauthenticated attacker to execute
arbitrary code on a vulnerable system.
(CVE-2006-1313)

VU#338828 - Microsoft Internet Explorer exception handling
vulnerability

Microsoft Internet Explorer fails to properly handle exception
conditions. This may allow a remote, unauthenticated attacker to
execute arbitrary code.
(CVE-2006-2218)

VU#417585 - Microsoft DXImageTransform Light filter fails to validate
input

The Microsoft DXImageTransform Light COM object fails to validate
input, which may allow a remote attacker to execute arbitrary code on
a vulnerable system.
(CVE-2006-2383)

VU#959049 - Multiple COM objects cause memory corruption in Microsoft
Internet Explorer

Microsoft Internet Explorer (IE) allows instantiation of COM objects
not designed for use in the browser, which may allow a remote attacker
to execute arbitrary code or crash IE.
(CVE-2006-2127)

VU#136849 - Microsoft Internet Explorer UTF-8 decoding vulnerability

Microsoft Internet Explorer fails to properly decode UTF-8 encoded
HTML. This may allow a remote, unauthenticated attacker to execute
arbitrary code on a vulnerable system.
(CVE-2006-2382)

VU#909508 - Microsoft Graphics Rendering Engine fails to properly
handle WMF images

Microsoft Windows Graphics Rendering Engine contains a vulnerability
that may allow a remote attacker to execute arbitrary code on a
vulnerable system.
(CVE-2006-2376)

VU#608020 - Microsoft Windows Media Player PNG processing buffer
overflow

Microsoft Windows Media Player contains a stack-based buffer overflow
vulnerability that may allow a remote, unauthenticated attacker to
execute arbitrary code on a vulnerable system.
(CVE-2006-0025)

VU#814644 - Microsoft Remote Access Connection Manager service
vulnerable to buffer overflow

A vulnerability in the Microsoft Remote Access Connection Manager may
allow a remote attacker to execute arbitrary code on a vulnerable
system.
(CVE-2006-2371)

VU#631516 - Microsoft Routing and Remote Access does not properly
handle RPC requests

There is a vulnerability in the Microsoft Windows Routing and Remote
Access Service that could allow an attacker to take control of the
affected system.
(CVE-2006-2370)

VU#138188 - Microsoft Outlook Web Access for Exchange Server script
injection vulnerability

A script injection vulnerability exists in Microsoft Exchange Server
running Outlook Web Access.
(CVE-2006-1193)

In MS06-027 Microsoft has released updates for the Word vulnerability
described in Technical Cyber Security Alert TA06-139A.



II. Impact

A remote, unauthenticated attacker could execute arbitrary code on a
vulnerable system. An attacker may also be able to cause a denial of
service.



III. Solution

Apply Updates

Microsoft has provided updates for these vulnerabilities in the
Security Bulletins. Microsoft Windows updates are available on the
Microsoft Update site.

Workarounds

Please see the US-CERT Vulnerability Notes for workarounds.



Appendix A. References

* Microsoft Security Bulletin Summary for June 2006 -
http://www.microsoft.com/technet/security/bulletin/ms06-jun.mspx

* Technical Cyber Security Alert TA06-139A -
http://www.us-cert.gov/cas/techalerts/TA06-139A.html

* US-CERT Vulnerability Notes for Microsoft Updates for June 2006 -
http://www.kb.cert.org/vuls/byid?searchview&query=ms06-june

* US-CERT Vulnerability Note VU#446012 -
http://www.kb.cert.org/vuls/id/446012

* US-CERT Vulnerability Note VU#190089 -
http://www.kb.cert.org/vuls/id/190089

* US-CERT Vulnerability Note VU#923236 -
http://www.kb.cert.org/vuls/id/923236

* US-CERT Vulnerability Note VU#390044 -
http://www.kb.cert.org/vuls/id/390044

* US-CERT Vulnerability Note VU#338828 -
http://www.kb.cert.org/vuls/id/338828

* US-CERT Vulnerability Note VU#417585 -
http://www.kb.cert.org/vuls/id/417585

* US-CERT Vulnerability Note VU#136849 -
http://www.kb.cert.org/vuls/id/136849

* US-CERT Vulnerability Note VU#909508 -
http://www.kb.cert.org/vuls/id/909508

* US-CERT Vulnerability Note VU#722753 -
http://www.kb.cert.org/vuls/id/722753

* US-CERT Vulnerability Note VU#959049 -
http://www.kb.cert.org/vuls/id/959049

* US-CERT Vulnerability Note VU#138188 -
http://www.kb.cert.org/vuls/id/138188

* US-CERT Vulnerability Note VU#608020 -
http://www.kb.cert.org/vuls/id/608020

* US-CERT Vulnerability Note VU#814644 -
http://www.kb.cert.org/vuls/id/814644

* US-CERT Vulnerability Note VU#631516 -
http://www.kb.cert.org/vuls/id/631516

* CVE-2006-2492 -
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2492

* CVE-2006-0022 -
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0022

* CVE-2006-2378 -
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2378

* CVE-2006-1313 -
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1313

* CVE-2006-2218 -
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2218

* CVE-2006-2383 -
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2383

* CVE-2006-2127 -
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2127

* CVE-2006-2382 -
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2382

* CVE-2006-2376 -
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2376

* CVE-2006-2379 -
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2379

* CVE-2006-1193 -
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1193

* CVE-2006-0025 -
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0025

* CVE-2006-2371 -
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2371

* CVE-2006-2370 -
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2370

* Microsoft Update - https://update.microsoft.com/microsoftupdate

* Securing Your Web Browser -
http://www.us-cert.gov/reading_room/...r/#Internet_Ex
plorer



__________________________________________________ __________________

The most recent version of this document can be found at:

http://www.us-cert.gov/cas/techalerts/TA06-164A.html
__________________________________________________ __________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to with "TA06-164A Feedback VU#390044" in the
subject.
__________________________________________________ __________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit http://www.us-cert.gov/cas/signup.html.
__________________________________________________ __________________

Produced 2006 by US-CERT, a government organization.

Terms of use:

http://www.us-cert.gov/legal.html
__________________________________________________ __________________



Revision History

June 13, 2006: Initial release



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBRI8+kn0pj593lg50AQKHOwgAvRyUSM1UUAm9rMCEqm qK2F7Nc0zmyBF/
LJQMV04M44DBzO/uAJvj1Bagsg1+eCQB9L86qL3WzKZev200gkYUki1xOJ/S7yv2
8K3ovQ9g2HFTuovw6tO2GE6EO5tWyGO0RjW4juEIe03vUF8rvk BzhQFjl4YCK7Lk
J+O3eula74ZcDExuT/8tzbYmUnW2V5YB4n8THdZmwUcQBG8HgCiYBeA5Ne0Gs2/l
FqcGY6/GcileVChU98p3GBQWp8B+WSUSxGSFEmRl4BnRhB0Me8/RmJt0+Bxs+RJP
mokjmXu0dBFZUAMP0drS1ZBnhu8/s2jo0gvu5qoDmL4el5Y1Lj6bGA==
=k+F0
-----END PGP SIGNATURE-----



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Thanks Dave.

I'm likewise seeing no problems as a result of installing these patches
but haven't tested all the possible scenarios regarding Office components.
For example I have only installed the Office 2000 patches and even then
not had the chance to test exhaustively.
--
Mike


David H. Lipman wrote:

I installed them all. So far no side effects -- this time. This
included a MDAC post SP1 update.

I also installed the IE6 SP1 cumulative update AFTER I install all
the other updates.

BTW:....



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



National Cyber Alert System

Technical Cyber Security Alert TA06-164A



Microsoft Windows, Internet Explorer, Media Player, Word, PowerPoint,
and
Exchange Vulnerabilities

Original release date: June 13, 2006
Last revised: --
Source: US-CERT



Systems Affected

* Microsoft Windows
* Microsoft Windows Media Player
* Microsoft Internet Explorer
* Microsoft PowerPoint for Windows and Mac OS X
* Microsoft Word for Windows
* Microsoft Office
* Microsoft Works Suite
* Microsoft Exchange Server Outlook Web Access

For more complete information, refer to the Microsoft Security
Bulletin Summary for June 2006.



Overview

Microsoft has released updates that address critical vulnerabilities
in Microsoft Windows, Word, PowerPoint, Media Player, Internet
Explorer, and Exchange Server. Exploitation of these vulnerabilities
could allow a remote, unauthenticated attacker to execute arbitrary
code or cause a denial of service on a vulnerable system.



I. Description

Microsoft Security Bulletin Summary for June 2006 addresses
vulnerabilities in Microsoft Windows, Word, PowerPoint, Media
Player, Internet Explorer, and Exchange Server. Further information
is available in the following US-CERT Vulnerability Notes:

VU#722753 - Microsoft IP Source Route Vulnerability

A vulnerability in Microsoft Windows could allow a remote attacker
to execute arbitrary code on a vulnerable system.
(CVE-2006-2379)

VU#446012 - Microsoft Word object pointer memory corruption
vulnerability

A memory corruption vulnerability in Microsoft Word could allow a
remote attacker to execute arbitrary code with the privileges of the
user running Word.
(CVE-2006-2492)

VU#190089 - Microsoft PowerPoint malformed record vulnerability

Microsoft PowerPoint fails to properly handle malformed records.
This may allow a remote attacker to execute arbitrary code on a
vulnerable system.
(CVE-2006-0022)

VU#923236 - Microsoft Windows ART image handling buffer overflow

Microsoft Windows ART image handling routines are vulnerable to a
heap-based buffer overflow. This vulnerability may allow a remote,
unauthenticated attacker to execute arbitrary code on a vulnerable
system.
(CVE-2006-2378)

VU#390044 - Microsoft JScript memory corruption vulnerability

Microsoft JScript contains a memory corruption vulnerability. This
vulnerability may allow a remote, unauthenticated attacker to
execute arbitrary code on a vulnerable system.
(CVE-2006-1313)

VU#338828 - Microsoft Internet Explorer exception handling
vulnerability

Microsoft Internet Explorer fails to properly handle exception
conditions. This may allow a remote, unauthenticated attacker to
execute arbitrary code.
(CVE-2006-2218)

VU#417585 - Microsoft DXImageTransform Light filter fails to
validate input

The Microsoft DXImageTransform Light COM object fails to validate
input, which may allow a remote attacker to execute arbitrary code
on a vulnerable system.
(CVE-2006-2383)

VU#959049 - Multiple COM objects cause memory corruption in
Microsoft Internet Explorer

Microsoft Internet Explorer (IE) allows instantiation of COM objects
not designed for use in the browser, which may allow a remote
attacker to execute arbitrary code or crash IE.
(CVE-2006-2127)

VU#136849 - Microsoft Internet Explorer UTF-8 decoding vulnerability

Microsoft Internet Explorer fails to properly decode UTF-8 encoded
HTML. This may allow a remote, unauthenticated attacker to execute
arbitrary code on a vulnerable system.
(CVE-2006-2382)

VU#909508 - Microsoft Graphics Rendering Engine fails to properly
handle WMF images

Microsoft Windows Graphics Rendering Engine contains a vulnerability
that may allow a remote attacker to execute arbitrary code on a
vulnerable system.
(CVE-2006-2376)

VU#608020 - Microsoft Windows Media Player PNG processing buffer
overflow

Microsoft Windows Media Player contains a stack-based buffer
overflow vulnerability that may allow a remote, unauthenticated
attacker to execute arbitrary code on a vulnerable system.
(CVE-2006-0025)

VU#814644 - Microsoft Remote Access Connection Manager service
vulnerable to buffer overflow

A vulnerability in the Microsoft Remote Access Connection Manager
may allow a remote attacker to execute arbitrary code on a
vulnerable system.
(CVE-2006-2371)

VU#631516 - Microsoft Routing and Remote Access does not properly
handle RPC requests

There is a vulnerability in the Microsoft Windows Routing and Remote
Access Service that could allow an attacker to take control of the
affected system.
(CVE-2006-2370)

VU#138188 - Microsoft Outlook Web Access for Exchange Server script
injection vulnerability

A script injection vulnerability exists in Microsoft Exchange Server
running Outlook Web Access.
(CVE-2006-1193)

In MS06-027 Microsoft has released updates for the Word
vulnerability described in Technical Cyber Security Alert TA06-139A.



II. Impact

A remote, unauthenticated attacker could execute arbitrary code on a
vulnerable system. An attacker may also be able to cause a denial of
service.



III. Solution

Apply Updates

Microsoft has provided updates for these vulnerabilities in the
Security Bulletins. Microsoft Windows updates are available on the
Microsoft Update site.

Workarounds

Please see the US-CERT Vulnerability Notes for workarounds.



Appendix A. References

* Microsoft Security Bulletin Summary for June 2006 -

http://www.microsoft.com/technet/security/bulletin/ms06-jun.mspx

* Technical Cyber Security Alert TA06-139A -
http://www.us-cert.gov/cas/techalerts/TA06-139A.html

* US-CERT Vulnerability Notes for Microsoft Updates for June 2006
- http://www.kb.cert.org/vuls/byid?searchview&query=ms06-june

* US-CERT Vulnerability Note VU#446012 -
http://www.kb.cert.org/vuls/id/446012

* US-CERT Vulnerability Note VU#190089 -
http://www.kb.cert.org/vuls/id/190089

* US-CERT Vulnerability Note VU#923236 -
http://www.kb.cert.org/vuls/id/923236

* US-CERT Vulnerability Note VU#390044 -
http://www.kb.cert.org/vuls/id/390044

* US-CERT Vulnerability Note VU#338828 -
http://www.kb.cert.org/vuls/id/338828

* US-CERT Vulnerability Note VU#417585 -
http://www.kb.cert.org/vuls/id/417585

* US-CERT Vulnerability Note VU#136849 -
http://www.kb.cert.org/vuls/id/136849

* US-CERT Vulnerability Note VU#909508 -
http://www.kb.cert.org/vuls/id/909508

* US-CERT Vulnerability Note VU#722753 -
http://www.kb.cert.org/vuls/id/722753

* US-CERT Vulnerability Note VU#959049 -
http://www.kb.cert.org/vuls/id/959049

* US-CERT Vulnerability Note VU#138188 -
http://www.kb.cert.org/vuls/id/138188

* US-CERT Vulnerability Note VU#608020 -
http://www.kb.cert.org/vuls/id/608020

* US-CERT Vulnerability Note VU#814644 -
http://www.kb.cert.org/vuls/id/814644

* US-CERT Vulnerability Note VU#631516 -
http://www.kb.cert.org/vuls/id/631516

* CVE-2006-2492 -
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2492

* CVE-2006-0022 -
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0022

* CVE-2006-2378 -
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2378

* CVE-2006-1313 -
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1313

* CVE-2006-2218 -
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2218

* CVE-2006-2383 -
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2383

* CVE-2006-2127 -
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2127

* CVE-2006-2382 -
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2382

* CVE-2006-2376 -
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2376

* CVE-2006-2379 -
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2379

* CVE-2006-1193 -
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1193

* CVE-2006-0025 -
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0025

* CVE-2006-2371 -
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2371

* CVE-2006-2370 -
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2370

* Microsoft Update -
https://update.microsoft.com/microsoftupdate

* Securing Your Web Browser -


http://www.us-cert.gov/reading_room/...r/#Internet_Ex
plorer



__________________________________________________ __________________

The most recent version of this document can be found at:

http://www.us-cert.gov/cas/techalerts/TA06-164A.html
__________________________________________________ __________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to with "TA06-164A Feedback VU#390044" in the
subject.
__________________________________________________ __________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit http://www.us-cert.gov/cas/signup.html.
__________________________________________________ __________________

Produced 2006 by US-CERT, a government organization.

Terms of use:

http://www.us-cert.gov/legal.html
__________________________________________________ __________________



Revision History

June 13, 2006: Initial release

Hello!

I'm experiencing some issues installing the KB918547 (MS06-026) patch
on ME systems. Does anyone know if it requires a specific version of
IE or something else? I have been able to install it on ME machines
with IE 6 so far, but not IE 5.5.

Anne

IE 5.5 is NOT supported in any way by MS at this time - you will have to
upgrade to IE6 SP1

--
Noel Paton (MS-MVP 2002-2006, Windows)

Nil Carborundum Illegitemi
http://www.crashfixpc.com/millsrpch.htm

http://tinyurl.com/6oztj

Please read http://dts-l.org/goodpost.htm on how to post messages to NG's
"anne" wrote in message
oups.com...
Hello!

I'm experiencing some issues installing the KB918547 (MS06-026) patch
on ME systems. Does anyone know if it requires a specific version of
IE or something else? I have been able to install it on ME machines
with IE 6 so far, but not IE 5.5.

Anne

Anne,

There does indeed to be something odd about the KB918547 (MS06-026) patch.
Whilst IE5.5 as such has been unsupported since the end of 2005, the last
patch being the cumulative update for IE5.5 released in December 2005, the
KB918547 hotfix is one of three patches offered to a Win Me system running
IE5.5 (the others being IE6 SP1 and 917344 [MS06-024]) however despite
being offered by the Windows Update site it will not install. The reason
being that this patch is for IE6 SP1 and is being offered in error by the
WU site to those still running IE5.5

I have notified Microsoft of this problem.

I would however like to stress that no machine should still be running
IE5.5 if used to access the net and that you should as a matter or urgency
update all such PCs to IE6 SP1.
--
Mike Maltby
MS-MVP Windows [2001-2006]



anne wrote:

Hello!

I'm experiencing some issues installing the KB918547 (MS06-026) patch
on ME systems. Does anyone know if it requires a specific version of
IE or something else? I have been able to install it on ME machines
with IE 6 so far, but not IE 5.5.

Interesting, Mike!
I just fired up a new ME (VPC) install - and 888113 also refuses to install.
Both patches are positioned in TechNet and WU as OS updates rather than as
IE updates, so should be IE version independent??

--
Noel Paton (MS-MVP 2002-2006, Windows)

Nil Carborundum Illegitemi
http://www.crashfixpc.com/millsrpch.htm

http://tinyurl.com/6oztj

Please read http://dts-l.org/goodpost.htm on how to post messages to NG's
"Mike M" wrote in message
...
Anne,

There does indeed to be something odd about the KB918547 (MS06-026) patch.
Whilst IE5.5 as such has been unsupported since the end of 2005, the last
patch being the cumulative update for IE5.5 released in December 2005, the
KB918547 hotfix is one of three patches offered to a Win Me system running
IE5.5 (the others being IE6 SP1 and 917344 [MS06-024]) however despite
being offered by the Windows Update site it will not install. The reason
being that this patch is for IE6 SP1 and is being offered in error by the
WU site to those still running IE5.5

I have notified Microsoft of this problem.

I would however like to stress that no machine should still be running
IE5.5 if used to access the net and that you should as a matter or urgency
update all such PCs to IE6 SP1.
--
Mike Maltby
MS-MVP Windows [2001-2006]



anne wrote:

Hello!

I'm experiencing some issues installing the KB918547 (MS06-026) patch
on ME systems. Does anyone know if it requires a specific version of
IE or something else? I have been able to install it on ME machines
with IE 6 so far, but not IE 5.5.

Correction:

The problem with the KB918547 (MS06-026) patch is that appears to be
timing out when downloaded from the WU site on a machine running IE5.5 and
NOT that it is not also for IE5.5 SP2. I would suggest that until this is
fixed (if ever) that you manually download the patch to your desktop from
the URL in the Windows Update log
(http://download.windowsupdate.com/ms...9630fd4a9a.exe)
and install the patch manually. The patch should now install without
problem.
--
Mike Maltby
MS-MVP Windows [2001-2006]



Mike M wrote:

Anne,

There does indeed to be something odd about the KB918547 (MS06-026)
patch. Whilst IE5.5 as such has been unsupported since the end of
2005, the last patch being the cumulative update for IE5.5 released
in December 2005, the KB918547 hotfix is one of three patches offered
to a Win Me system running IE5.5 (the others being IE6 SP1 and 917344
[MS06-024]) however despite being offered by the Windows Update site
it will not install. The reason being that this patch is for IE6 SP1
and is being offered in error by the WU site to those still running
IE5.5
I have notified Microsoft of this problem.

I would however like to stress that no machine should still be running
IE5.5 if used to access the net and that you should as a matter or
urgency update all such PCs to IE6 SP1.

Noel,

Installs manually without problems on IE5.5 SP2 but not IE5.5 RTM as in a
clean Win Me. See e-mail.
--
Mike


Noel Paton wrote:

Interesting, Mike!
I just fired up a new ME (VPC) install - and 888113 also refuses to
install. Both patches are positioned in TechNet and WU as OS updates
rather than as IE updates, so should be IE version independent??

The 98 version of the same patch will also NOT install on IE 5.0 on 98.
Both the 98 and ME patches seem to install fine on IE 6 (no service
pack), and the message that pops up when trying to apply these patches
on IE 5.x machines states that the machine does not have the right
version of Internet Explorer, so it must somehow be a requirement.

Anne