December Security Bulletins, Dec 14, 2006. Richard Chen 陳政鋒 (Net+, Sec+, MCSE2003+Security, CISSP), Senior Technical Support Engineer, Microsoft Taiwan Technical Support.

Presentation transcript:


Questions and Answers
- Submit text questions using the “Ask a Question” button

What We Will Cover
- Recap Nov. releases known issues
- Review Dec. releases
- Other security resources
  - Prepare for new WSUSSCAN.CAB architecture
  - IE 7 over AU
  - Lifecycle Information
  - Windows Malicious Software Removal Tool
- Resources
- Questions and answers

Recap Nov. Known issues and
- MS Netware
  - The update is offered even when CSNW is not installed: normal proactive patching
- MS IE patch
  - 3rd party AP compatibility issue, see KB
- MS Adobe Flash Player
  - Re-offering; install the latest Flash Player to solve the issue
- MS Workstation service
  - Worm vulnerability, install the patch immediately
- MS MSXML
  - WSUS category/description error, being fixed now
  - MSXML4 install failure, see KB927978

Dec 2006 Security Bulletins Summary
- On Dec 13:
  - 7 New Security Bulletins
    - 5 Windows (1 critical, 4 important)
    - 1 Visual Studio (critical)
    - 1 Media Player (critical)
  - 1 re-release MS (critical)
  - 5 High-priority non-security updates

November 2006 Security Bulletins Overview

| Bulletin Number | Title | Maximum Severity Rating | Products Affected |
| --- | --- | --- | --- |
| MS | Cumulative Security Update for Internet Explorer (925454) | Critical | Internet Explorer 5.01 & 6 |
| MS | Vulnerability in Visual Studio 2005 Could Allow Remote Code Execution (925674) | Critical | Visual Studio 2005 |
| MS | Vulnerability in SNMP Could Allow Remote Code Execution (926247) | Important | Windows 2000, XP, 2003 |
| MS | Vulnerability in Windows Could Allow Elevation of Privilege (926255) | Important | Windows XP, 2003 |
| MS | Cumulative Security Update for Outlook Express (923694) | Important | Outlook Express on Windows 2000, XP, 2003 |
| MS | Vulnerability in Remote Installation Service Could Allow Remote Code Execution (926121) | Important | Windows 2000 |
| MS06-078 | Vulnerability in Windows Media Format Could Allow Remote Code Execution (923689) | Critical | Windows Media Format 7.1 – 9.5 and Windows Media Player 6.4 on Windows 2000, XP, 2003 |

December 2006 Security Bulletins Severity Summary

Columns: Bulletin Number; Windows 2000 SP4; Windows XP SP2; Windows Server 2003; Windows Server 2003 SP1
- MS: Critical; Critical; Moderate; Critical
- MS: Important; Important; Important; Important
- MS: Not Affected; Important; Important
- MS: Important

Columns: Bulletin Number; Visual Studio 2005
- MS: Critical

Columns: Bulletin Number; Windows Media Player 6.4; Windows 2000 SP4; Windows XP SP2; Windows Server 2003 & SP1
- MS: Critical; Critical; Critical; Critical

Columns: Bulletin Number; Outlook Express 5.5; Outlook Express 6; Windows Vista
- MS: Important; Important; Not Affected

MS06-072: Internet Explorer – Critical

Title & KB Article: Cumulative Security Update for Internet Explorer (925454)

Affected Software:
- IE 5.01 SP4 on Windows 2000 SP4
- IE 6 SP1 on Windows 2000 SP4
- IE 6 for Windows XP SP2
- IE 6 for Windows Server 2003 RTM and SP1
- IE 6 for Windows Server 2003 RTM ia64 and SP1 ia64
- IE 6 for Windows Server 2003 x64
- IE 6 for Windows XP Pro x64

Replaced Updates:
- MS and all previous Cumulative Security Updates for Internet Explorer

Vulnerabilities:
- CVE TIF Folder Information Disclosure Vuln
- CVE TIF Folder Information Disclosure Vuln
- CVE Script Error Handling Memory Corruption Vuln
- CVE DHTML Script Function Memory Corruption Vuln

Publicly Disclosed: No

Known Exploits: No

MS06-072: Internet Explorer – Critical

Issue Summary: Two “Remote Code Exploit” vulnerabilities and two “Information Disclosure” vulnerabilities exist in IE that could allow an attacker to run arbitrary code.

Fix Description: The fix modifies the handling of DHTML script function calls and script error exceptions. It also restricts OBJECT tags from exposing sensitive paths to scripts and restricts access to cached content in the TIF folder.

Attack Vectors:
- Malicious Web Page
- Malicious e-mail

Mitigations:
- A user would have to be persuaded to visit a malicious Web site
- Exploitation only allows the privilege level of the logged on user
- By default, IE on Windows 2003 runs in a restricted mode
- Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML messages in the Restricted sites zone
- Internet Explorer 7 is not affected

Workaround:
- Disable “Drag and Drop or copy and paste files”
- Disable Active Scripting or set to “Prompt”
- Set IE security to High for Internet and Intranet zones
- Open HTML messages in the Restricted sites zone, apply update for Outlook 2000

Restart Requirement: NO

Installation and Removal:
- Add/Remove Programs
- Command line uninstall option
- Scriptable Deployment

More Information:

MS06-073: WMI Object Broker - Critical

Title & KB Article: Vulnerability in Visual Studio 2005 Could Allow Remote Code Execution (925674)

Affected Software:
- Microsoft Visual Studio 2005

Replaced Updates: NONE

Vulnerabilities:
- WMI Object Broker Vulnerability - CVE : A remote code execution vulnerability exists in the WMI Object Broker control that the WMI Wizard uses in Visual Studio. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user viewed the Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Publicly Disclosed: Yes

Known Exploits?: Yes. CVE

MS06-073: WMI Object Broker - Critical

Issue Summary: This update resolves a public vulnerability. An attacker who has successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If a user is logged on with administrative user rights, an attacker who has successfully exploited this vulnerability could take complete control of an affected system. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Fix Description: The update removes the vulnerability by modifying the way that the WMI Object Broker instantiates other controls.

Attack Vectors:
- Malicious Web Page
- E-mails with Malicious Components

MS06-073: WMI Object Broker - Critical

Mitigations:
- A user would have to be persuaded to visit a malicious Web site
- This ActiveX control is not in the default allow-list for ActiveX controls in Internet Explorer 7. Only customers who have explicitly approved this control by using the ActiveX Opt-in Feature are at risk to attempts to exploit this vulnerability.
- Exploitation only allows the same privileges as the logged on user
- The Restricted sites zone helps reduce attacks that could try to exploit this vulnerability by preventing Active Scripting/ActiveX controls from being used when reading HTML e-mail.
- The vulnerability could not be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message or must click on a link within an e-mail.
- By default, Internet Explorer on Windows Server 2003 runs in a restricted mode that is known as Enhanced Security Configuration.

Workaround:
- Disable attempts to instantiate the WMI Object Broker control within Internet Explorer (see Microsoft Knowledge Base Article )
- Configure Internet Explorer to prompt before running ActiveX Controls or disable ActiveX Controls in the Internet and Local intranet security zone
- Set Internet and Local intranet security zone settings to “High” to prompt before running ActiveX Controls and Active Scripting in these zones
- For Outlook 2000, install Outlook Security Update so that Outlook 2000 opens HTML messages in the Restricted sites zone.
- For Outlook Express 5.5 Service Pack 2, install Microsoft Security Bulletin MS so that Outlook Express 5.5 opens HTML messages in the Restricted sites zone.

MS06-073: WMI Object Broker - Critical

Restart Requirement: This update does not require a restart unless the required services cannot be stopped by the installer.

Installation and Removal:
- Add/Remove Programs
- Command line install/uninstall option
- Scriptable Deployment

More Information:

MS06-074: SNMP - Important

Title & KB Article: Vulnerability in SNMP Could Allow Remote Code Execution (926247)

Affected Software:
- Windows 2000 SP 4
- Windows XP SP 2
- Windows XP Pro x64
- Windows Server 2003
- Windows Server 2003 & Windows Server 2003 SP1
- Windows Server 2003 ia64 & Windows Server 2003 SP1 ia64
- Windows Server 2003 x64

Replaced Updates: None

Vulnerabilities:
- CVE

Publicly Disclosed: No

Known Exploits?: No

MS06-074: SNMP - Important

Issue Summary: A remote code execution vulnerability exists in SNMP Service that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system.

Fix Description: The update removes the vulnerability by modifying the way that SNMP Service validates the length of a message before it passes the message to the allocated buffer.

Attack Vectors:
- Malicious packet transmission over the network

Mitigations:
- SNMP service is not installed by default.
- For customers who require the affected component, firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter.

Workaround:
- Restrict the IP addresses that are allowed to manage the computer.
- Block UDP port 161 at the firewall.
- To help protect from network-based attempts to exploit this vulnerability, use a personal firewall, such as the Windows Firewall, which is included with Windows XP.

Restart Requirement: Yes

Installation and Removal:
- Add/Remove Programs
- Command line uninstall option
- Scriptable Deployment

More Information:

MS06-075: File Manifest - Important

Title & KB Article: Vulnerability in Windows Could Allow Elevation of Privilege (926255)

Affected Software:
- Windows XP SP 2
- Windows Server 2003
- Windows Server 2003 ia64

Replaced Updates: None

Vulnerabilities:
- File Manifest Corruption Vulnerability - CVE

Publicly Disclosed: No

Known Exploits?: No

MS06-075: File Manifest - Important

Issue Summary: A privilege elevation vulnerability exists in the way that Microsoft Windows starts applications with specially crafted file manifests. This vulnerability could allow a logged on user to take complete control of the system.

Fix Description: The update removes the vulnerability by modifying the way that Client Server Run-time Subsystem validates embedded file manifests before it passes data to the allocated buffer. This security update corrects an integer overflow in sxs.dll. Any application that uses side-by-side assemblies with a Requested Privileges section may BSOD the machine. Comctl32.dll and GDIplus.dll are two side-by-side assemblies commonly used by Microsoft. In the worst case a local authenticated user can execute code before the machine BSODs; therefore local EoP (from local user to system) is possible.

Attack Vectors:
- Logged on user

Mitigations:
- An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
- The vulnerability could not be exploited remotely or by anonymous users.

Workaround: None

Restart Requirement: Yes

Installation and Removal:
- Add/Remove Programs
- Command line uninstall option
- Scriptable Deployment

More Information:

MS06-076: Outlook Express - Important

Title & KB Article: Cumulative Security Update for Outlook Express (923694)

Affected Software:
- Win2K SP4
- WinXP SP2, x64 Edition
- Win2K3 and Win2K3 SP1, 2K3 Itanium & SP1 for Itanium, Win2K3 x64
- OE 5.5 SP2 on Win2K SP4
- OE 6 SP1 on WinXP SP2
- OE 6 on WinXP SP2, x64 Edition
- OE 6 on Win2K3 and Win2K3 SP1, x64 Edition, Itanium & Itanium SP1

Replaced Updates:
- MS06-016 & MS with OE6 on WinXP SP2 & x64 and OE6 on Win2K3 SP1 & x64

Vulnerabilities:
- CVE : Windows Address Book Contact Record

Publicly Disclosed: CVE – No

Known Exploits?: No

MS06-076: Outlook Express - Important

Issue Summary: CVE : An unchecked buffer in the Windows Address Book (WAB) functions within Outlook Express could lead to remote code execution attacks.

Fix Description: CVE : Removes the vulnerability by modifying the way that Outlook Express, when using a .wab file, validates the length of a field before it passes it to the allocated buffer.

Attack Vectors:
- Malicious e-mail
- Malicious Web Page

Mitigations:
- A user would have to be persuaded to visit a malicious Web site
- Exploitation only allows the same privileges as the logged on user
- A user must open an attachment that is sent in an e-mail

Workaround: Back up and remove the .wab file association

Impact of Workaround: Users will not be able to open address books by double clicking them. They will have to manually start the Windows Address Book application and pass the address book to be used as a command line parameter, or they can import the address book from the File menu. This does not affect the use of address books in Outlook Express.

Restart Requirement: No

Installation and Removal:
- Add/Remove Programs, Command line uninstall option
- Scriptable Deployment

More Information:

MS06-077: RIS - Important

Title & KB Article: Vulnerability in Remote Installation Service Could Allow Remote Code Execution (926121)

Affected Software:
- Windows 2000 SP4 ONLY

Replaced Updates: None

Vulnerabilities:
- CVE RIS Writable Path Vulnerability

Publicly Disclosed: No

Known Exploits?: No

MS06-077: RIS - Important

Issue Summary: RIS allows anonymous access to the file structure of a hosted operating system build through the TFTP service.

Fix Description: The update removes the ability of anonymous TFTP users to write to the RIS hosted operating system build’s file structure by adding the registry key identified in the Workarounds section of the bulletin.

Attack Vectors:
- Malicious packet transmission over the network

Mitigations:
- An attacker would need TFTP access to exploit this vulnerability
- RIS is not installed by default
- Standard Firewall configurations should block this from the web

Workaround:
- Configure the TFTP service as read only
- Disable the TFTP Service
- Block UDP port 69 at the firewall

Restart Requirement: No

Installation and Removal:
- Add/Remove Programs
- Command line uninstall option
- Scriptable Deployment

More Information:

MS06-078: Windows Media Player - Critical

Title & KB Article: Vulnerability in Windows Media Player Could Allow Remote Code Execution
- KB addresses Windows Media Player 6.4
- KB addresses Windows Media Format Runtimes

Affected Software:
- Microsoft Windows Media Format 7.1 through 9.5 Series Runtime on the following operating system versions:
  - Microsoft Windows 2000 Service Pack 4 - (KB923689)
  - Microsoft Windows XP Service Pack 2 - (KB923689)
  - Microsoft Windows XP Professional x64 Edition - (KB923689)
  - Microsoft Windows Server 2003 or Microsoft Windows Server 2003 Service Pack 1 - (KB923689)
  - Microsoft Windows Server 2003 x64 Edition - (KB923689)

Affected Software:
- Microsoft Windows Media Format 9.5 Series Runtime x64 Edition on the following operating system versions:
  - Microsoft Windows XP Professional x64 Edition - (KB923689)
  - Microsoft Windows Server 2003 x64 Edition - (KB923689)
- Microsoft Windows Media Player 6.4 on the following operating system versions:
  - Windows 2000 Service Pack 4 - (KB925398)
  - Microsoft Windows XP Service Pack 2 - (KB925398)
  - Microsoft Windows XP Professional x64 Edition - (KB925398)
  - Microsoft Windows Server 2003 or on Microsoft Windows Server 2003 Service Pack 1 - (KB925398)
  - Microsoft Windows Server 2003 x64 Edition - (KB925398)

MS06-078: Windows Media Player - Critical

Replaced Updates: None

Vulnerabilities:
- CVE Windows Media Format Vulnerability
- CVE Windows Media Format WMVCORE ASX Vulnerability

Publicly Disclosed: No

Known Exploits?: No

MS06-078: Windows Media Player - Critical

Issue Summary:
- Buffer overflow
- Remote Code Execution
- WMV Core
- ASF exploited
- ASX exploited

Fix Description:
- Update modifies WMVCORE validation process.

Attack Vectors:
- Malicious Web Page
- Malicious e-mail

Mitigations:
- Requires accessing a malicious Web site or opening a malicious e-mail
- Exploitation only allows the same privileges as the logged on user
- By default, IE on Windows 2003 runs in a restricted mode
- Windows Media Format 11 runtime is not affected by this vulnerability and could be used to prevent an attempt to exploit this vulnerability.

Workaround:
- Disable the Windows Media Player ActiveX controls from running in Internet Explorer
- Modify the Access Control List on Strmdll.dll to prevent shell based attacks on players on Windows 2000
- Unregister Shmedia.dll to prevent shell based attacks on players on Windows XP and Windows 2003

MS06-078: Windows Media Player - Critical

Restart Requirement: None, if required services are terminable.

Installation and Removal:
- Add/Remove Programs
- Command line uninstall option
- Scriptable Deployment

More Information:

Re-Release of MS Excel Critical
- Installation of MS might fail if ALL conditions are true:
  - Running Excel 2002
  - MSI 2.0
  - Previously installed MS
- Details:
  - Basically, because the 059 patch does not contain the MSI 2.0 patch code for 037, installing Excel 2002’s 059 on top of 037 will trigger a Windows Installer 2.0 bug in some cases and result in excel.exe not getting updated to version
- Resolution: Install MS v2

Detection and Deployment
Bulletin | Component | Office Update | WU/MU | MBSA ODT | MBSA 2.0/ 2.0.1 | SUS | WSUS | EST | SMS SUIT | SMS ITMU
Detect and deploy | Detect only | Detect and deploy | Detect only | Detect and deploy
MS | Microsoft Internet Explorer | Not applicable | Yes | Not applicable | Yes
MS | Microsoft Visual Studio | Not applicable | Yes | No | Yes | No | Yes | Yes, with ESUIT | Yes
MS | SNMP | Not applicable | Yes | Not applicable | Yes
MS | File Manifest | Not applicable | Yes | Not applicable | Yes
MS | Microsoft Outlook Express | Not applicable | Yes | No | Yes | Yes, with ESUIT | Yes
MS | Remote Installation Services (RIS) | Not applicable | Yes | No | Yes
MS | Windows Media Player | Not applicable | Yes | Partial | Yes | Yes, with ESUIT | Partial

Other Update Information
Bulletin | Restart | Uninstall | Replaces | On products
MS | Yes | Yes | MS and all previous Cumulative Security Updates for IE | IE 5.01SP4, IE6, IE6 SP1
MS | Maybe | Yes | N/A | Visual Studio 2005
MS | Yes | Yes | N/A | Windows 2000 SP4, XPSP2, W2K3, W2K3SP1
MS | Yes | Yes | N/A | XPSP2 and W2K3
MS | No | Yes | MS & MS with OE 6 on WinXP SP2 & x64 and OE 6 on W2K3 SP1 & x64 | OE 5.5 SP2 and OE6
MS | No | Yes | N/A | W2K Only
MS | Maybe | Yes | N/A | Microsoft Windows Media Format 7.1 through 9.5 Series Runtime on the following operating system versions; Microsoft Windows Media Player 6.4

December 2006 Non-Security Updates
NUMBER | TITLE | Distribution
Update for Windows Server | WU, MU
Update for Windows XP Media Center Edition for 2005 | WU, MU
Update for Windows | WU, MU
Update for Windows | WU, MU
Update for Office 2003 | MU

New WSUSSCAN.CAB architecture
The new architecture for wsusscan.cab has been in use since November 2006
Support for the existing wsusscan.cab architecture ends in March 2007
SMS ITMU customers: download and deploy the updated version of the SMS ITMU
MBSA 2.0 offline scan customers:
– Download the updated version of MBSA now
– Or download the new offline scan file, wsusscn2.cab, by clicking Save this file to C:\Documents and Settings\ \Local Settings\Application Data\Microsoft\MBSA\2.0\Cache\wsusscn2.cab.
If you only run MBSA 2.0 in the online mode, you do not need to do anything.
See Microsoft KB Article for more information

IE 7 over AU
Manual download (EN version) is available.
Internet Explorer 7 began distribution over AU in November 2006
– ZH version schedule see announcement below!
Internet Explorer 7 Blocker Toolkit available for enterprise customers
– Blocks automatic delivery of Internet Explorer 7
For additional information see:
– pdate/ie7announcement.mspx

Lifecycle Support Information
Software Update Services (SUS) 1.0
– Old deadline of 6 December 2006 has CHANGED to 10 July 2007
– Information on upgrading: s/default.mspx
Public security support for Windows XP SP1 and Office 2003 SP1 HAS ENDED as of 10 October 2006
– No Security Updates for Windows XP SP1 or Office 2003 SP1 starting in November 2006
– Remaining Windows XP SP1, Office 2003 SP1 customers should upgrade to Windows XP SP2, Office 2003 SP2 right away
Public security support for Windows 98, 98 SE, and Millennium Edition HAS ENDED as of 11 July 2006
– See for more information
Microsoft Forefront Client Security Beta open to download.

Windows Malicious Software Removal Tool – KB
Twenty-fourth monthly incremental update.
The Oct update adds the ability to remove:
– Win32/Beenut
Available as priority update through Windows Update or Microsoft Update for Windows XP users
– Offered through WSUS; not offered through SUS 1.0
Also as an ActiveX control or download at
Deployment step-by-step: KB891716

Resources
– Nov. Security Bulletin Webcast (US) US&EventID=
– Security Bulletins Summary
– Security Bulletins Search
– Security Advisories
– MSRC Blog
– Notifications
– TechNet Radio
– IT Pro Security Newsletter
– TechNet Security Center
– TechNet Forum ITPro
– Detection and deployment guidance for the December 2006 security release

Questions and Answers
Submit text questions using the “Ask a Question” button
Don’t forget to fill out the survey
For upcoming and previously recorded webcasts:
Webcast content suggestions: