7 Microsoft Security Bulletins for December 2006

Microsoft released seven security updates, three rated critical. Here's a brief description of each update; for more information, go to

http://www.microsoft.com/technet/security/bulletin/ms06-dec.mspx

MS06-072: Cumulative Security Update for Internet Explorer.

This update fixes several vulnerabilities in previous versions of Microsoft Internet Explorer (IE). Web sites that are crafted with special code could have that code executed on the local computer. If the locally logged on user is an administrator, that code will execute with administrator privileges.

Applies to: All versions of IE 5 and IE 6. Doesn't apply to IE 7.

Recommendation: Microsoft has rated this update as critical. You should put this patch through an accelerated testing process to ensure that it doesn't cause other problems and then deploy it immediately.

MS06-073: Vulnerability in Visual Studio 2005 Could Allow Remote Code Execution.

A vulnerability exists in Visual Studio 2005 that could allow remote code execution. An exploit for this vulnerability is "out in the wild," which is why Microsoft has rated the update as critical.

Applies to: All editions of Visual Studio 2005 except the Express editions.

Recommendation: Microsoft has rated this update as critical. If your organization uses Visual Studio 2005, you should put this patch through an accelerated testing process to ensure that it doesn't cause other problems and then deploy it immediately.

MS06-074: Vulnerability in SNMP Could Allow Remote Code Execution.

Although the SNMP service isn't installed by default on Windows computers, a vulnerability exists in the service that could be used by an attacker to execute code remotely.

Applies to: All versions of Windows.

Recommendation: Microsoft has rated this update as important but not critical. This means that you should test the update on development computers thoroughly and deploy it as part of your normal patch management cycle.

MS06-075: Vulnerability in Windows Could Allow Elevation of Privilege.

This vulnerability allows a locally logged on user with standard privileges to elevate those privileges to those of an administrator by running an appropriately crafted application.

Applies to: Windows XP and Windows Server 2003.

Recommendation: Microsoft has rated this update as important but not critical. This means that you should test the update on development computers thoroughly and deploy it as part of your normal patch management cycle.

MS06-076: Cumulative Security Update for Outlook Express.

This update fixes a possible remote code execution problem in Microsoft Outlook Express. Exploiting the problem requires that a user give permission for the exploit to work.

Applies to: All versions of Outlook Express.

Recommendation: Microsoft has rated this update as important but not critical. This means that you should test the update on development computers thoroughly and deploy it as part of your normal patch management cycle.

MS06-077: Vulnerability in Remote Installation Service Could Allow Remote Code Execution.

The Remote Installation Service (RIS) is used to deploy software from a central server to clients in an Active Directory (AD) environment. A vulnerability in this service could allow an attacker to gain access to a client through this service.

Applies to: Windows 2000 Service Pack 4 (SP4)

Recommendation: Microsoft has rated this update as important but not critical. This means that you should test the update on development computers thoroughly and deploy it as part of your normal patch management cycle.

MS06-078: Vulnerability in Windows Media Format Could Allow Remote Code Execution.

This update relates to a problem with Windows Media Format. An attacker could send a media file that promises humorous video but also carries code that will allow the attacker to take over the subject's computer. The attacker might not be the person who forwards the media, but relies on others, unaware of the media's extra content, to forward it to their friends.

Applies to: All versions of Windows.

Recommendation: Microsoft has rated this update as critical. You should put this patch through an accelerated testing process to ensure that it doesn't cause other problems and then deploy it immediately. Remind users of the risk of opening non-work-related attachments no matter how humorous or interesting they might seem.
