What Is It?
Today is the day after Patch Tuesday, and Microsoft has released 7 new security bulletins, and re-released one bulletin. The re-released bulletin affects all Microsoft Office users, including our subscribers who are still using Office 2000.
Following is a list of the updates that affect the majority of users. The complete list is shown in the December 2006 security bulletin summary at http://www.microsoft.com/technet/security/bulletin/ms06-dec.mspx.
- MS06-059, Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (924164), is a re-release of a bulletin that was originally issued two months ago. The reason for the re-release is that users who are still running Windows Installer, Version 2.0, got a false report that the update succeeded. However, in some cases, excel.exe was not updated, leaving users vulnerable, without any outward indication to that effect.
  - The next section contains instructions for upgrading to Windows Installer 3.0. We strongly urge you to do so, to reduce the risk of similar future mishaps.
  - This re-release applies to Microsoft Office 2000, which must be updated through the Office Update Web site, and to Office 2004 and Office X for the Macintosh. Please see the next section for additional information.
- MS06-072, Cumulative Security Update for Internet Explorer (925454), applies to users who are still using Internet Explorer versions 6 and 5.01 (if it's installed on Windows 2000, Service Pack 4).
- MS06-075, Vulnerability in Windows Could Allow Elevation of Privilege (926255), is a relative rarity, a vulnerability that cannot be exploited remotely. Nevertheless, if you have computers in public areas, such as student computer labs, this is an important update.
- MS06-076, Cumulative Security Update for Outlook Express (923694), affects our many subscribers who use Outlook Express as their mail reader. Although the remote code execution vulnerability discussed in this bulletin seems like a bit of a stretch to me, it is, nevertheless, conceivable. In any case, it's a good idea to keep your email client up to date, since it is one of your most vulnerable applications.
Network administrators and developers who use Visual Studio 2005 (except the Express edition) should read the security bulletin summary at http://www.microsoft.com/technet/security/bulletin/ms06-dec.mspx for important information about additional bulletins not mentioned in this notice.
What Should You Do?
What you need to do depends on the version of Microsoft Office that you use. Please follow the directions in the sections that apply to you.
Microsoft Office 2000 for Windows
If you are still using Office 2000, visit the Office Update site at http://office.microsoft.com/, click on the Downloads link, then the Office Update link, and accept all the critical updates that you are offered. For US English versions of Microsoft Office, you can go directly to http://office.microsoft.com/en-us/officeupdate/default.aspx. You will need your original Office installation CD unless the installation files are on your local computer or on an accessible network share.
Microsoft Office 2004 for the Apple Macintosh
If you use Microsoft Office 2004 or Microsoft Excel 2004 for the Macintosh, download and install Microsoft Office 2004 for Mac 11.3.0 Update from http://www.microsoft.com/mac/downloads.aspx?pid=download&location=/mac/download/Office2004/Office2004_1130.xml.
Microsoft Office X for the Apple Macintosh
If you use Microsoft Office X or Microsoft Excel X for the Macintosh, download and install Microsoft Office v. X for Mac 10.1.8 Update from http://www.microsoft.com/mac/downloads.aspx?pid=download&location=/mac/download/OFFICEX/OfficeX_1018.xml.
All Microsoft Windows Users
If you have Windows Update configured to update automatically, the other updates should be installed in due course. However, we recommend that you periodically check with Windows Update, at http://update.microsoft.com/, to be certain that you are up to date, since automatic updates occasionally fail.
- If you haven't done so, you should upgrade to Windows Installer, Version 3.0, to reduce the risk of future difficulties such as the one that led to the re-release, yesterday, of MS06-059. Unless you have already upgraded to Windows Installer, Version 3.0, it will be listed as an optional update on the page returned to you when you request a list of available updates.
- Important: In order to see the optional updates, you must select the Custom button on the opening screen. The Express button lists only critical updates.
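Because the MS06-059 re-release stems from an installer that reported success without replacing excel.exe, it is worth confirming file versions on disk after patching. The following PowerShell is an added example, not part of the original notice or of any Microsoft tooling; the function names are hypothetical, and the excel.exe path and fixed version are placeholders that you must replace with the values from the bulletin and your own installation.

```powershell
# Added example: check file versions on disk instead of trusting the
# installer's success report. Function names are hypothetical.

function Get-FileVersionObject {
    param([Parameter(Mandatory)][string]$Path)
    # Build the version from its numeric parts; the FileVersion string can
    # contain free-form text that does not parse as a version.
    $vi = (Get-Item -LiteralPath $Path -ErrorAction Stop).VersionInfo
    [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                   $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Test-FileVersionAtLeast {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][version]$MinimumVersion
    )
    # A missing file is reported separately so it is not mistaken for a pass.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{
            Path = $Path; Found = $null; Required = $MinimumVersion; Status = 'Missing'
        }
    }
    $found  = Get-FileVersionObject -Path $Path
    $status = if ($found -ge $MinimumVersion) { 'AtOrAbove' } else { 'Below' }
    [pscustomobject]@{
        Path = $Path; Found = $found; Required = $MinimumVersion; Status = $status
    }
}

$checks = @(
    # Windows Installer: msi.dll carries the installer's own version number.
    @{ Path = (Join-Path $env:SystemRoot 'System32\msi.dll'); Minimum = '3.0.0.0' }
    # PLACEHOLDERS: set the real excel.exe location and the fixed file version
    # listed in the MS06-059 bulletin. The dummy values below never pass.
    @{ Path = 'X:\PLACEHOLDER\excel.exe'; Minimum = '99.0.0.0' }
)

$checks | ForEach-Object {
    Test-FileVersionAtLeast -Path $_.Path -MinimumVersion $_.Minimum
} | Format-Table -AutoSize
```

Any row whose Status is Below or Missing needs a follow-up, whatever the update history says.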
David Gray, MBA, Chief Wizard WizardWrx, formerly P6 Consulting
V: +1 (817) 812-3041 TZ: USA Central, GMT -6 E: dagray@wizardwrx.com W: www.wizardwrx.com
5006 Cloyce Court North Richland Hills, TX 76180-6944 USA
Tell me what you need, and I’ll conjure it.