Ignore Patch That Messes With MSOE.DLL?

Guest

One of the more current security patches places a newer version of MSOE.DLL
in the Outlook Express directory. This kills some very important Word macros
that output to email (creates an incoming rather than outgoing email).

I was advised Feb-2006 that MS was aware of this problem.

Am I risking security by avoiding this patch? If so, any suggestions on how
to deal with this?

I think the patch in question is:

Cumulative Security Update for Outlook Express for Windows XP (KB911567)
Download size: 0 KB , 0 minutes (Downloaded; ready to install)
A security issue has been identified that could allow an attacker to
remotely compromise your Windows-based system using Outlook Express and gain
control over it. You can help protect your computer by installing this update
from Microsoft.

- or -

Security Update for Microsoft XML Core Services 4.0 Service Pack 2 (KB936181)
Download size: 0 KB , 0 minutes (Downloaded; ready to install)
A security issue has been identified in Microsoft XML Core Services (MSXML)
that could allow an attacker to compromise your Windows-based system and gain
control over it. You can help protect your computer by installing this update
from Microsoft.
 
MowGreen [MVP]

Cumulative Security Update for Outlook Express for Windows XP (KB911567)
was replaced by Microsoft Security Bulletin MS07-034 - Critical
Cumulative Security Update for Outlook Express and Windows Mail (929123)
IF you have installed KB929123 then there is no need to install KB911567
as a later Version of msoe.dll [6.0.2900.3138] is included.

MS07-034: Cumulative security update for Outlook Express and for Windows
Mail: http://support.microsoft.com/kb/929123

Under the 'Known issues with this security update' section there is no
mention of the issue you describe.

The other update, KB936181, has no relevance to OE.

MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============
 
Guest

Thank you. I've lost track of the names and numbers of the patches. What I do
know is that I brought this up in April 2006
http://www.ureader.com/message/3690870.aspx and seemed to recall being told
elsewhere that it was a known problem.

In any event, a couple of new systems and installations later it's still a
problem.

 
Steven L Umbach

While it is best to install security patches, if they break something then
you may have to live without it and accept the risks, whatever they may be, or
try suggested workarounds. If you view the IT Pro version of the article it
will list more details on exactly what the vulnerability is, mitigating
factors, and workarounds to get a better idea what you're dealing with and
what to do armed with that information. Below are some of the pertinent
details from the article. For instance, if your users are not logged on as a
user that is a member of the local administrators group then the threat is
mitigated for those users. It also states that a user would need to open a
.wab file sent via email or go to a malicious website to open a .wab file.

http://www.microsoft.com/technet/security/bulletin/ms06-016.mspx

A remote code execution vulnerability exists in Outlook Express when using a
Windows Address Book (.wab) file that could allow an attacker who
successfully exploited this vulnerability to take complete control of the
affected system.

If a user is logged on with administrative user rights, an attacker who
successfully exploited this vulnerability could take complete control of an
affected system. An attacker could then install programs; view, change, or
delete data; or create new accounts with full user rights. Users whose
accounts are configured to have fewer user rights on the system could be
less affected than users who operate with administrative user rights.

Mitigating Factors for Microsoft Outlook Express when using a Windows
Address Book File Vulnerability - CVE-2006-0014:

- An attacker who successfully exploited this vulnerability could gain
  the same user rights as the local user. Users whose accounts are configured
  to have fewer user rights on the system could be less impacted than users
  who operate with administrative user rights.

- In an e-mail attack scenario, an attacker could exploit the
  vulnerability by sending a specially-crafted .wab file to the user and by
  persuading the user to open the file.

- In a Web-based attack scenario, an attacker would have to host a Web
  site that contains a Web page that is used to attempt to exploit this
  vulnerability. An attacker would have no way to force users to visit a
  malicious Web site. Instead, an attacker would have to persuade them to
  visit the Web site, typically by getting them to click a link that takes
  them to the attacker's site. In order for the exploit to take place, the
  user would have to open the .wab file.

Workarounds for Microsoft Outlook Express when using a Windows Address
Book File Vulnerability - CVE-2006-0014:

Microsoft has tested the following workarounds. While these workarounds will
not correct the underlying vulnerability, they help block known attack
vectors. When a workaround reduces functionality, it is identified in the
following section.

Back up and remove the .wab file association
Removing the WAB registry key helps protect the affected system from
attempts to exploit this vulnerability. To back up and remove the WAB
registry key, follow these steps:

Note Using Registry Editor incorrectly can cause serious problems that may
require you to reinstall your operating system. Microsoft cannot guarantee
that problems resulting from the incorrect use of Registry Editor can be
solved. Use Registry Editor at your own risk. For information about how to
edit the registry, view the "Changing Keys And Values" Help topic in
Registry Editor (Regedit.exe) or view the "Add and Delete Information in the
Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

Note We recommend backing up the registry before you edit it.

1. Click Start, click Run, type "regedit" (without the quotation marks),
   and then click OK.

2. Expand HKEY_CLASSES_ROOT, and then click .WAB.

3. Click File, and then click Export.

4. In the Export Registry File dialog box, type a file name in the File
   Name box, and then click Save.

5. Click Edit, and then click Delete to remove the registry key.

6. In the Confirm Key Delete dialog box, you receive an "Are you sure you
   want to delete this key and all of its subkeys" message. Click Yes.
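
The six Registry Editor steps above, scripted with reg.exe so the key is only deleted once the backup has been written (an added example, not part of the original post or the Microsoft bulletin; the backup file name and location are assumptions):

```batch
@echo off
rem Added example: command-line form of the "back up and remove the .wab
rem file association" workaround. BACKUP is a hypothetical path chosen here.
rem Run from an account that is allowed to modify HKEY_CLASSES_ROOT.
setlocal
set "KEY=HKCR\.wab"
set "BACKUP=%USERPROFILE%\wab-association-backup.reg"

rem Nothing to do if the association is already absent.
reg query "%KEY%" >nul 2>&1
if errorlevel 1 goto :absent

rem Never overwrite an earlier backup: it may be the only good copy.
if exist "%BACKUP%" goto :backup_exists

rem Steps 3-4: export the key and everything under it.
reg export "%KEY%" "%BACKUP%"
if errorlevel 1 goto :export_failed
if not exist "%BACKUP%" goto :export_failed

rem Steps 5-6: delete the key and all of its subkeys without prompting.
reg delete "%KEY%" /f
if errorlevel 1 goto :delete_failed

echo Removed %KEY%.
echo To restore the association later: reg import "%BACKUP%"
exit /b 0

:absent
echo %KEY% is not present; no change made.
exit /b 0

:backup_exists
echo A backup already exists at "%BACKUP%"; move it aside and run again.
exit /b 1

:export_failed
echo Export failed; %KEY% was left in place.
exit /b 1

:delete_failed
echo Backup written to "%BACKUP%" but the key could not be deleted.
exit /b 1
```

As with the manual procedure, this only blocks the file-association attack vector and does not correct the underlying vulnerability.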
 
