Windows Security Updates for June 2006 - (MS06-021 - MS06-032)

Original Release Date: June 13, 2006
Last Revised: June 14, 2006
Number: ASA-2006-126
Risk Level: High
Advisory Version: 2.0
Advisory Status: Final

1. Overview:

Microsoft issued a security bulletin summary for June 2006 which contained twelve security bulletins: MS06-021, MS06-022, MS06-023, MS06-024, MS06-025, MS06-026, MS06-027, MS06-028, MS06-029, MS06-030, MS06-031 and MS06-032. The bulletins describe vulnerabilities in Microsoft Windows Operating Systems and in Microsoft applications that run on them. A description of the vulnerabilities can be found at:

Certain Avaya products utilize Microsoft Operating Systems and may be affected by these vulnerabilities.

2. Avaya System Products

Avaya system products include an Operating System with the product when it is delivered. The system products described below are delivered with a Microsoft Operating System. Actions to be taken with these products are also described below.

Product: Unified Communications Center (UCC) - S3400
Affected S/W Version(s): All
Recommended Actions: Follow Microsoft's recommendation for installing the Operating System patches:

  MS06-021
  MS06-025
  MS06-030
  MS06-031
  MS06-032

The Unified Communications Center product is deployed with the Microsoft Windows 2000 Operating System.

Product: Modular Messaging - Messaging Application Server (MAS)
Affected S/W Version(s): All
Recommended Actions: Follow Microsoft's recommendation for installing the Operating System patches:

  MS06-021
  MS06-025
  MS06-030
  MS06-031 (MAS releases prior to 3.0 only)
  MS06-032

The Modular Messaging - Messaging Application Server (MAS) is deployed with the Microsoft Windows 2000 or Microsoft Windows 2003 Operating System.

Product: S8100/DefinityOne/IP600 Media Servers
Affected S/W Version(s): R10 and greater
Recommended Actions: Follow Microsoft's recommendation for installing the Operating System patches:

  MS06-021
  MS06-025
  MS06-030
  MS06-031
  MS06-032

These products are deployed with either the Microsoft Windows 2000 Operating System or the Microsoft Windows NT Operating System.
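The following PowerShell script is an added example and is not part of Avaya's advisory or Microsoft's tooling. It checks whether the five bulletins Avaya calls out for its Windows-based system products are actually present on a host, keyed on the Knowledge Base article numbers Microsoft assigned to them (916281, 911280, 914389, 917736 and 917953, as listed in section 5 below). It assumes a Windows build on which Get-HotFix (the Win32_QuickFixEngineering class) reports installed updates; the MAS 3.0 exemption for MS06-031 is handled through a switch parameter whose name is my own.

```powershell
# Added example: verify that the June 2006 bulletins Avaya lists for its
# Windows-based system products are installed. Not Avaya's or Microsoft's code.
# Assumes Get-HotFix (Win32_QuickFixEngineering) enumerates installed updates.

# Bulletin -> KB article number, taken from section 5 of the advisory.
$RequiredBulletins = [ordered]@{
    'MS06-021' = 'KB916281'   # Internet Explorer cumulative update
    'MS06-025' = 'KB911280'   # Routing and Remote Access (remote code execution)
    'MS06-030' = 'KB914389'   # SMB elevation of privilege / denial of service
    'MS06-031' = 'KB917736'   # RPC mutual authentication spoofing
    'MS06-032' = 'KB917953'   # TCP/IP source routing (remote code execution)
}

function Get-MissingJune2006Bulletins {
    [CmdletBinding()]
    param(
        # Set this for Modular Messaging MAS 3.0 and later, which the advisory
        # says does not require MS06-031. The parameter name is an assumption.
        [switch] $MasVersion30OrLater,
        # Host to inspect; defaults to the local machine.
        [string] $ComputerName = $env:COMPUTERNAME
    )

    # Normalise installed hotfix IDs to upper case for a reliable comparison.
    $installed = Get-HotFix -ComputerName $ComputerName |
        ForEach-Object { $_.HotFixID.ToUpper() }

    $missing = @()
    foreach ($bulletin in $RequiredBulletins.Keys) {
        if ($bulletin -eq 'MS06-031' -and $MasVersion30OrLater) { continue }
        $kb = $RequiredBulletins[$bulletin]
        if ($installed -notcontains $kb) {
            $missing += [pscustomobject]@{
                Computer = $ComputerName
                Bulletin = $bulletin
                KB       = $kb
            }
        }
    }
    return $missing
}

# Usage: report what still has to be applied. An empty result means the host
# carries every bulletin this advisory lists for it.
$gaps = Get-MissingJune2006Bulletins
if ($gaps) {
    $gaps | Format-Table -AutoSize
    exit 1   # non-zero so a scheduler or inventory job notices the gap
} else {
    Write-Output 'All June 2006 bulletins required by ASA-2006-126 are installed.'
}
```

Two caveats apply. Windows 2000 and Windows NT hosts, which several of the products above run on, predate PowerShell, so on those the same KB numbers have to be confirmed through Add/Remove Programs or Microsoft Baseline Security Analyzer rather than this script. And presence of a KB entry shows that the package was installed, not that the host has been rebooted since; an update awaiting a restart has not yet closed the hole.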

3. Avaya Software-Only Products

Avaya software-only products operate on general-purpose operating systems. Occasionally vulnerabilities may be discovered in the underlying operating system or applications that come with the operating system. These vulnerabilities often do not impact the software-only product directly but may threaten the integrity of the underlying platform.

In the case of this advisory, Avaya software-only products are not affected by the vulnerabilities directly, but the underlying Microsoft Windows platform may be. For affected Microsoft Operating Systems, Microsoft recommends installing patches. Detailed instructions for patching the Operating System are given by Microsoft at the following links:

4. Software-Only Products:

Product                                                 Software Version(s)
Avaya Agent Access                                      All Versions
Avaya Basic Call Management System Reporting Desktop - server   All Versions
Avaya Basic Call Management System Reporting Desktop - client   All Versions
Avaya CMS Supervisor                                    All Versions
Avaya Computer Telephony                                All Versions
Avaya CVLAN Client                                      All Versions
Avaya Enterprise Manager                                All Versions
Avaya Integrated Management                             All Versions
Avaya Interaction Center (IC)                           All Versions
Avaya Interaction Center - Voice Quick Start            All Versions
Avaya IP Agent                                          All Versions
Avaya IP Softphone                                      All Versions
Avaya Modular Messaging                                 All Versions
Avaya Network Reporting                                 All Versions
Avaya OctelAccess® Server                               All Versions
Avaya OctelDesigner™                                    All Versions
Avaya Operational Analyst                               All Versions
Avaya Outbound Contact Management                       All Versions
Avaya Speech Access                                     All Versions
Avaya Unified Communication Center (UCC)                All Versions
Avaya Unified Messenger®                                All Versions
Avaya Visual Messenger™                                 All Versions
Avaya Visual Vector Client                              All Versions
Avaya VPNmanager™ Console                               All Versions
Avaya Web Messenger                                     All Versions

Recommended Actions:
Avaya recommends that customers follow recommended actions supplied by the Operating System vendor (e.g. Microsoft Windows) or remove the affected packages.

5. Additional Information:

MS06-021 Cumulative Security Update for Internet Explorer (916281): Internet Explorer was found to contain several vulnerabilities whose exploitation could cause memory corruption, address bar spoofing and/or information disclosure. The worst of these issues could allow an attacker to take complete control of a computer if exploited in an Internet Explorer session run by a user with administrator privileges. The Avaya Modular Messaging Messaging Application Server (MAS), S8100, and UCC are affected by these vulnerabilities. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2006-2218, CVE-2006-2382, CVE-2006-2383, CVE-2006-1303, CVE-2005-4089, CVE-2006-2384, CVE-2006-2385, and CVE-2006-1626 to these issues.

MS06-022 Vulnerability in ART Image Rendering Could Allow Remote Code Execution (918439): A vulnerability was found in the way Microsoft Windows renders AOL ART image files. If an attacker can trick a user into opening a specially crafted AOL ART image file, it may be possible to execute arbitrary code with the permissions of the user viewing the file. If the user has administrator privileges, this could allow the attacker to completely control the system in question. Avaya system products do not utilize the AOL ART image format and are therefore not affected by this vulnerability. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2006-2378 to this issue.

MS06-023 Vulnerability in Microsoft JScript Could Allow Remote Code Execution (917344): Due to a memory corruption error in Microsoft JScript, an attacker who has carefully constructed a web page or HTML email containing JScript could gain control of a remote system. The memory corruption could allow arbitrary code execution with the permissions of the user viewing the web page or HTML email containing the malicious JScript. If that user has administrator privileges, the attacker could take control of the system. Avaya system products do not utilize Microsoft JScript and are therefore not affected by this vulnerability. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2006-1313 to this issue.

MS06-024 Vulnerability in Windows Media Player Could Allow Remote Code Execution (917734): Windows Media Player was found to contain a remote code execution vulnerability in the way it processes PNG image file types. If a user loads a carefully constructed PNG image from a web page, email or other source inside of Windows Media Player, it may be possible to execute arbitrary code with the permissions of the user running Windows Media Player. If the user running Windows Media Player has administrator rights, this could possibly allow control of the system to be taken over by the author of the malicious PNG image file. Avaya system products do not utilize Windows Media Player and are therefore not affected by this vulnerability. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2006-0025 to this issue.

MS06-025 Vulnerability in Routing and Remote Access Could Allow Remote Code Execution (911280): The Routing and Remote Access Service in Microsoft Windows was found to contain two vulnerabilities that could allow remote code execution. Due to these issues, a remote attacker could execute arbitrary code on the system. The Avaya Modular Messaging Messaging Application Server (MAS), S8100, and UCC are affected by these vulnerabilities. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2006-2370 and CVE-2006-2371 to these issues.

MS06-026 Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (918547): Due to a flaw found in the Graphics Rendering Engine for WMF image file types, it is possible for a remote attacker to execute arbitrary code on a system. Using a carefully constructed WMF image file, an attacker could possibly execute arbitrary code with the permissions of a user viewing the image file via a web site or email. If the user has administrator rights, this could lead to the attacker gaining control over the system. Avaya system products do not utilize WMF image files and are therefore not affected by this vulnerability. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2006-2376 to this issue.

MS06-027 Vulnerability in Microsoft Word Could Allow Remote Code Execution (917336): Microsoft Word was found to contain an object pointer vulnerability. Using a specially crafted Microsoft Word document, an attacker could execute arbitrary code with the permissions of the user who opens it. If that user has administrator privileges, a remote attacker could gain control of the system. Avaya system products do not utilize Microsoft Word and are therefore not affected by this vulnerability. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2006-2492 to this issue.

MS06-028 Vulnerability in Microsoft PowerPoint Could Allow Remote Code Execution (916768): A vulnerability was found in Microsoft PowerPoint which could lead to the execution of arbitrary code. Using a specially crafted Microsoft PowerPoint presentation file containing a malformed record, a remote attacker could execute arbitrary code with the permissions of the user viewing the presentation. If this user has administrator rights, the attacker could gain control of the system. Avaya system products do not utilize Microsoft PowerPoint and are therefore not affected by this vulnerability. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2006-0022 to this issue.

MS06-029 Vulnerability in Microsoft Exchange Server Running Outlook Web Access Could Allow Script Injection (912442): The Outlook Web Access (OWA) component of Microsoft Exchange was found to contain a script injection flaw. Using a carefully crafted email, an attacker could cause script to run with the security permissions of the OWA user who opens the message. This attack requires user interaction: the victim must open the crafted message in OWA. Avaya system products do not utilize Outlook Web Access and are therefore not affected by this vulnerability. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2006-1193 to this issue.

MS06-030 Vulnerability in Server Message Block Could Allow Elevation of Privilege (914389): The implementation of Server Message Block (SMB) in Microsoft Windows was found to contain two flaws, one leading to privilege escalation and the other to a Denial of Service (DoS) condition. To take advantage of either vulnerability, an attacker would first need valid logon credentials on the target system; these are not exploitable by an unauthenticated remote attacker. The Avaya Modular Messaging Messaging Application Server (MAS), S8100, and UCC are affected by these vulnerabilities. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2006-2373 and CVE-2006-2374 to these issues.

MS06-031 Vulnerability in RPC Mutual Authentication Could Allow Spoofing (917736): The RPC service in Microsoft Windows was found to contain a flaw which would allow a malicious user to spoof a network resource. Due to this issue, a user could be tricked into connecting to what appears to be a trusted network server or resource, when in actuality the attacker is spoofing the server and/or resource. The Avaya Modular Messaging Messaging Application Server (MAS) prior to release 3.0, S8100, and UCC are affected by this vulnerability. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2006-2380 to this issue.

MS06-032 Vulnerability in TCP/IP Could Allow Remote Code Execution (917953): The TCP/IP stack in Microsoft Windows was found to contain a flaw in how IP source routing is handled. If successfully exploited, a remote attacker could execute arbitrary code, possibly gaining control of the system. The Avaya Modular Messaging Messaging Application Server (MAS), S8100, and UCC are affected by this vulnerability. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2006-2379 to this issue.
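Because MS06-032 concerns the handling of source-routed IP packets, a practitioner patching the products above will usually also want to know whether the host still accepts such packets at all. The PowerShell below is an added example, not part of Avaya's advisory or Microsoft's bulletin: it reads the documented Tcpip parameter DisableIPSourceRouting (0 = accept and forward, 1 = accept but do not forward, 2 = drop all incoming source-routed packets) and reports whether the host is in the hardened state. Treating value 2 as the desired posture is my assumption of the defence-in-depth setting to pair with the patch; the advisory itself does not mention it, and the function names are mine.

```powershell
# Added example: report and optionally harden the Windows TCP/IP source-routing
# setting. Not Avaya's or Microsoft's code. The value name and its meanings are
# the documented Tcpip parameter; choosing 2 as the target is an assumption.

$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$ValueName   = 'DisableIPSourceRouting'

function Get-SourceRoutingPosture {
    # Returns the current value, a plain-language meaning, and a Hardened flag.
    # An absent value is reported as such rather than assumed to be 0, because
    # the built-in default differs between Windows releases.
    $raw = (Get-ItemProperty -Path $TcpipParams -Name $ValueName `
                -ErrorAction SilentlyContinue).$ValueName
    $value = if ($null -eq $raw) { $null } else { [int]$raw }
    $meaning = if ($null -eq $value) {
        'Not set; the Windows default for this build applies (weak unless the build drops source-routed packets by default)'
    } else {
        switch ($value) {
            0       { 'Accept and forward source-routed packets (weak)' }
            1       { 'Accept but do not forward source-routed packets' }
            2       { 'Drop all incoming source-routed packets (hardened)' }
            default { "Unrecognised value $value" }
        }
    }
    [pscustomobject]@{
        Value    = $value
        Meaning  = $meaning
        Hardened = ($value -eq 2)
    }
}

function Set-SourceRoutingHardened {
    # Writes DisableIPSourceRouting = 2. Supports -WhatIf so the change can be
    # previewed; the TCP/IP stack reads the new value only after a reboot.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess("$TcpipParams\$ValueName", 'Set DWORD value to 2')) {
        New-ItemProperty -Path $TcpipParams -Name $ValueName -Value 2 `
            -PropertyType DWord -Force | Out-Null
    }
}

# Usage: show the current posture, then preview the hardening change if the
# host is not already dropping source-routed packets.
$posture = Get-SourceRoutingPosture
$posture | Format-List
if (-not $posture.Hardened) {
    Set-SourceRoutingHardened -WhatIf   # remove -WhatIf to apply
}
```

This setting is a layer beneath the patch, not a substitute for it: an unpatched host with source routing disabled is still running vulnerable code, and the registry change only takes effect after a restart. Apply MS06-032 first, then use the check to confirm the stack is no longer honouring source-routed packets.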

Additional information may also be available via the Avaya support website and through your Avaya account representative. Please contact your Avaya product support representative, or dial 1-800-242-2121, with any questions.

6. Disclaimer:

ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION AND IS PROVIDED "AS IS". AVAYA INC., ON BEHALF ITSELF AND ITS SUBSIDIARIES AND AFFILIATES (HEREINAFTER COLLECTIVELY REFERRED TO AS "AVAYA"), DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND FURTHERMORE, AVAYA MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE STEPS RECOMMENDED WILL ELIMINATE SECURITY OR VIRUS THREATS TO CUSTOMERS' SYSTEMS. IN NO EVENT SHALL AVAYA BE LIABLE FOR ANY DAMAGES WHATSOEVER ARISING OUT OF OR IN CONNECTION WITH THE INFORMATION OR RECOMMENDED ACTIONS PROVIDED HEREIN, INCLUDING DIRECT, INDIRECT, CONSEQUENTIAL DAMAGES, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF AVAYA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

THE INFORMATION PROVIDED HERE DOES NOT AFFECT THE SUPPORT AGREEMENTS IN PLACE FOR AVAYA PRODUCTS. SUPPORT FOR AVAYA PRODUCTS CONTINUES TO BE EXECUTED AS PER EXISTING AGREEMENTS WITH AVAYA.

7. Revision History:

V 1.0 - June 13, 2006 - Initial Statement issued.

V 2.0 - June 14, 2006 - Revised risk level based on further evaluation.

Send information regarding any discovered security problems with Avaya products to either the contact noted in the product's documentation or [email protected].

© 2006 Avaya Inc. All Rights Reserved. All trademarks identified by the ® or ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners.