Microsoft issued a security bulletin summary for August 2006 which contained twelve security advisories: MS06-040, MS06-041, MS06-042, MS06-043, MS06-044, MS06-045, MS06-046, MS06-047, MS06-048, MS06-049, MS06-050, and MS06-051. The advisories describe vulnerabilities in various Microsoft Windows Operating Systems. A description of the vulnerabilities can be found at:
***UPDATE*** On September 26, Microsoft released a new patch regarding MS06-049.
Certain Avaya products utilize Microsoft Operating Systems and may be affected by these vulnerabilities.
Avaya system products include an Operating System with the product when it is delivered. The system products described below are delivered with a Microsoft Operating System. Actions to be taken with these products are also described below.
| Product: | Affected S/W Version(s): | Recommended Actions: |
|---|---|---|
| Unified Communications Center (UCC) - S3400 | All | Follow Microsoft's recommendation for installing the Operating
System
patches: MS06-040 MS06-041 MS06-042 MS06-044 MS06-045 MS06-046 MS06-049 MS06-051 The Unified Communications Center product is deployed with the Microsoft Windows 2000 Operating System. |
| Modular Messaging - Messaging Application Server (MAS) | All | Follow Microsoft's recommendation for installing the Operating
System
patches: MS06-040 MS06-041 MS06-042 MS06-043(MAS 3.0) MS06-044 MS06-045 MS06-046 MS06-049 MS06-051 The Modular Messaging - Messaging Application Server (MAS) is deployed with the Microsoft Windows 2000 or Microsoft Windows 2003 Operating System. |
| S8100/DefinityOne/IP600 Media Servers | R10 and greater | Follow Microsoft's recommendation for installing the Operating
System
patches: MS06-040 MS06-041 MS06-042 MS06-044 MS06-045 MS06-046 MS06-049 MS06-051 These products are deployed with either the Microsoft Windows 2000 Operating System or the Microsoft Windows NT Operating System. |
Avaya software-only products operate on general-purpose operating systems. Occasionally vulnerabilities may be discovered in the underlying operating system or applications that come with the operating system. These vulnerabilities often do not impact the software-only product directly but may threaten the integrity of the underlying platform.
In the case of this advisory Avaya software-only products are not affected by the vulnerability directly but the underlying Microsoft Windows platform may be. For affected Microsoft Operating Systems, Microsoft recommends installing patches. Detailed instructions for patching the Operating System are given by Microsoft at the following links:
| Product: | Software Version(s): |
|---|---|
| Avaya Agent Access | All Versions |
| Avaya Basic Call Management System Reporting Desktop - server | All Versions |
| Avaya Basic Call Management System Reporting Desktop - client | All Versions |
| Avaya CMS Supervisor | All Versions |
| Avaya Computer Telephony | All Versions |
| Avaya CVLAN Client | All Versions |
| Avaya Enterprise Manager | All Versions |
| Avaya Integrated Management | All Versions |
| Avaya Interaction Center (IC) | All Versions |
| Avaya Interaction Center - Voice Quick Start | All Versions |
| Avaya IP Agent | All Versions |
| Avaya IP Softphone | All Versions |
| Avaya Modular Messaging | All Versions |
| Avaya Network Reporting | All Versions |
| Avaya OctelAccess(r) Server | All Versions |
| Avaya OctelDesignerTM | All Versions |
| Avaya Operational Analyst | All Versions |
| Avaya Outbound Contact Management> | All Versions |
| Avaya Speech Access | All Versions |
| Avaya Unified Communication Center (UCC) | All Versions |
| Avaya Unified Messenger (r) | All Versions |
| Avaya Visual Messenger TM | All Versions |
| Avaya Visual Vector Client | All Versions |
| Avaya VPNmanagerTM Console | All Versions |
| Avaya Web Messenger | All Versions |
Recommended Actions:
Avaya recommends that the Microsoft
patches
and/or workaround solutions are applied. Although certain Avaya
system
products utilize Microsoft Operating Systems and may be affected by
these
vulnerabilities, Avaya recommends that the use of e-mail clients and
Internet
browsers be restricted on Avaya system products (i.e. Outlook Express
and
Internet Explorer). The use of browsers should be restricted to
authorized
users-only as well as limited to the operational-needs of the
product.
Unrestricted access to the Intranet or Internet should be prohibited
beyond
the necessary functions of the product's web administration interface
and to
obtaining patches. This reduces the risk of vulnerabilities in these
applications.
MS06-040 Vulnerability in Server Service Could Allow Remote Code Execution (921883) : Windows was found to have a vulnerability that could allow an attacker to take complete control of a system. The Avaya Modular Messaging Message Application Server, Unified Communication Center (UCC), and S8100 are vulnerable to this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2006-3439 to the issue.
MS06-041 Vulnerability in DNS Resolution Could Allow Remote Code Execution (920683): Two vulnerabilities have been found, the most severe of which could allow an attacker to take complete control of the affected system. The Avaya Modular Messaging Message Application Server, Unified Communication Center (UCC), and S8100 are vulnerable to this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2006-3440, and CVE-2006-3441 to these issues.
MS06-042 Cumulative Security Update for Internet Explorer (918899): A number of vulnerabilities have been discovered in Internet Explorer that could allow an attacker to take control of the system as the user that is logged in. The Avaya Modular Messaging Message Application Server, Unified Communication Center (UCC), and S8100 are vulnerable to this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2006-3280, CVE-2006-3450, CVE-2006-3451, CVE-2006-3637, CVE-2006-3638, CVE-2006-3639, CVE-2006-3640, and CVE-2004-1166 to these issues.
MS06-043 Vulnerability in Microsoft Windows Could Allow Remote Code Execution (920214) : A vulnerability has been discovered in Outlook Express that could allow an attacker to take control of the system as the user that is logged, if they could be tricked into clicking a malicious link. The Avaya Modular Messaging Message Application Server 3.0 is vulnerable to this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2006-2766 to this issue.
MS06-044 Vulnerability in Microsoft Management Console Could Allow Remote Code Execution (917008): A vulnerability has been discovered with the Microsoft Management Console which could allow an attacker to take complete control of an affected system. The Avaya Modular Messaging Message Application Server, Unified Communication Center (UCC), and S8100 are vulnerable to this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2006-3643 to this issue.
MS06-045 Vulnerability in Windows Explorer Could Allow Remote Code Execution (921398): A vulnerability has been discovered in Windows Explorer which an attacker could potentially trick a user to click a malicious link, and could take complete control of an affected system. The Avaya Modular Messaging Message Application Server, Unified Communication Center (UCC), and S8100 are vulnerable to this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2006-3281 to this issue.
MS06-046 Vulnerability in HTML Help Could Allow Remote Code Execution (922616): A vulnerability has been identified in HTML Help ActiveX that could allow remote code execution on the affected system if an attacker could trick a user into visiting a malicious web site. The Avaya Modular Messaging Message Application Server, Unified Communication Center (UCC), and S8100 are vulnerable to this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2006-3357 to this issue.
MS06-047 Vulnerability in Microsoft Visual Basic for Applications Could Allow Remote Code Execution (921645): A vulnerability has been discovered in Microsoft Visual Basic for Applications that could allow remote code execution on the affected system as the user that is logged in. Avaya system products do not utilize Microsoft Visual Basic for Applications, and are therefore not affected by this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2006-3649 to this issue.
MS06-048 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (922968): Two vulnerabilities have been discovered in Microsoft PowerPoint. An attacker who tricked a user into opening a malicious object could execute code as the user that is logged in. Avaya system products do not utilize Microsoft PowerPoint, and are therefore not affected by this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2006-3590 and CVE-2006-3449 to these issues.
MS06-049 Vulnerability in Windows Kernel Could Result in Elevation of Privilege (920958) : ***UPDATE*** On September 26, Microsoft released a new patch for this vulnerability. Avaya recommends installing the updated patch. A privilege escalation vulnerability has been discovered in the Windows 2000 Kernel. The Avaya Modular Messaging Message Application Server R2, Unified Communication Center (UCC), and S8100 are vulnerable to this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2006-3444 to this issue.
MS06-050 Vulnerabilities in Microsoft Windows Hyperlink Object Library Could Allow Remote Code Execution (920670): Two vulnerabilities have been discovered in the Microsoft Windows Hyperlink Object Library. These vulnerabilities could be exploited by an attacker who tricked a user into clicking a malicious hyperlink, allowing the attacker to take control of the system as the user that is logged in. The Avaya Modular Messaging Message Application Server, Unified Communication Center (UCC), and S8100 are vulnerable to this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2006-3086 and CVE-2006-3438 to these issues.
MS06-051 Vulnerability in Windows Kernel Could Result in Remote Code Execution (917422): Two vulnerabilities have been discovered in the Windows Kernel that could allow for privilege escalation for a user that is already logged in, or for a remote user to execute code, respectively. The Avaya Modular Messaging Message Application Server, Unified Communication Center (UCC), and S8100 are vulnerable to this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2006-3443 and CVE-2006-3648 to these issues.
Additional information may also be available via the Avaya support website and through your Avaya account representative. Please contact your Avaya product support representative, or dial 1-800-242-2121, with any questions.
ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION AND IS PROVIDED "AS IS". AVAYA INC., ON BEHALF ITSELF AND ITS SUBSIDIARIES AND AFFILIATES (HEREINAFTER COLLECTIVELY REFERRED TO AS "AVAYA"), DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND FURTHERMORE, AVAYA MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE STEPS RECOMMENDED WILL ELIMINATE SECURITY OR VIRUS THREATS TO CUSTOMERS' SYSTEMS. IN NO EVENT SHALL AVAYA BE LIABLE FOR ANY DAMAGES WHATSOEVER ARISING OUT OF OR IN CONNECTION WITH THE INFORMATION OR RECOMMENDED ACTIONS PROVIDED HEREIN, INCLUDING DIRECT, INDIRECT, CONSEQUENTIAL DAMAGES, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF AVAYA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
THE INFORMATION PROVIDED HERE DOES NOT AFFECT THE SUPPORT AGREEMENTS IN PLACE FOR AVAYA PRODUCTS. SUPPORT FOR AVAYA PRODUCTS CONTINUES TO BE EXECUTED AS PER EXISTING AGREEMENTS WITH AVAYA.
V 1.0 - August 8, 2006 - Initial Statement issued.
V 2.0 - October 4, 2006 - Updated information for MS06-049
V 3.0 - November 22, 2006 - Updated MS06-043 description to say that
only
Avaya Modular Messaging Message Application Server 3.0 is affected
and
updated MS06-044 description to say that all Avaya System Products
are
affected.
Send information regarding any discovered security problems with Avaya products to either the contact noted in the product's documentation or securityalerts@avaya.com.
© 2006 Avaya Inc. All Rights Reserved. All trademarks identified by the ® or ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners.