Microsoft issued a security bulletin summary for October 2006 which contained ten security advisories: MS06-056, MS06-057, MS06-058, MS06-059, MS06-060, MS06-061, MS06-062, MS06-063, MS06-064, and MS06-065. The advisories describe vulnerabilities in various Microsoft Windows Operating Systems and Applications. A description of the vulnerabilities can be found at:
Certain Avaya products utilize Microsoft Operating Systems and Applications and may be affected by these vulnerabilities.
Avaya system products include an Operating System with the product when it is delivered. The system products described below are delivered with a Microsoft Operating System. Actions to be taken with these products are also described below.
| Product: | Affected S/W Version(s): | Recommended Actions: |
|---|---|---|
| Unified Communications Center (UCC) - S3400 | All | Follow Microsoft's recommendation for installing the Operating
System patches: MS06-057 MS06-063 The Unified Communications Center product is deployed with the Microsoft Windows 2000 Operating System. |
| Modular Messaging - Messaging Application Server (MAS) | 2.0 | Follow Microsoft's recommendation for installing the Operating
System patch: MS06-057 MS06-063 The Modular Messaging - Messaging Application Server (MAS) version 2.0 is deployed with the Microsoft Windows 2000. |
| Modular Messaging - Messaging Application Server (MAS) | 3.0 | Follow Microsoft's recommendation for installing the Operating System
patches:
MS06-057 MS06-061 MS06-063 MS06-064 MS06-065 The Modular Messaging - Messaging Application Server (MAS) version 3.0 is deployed with the Microsoft Windows 2003 Server Operating System. |
| S8100/DefinityOne/IP600 Media Servers | R10 and greater | Follow Microsoft's recommendation for installing the Operating
System patches: MS06-057 MS06-063 These products are deployed with either the Microsoft Windows 2000 Operating System or the Microsoft Windows NT Operating System. |
Avaya software-only products operate on general-purpose operating systems. Occasionally vulnerabilities may be discovered in the underlying operating system or applications that come with the operating system. These vulnerabilities often do not impact the software-only product directly but may threaten the integrity of the underlying platform.
In the case of this advisory Avaya software-only products are not affected by the vulnerability directly but the underlying Microsoft Windows platform may be. For affected Microsoft Operating Systems and Applications, Microsoft recommends installing patches. Detailed instructions for patching the Operating System and affected Applications are given by Microsoft at the following links:
| Product: | Software Version(s): |
|---|---|
| Avaya Agent Access | All Versions |
| Avaya Basic Call Management System Reporting Desktop - server | All Versions |
| Avaya Basic Call Management System Reporting Desktop - client | All Versions |
| Avaya CMS Supervisor | All Versions |
| Avaya Computer Telephony | All Versions |
| Avaya Contact Center Express (ACCE) | All Versions |
| Avaya CVLAN Client | All Versions |
| Avaya Enterprise Manager | All Versions |
| Avaya Integrated Management | All Versions |
| Avaya Interaction Center (IC) | All Versions |
| Avaya Interaction Center - Voice Quick Start | All Versions |
| Avaya IP Agent | All Versions |
| Avaya IP Softphone | All Versions |
| Avaya Modular Messaging | All Versions |
| Avaya Network Reporting | All Versions |
| Avaya OctelAccess(r) Server | All Versions |
| Avaya OctelDesigner TM | All Versions |
| Avaya Operational Analyst | All Versions |
| Avaya Outbound Contact Management | All Versions |
| Avaya Speech Access | All Versions |
| Avaya Unified Communication Center (UCC) | All Versions |
| Avaya Unified Messenger (r) | All Versions |
| Avaya Visual Messenger TM | All Versions |
| Avaya Visual Vector Client | All Versions |
| Avaya VPNmanager TM Console | All Versions |
| Avaya Web Messenger | All Versions |
Recommended Actions:
Avaya recommends that the Microsoft patches
and/or workaround solutions are applied. Although certain Avaya system products
utilize Microsoft Operating Systems and Applications and may be affected by these
vulnerabilities, Avaya recommends that the use of e-mail clients and Internet
browsers be restricted on Avaya system products (i.e. Outlook Express and
Internet Explorer). The use of browsers should be restricted to authorized
users only as well as limited to the operational needs of the product.
Unrestricted access to the Intranet or Internet should be prohibited beyond the
necessary functions of the product's web administration interface and the
ability to obtain patches.
MS06-056 Vulnerability in ASP.NET Could Allow Information Disclosure (922770): A cross-site scripting (XSS) vulnerability has been discovered in ASP.NET which could allow for the disclosure of unintended information. The Modular Messaging Message Application Server is affected by this vulnerability. Avaya Engineers are still working to determine the appropriate course of action to remediate this issue. Avaya recommends that customers DO NOT install the patch at this time. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2006-3436 to the issue.
MS06-057 Vulnerability in Windows Shell Could Allow Remote Code Execution (923191): A vulnerability in the Windows Shell could allow a Remote attacker to execute arbitrary code as the user that is logged in. The Avaya Modular Messaging - Messaging Application Server, Avaya S8100, and Avaya Unified Communications Center (UCC) are affected by this vulnerability. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2006-3730 to this issue.
MS06-058 Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (924163): Several vulnerabilities in Microsoft PowerPoint have been reported, the most severe of which could allow a remote attacker to execute arbitrary code as the user that is logged in. No Avaya System products have PowerPoint installed, and are therefore not vulnerable. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2006-3435, CVE-2006-3876, CVE-2006-3877, and CVE-2006-4694 to these issues.
MS06-059 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (924164): Several vulnerabilities in Microsoft Excel have been reported, the most severe of which could allow a remote attacker to execute arbitrary code as the user that is logged in. No Avaya System products have Excel installed, and are therefore not vulnerable. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2006-2387, CVE-2006-3431, CVE-2006-3867, and CVE-2006-3875 to these issues.
MS06-060 Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (924554) : Several vulnerabilities in Microsoft Word have been reported, the most severe of which could allow a remote attacker to execute arbitrary code as the user that is logged in. No Avaya System products have Word installed, and are therefore not vulnerable. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2006-3647, CVE-2006-3651, CVE-2006-4534, and CVE-2006-4693 to these issues.
MS06-061 Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (924191): Two vulnerabilities have been reported in Microsoft XML Core Services which could allow a remote attacker to execute arbitrary code as the user that is logged in. The Avaya Modular Messaging - Messaging Application Server (MAS) version 3.0 is affected by this vulnerability. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2006-4685 and CVE-2006-4686 to these issues.
MS06-062 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (922581) : Several vulnerabilities in Microsoft Office have been reported, the most severe of which could allow a remote attacker to execute arbitrary code as the user that is logged in. No Avaya System products have Office installed, and are therefore not vulnerable. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2006-3434, CVE-2006-3650, CVE-2006-3864, and CVE-2006-3868 to these issues.
MS06-063 Vulnerability in Server Service Could Allow Denial of Service (923414) : Two vulnerabilities have been reported in the Server Service which could allow a remote attacker to cause the affected system to stop responding. The Avaya Modular Messaging - Messaging Application Server (MAS), Unified Communication Manager (UCC), and the Avaya S8100 are affected by this vulnerability. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2006-3942 and CVE-2006-4696 to these issues.
MS06-064 Vulnerabilities in TCP/IP Could Allow Denial of Service (922819): Several vulnerabilities have been reported in Microsoft TCP/IP Services which could allow a remote attacker to cause the affected system to stop responding, or reboot. The Avaya Modular Messaging - Messaging Application Server (MAS) version 3.0 is affected by this vulnerability. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0790, CVE-2004-0230, and CVE-2005-0688 to these issues.
MS06-065 Vulnerability In Windows Object Packager Could Allow Remote Code Execution (924496): A vulnerability has been discovered in the Windows Object Packager which could allow a remote attacker to take complete control of the affected system. This attack takes a considerable amount of user interaction to exploit. The Avaya Modular Messaging - Messaging Application Server (MAS) version 3.0 is affected by this vulnerability. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2006-4692 to this issue.
Additional information may also be available via the Avaya support website and through your Avaya account representative. Please contact your Avaya product support representative, or dial 1-800-242-2121, with any questions.
ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION AND IS PROVIDED "AS IS". AVAYA INC., ON BEHALF ITSELF AND ITS SUBSIDIARIES AND AFFILIATES (HEREINAFTER COLLECTIVELY REFERRED TO AS "AVAYA"), DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND FURTHERMORE, AVAYA MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE STEPS RECOMMENDED WILL ELIMINATE SECURITY OR VIRUS THREATS TO CUSTOMERS' SYSTEMS. IN NO EVENT SHALL AVAYA BE LIABLE FOR ANY DAMAGES WHATSOEVER ARISING OUT OF OR IN CONNECTION WITH THE INFORMATION OR RECOMMENDED ACTIONS PROVIDED HEREIN, INCLUDING DIRECT, INDIRECT, CONSEQUENTIAL DAMAGES, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF AVAYA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
THE INFORMATION PROVIDED HERE DOES NOT AFFECT THE SUPPORT AGREEMENTS IN PLACE FOR AVAYA PRODUCTS. SUPPORT FOR AVAYA PRODUCTS CONTINUES TO BE EXECUTED AS PER EXISTING AGREEMENTS WITH AVAYA.
V 1.0 - October 11, 2006 - Initial Statement issued.
V 2.0 - October 9, 2007 - Changed advisory status to final.
Send information regarding any discovered security problems with Avaya products to either the contact noted in the product's documentation or [email protected].
© 2007 Avaya Inc. All Rights Reserved. All trademarks identified by the ® or ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners.