
Microsoft Security Bulletin Update

April 2006

Medical Automation Systems reviews all Microsoft security patches when they are released.  MAS has evaluated and completed reviews for the security patches listed below for April 2006.  Microsoft rates some of these as 'critical' but the vulnerabilities may in fact pose no risk to the RALS system if customers adhere to the intended use of RALS.

The potential impact to RALS customers is color coded as follows:

  • Red (immediate threat/urgent action needed)

  • Green (routine process or no action needed)

  • Black (action needed/recommended)

MS06-013 - Critical

Cumulative Security Update for Internet Explorer (912812)

  • This update addresses ten newly discovered, public and private, vulnerabilities in Internet Explorer.

  • This affects Windows 2000 systems running IE 6 [and other Windows operating systems].

  • As a cumulative update to IE, this update replaces the previous IE cumulative updates MS05-054 and MS06-004 on Windows 2000 systems.

  • An attacker could exploit the vulnerabilities by hosting a malicious web page and enticing the user to visit this site or delivering the malicious HTML content by other means such as email. These issues can NOT be exploited without user interaction. The impact of successful exploit could be remote code execution. If the logged in user had administrative rights, the code execution could take complete control over the system.

  • Typical RALS systems do have IE installed and require its use for the web based system components of RALS. This vulnerability cannot be exploited without user interaction. The user cannot be forced to visit the malicious web page and the intended use for the RALS systems does not support users using the RALS systems for non-RALS related "web-surfing" activities.

NOTE: Since Microsoft has ended support for Windows NT based systems, the potential for this vulnerability to affect Windows NT based systems was not addressed, nor was any patch provided by Microsoft for NT systems.

Recommend this update be included with the next regular RALS product test and release cycle. The update appears to change 12 files on Windows 2000 systems.  The expected risk for adverse effects on RALS operations from this update is low.

MS06-014 - Critical

Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution (911562)

  • This update resolves a newly discovered, privately reported vulnerability that exists in the ActiveX Data Objects (ADO) distributed in various versions of MDAC (Microsoft Data Access Components).

  • This affects Windows 2000 systems with MDAC 2.5 SP3, MDAC 2.7 SP1, MDAC 2.8 SP1 and Windows XP systems with MDAC 2.8.

  • An attacker could exploit this vulnerability by hosting a malicious web page and enticing the user to visit this site or delivering the malicious content by other means such as email.  This issue can NOT be exploited without user interaction.  The impact of successful exploit could be remote code execution.  If the logged in user had administrative rights, the code execution could take complete control over the system.  The user cannot be forced to visit the malicious web page and the intended use for the RALS systems does not support users using the RALS systems for non-RALS related "web-surfing" activities.

NOTE:  Since Microsoft has ended support for Windows NT based systems, the potential for this vulnerability to affect Windows NT based systems was not addressed, nor was any patch provided by Microsoft for NT systems.

NOTE:  Normally this type of update would be recommended for routine inclusion in the next test cycle (green color code), since user actions inconsistent with the RALS product intended use are required to exploit the vulnerability.  However, since this update replaces MULTIPLE files which are used in RALS operations as part of the MDAC package, it is recommended that this update be tested against supported versions of RALS products (especially the web products RALS-Web & RALS-eQuiz) and, if successful, be approved as a RALS security update.  The expected risk for adverse effects on RALS operations should be low.

MS06-015 - Critical

Vulnerability in Windows Explorer Could Allow Remote Code Execution (908531)

  • This update resolves a newly discovered, privately reported vulnerability that exists in Windows Explorer because of the way that it handles COM objects.

  • This affects Windows 2000, Windows XP, [and other Windows operating systems].  This update replaces MS05-008 for Windows 2000 and MS05-016 for Windows XP.

  • An attacker could exploit this vulnerability by hosting a malicious web page and enticing the user to visit this site or delivering the malicious content by other means such as email.  This issue can NOT be exploited without user interaction.  The impact of successful exploit could be remote code execution.  If the logged in user had administrative rights, the code execution could take complete control over the system.

  • This vulnerability cannot be exploited without user interaction.  The user cannot be forced to visit a malicious web page and the intended use for the RALS systems does not support users using the RALS systems for non-RALS related "web-surfing" activities nor provide for receiving emails with potentially malicious content or attachments.

  • NOTE:  Since Microsoft has ended support for Windows NT based systems, the potential for this vulnerability to affect Windows NT based systems was not addressed, nor was any patch provided by Microsoft for NT systems.

  • Recommend this update be included with the next regular RALS product test and release cycle.  The expected risk for adverse effects on RALS operations from this update is low. The update appears to change two files on Windows 2000 systems.

MS06-016 - Important

Cumulative Security Update for Outlook Express (911567)

  • This update addresses a newly discovered, privately reported vulnerability in Outlook Express when using a Windows Address Book.

  • This affects Windows 2000, Windows XP [and other Windows operating systems].

  • This update replaces previous patches MS04-018 and MS05-030.

  • An attacker could exploit this vulnerability by sending a specially-crafted .wab file to the user and by persuading the user to open the file.  While Outlook Express may be installed on RALS IMS systems for the purpose of emailing reports, it is not configured to receive email.  This vulnerability cannot be exploited without user interaction.

  • NOTE:  Since Microsoft has ended support for Windows NT based systems, the potential for this vulnerability to affect Windows NT based systems was not addressed, nor was any patch provided by Microsoft for NT systems.

  • Recommend this update be included with the next regular RALS product test and release cycle.  The expected risk for adverse effects on RALS operations from this update is low.

MS06-017 - Moderate

Vulnerability in Microsoft FrontPage Server Extensions Could Allow Cross-Site Scripting (917627)

  • This affects only Microsoft FrontPage Server Extensions 2002.  This product is not provided with any RALS product configuration.

  • Recommendation is no action needed for this update since the affected software is not provided with any RALS installations.



MS Patches NOT Critical to RALS Functionality

If MAS determines that the vulnerability as described in a Microsoft bulletin should not adversely affect the RALS functionality when the system is used as intended, the security patch will be tested and included in the next routine product version release.  Should the user apply the patches, MAS cannot guarantee or warrant its operation or impact on the RALS system.  In this situation there will be no routine customer notification.

MS Patches Critical to RALS Functionality

If it is determined that the security vulnerability as described in a Microsoft bulletin is critical to the RALS functionality, MAS will notify customers via a broadcast email from SecurityUpdates@rals.com and by notice on the MAS website http://www.rals.com.


© 2006 Medical Automation Systems, Inc., Charlottesville, VA USA. All rights reserved.