Information regarding MS06-015

Hi everyone, Mike Reavey here.  I wanted to quickly let you know about some things related to MS06-015 that we’ve gotten some customer questions on.  First, we’re currently tracking an issue involving the interaction of the security update with some components related to some Hewlett Packard devices that so far appear to be consumer level. The scope is limited at the moment but the impact might be that an application could hang when conducting certain operations, like opening a file from the “File-open” dialog in an application.  While we’re working on determining all the affected possibilities, you can do the following if you’ve been affected:

– (If you have multiple user accounts set up) Log onto the computer using an account with Administrator privileges

– Click the Start button, then click Run and type “regedit” at the prompt, without the quotes; this will start Registry Editor

– Locate the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached key in Registry Editor

– Right click on the key and select New / DWORD Value

– Rename the resulting value “{A4DF5659-0801-4A60-9607-1C48695EFDA9} {000214E6-0000-0000-C000-000000000046} 0x401”, without the quotes

– Right click the value, select Modify, and type “1” into the Value Data field

– Close Registry Editor
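
The same registry change in scripted form, with an elevation check and a read-back of the value. This is an added example, not part of the original post or of Microsoft's guidance; the function name is hypothetical, and it assumes a PowerShell session running on the affected machine.

```powershell
# Added example: scripted form of the manual Registry Editor steps above.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached'
# Value name exactly as given in the post (three parts separated by single spaces).
$name = '{A4DF5659-0801-4A60-9607-1C48695EFDA9} {000214E6-0000-0000-C000-000000000046} 0x401'

function Set-CachedShellExtensionValue {
    # Hypothetical helper name, introduced for this example only.
    param([string]$KeyPath = $key, [string]$ValueName = $name)

    # Writing under HKEY_LOCAL_MACHINE requires Administrator privileges.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Not elevated: run this from an account with Administrator privileges.'
    }

    # The post says to locate the key, not to create it, so stop if it is absent.
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        throw "Registry key not found: $KeyPath"
    }

    # Report any data already stored under this name before overwriting it.
    $existing = (Get-Item -LiteralPath $KeyPath).GetValue($ValueName)
    if ($null -ne $existing) { Write-Output "Existing data: $existing" }

    # Create the DWORD value and set its data to 1.
    New-ItemProperty -LiteralPath $KeyPath -Name $ValueName `
        -PropertyType DWord -Value 1 -Force | Out-Null

    # Read the value back and confirm both its data and its type.
    $item = Get-Item -LiteralPath $KeyPath
    $data = $item.GetValue($ValueName)
    $kind = $item.GetValueKind($ValueName)
    if ($data -ne 1 -or $kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        throw "Verification failed: data=$data kind=$kind"
    }
    Write-Output "Set '$ValueName' = 1 (DWORD) under $KeyPath"
}

Set-CachedShellExtensionValue
```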

We’re working on a KB article on this and adding it to the bulletin caveats. Again, our information at this time leads us to believe that this is having little to no impact on corporate networks. The MSRC along with the Windows team and PSS will be investigating this through the weekend.  If you believe you are having this issue, I certainly urge you to contact 1-866-PCSafety in Canada and the US for no-charge support.  International customers can receive the same support by contacting their local Microsoft subsidiary.

Another question I’ve gotten is around the defense in depth change documented in MS06-015.  There’s been some confusion around that, I think, but as is our normal practice for security bulletins, we document the existence of any additional defense in depth product behavioral changes, as well as the area of functionality where the change occurred, so that customers can assess the impact to their environments.  However, providing more detail on internal product changes could serve to aid attackers. Suffice to say the change is *not* related to a software vulnerability, merely a product behavior change to make the product more resilient to attack. There’s been some feedback that we can make that clearer, so we will work to do so in the future. On the whole, customers have been clear that we need to strike a balance between providing information to assess risk and aiding attackers.  But as our constant readers know, the information in our security bulletins has become more and more detailed over time, so we certainly will be listening to your feedback about the information we provide to make the bulletins better.


-Mike Reavey


*This posting is provided “AS IS” with no warranties, and confers no rights.*