BULLETIN ID: 2006007061, Rev 1

PUBLISHED: 2006-06-18
STATUS: Retired
REGION: All
PRIORITY: Critical
TYPE: Bulletin
Background:
Before taking any action please ensure that you are viewing the latest official version of this security advisory by
referencing http://www.nortel.com/securityadvisories
===========
== Source ==
===========
On - Microsoft issued Security Bulletin MS06-023 addressing "Vulnerability in Microsoft JScript Could Allow Remote Code
Execution (917344)". Some Nortel products are potentially affected by this issue.
=============
== Overview ==
=============
Microsoft Bulletin MS06-023 is available at: http://www.microsoft.com/technet/security/Bulletin/MS06-023.mspx
Impact of Vulnerability: Remote Code Execution.
Description: There is a remote code execution vulnerability in JScript. An attacker could exploit the vulnerability by
constructing specially crafted JScript that could potentially allow remote code execution if a user visited a Web site or
viewed a specially crafted e-mail message. An attacker who successfully exploited this vulnerability could take complete
control of an affected system.
Security Update Replacement: This bulletin replaces a prior security update. Please refer to the Microsoft link above for
additional information.
Analysis:
===============================
== Affected Products and Releases ==
===============================
The following Nortel Generally Available products are potentially vulnerable to the security issue outlined in Microsoft
Security Bulletin MS06-023. Please follow Microsoft's recommendation and instruction for installing the Security Update:
.
>TECHNICAL SUPPORT
. SECURITY ADVISORY BULLETIN
.
.
Nortel Response to Microsoft Security Bulletin MS06-023
CallPilot - 1002rp, 200i, 201i, 702t, 703t
. CallPilot releases 1.07, 2.x, 3 and 4 are affected. Testing is in progress. See revised bulletin
P-2006-0011-Global-Rev5_CallPilot Server Security Update for instructions.
CICM
. This potential vulnerability affects both the CICM and CICM-EM. Please refer to the CICM product specific bulletin for
further information.
Contact Center - Multimedia
. Apply hotfix.
Contact Center - Symposium Agent
. Apply hotfix (product had been Manufacturing Discontinued).
The following Nortel Generally Available products are potentially vulnerable to the security issue outlined in Microsoft
Security Bulletin MS06-023 in that, while there is no direct dependency with the Nortel product, the affected component is
a base component of Windows/OS. Please follow Microsoft's recommendation and instruction for installing the Security
Update:
Contact Center - CCMS
Enterprise NMS
IP Softphone 2050
MCS5100, MCS5200
Self-Service - CCXML, Media Processing Svr 100, Media Processing Svr 500, Media Processing Svr 1000, Peri
Application, Speech Servce, VoiceXML, WVADS
TM-CS1000
. Optivity Telephony Manager Version 2.20.78 with Service Update 4 installed (TM).
The following Nortel Generally Available products are not vulnerable to the security issue outlined in the Microsoft
Security Bulletin MS06-023:
Contact Center - CCMA, CCMS, Contact Center - Express, NCC
. No dependency. IE should not be run on CCMS server.
Contact Center CCT, CallPilot 1001rp
. No dependency. IE should not be run on CCT server.
Contact Center - TAPI Server
. No dependency. IE should not be run on TAPI SP server (product had been Manufacturing Discontinued).
Enterprise Policy Manager
. Not EPM application specific.
IP Address Manager
. The component mentioned in the Microsoft Security Bulletin is not used or incorporated in the Nortel product.
Meridian - CS 2100-Compact, CS 2100
. The Communication Server 2100 Compact and Communication Server 2100 are Linux based solutions therefore not
vulnerable to Microsoft based vulnerabilities.
Meridian SL100
NORTEL RESPONSE TO MICROSOFT SECURITY BULLETIN MS06-023 2006007061, REV 1
Page: 2 of 5
. The Meridian SL-100 platform is not vulnerable to Microsoft specific vulnerabilities . It does not contain any
components of Microsoft operating systems nor can any Microsoft software be installed on this platform.
Sun Platform-MCS5100
. Software has been disabled or ports have been masked.
VPN Client
The following Nortel Generally Available products have not yet completed investigation to determine Vulnerability Status
relative to the security issues outlined in Microsoft Security Bulletin MS06-023 It is not recommended to apply security
update until investigation is complete, and vulnerability known. Upon completion of investigation, an up-issue of
Technical Bulletin / Security Advisory will be released:
MDM
W-NMS-CNM, W-NMS-UMTS
Recommendations:
Prevention and mitigation recommendations may differ depending on the Nortel product. Please see the Analysis section
for a detailed overview and breakdown per product.
Required Actions:
Resolution is provided in the Microsoft Security Update, please see the Analysis section for a product breakdown to
determine if any action is required.
Attachments:
There are no attachments for this bulletin
Footer Information:
Retirement Reason:
This multi-product consolidated response bulletin has exceeded it's planned active period and is no longer needed.
For Additional Information:
For more information please contact your next level of support or visit http://www.nortel.com/contact for support numbers
within your region.
Nortel security advisories: http://nortel.com/securityadvisories
Nortel Partner Information Center (PIC) website: http://www.nortelnetworks.com/pic
Products and Releases:
The information in this bulletin is intended to be used with the following products and associated releases:
PRODUCT RELEASE
CDMA-Network Management-W-NMS-CNM
CICM-CICM-CICM
CallPilot-CallPilot-CallPilot 1001rp
CallPilot-CallPilot-CallPilot 1002rp
CallPilot-CallPilot-CallPilot 200i
CallPilot-CallPilot-CallPilot 201i
CallPilot-CallPilot-CallPilot 702t
NORTEL RESPONSE TO MICROSOFT SECURITY BULLETIN MS06-023 2006007061, REV 1
Page: 3 of 5
CallPilot-CallPilot-CallPilot 703t
Contact Center-Administration-CCMA
Contact Center-Manager-CCMS
Contact Center-CTI-CCT
Contact Center-Manager-Contact Center - Express
Contact Center-Multimedia-Contact Center - Multimedia
Contact Center-Manager-NCC
Contact Center-CTI-Symposium Agent
Contact Center-CTI-TAPI Server
ENSM-NMS-Enterprise NMS
ENSM-Policy Services-Enterprise Policy Manager
ENSM-IP Address Manager-IP Address Manager
Enterprise VoIP-Applications-TM-CS1000
Meridian-SL100-CS 2100
Meridian-SL100-CS 2100-Compact
Meridian-SL100-SL100
Multimedia Comm.-MCS5100-MCS5100
Multimedia Comm.-MCS5200-MCS5200
Multimedia Comm.-OEM-Sun Platform-MCS5100
Multiservice Switch-Network Management-MDM
Phones & Accessories-IP-IP Softphone 2050
Self-Service-Web Centric Self-Svc-CCXML
Self-Service-Media Processing Svr-Media Processing Svr 100
Self-Service-Media Processing Svr-Media Processing Svr 1000
Self-Service-Media Processing Svr-Media Processing Svr 500
Self-Service-Self-Service-Peri Application
Self-Service-Self-Service-Speech Server
Self-Service-Web Centric Self-Svc-VoiceXML
Self-Service-Web Centric Self-Svc-WVADS
UMTS-Network Management-W-NMS-UMTS
VPN Router-Client-VPN Client
To view the most recent version of this bulletin, access technical documentation, search
our knowledge base, or to contact a Technical Support Representative, please visit
Nortel Technical Support on the web at: http://support.nortel.com/. You may also sign
up to receive automatic email alerts when new bulletins are published.
REFERENCE: MS06-023
PRE-REQUIRED PATCH:
PATCH ID:
Copyright 2007 Nortel Networks. All rights reserved. Information in this document is subject to change without notice. Nortel assumes no responsibility
for any errors that may appear in this document. The information in this document is proprietary to Nortel Networks.
Nortel recommends any maintenance activities, such as those outlined in this bulletin, be completed during a local maintenance window.
NORTEL RESPONSE TO MICROSOFT SECURITY BULLETIN MS06-023 2006007061, REV 1
Page: 4 of 5
Nortel, the Nortel logo, and the Globemark design are trademarks of Nortel Networks. All other trademarks are the property of their respective owners.
NORTEL RESPONSE TO MICROSOFT SECURITY BULLETIN MS06-023 2006007061, REV 1
Page: 5 of 5