This month has been absolutely brutal in terms of critical security patches. Many of these are related to the ActiveX problems that were patched out of band for IE and Visual Studio in July, but some of them are not. Brew up a fresh pot of coffee, because this is going to be a long night for making critical patches.
We are continuing to use our new rating system, where one flag means "patch only if applicable," two flags means "patch during your next regularly scheduled patch cycle," and three flags indicates "patch immediately." There are far too many three-flag items this month for my taste.
Previous Patch Tuesday analysis is also available.
Security patchesMS09-036/KB970957 - Important (Vista, 2008): There is a vulnerability in the way .NET 2.0 and 3.X handle incoming HTTP requests within IIS 7. When the hole is exploited, the Web server (not the entire server) can be locked up until the application pool is restarted. Publicly exposed Web servers should get the update during your next patch cycle. MS09-037/KB973354/KB973507/KB973540/KB973815/KB973869 - Critical (2000, XP, Vista, 2003, 2008): This is a continuation of the Active Template Library vulnerability. This patch closes the holes that exist around ActiveX in a huge swath of Windows subcomponents like Windows Media Player and Outlook Express. You should install this patch as soon as possible. MS09-038/KB971557 - Critical (2000, XP, Vista, 2003, 2008): Attackers with carefully crafted AVI files can perform a remote code execution attack against Windows Media Player. If the user who opened the AVI file is a local administrator, the attacker can take over the PC completely. Install this patch as soon as possible. MS09-039/KB969883 - Critical (2000, 2003): This patch corrects a problem with the WINS server in Windows 2000 and 2003 that can allow a malformed packet to perform a remote code execution attack. If you run a WINS server on either of these two platforms, install this patch now. MS09-040/KB971032 - Important (2000, XP, Vista): MSMQ has a flaw that allows escalation of privilege attacks. You need to install this patch only if you turned on MSMQ, which is off by default. MS09-041/KB971657 - Important (XP, Vista, 2002, 2008): An attacker with valid credentials to a PC can send a malformed RPC packet to escalate their privileges. This is a less serious vulnerability because the attacker needs to have logon credentials to begin with, and RPC is not publicly available. MS09-042/KB960859 - Important (2000, XP, Vista, 2003, 2008): The Telnet service in Windows has a vulnerability that allows attackers to obtain credentials; this patch closes the hole. This is not a major priority, since Telnet is disabled by default and certainly should not be publicly exposed. MS09-043/KB957638 - Critical (Office 2000, Office XP, Office 2003, Office 2007, ISA 2004, ISA 2006, BizTalk 2002, Visual Studio 2003, Small Business Accounting 2006): There are vulnerabilities in the Office Web Components, separate from the other ActiveX issues this month, that could allow remote code execution attacks. You should install this patch immediately to protect your systems and users. MS09-044/KB970927 - Critical (2000, XP, Vista, 2003, 2008, Remote Desktop Connection for Mac 2.0): If a user is tricked into connecting to a malicious Terminal Server or PC running Remote Desktop, an attacker can perform remote code execution attacks against the client machine. You will want to patch this during your next patch cycle if you do not allow RDP/TS outside the firewall, or patch it immediately if you do allow those connections outside the firewall.
Other updatesKB968389: This patch makes the authentication in Windows a bit stronger; further details were not available at the time of writing. "The Usual Suspects": Updates to the Malicious Software Removal Tool and Junk Email filters. Changed, but not significantly: MS09-029/KB961371 (patch for OpenType font engine), KB925876 (Remote Desktop Connection 6.0).
Updates since the last Patch Tuesday
We saw two major security patches release out of band since the last Patch Tuesday:Internet Explorer ActiveX Vulnerabilities (MS09-034/KB972260) - Critical (IE 5, IE 6, IE 7, IE 8): The patch closes a major hole in Internet Explorer that allows remote code execution exploits via ActiveX controls. You need to apply this patch immediately. Visual Studio Active Template Library (MS09-035/KB969706) - Important (Visual Studio 2003, Visual Studio 2005, Visual Studio 2008): ActiveX components compiled in Visual Studio without this patch may be vulnerable to remote code execution exploits. If you use Visual Studio to write ActiveX components, install this patch, rebuild your components, and redistribute them immediately.
There have been a number of minor items added since the last Patch Tuesday:Updates to the IE 8 Compatibility View List Windows Installer (KB 973825): Problems where digital signatures could not be verified on large packages are now fixed. Internet Explorer 8 Language Packs
Changed, but not significantly:
TechRepublic's Windows Vista and Windows 7 Report newsletter, delivered every Friday, offers tips, news, and scuttlebutt on Vista and Windows 7, including a look at new features in the latest version of the Windows OS. Automatically sign up today!
Justin James is the Lead Architect for Conigent.