
It's Microsoft Patch Tuesday: August 2009

Justin James presents a rundown on the August 2009 batch of Microsoft patches. He wades through the available resources and brings you the information you need to make the right decision on applying them in your organization.

This month has been absolutely brutal in terms of critical security patches. Many of these are related to the ActiveX problems that were patched out of band for IE and Visual Studio in July, but some of them are not. Brew up a fresh pot of coffee, because this is going to be a long night for making critical patches.

We are continuing to use our new rating system, where one flag means "patch only if applicable," two flags means "patch during your next regularly scheduled patch cycle," and three flags indicates "patch immediately." There are far too many three-flag items this month for my taste.

Previous Patch Tuesday analysis is also available.

Security patches

MS09-036/KB970957 - Important (Vista, 2008): There is a vulnerability in the way .NET 2.0 and 3.X handle incoming HTTP requests within IIS 7. When the hole is exploited, the Web server (not the entire server) can be locked up until the application pool is restarted. Publicly exposed Web servers should get the update during your next patch cycle.

MS09-037/KB973354/KB973507/KB973540/KB973815/KB973869 - Critical (2000, XP, Vista, 2003, 2008): This is a continuation of the Active Template Library vulnerability. This patch closes the holes that exist around ActiveX in a huge swath of Windows subcomponents like Windows Media Player and Outlook Express. You should install this patch as soon as possible.

MS09-038/KB971557 - Critical (2000, XP, Vista, 2003, 2008): Attackers with carefully crafted AVI files can perform a remote code execution attack against Windows Media Player. If the user who opened the AVI file is a local administrator, the attacker can take over the PC completely. Install this patch as soon as possible.

MS09-039/KB969883 - Critical (2000, 2003): This patch corrects a problem with the WINS server in Windows 2000 and 2003 that can allow a malformed packet to perform a remote code execution attack. If you run a WINS server on either of these two platforms, install this patch now.

MS09-040/KB971032 - Important (2000, XP, Vista): MSMQ has a flaw that allows escalation of privilege attacks. You need to install this patch only if you turned on MSMQ, which is off by default.

MS09-041/KB971657 - Important (XP, Vista, 2002, 2008): An attacker with valid credentials to a PC can send a malformed RPC packet to escalate their privileges. This is a less serious vulnerability because the attacker needs to have logon credentials to begin with, and RPC is not publicly available.

MS09-042/KB960859 - Important (2000, XP, Vista, 2003, 2008): The Telnet service in Windows has a vulnerability that allows attackers to obtain credentials; this patch closes the hole. This is not a major priority, since Telnet is disabled by default and certainly should not be publicly exposed.

MS09-043/KB957638 - Critical (Office 2000, Office XP, Office 2003, Office 2007, ISA 2004, ISA 2006, BizTalk 2002, Visual Studio 2003, Small Business Accounting 2006): There are vulnerabilities in the Office Web Components, separate from the other ActiveX issues this month, that could allow remote code execution attacks. You should install this patch immediately to protect your systems and users.

MS09-044/KB970927 - Critical (2000, XP, Vista, 2003, 2008, Remote Desktop Connection for Mac 2.0): If a user is tricked into connecting to a malicious Terminal Server or PC running Remote Desktop, an attacker can perform remote code execution attacks against the client machine. You will want to patch this during your next patch cycle if you do not allow RDP/TS outside the firewall, or patch it immediately if you do allow those connections outside the firewall.
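The following script is an added example, not part of the original article: it audits a Windows host for the security bulletins listed above by checking installed hotfix IDs with the built-in Get-HotFix cmdlet (PowerShell 2.0 or later is assumed). The KB numbers are the ones from this month's list; the out-of-band IE fix MS09-034 is included because it is referenced further down.

```powershell
# Added example (not the article author's code): map each August 2009 bulletin
# to the KB article(s) the article lists, then compare against what Get-HotFix
# reports on this host.
$august2009 = @{
    'MS09-034' = @('KB972260')   # out-of-band IE ActiveX fix from July
    'MS09-036' = @('KB970957')
    'MS09-037' = @('KB973354','KB973507','KB973540','KB973815','KB973869')
    'MS09-038' = @('KB971557')
    'MS09-039' = @('KB969883')
    'MS09-040' = @('KB971032')
    'MS09-041' = @('KB971657')
    'MS09-042' = @('KB960859')
    'MS09-043' = @('KB957638')
    'MS09-044' = @('KB970927')
}

# Get-HotFix reads Win32_QuickFixEngineering, which only records OS-level
# updates. Office, ISA and BizTalk packages (e.g. MS09-043) do not show up here
# and need a separate check through their own installers.
$installed = Get-HotFix | ForEach-Object { $_.HotFixID }

foreach ($bulletin in ($august2009.Keys | Sort-Object)) {
    $kbs = $august2009[$bulletin]
    # MS09-037 ships one KB per affected component, so a host normally has only
    # the package that applies to it; any listed KB present counts as patched.
    $present = $kbs | Where-Object { $installed -contains $_ }
    if ($present) {
        "{0}: installed ({1})" -f $bulletin, ($present -join ', ')
    } else {
        # "Missing" can also mean "not applicable": MS09-039 only matters on a
        # WINS server, MS09-040 only if MSMQ is enabled, and so on.
        "{0}: MISSING - expected one of {1}" -f $bulletin, ($kbs -join ', ')
    }
}
```

Treat a MISSING line as a prompt to check applicability before raising an alarm, since several of these bulletins only apply to optional components.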

Other updates

KB968389: This patch makes the authentication in Windows a bit stronger; further details were not available at the time of writing.

"The Usual Suspects": Updates to the Malicious Software Removal Tool and Junk Email filters.

Changed, but not significantly: MS09-029/KB961371 (patch for OpenType font engine), KB925876 (Remote Desktop Connection 6.0).

Updates since the last Patch Tuesday

We saw two major security patches release out of band since the last Patch Tuesday:

Internet Explorer ActiveX Vulnerabilities (MS09-034/KB972260) - Critical (IE 5, IE 6, IE 7, IE 8): The patch closes a major hole in Internet Explorer that allows remote code execution exploits via ActiveX controls. You need to apply this patch immediately.

Visual Studio Active Template Library (MS09-035/KB969706) - Important (Visual Studio 2003, Visual Studio 2005, Visual Studio 2008): ActiveX components compiled in Visual Studio without this patch may be vulnerable to remote code execution exploits. If you use Visual Studio to write ActiveX components, install this patch, rebuild your components, and redistribute them immediately.

There have been a number of minor items added since the last Patch Tuesday:

Updates to the IE 8 Compatibility View List

Windows Installer (KB 973825): Problems where digital signatures could not be verified on large packages are now fixed.

Internet Explorer 8 Language Packs

Changed, but not significantly:


About

Justin James is the Lead Architect for Conigent.

25 comments
johndecoville

Thanks Justin James for this article. My Server Folks are on top of this. This is an unusually succinct summary. I have a question for you! Will Win7 further reduce the "Attack Surface" as Vista was intended? Thanks! -John

Poggle

Thanks Justin / Techrepublic - I really appreciate this monthly blog

pierre.cossette

Where should I look for info on the problems encountered (if any) when these patches are implemented by clients somewhere in the world ?

oz_ollie

Is there any way you can include the actual file sizes for each patch released? It is something my clients are constantly asking. In Australia one of the major ISPs (Telstra Bigpond) has always had very low data limits and counts uploads and downloads. I try as hard as I can to get them onto realistic plans with other ISPs but it is very hard because it abuses its monopolistic position, particularly with older people.

nobodyveryspecial

I've found that one of the updates, regarding WGA I guess, strengthens the search for hacked/cracked Vista (Ultimate?) (x64?) versions. Or the ones that use illegal keys. I haven't figured out which one it is though. Anyone have the same problem?

Ipsenol

Well done. Great TechRepublic service.

Mark W. Kaelin

Did you have (or are you having) trouble with this month's patch?

Justin James

John - While I am sure that Microsoft has worked hard to make W7 more secure, from what I have seen, the "attack surface" hasn't been reduced like it was in Vista. Vista had a huge amount of under-the-hood changes (which is why so much software had problems with it) and I think that Microsoft viewed W7 as a "fine tuning" of Vista on that front. I know that UAC is a little less harsh, for example. But, I also have not heard much about W7 and security at all, either. That may be a result of there not being many changes, or it could just be an ignored story in light of all of the other changes it brings to the table. People haven't been howling about compatibility like they did with Vista, so I suspect the changes were minor. One thing I will say, I've been writing this article monthly for TechRepublic for about a year now... and Vista (and 2008) has noticeably fewer vulnerabilities than XP, 2000, or 2003. Whatever they did in Vista (and I know some of it is IE7) has done a good job at reducing vulnerabilities. J.Ja

emilyjonesCB

Hello, ChangeBASE produce a Patch Tuesday report each month using our automated appcompat testing software AOK, which will help provide the info you need. We test the updates against a database of over a thousand packages. For example, this month AOK flagged a potential issue with MS11-060: "Given the scope of this month's update, the ChangeBASE team expects to find a small number of issues raised by the AOK Automated Patch Impact Assessment. In particular, Microsoft Security Update M11-060 will require careful testing prior to deployment due to the core operating system DLLs contained within this update. Due to the nature of the changes and updates included in each of these patches, most systems will require a reboot to successfully implement any and all of the patches and updates released in this August Patch Tuesday release cycle. Sample Results 1: MS11-060 Vulnerability in VISIO Could Allow Remote Code Execution" To read the full report each month, please visit AOKpulse: http://aokpulse.blogspot.com/ Hope this is useful! Best, Emily ChangeBASE.com

Justin James

The KBs are actually a good place to start, since they list known issues. I try to mention if there are known issues when I put this article together, too. J.Ja

Justin James

That's a good suggestion. I'll start that next month, thanks! J.Ja

TuesdayNews

Yes, this is a great time & frustration saver. Wish I'd known sooner. Thank you, thank you.

lynchd

Did certainly have problems with the patch above. Yesterday it constantly installed, returned the update history as update successful, only to repeat the process again and again. WAU's tirelessly warning me about critical update required plus ESET entering warning mode as all critical updates had not been applied. So far today this has settled, fingers crossed.

Wayne in the sticks

Both my XP desktop and my Dad's hung during the auto-reboot and had to be crashed but they both rebooted OK. If you're supporting users of XP you know what to do...

mikemaggio01

My Vista machine is hung at the update splash screen. Message is: "3 out of 3 patches 33% complete. Do Not turn Off the Computer" and it just hangs there. I have turned off the computer and restarted but it just starts again and hangs at the same place.

bulldurn

I am using WSUS 2.0 in a LAN environment. I am not having issues with the patches but with the computers automatically restarting after the updates. Many users are losing their work (some just never learn to save, save, save...). Any ideas?

lynchd

ESET has again just picked up on the missing critical update so I guess it is still not working properly.

thc007

My Windows Vista Home Basic machine was hung for 8 hours on Message 3 of 3, but with 0% complete. It finally updated itself after turning the machine off and back on. I only have 1 GB of RAM and am using a Compaq Presario PC.

roger

Although my first, simple ideas almost never work.

Justin James

If you don't want that to happen, you need to do one of a few things:

* Tell your users "tough noogies, that will teach you a lesson". Which is perfectly acceptable in this case.

* Use Group Policy to set the computers to notify, but not automatically install updates. This is a REALLY bad idea. Do you think that the users who ignore the shield icon ("New updates are available...") at home will install them at work? No way.

* Turn off any auto-approvals in WSUS, and only approve patches once a month, to minimize the damage.

What we've done is set aside (with Group Policy) a number of "Power Users" who I can trust to install updates within 24 hours (the development team, my on-site "hands on" desktop support person). Those people (as well as our VMs for testing) are exempt from forced updates, and are set to "Download & notify". Everyone else is on forced updates, no excuses, and it is the default for new machines. I have WSUS set to auto approve any critical or security items, and definition updates (Windows Defender, Exchange spam lists, etc.). Then, once a month, I manually approve the "important", "recommended" (etc.) stuff, and patch the servers by hand, and let everyone else get patched that night. After a few weeks of this, my users learned to never leave their systems with work unsaved. Given the number of power outages we have at that office, it's a good habit for them to be in anyways. Now, to get them to start storing more work on the network and less on local drives... J.Ja
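As an added illustration of the two client configurations described in the comment above ("Download & notify" for trusted users versus forced installs for everyone else), the script below is not the commenter's or the article's code. It reads the Automatic Updates policy values that Group Policy writes to the registry on a WSUS client and reports what the machine will do, including whether a scheduled install is allowed to reboot while someone is logged on, which is the setting behind the lost-work complaint. It assumes the policy key exists (it is absent when no Windows Update policy applies) and read access to HKLM\SOFTWARE\Policies.

```powershell
# Added example (not from the article or the comment): read-only audit of the
# Automatic Updates policy on a WSUS client.
$auPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$wuPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Documented meanings of the AUOptions policy value.
$auOptionsText = @{
    2 = 'Notify before download'
    3 = 'Auto download and notify for install (the "Download & notify" setting)'
    4 = 'Auto download and schedule the install (forced updates)'
    5 = 'Allow local admin to choose setting'
}

if (-not (Test-Path $auPath)) {
    Write-Output 'No Automatic Updates policy is applied to this machine.'
    return
}

$au = Get-ItemProperty -Path $auPath
$wu = Get-ItemProperty -Path $wuPath -ErrorAction SilentlyContinue

if ($au.NoAutoUpdate -eq 1) {
    Write-Output 'Automatic Updates are disabled by policy.'
} elseif ($auOptionsText.ContainsKey([int]$au.AUOptions)) {
    Write-Output ("AUOptions = {0}: {1}" -f $au.AUOptions, $auOptionsText[[int]$au.AUOptions])
} else {
    Write-Output ("AUOptions = {0}: not set or unrecognised" -f $au.AUOptions)
}

# UseWUServer (under AU) plus WUServer (one level up) point the client at WSUS
# rather than Microsoft Update.
if ($au.UseWUServer -eq 1 -and $wu.WUServer) {
    Write-Output ("Updates come from WSUS server {0}" -f $wu.WUServer)
}

# This value decides whether a scheduled install (AUOptions = 4) reboots while a
# user is logged on; when it is unset, unsaved work on that session is lost.
if ($au.NoAutoRebootWithLoggedOnUsers -eq 1) {
    Write-Output 'Scheduled installs will NOT reboot while a user is logged on.'
} else {
    Write-Output 'Scheduled installs WILL reboot automatically, even with users logged on.'
}
```

Running this on one of the "Power Users" machines should report AUOptions = 3, and on a forced-update machine AUOptions = 4; the last line tells you which of those machines will reboot out from under a logged-on user.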

Justin James

Out of the zillion servers I patched tonight, only one had this problem. But all the same, I'm getting it too! J.Ja

poppe58

Also have this message "Update 3 of 3, 0% complete". Reboots now and then but returns to the same screen. Safe mode gives a restart back to the 3 of 3 screen. Restore point, it hangs. What to do???

lynchd

I too have had repeated problems with this patch. Windows Update returns a successful update screen after installing, then a few minutes later I am receiving the Update shield in my system tray or my AV flags up an update required. Very annoying.
