It's Microsoft Patch Tuesday: December 2009

Justin James gathers the information you need to make the right decision on applying Microsoft's December 2009 patches in your organization.

This is the month that I declare Microsoft is "insane."

They have released a number of patches that are clearly security patches as "nonsecurity patches." What galls me about this is that many administrators have various group policies or WSUS systems in place to automatically push out critical security patches; patches that are improperly labeled as "nonsecurity" fall through the cracks, leaving systems vulnerable longer than intended.
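One way to catch such mislabeled patches before they fall through the cracks is to query WSUS for updates filed under non-security classifications whose own description reads like a security fix. The script below is an added example, not part of the original post; it uses the WSUS administration API on the WSUS server itself, and the classification names, keyword pattern and output columns are my assumptions about a typical setup.

```powershell
# Added example (not from the original post): list WSUS updates that are
# classified as plain "Updates"/"Critical Updates"/"Update Rollups" but whose
# title or description mentions a security fix, so a security-only
# auto-approval rule would skip them. Run on the WSUS server (admin console
# installed); read-only, nothing is approved or declined here.
[void][System.Reflection.Assembly]::LoadWithPartialName(
    "Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Classifications a "Security Updates"-scoped auto-approval rule ignores (assumption)
$nonSecurityClasses = @("Updates", "Critical Updates", "Update Rollups")
# Phrases Microsoft commonly uses when a fix is security-relevant (assumption)
$pattern = "security|vulnerab|remote code execution|elevation of privilege|denial of service"

$suspects = $wsus.GetUpdates() | Where-Object {
    ($nonSecurityClasses -contains $_.UpdateClassificationTitle) -and
    (-not $_.IsDeclined) -and
    (($_.Title -match $pattern) -or ($_.Description -match $pattern))
} | Select-Object `
        @{ n = "KB";             e = { $_.KnowledgebaseArticles -join "," } },
        Title,
        @{ n = "Classification"; e = { $_.UpdateClassificationTitle } },
        IsApproved,
        CreationDate

$suspects | Sort-Object CreationDate -Descending | Format-Table -AutoSize

# KBs this month's post calls out as security fixes shipped without a bulletin.
# Flag any of them that is present in WSUS but still unapproved.
$knownMislabeled = @("954157", "976138")
foreach ($kb in $knownMislabeled) {
    $hit = $suspects | Where-Object { $_.KB -match $kb }
    if ($hit -and -not $hit.IsApproved) {
        Write-Warning "KB$kb is in WSUS as '$($hit.Classification)' and is NOT approved"
    }
}
```

Review the listed items by hand and approve the ones that are really security fixes; the keyword match is a prompt for a human decision, not a verdict.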

In addition, it looks like they've unofficially declared the fourth Tuesday of each month to be a secondary Patch Tuesday. They are consistently releasing nonsecurity patches and updates then as well. A few months ago, this made sense, because Windows 7 and Windows Server 2008 R2 had just dropped, and a bunch of minor issues were being found and fixed as quickly as possible. But now there is no excuse for it; things like a Daylight Saving Time patch can and should wait until Patch Tuesday. I tend to stick up for Microsoft, but in this case, there is no excuse and this situation needs to be changed immediately.

Security Patches

  • MS09-069/KB974392 - Important (XP, 2000, 2003): This patch resolves a DoS (Denial of Service) vulnerability in Windows' Local Security Authority Subsystem Service (LSASS). This patch is not super critical, but you should definitely install it on your next patch cycle. 600KB - 1.3MB
  • MS09-070/KB971726 - Important (2003, 2008): There is a hole in ADFS (Active Directory Federation Services) that could allow a remote code execution exploit. Luckily, the attacker already needs to be authenticated to trigger the exploit. Microsoft calls this "important," but I call it "critical". 450KB - 1MB
  • MS09-071/KB974318 - Moderate (XP)/Important (Vista, 2000, 2003)/Critical (2008): Problems with PEAP authentication in Windows can lead to remote code execution vulnerabilities when working with MS-CHAP v2 authentication. You'll want to get this fixed immediately on your servers. 275KB - 1.2MB
  • MS09-072/KB976325 - Moderate to Critical (IE5, IE6, IE7, IE8): This patch resolves five problems in Internet Explorer that can result in remote code execution exploits, some via "specially crafted Web pages" and some through ActiveX. The criticality matrix on this patch is crazy. Let's just call it "critical" for all versions of IE and Windows, install it immediately, and move on. 3MB - 48.7MB
  • MS09-073/KB975539 - Important (2000, XP, 2003, Office XP, Office 2003, Works 8.5, Office Converter Pack): Issues in WordPad and some versions of Office allow an attacker to perform remote code execution exploits with a bad Word 97 file. The attacker would get the same privileges as the user. Microsoft doesn't consider this a top-level issue, but given the prevalence of Office files and user behavior around them, I suggest that you install the patch as soon as you can. 855KB - 2.6MB
  • MS09-074/KB967183 - Important (Project 2002, Project 2003)/Critical (Project 2000): This is another "specially crafted files can lead to remote code execution" patch, this time for Microsoft Project. You will want to install this immediately as well.
  • KB954157 and KB976138: A problem in the Indeo codec in 2000, XP, and 2003 can allow an attacker with a specially crafted media file to perform a remote code execution attack. Somehow, Microsoft has not released a security bulletin for this issue, and they are not labeling it as a security update in the system! It doesn't matter what Microsoft chooses to call this, it is a critical security patch. 689KB - 1.6MB

Other Updates

  • KB970430, KB971737, and KB973917: This trio of patches upgrades the security for authentication in HTTP and IIS on XP, Vista, 2003, and 2008. 530KB - 4.0MB
  • "The Usual Suspects": Updates to the Malicious Software Removal Tool (9.4 - 9.7MB) and Junk Email filters (2.2MB)

Updates since the last Patch Tuesday

We did not have any security patches released out of band since the last Patch Tuesday.

There have been a number of minor items added since the last Patch Tuesday:

Changed, but not significantly:

About

Justin James is the Lead Architect for Conigent.

24 comments
slange

Since installing this series of patches, I'm experiencing 2 to 3 blue screen shut-downs per week. I have no idea why.

polskyman

This patch is crashing IE8 users after around 10 to 20 minutes on coco.fr. I tried to call Microsoft to warn them that this patch is making problems with standard Ajax. If someone has some info on how to avoid the IE8 crash and what causes it in JavaScript, mail me: contact 'at) coco.fr. Thank you, everybody.

Justin James

I just did almost all of my patches, and haven't had a problem. I even installed KB973917, and WSUS still worked. J.Ja

Craig_B

If MS doesn't release patches on time, people get upset, if they release something early, people get upset. In any event, so far my early adopter group has not had any problems. For the non-critical patches such as the Daylight Savings Time patch that MS released a couple of weeks ago, I simply waited and deployed them with yesterday's patches. I typically do not auto approve any patches.

witheyprice-23249170717795989062233419883169

'Preview' on my Mac (10.6.2) stopped showing jpgs after today's security update. They 'open', and I can get a sidebar picture, but the main part of the window is blank. Do you think the two are related, or just a fluke coincidence?

BALTHOR

Even My bit Torrent is gone---

Mark W. Kaelin

Did you have (or are you having) trouble with this month's patch? Are you annoyed by Microsoft's inconsistencies when it comes to categorizing security patches?

Brenton Keegan

I had problems with KB973917. I haven't had an update break any services in a long time.

Brenton Keegan

I am one of those people. It's about schedule, and when M$ releases patches it affects my work schedule. Since I have to reboot servers, I have to do it after hours. Naturally I get upset when security updates requiring reboots are released out of band.

maliu

After updates today on my Lab WSUS server, my WSUS snap-in console stopped responding... I had to uninstall all of today's updates to have the server up.

Ron_007

All the advanced notices said there were 6 patches, no big deal. Boy was I surprised to see 17 updates ready to download. Thanks for listing the mid month patches. I hadn't heard about them.

SMparky

I agree. I like to manually approve security and critical updates on my WSUS server but it really gets annoying having to read through all the things classified as "updates" and "update rollups". So many of them clearly state that they include security fixes yet they don't classify them as security updates. I also wish the WSUS server could combine updates. Doing individual approvals for the same patch for Win 2k, 2k3, 2k8, Vista, 7, and Itanium, x86, x64, and in different languages is annoying. I should be able to approve all of them with one click.

jcbronson

We had to remove KB973917 due to web applications being unavailable after the update. YMMV. Hopefully a viable work-around will show up soon.

Justin James

... was the patch a few months ago that broke Office Communications Server. :( J.Ja

Justin James

Microsoft has a "Patch Tuesday" so that we can plan around it. When they have a "secondary Patch Tuesday" it doubles the work we need to do. For me, doing the patching consumes two nights of my life; one night to patch VMs, one night to patch physical servers. Doubling that isn't cool, especially when I'm on salary and don't get paid extra. :) Another issue is that it is potentially disruptive. Patching always carries a risk of breaking something, having that risk two times a month is not something I'm thrilled about. Look, if they have an out-of-band security patch, I'm OK with it, especially if it is for something where there are exploits in the wild. In those scenarios, I patch the stuff that I know is exposed to the vulnerability, and leave the rest to get the patch during my next cycle. Likewise, I don't care so much about desktop related patches, because I just push it out via WSUS and let nature take its course over the next day or so. But things that involve me burning the midnight oil patching server after server... they really need to minimize that to one release whenever possible. J.Ja

Brenton Keegan

I don't have a C-Level looking over my shoulder making sure I hit 4 9s, and the work environment I work in is pretty void of the nasty office politics I read about. But as a net admin, I like to do the best I can and I like to see the 4 9s; makes me feel good =)

Justin James

... no one measures or cares about downtime, so long as work doesn't get disrupted. But I know that my scenario is increasingly rare and more and more shops are 24 x 7 thanks to globalization, or support online services that must always be up. J.Ja

Justin James

I would love to know why the reboots are so common. Why can't I just restart any services that relied upon the updated components? I have a couple of machines that exhibit some... odd... behavior on bootup, like an ISA server that sometimes "loses" 2 NIC ports (totally unexplainable), so rebooting them is something I need to minimize as much as possible. J.Ja

Brenton Keegan

Downtime is also an issue. Having 2 patch days makes getting 4 9s monthly very hard. I have noticed that the second round of patches rarely has security updates. This past month there was, I believe, one security patch, and it didn't even apply to my environment. Since they are mostly always non-security updates, I just wait to apply them on the next second Tuesday.

wiggledbits

I had hoped beyond hope that by Server 2008 and Windows 7 they would have engineered away from the need to reboot on so many patches and updates. For non-critical PCs it's an annoyance; for servers and critical workstations it is plain stupid. I can't count the number of times I have patched a machine and prayed that it came back up to a working mode.

Justin James

One of the other posters said that this patch broke some IIS stuff. It's to "enhance authentication security in some scenarios"; sounds more like it is *breaking* authentication! J.Ja