Security

It's Microsoft Patch Tuesday: July 2009

Justin James presents a rundown on the July 2009 batch of Microsoft patches. He wades through the available resources and brings you the information you need to make the right decision on applying them in your organization.

For this month's Microsoft Patch Tuesday, we are trying out a new idea, based on reader feedback. In addition to the usual analysis of the patches, we are adding a simple rating system to let you know "at a glance" if you should install a patch or not. For now, we will be using a simple three-flag rating system:

1 flag: apply this patch only if your environment meets special conditions, such as having an uncommon software package installed or a server directly connected to the Internet.

2 flags: apply this patch during your normal patch cycle. It is an important item, but not important enough to justify immediate action.

3 flags: apply this patch as quickly as possible. In all likelihood, there will be a "zero-day exploit" for the problem (if it is a security-related patch), and it is something that can severely compromise your network if left unpatched.

It should be very rare to see a nonsecurity patch listed at three flags, unless the problem is a newly discovered bug that can shut down your systems (say, an inability for the system clock to handle the year 2010, and the patch is being released on December 30, 2009).

Security patches

MS09-028/KB971633 - Critical (2000, XP, 2003): This patch closes a hole in which a malformed QuickTime file can be used to perform a remote code execution attack. The issue is in the underlying DirectShow component of Windows, but only in older versions, which is why more recent editions of Windows are not affected. You will want to patch this as soon as you can.

MS09-029/KB961371 - Critical (2000, XP, Vista, 2003, 2008): A problem with font handling allows an attacker to take control of systems. Because so many different things can embed fonts (especially Word documents), it is critical to get this patched immediately. Windows 2008 Server Core is not affected.

MS09-030/KB969516 - Important (Office 2007 SP1): There is a security hole in Microsoft Publisher that allows remote code execution attacks. The attacks have a lower damage potential when a standard user opens the malformed file. This problem exists only in Publisher 2007 and only in Office SP1. Either apply the patch or upgrade to SP2.

MS09-031/KB970953 - Important (ISA Server 2006): An ISA Server configured to use RADIUS One Time Passwords and Kerberos authentication is open to an escalation of privileges attack, but the attacker needs to impersonate an ISA administrator. This is a serious problem, but not one you need to worry about unless your environment uses RADIUS and Kerberos.

MS09-033/KB969856 - Important (Virtual PC 2004, Virtual PC 2007, Virtual Server 2005): This patch resolves an issue with Virtual PC 2004 and 2007 and Virtual Server 2005 that allowed attackers to take control of the guest VMs. There are some known issues with this update; you will want to check the KB article for full details. For the few people still using either one of those products in a production environment, you will want to install this patch during your next patch cycle.
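A quick way to check a host against this month's list is to compare the KB numbers above with what Windows reports as installed. The following PowerShell snippet is an added example, not part of the original article; it assumes PowerShell 2.0 or later (for Get-HotFix) and uses only the KB numbers listed above. Note that Get-HotFix reads Win32_QuickFixEngineering, which covers operating-system updates only, so the Office, ISA Server and Virtual PC/Virtual Server items will not show up there even when installed; treat a MISSING result for those as "verify separately" (WSUS, MBSA or the product's own update history).

```powershell
# Added example (not from the original article): report which of the July 2009
# security updates named above are present on this host.
# Assumes PowerShell 2.0+ for Get-HotFix. Descriptions are taken from the article.
$july2009 = @{
    'KB971633' = 'MS09-028 - DirectShow / QuickTime file handling (Critical, OS update)'
    'KB961371' = 'MS09-029 - font handling (Critical, OS update)'
    'KB969516' = 'MS09-030 - Publisher 2007 (Important, Office update: not in Get-HotFix)'
    'KB970953' = 'MS09-031 - ISA Server 2006 (Important, application update: not in Get-HotFix)'
    'KB969856' = 'MS09-033 - Virtual PC / Virtual Server (Important, application update: not in Get-HotFix)'
}

# HotFixID values look like "KB971633"; collect them once.
$installed = Get-HotFix | ForEach-Object { $_.HotFixID }

foreach ($kb in ($july2009.Keys | Sort-Object)) {
    $status = if ($installed -contains $kb) { 'installed' } else { 'MISSING' }
    '{0,-9} {1,-9} {2}' -f $kb, $status, $july2009[$kb]
}

# Only the OS-level items (MS09-028, MS09-029) are conclusive here; a MISSING
# result for the Office/ISA/Virtual PC entries means "check another way",
# not "unpatched". Per-package KB numbers can also differ from the bulletin
# KB number on some platforms, so confirm any MISSING OS item against WSUS.
```

Run it on a 2000/XP/2003 host to confirm MS09-028 and MS09-029 landed; on Vista/2008 only MS09-029 applies, as the affected-platform lists above indicate.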

Other updates

KB970408: This patch for Vista SP2 resolves intermittent connectivity problems when a Bluetooth adapter is plugged in to a PC via USB.

"The Usual Suspects": Updates to the Malicious Software Removal Tool, ActiveX Killbits, and Junk E-mail filters.

Changed, but not significantly: IE8 for XP 64 SP1 (no longer offered), KB950050 (Hyper-V update for Windows 2008), Windows 2008/Vista x64 Service Pack 2.

Updates since the last Patch Tuesday

There have been a number of minor items added since the last Patch Tuesday:

Windows 2008/Vista Service Pack 2 has been released to WSUS and put into the automatic updates bin.

Updates to the IE 8 Compatibility View List.

.NET Assistant for Firefox (KB963707) - Enables the "Click Once" technology to work in the Firefox browser.

Changed, but not significantly:


About

Justin James is the Lead Architect for Conigent.

18 comments
michaels.perry

The bit about .NET Assistant for Firefox (KB963707) worries me. Originally, MS installed this automatically without seeking permission from the user. As it changed the behaviour of a non-MS application they should, in law, have sought prior consent to make this change - but didn't. So many people have found out how to remove this unwanted piece of malware from MS. Now, are you suggesting they have found a way to prevent us removing this? If so that is unlawful in ALL European countries where our laws are different from those pertaining in the USA.

Justin James

I just finished patching all of my VMs (I'll do my physical servers tomorrow or Friday), and it went very smoothly. Best of all, most of them did not need to be rebooted, which was a welcome change of pace! And the patches were very quick to install, as well. J.Ja

JCitizen

in Vista Home x64 Internet Explorer 8!! And Oh! Thanks Justin! Very informative! These articles give me great insight into what is going on, since Redmond continues to issue murky reports.

Derek Schauland

The flag rating system is great. A quick way to know if the patch should be installed immediately or if it can wait. It's amazing that Microsoft didn't come up with a tool that could be so useful. I am glad someone had this idea.

alanbond

If only everything in life could be addressed as simply...

Mark W. Kaelin

Did you have (or are you having) trouble with this month's patch? Did the new rating system help you determine whether to install certain patches or not?

mattohare

As far as that goes, it's not like the UK is that keen to obey the laws anyway. You still go for a pint, not a litre or half litre, right?

Justin James

It looks like the uninstaller for that update wasn't working right, this patch fixes the uninstaller problem. I think the original patch was a "Important" or "Recommended" patch, which means that they would have asked permission to install it, provided that you did not have your system set to install important/recommended items without asking. J.Ja

mattohare

Both did need a restart though.

jck

my bad...lol thought MS put ratings in ... oops the flags thing is a nice touch :)

Shellbot

I like the rating system ye guys did.. Saves me the hassle of checking into the updates!

Justin James

But they only use those terms for security items, and sometimes those ratings aren't too helpful. For example, some stuff will be called "critical" when it really can wait; other stuff will be "important" but it really shouldn't wait (do you really want to count on limited access user accounts to "contain the damage" and only have "minor messes" to deal with?). I've always put my analysis in ("You can wait to install this patch...") but we added the flags to make it abundantly clear what our analysis of the patch's priority is. Glad you like it! J.Ja

jck

Yeah, the flag thing is neat. Visual cues are always a good thing for novice and pro alike. Good job to you guys. Plus, I don't trust MS's ratings. Plus, I have found patches and stuff often add certain "undocumented features and add-ons" that they don't fully disclose. When I apply MS stuff, I check with the IT guys in support and networking here at work. They have WSUS here and test stuff. That way, I know what I should and should not. As for home, I patched everything they have put out that was "Critical", "Important" or "Recommended" for Vista and have regretted it. It has slowed load and boot times on the Dell laptop. And, I don't think I've added any new apps to it in almost a year. I realize Microsoft has a lot of cross-compliancy and testing and QA to do. I kinda feel bad for them dealing with the behemoth that is Windows. I am hoping 7 is an improvement. Otherwise, I really will start to move away from Windows and just use XP 64 until they refuse to update it to use their latest tech. Linux has ways of playing Windows games, so I will just work on playing them in Kubuntu or openSUSE or Mepis.

Justin James

Well, I use WSUS to handle my updates, but I approved them as well. However, I forgot to add my PC to the list of "excluded from forced updates" PCs on the Group Policy I put in place a while back, and on top of that, my PC was set to install everything, including recommended items. Perfect storm to get language packs. Ugh. :) J.Ja

mattohare

This is the second time I've heard you have issues with language packs. I didn't think things were that multi-cultural in your area.

Justin James

... my system took it upon itself to install 37 language packs. I didn't find this out, until I issued a reboot to find out what was wrong with my network connectivity (probably caused by the ongoing language pack installations). Now, I get to sit there and watch as it is half shut down, totally useless, installing language packs which seem to take half a day. I guess I am going to get a lot read in "Essential LINQ" today! J.Ja

mattohare

It was about six hours ago. They all did seem to go painlessly. The first one (on vista) does have a bit of screen flicker. I didn't see which one that is.
