
It's Microsoft Patch Tuesday: June 2009

Justin James presents a rundown on the June 2009 batch of Microsoft patches. He wades through the available resources and brings you the information you need to make the right decision on applying them in your organization.

One of the bigger items in this month's Microsoft patch batch is that Vista / 2008 SP2 has been put into the Automatic Updates bin. There is a ton of other coverage out there for it, but you should be aware that it is now loose. One of the consistent themes this month is vulnerabilities that are "critical" in the 2000 version of a product but are ranked much lower for more recent versions. In addition, there is an unusual number of escalation of privilege attacks; I'm used to these being mostly remote code execution items!

Security patches

  • MS09-018 / KB971055 - Critical (2000 Server) / Important (XP Professional, 2003): This patch covers two vulnerabilities in Active Directory (KB969805) and Active Directory Application Mode, aka ADAM (KB970437). On Windows 2000 Server, the first vulnerability can result in a remote code execution exploit, allowing an attacker to take over the system (thus, the "critical" rating); on 2003, it is "merely" a denial of service (DoS) attack. On Windows 2003 and XP Professional (with ADAM installed), the exploit also allows DoS attacks. Since your Active Directory should not be exposed to the outside world (especially not on XP), this is not a "must-have" patch yet, except for Windows 2000 Server installations.
  • MS09-019 / KB969897 - Critical (XP, Vista, IE 5 on 2000) / Important (IE 6 on 2000) / Moderate (2003, 2008): This is a monster-sized cumulative update for Internet Explorer (including IE 7 and 8). It covers a whopping seven privately disclosed vulnerabilities and one publicly disclosed vulnerability in Internet Explorer, all of which can result in remote code execution attacks. The 2003 and 2008 machines have a lower rating on this issue, probably due to their stricter execution environments for IE. This patch should be installed immediately.
  • MS09-020 / KB970483 - Important (XP, 2000, 2003 with IIS 5 and 6): There is a minor bug in IIS 5 and IIS 6 that allows an attacker to bypass the allowed authentication methods in the IIS configuration. Because the ACL permissions will still apply, this is a fairly low-impact item. In addition, the exploit grants the attacker the permissions of only an anonymous IIS user. This bug is an issue, but do not drop everything to install the patch.
  • MS09-021 / KB969462 - Critical (Excel 2000) / Important (Excel XP, Excel 2003, Excel 2007, Excel 2004 for Mac, Excel 2008 for Mac, Open XML File Format Converter for Mac, Excel Viewer [all versions], Office Compatibility Pack 2007, Office SharePoint Server): Attackers with a malformed Excel file can execute a remote code execution attack on Excel, for every version (and other applications that handle Excel files) from 2000 on up, including Macintosh versions. The vulnerability is considered only "critical" in Excel 2000. Given the prevalence of Excel documents, I'd recommend that you patch this one quickly.
  • MS09-022 / KB961501 - Critical (2000) / Important (Vista, 2008) / Moderate (XP, 2003): There are three privately disclosed vulnerabilities in the Windows print spooler that can allow an escalation of privileges attack on Vista, XP, 2003, and 2008, and remote code execution attacks on 2000. Of course, your print spooler should never be open to the outside world, but this is still a troubling issue.
  • MS09-023 / KB963093 - Moderate (XP, 2003): Under certain circumstances, Windows Search 4 may expose personal data. However, for this to happen the specially crafted file needs to be the first result for a search query, which makes this a fairly rare event; in addition, the search functionality is not installed by default. You will want to include this patch in your next scheduled maintenance.
  • MS09-024 / KB957632 - Critical (Office 2000) / Important (Office XP, Office 2003, Office 2007, Works 8.5, Works 9): A problem with the Microsoft Works converter allows attackers with a specially crafted file to gain the same privileges as the current user to execute code. This isn't the worst bug in the world, but at the same time, you should patch it at your earliest convenience.
  • MS09-025 / KB968537 - Important (XP, Vista, 2000, 2003, 2008): There are four separate holes in Windows addressed by this item, all of which allow an escalation of privilege attack to be executed. However, the attacker needs valid logon credentials to begin with and must be logged on locally, which is why it is rated as less important. All the same, I suggest that you patch this immediately.
  • MS09-026 / KB970238 - Important (XP, Vista, 2000, 2003, 2008): An issue with the RPC Marshalling Engine allows attackers to perform escalation of privilege attacks. The rating on this item is low for a few reasons: first, your RPC ports should be closed to the outside world, and second, none of the installed Windows items use this subsystem. Nonetheless, some third-party software may use it. You should install this patch on your next regular patch day.
  • MS09-027 / KB969514 - Critical (Office 2000) / Important (Office XP, Office 2003, Office 2007, Office 2004 for Mac, Office 2008 for Mac, Open XML File Format Converter for Mac, Word Viewer, Word Viewer 2003, Office Compatibility Pack 2007): Attackers with specially crafted Word files can execute a remote code execution exploit. It is "critical" on Word 2000 and "important" for all others. I suggest you install it as soon as possible, given the prevalence of Word files.
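As an added example (not part of the article or of any Microsoft tool), the following PowerShell reports which of the ten security bulletins above are missing from a host, using only the KB numbers listed on this page and ordering the report by each bulletin's highest rating. It assumes PowerShell 2.0 or later (Get-HotFix wraps Win32_QuickFixEngineering); the $June2009Bulletins table and Get-MissingBulletins function are the example's own names.

```powershell
# Added example, not from the article: which June 2009 security bulletins are absent?
# Caveat: Win32_QuickFixEngineering only records Windows updates, so the Office, Works
# and Viewer bulletins (MS09-021, MS09-024, MS09-027) may show as "missing" on a host
# that patched them through Office Update; verify those separately.
$June2009Bulletins = @(
    @{ Bulletin = 'MS09-018'; KB = 'KB971055'; Severity = 'Critical';  Product = 'Active Directory / ADAM' },
    @{ Bulletin = 'MS09-019'; KB = 'KB969897'; Severity = 'Critical';  Product = 'Internet Explorer (cumulative)' },
    @{ Bulletin = 'MS09-020'; KB = 'KB970483'; Severity = 'Important'; Product = 'IIS 5 / 6 authentication' },
    @{ Bulletin = 'MS09-021'; KB = 'KB969462'; Severity = 'Critical';  Product = 'Excel' },
    @{ Bulletin = 'MS09-022'; KB = 'KB961501'; Severity = 'Critical';  Product = 'Print spooler' },
    @{ Bulletin = 'MS09-023'; KB = 'KB963093'; Severity = 'Moderate';  Product = 'Windows Search 4' },
    @{ Bulletin = 'MS09-024'; KB = 'KB957632'; Severity = 'Critical';  Product = 'Works converter' },
    @{ Bulletin = 'MS09-025'; KB = 'KB968537'; Severity = 'Important'; Product = 'Windows (four local EoP holes)' },
    @{ Bulletin = 'MS09-026'; KB = 'KB970238'; Severity = 'Important'; Product = 'RPC Marshalling Engine' },
    @{ Bulletin = 'MS09-027'; KB = 'KB969514'; Severity = 'Critical';  Product = 'Word' }
)
# Severity here is the highest rating the bulletin carries across products, used for sorting.
$SeverityRank = @{ 'Critical' = 0; 'Important' = 1; 'Moderate' = 2 }

function Get-MissingBulletins {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        # Pass a KB list explicitly (e.g. from an exported inventory) to evaluate offline;
        # when omitted, the host is queried live through Get-HotFix.
        [string[]]$InstalledKBs
    )
    if (-not $InstalledKBs) {
        $InstalledKBs = Get-HotFix -ComputerName $ComputerName |
            Select-Object -ExpandProperty HotFixID
    }
    $missing = foreach ($b in $June2009Bulletins) {
        if ($InstalledKBs -notcontains $b.KB) {
            New-Object PSObject -Property @{
                Bulletin = $b.Bulletin; KB = $b.KB
                Severity = $b.Severity; Product = $b.Product
            }
        }
    }
    # Critical first, then Important, then Moderate; stable by bulletin number within a tier.
    $missing | Sort-Object { $SeverityRank[$_.Severity] }, Bulletin
}

# Live run against the local host; an empty table means all ten KBs are recorded as installed.
Get-MissingBulletins | Format-Table Bulletin, KB, Severity, Product -AutoSize
```

Run it with -InstalledKBs (Get-HotFix -ComputerName server01).HotFixID across several servers from a WSUS-managed list to build a quick gap report before approving the batch.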

Other updates

  • KB966315: Cumulative update for the Media Center TV Pack for Windows Vista. This patch resolves a number of minor and moderate bugs.
  • KB967632: Cumulative Update for Media Center on Windows Vista: This patch addresses the same set of minor and moderate issues as KB966315 does, but in the Media Center component of Vista.
  • "The Usual Suspects": Updates to the Malicious Software Removal Tool, ActiveX Killbits, and Junk E-mail filters.
  • Changed, but not significantly: IE 8 and Media Center TV Pack now include this month's cumulative updates.

Updates since the last Patch Tuesday

There have been a number of minor items since the last Patch Tuesday:

  • Root certificate updates
  • KB948465: Vista / 2008 SP2 released to updating systems
  • KB963032: Corrects an issue when viewing the Windows Home Server console on resolutions lower than 1024 x 768
  • KB971180: Updates to the IE8 "Compatibility View" list
  • Changed, but not significantly:


About

Justin James is the Lead Architect for Conigent.

35 comments
JCitizen

The latest XP IE 8 patches have thrown Comodo Defense+ in the trash bin for my clients. Must be some powerful security in that browser now, as this is the case. Once the patches were applied the client's computer went into a boot loop until Comodo was reinstalled without Defense+.

Shoobe

My Vista Windows Update quit working - does anyone know how to get the updates and download them? Vista insists on using the broken Windows Update. I've spent some time working with MS to fix it but to no avail. If anybody has had the same issue I'd like to hear about it. Regards.

dave.cresswell

No patches then for Office 2007 SP2 to fix the Publisher problem of being unable to open Publisher files after SP2 is applied. Had to remove SP2 and can't proceed to allow the update until MS resolves the issue, as there are too many documents to re-create.

dpeters

An excellent post. This should be a monthly downloadable PDF.

greg_bubba

It wasn't painless for my Vista 64-bit machine. It will no longer boot after the patches. Not only will it not boot, it will not recover, nor will it let me load up the factory defaults disks.

bpsull

Wasn't the patch to fix (some of) the problems caused by the .NET framework v3.5 supposed to be included this month?

The 'G-Man.'

But would it be possible to quantify your rating on how important it is to install? For example, you say "patch this one quickly", "patch in your next scheduled maintenance", "patch it at your earliest convenience", "patch this immediately", "patch on your next regular patch day", "but do not drop everything to install the patch". These all mean different things - could we perhaps have an install scale, say 1-5, or some other method? Just an idea?

Mark W. Kaelin

Did you have (or are you having) trouble with this month's patch?

JCitizen

When they try that with me I force an escalation to the next level of support. They are obligated to keep updates going on WGA-approved installations, unless you have some program/anti-malware utility that is fudging up the process. Or perhaps a Conficker variant causing the problem. Even OEM installations fall under this obligation. At that point it is your baby.

Justin James

If you follow the links to the KBs I post, in many cases, they will have a link to download the patch. J.Ja

jamepie

Why can't Microsoft give us one large file with the updates... like AutoPatcher?

Mark W. Kaelin

I can make PDF versions available if members want them.

JCitizen

that is what I'm running. But I can't use Business or Ultimate either; I'm stuck with Home Premium. Haven't had any major issues, so far. After the update that is.

JCitizen

There are some scary scenarios I can see coming from that situation.

Justin James

I haven't seen any .Net patches come down the pike yet, other than the SP1 patch from a month or two ago. J.Ja

john.tate

After loading the ChangeBASE AOK application testing portfolio into an AOK Patch Impact database, all ten patches were tested for application-level issues and, in addition, application dependencies. Nine of the ten Microsoft Security Updates (MS09-018 to MS09-025 and MS09-027) did not raise significant application-level or dependency-level issues with the AOK Application Test portfolio. Thus, these nine patches were rated as Green. MS09-026 affected over 50% of the 800-odd apps we tested - so this should be the area of focus for testing. The payload that is relevant is: Rpcrt4.dll, Xpsp3res.dll, Rpcrt4.dll, Xpsp3res.dll, Rpcrt4.dll, Rpcrt4.dll. More info at http://www.changebase.com/news/news_release_2009_06_09.html

Justin James

You know, something similar to that had been floating in my mind for a few months, but the way I had envisioned it wasn't as simple and would have made less sense. I like this idea, and I think we'll give it a go next month. Thanks! J.Ja

Robbomaz

Outlook post-patch tries to start, gets the splash screen, briefly opens a window, then closes saying 'Outlook cannot open window'. All the other Office programs are fine..?? Tried 'repair', then removed & re-installed Outlook; next step is remove Office & re-install. Not happy!

woodguy

After I applied all the patches, my mouse driver went crazy. Could not do anything. Clicks were interpreted when there were none, other clicks not recognized. Backed off all patches and I think it's better.

philbok

I began installing Vista SP2 on our Vista machines but one of them crashed so I stopped. What are the experiences of others?

bremans

After the updates were installed, Secunia still indicates the unsafe condition of Office PowerPoint.

mattohare

On Vista anyway. Then with all the annoyance that Vista provides, it's getting easier to be happy about these little things. Justin, I loved how you call Automatic Updates a 'bin'. I've come to see that word used exclusively for garbage over here.

abasi_obori

I downloaded and installed the SP on my machine prior to approving it in WSUS. No issues, except that I noticed that a screen saver I had earlier deployed across the enterprise suddenly stopped working. Anyone with this experience?

JCitizen

I got some simple crack code embedded in the factory CD for a non-networkable Brother laser printer. Even though SNMP was disabled in my Vista installation, something in that driver was taking advantage of that vulnerability and scanning the interior of my LAN looking for weaknesses. Fortunately my IDS let me know about it, and I spent a lot of money and several arguments with Brother USA, and my ISP, before finally getting rid of that bad driver. This bulletin could have trumped the problem in the first place, if it had come out two months ago.

JCitizen

Or start bugging them about it. I've had success in the past with that. It's just not worth opening yourself up to being pwned, for a $20 mouse.

oz_ollie

You can't install Vista SP 2 if third party disk management or cloning software has been used - see http://support.microsoft.com/kb/971204/ for full details. Microsoft's typical solution - "re-install Windows". This is just absolute crap from Microsoft.

Justin James

SP2 wouldn't install until I got rid of the language packs, which have been causing me issues with the "Add/Remove Windows Features" system anyway. Outside of that, I've had zero problems, including on my 2008 servers. J.Ja

JCitizen

But I'm running Vista x64 Home Premium; not my choice - but oh well!!

Justin James

It's funny, I never thought of it as a "bin" until I started using WSUS. I have a query in my WSUS console set up to show what is unapproved for install, and I think of it as my "bin" (or Inbox) to work through once a month. The more Commonwealth usage of the term slipped by me when my mind made the association. :) J.Ja

JCitizen

They interrupt auto-updating and just about every maintenance function we were doing. We finally had to enforce it through GPO because of stubborn clients. Monitor power-off functions were harmless and always enabled, with forced logon after inactivity (HIPAA).

mattohare

More rogue terminology for us, what?
