
It's Microsoft Patch Tuesday: November 2009

Justin James gathers the information you need to make the right decision on applying Microsoft's November patches in your organization.

This month's actual "Patch Tuesday" items are short and sweet. So why is this month's report so insanely long? Blame it on W7 and 2008R2, but not in a bad way! Microsoft is back-porting a lot of W7/2008R2 functionality to previous versions of Windows, and most of the interim patches are related to this effort. While I applaud Microsoft for doing this and while I understand why they would want to release those items out of band, I think that most systems administrators would rather not see those kinds of items show up until the proper Patch Tuesday.

For information on previous patch Tuesdays, visit the TechRepublic Microsoft Patch Tuesday archives.

Security patches

  • MS09-045/KB975542 - Critical (2000): This patch fixes a remote code execution exploit in JScript 5.7 on Windows 2000. The patch has been available since December for other versions and other OSs. 718 KB
  • MS09-063/KB973565 - Critical (Vista, 2008): An attacker could use a specially crafted packet to perform a remote code execution exploit against Vista and 2008, but only from the local subnet. This is a surprising item, in that it affects only Vista and 2008. You will want to get this patch installed immediately, because it requires zero user interaction to trigger it, and the attacker gets full rights from what I can tell. 245 KB - 576 KB
  • MS09-064/KB974783 - Critical (2000): A problem with the License Logging Server on Windows 2000 allows attackers to perform remote code execution exploits against the machine. You should install this patch as soon as you can. 532 KB
  • MS09-065/KB969947 - Critical (XP, 2000, 2003)/Important (Vista, 2008): There are a number of problems with the Windows kernel that allow attackers with carefully crafted fonts to attack the system. On 2000, XP, and 2003, these are remote code execution exploits. On Vista and 2008, these are "merely" escalation of privileges attacks. You should get this patch on your systems as soon as you can. 1.1 MB - 5.6 MB
  • MS09-066/KB973037 - Important (XP, 2000, 2003, 2008): A problem with various Active Directory systems allows specially crafted LDAP queries to jam up the Active Directory system on servers. This is a low-priority item, and the patch can wait until your next patch cycle. 800 KB - 5.6 MB
  • MS09-067/KB973593 - Important (Office XP, Office 2003, Office 2004 for Mac, Office 2008 for Mac, Open XML File Converter for Mac, Excel Viewer 2003, Office Compatibility Pack 2007 SP1 and SP2): A number of problems with various applications that can open Excel files can lead to a remote code execution exploit. The damage is limited on systems with restricted user accounts. Microsoft calls this update "Important," but I feel that you will want to install it immediately, due to the user habit of opening any and every Office file they receive.
  • MS09-068/KB976307 - Important (Office XP, Office 2003, Office 2004 for Mac, Office 2008 for Mac, Open XML File Converter for Mac, Word Viewer): Similar to the Excel bug above, specially crafted Word documents can be used to perform remote code execution attacks, which may have lower permissions for restricted users. Again, the prevalence of Word files makes this more critical than the potential damage would normally indicate, so install this patch quickly. There is a known issue where Office XP users will need to re-agree to the software terms after installing this update.
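
To check which of the OS-level patches above are still missing, the following PowerShell sketch queries each host and reports only the bulletins that apply to its Windows version. It is an added example, not part of the original article: the KB numbers, severities and advice strings are copied from the list above, and the host names you pass in are your own.

```powershell
# Added example (not from the article): report which of the OS-level KBs above are present.
param([string[]]$ComputerName = @($env:COMPUTERNAME))   # placeholder default: local host

# Severity and advice strings are copied from the list above; OS names follow the article.
$bulletins = @(
    @{ Bulletin='MS09-045'; KB='KB975542'; OS=@('2000');                    Severity='Critical';  Advice='not stated' },
    @{ Bulletin='MS09-063'; KB='KB973565'; OS=@('Vista','2008');            Severity='Critical';  Advice='immediately' },
    @{ Bulletin='MS09-064'; KB='KB974783'; OS=@('2000');                    Severity='Critical';  Advice='as soon as you can' },
    @{ Bulletin='MS09-065'; KB='KB969947'; OS=@('XP','2000','2003');        Severity='Critical';  Advice='as soon as you can' },
    @{ Bulletin='MS09-065'; KB='KB969947'; OS=@('Vista','2008');            Severity='Important'; Advice='as soon as you can' },
    @{ Bulletin='MS09-066'; KB='KB973037'; OS=@('XP','2000','2003','2008'); Severity='Important'; Advice='next patch cycle' }
)

# Map the WMI OS version to the family names used in the article.
function Get-OsFamily($os) {
    $workstation = ($os.ProductType -eq 1)
    $v = ($os.Version -split '\.')[0..1] -join '.'
    switch ($v) {
        '5.0'   { '2000' }
        '5.1'   { 'XP' }
        '5.2'   { if ($workstation) { 'XP' } else { '2003' } }      # XP x64 reports 5.2
        '6.0'   { if ($workstation) { 'Vista' } else { '2008' } }
        default { 'other' }
    }
}

$report = foreach ($c in $ComputerName) {
    $os     = Get-WmiObject Win32_OperatingSystem -ComputerName $c
    $family = Get-OsFamily $os
    # Get-HotFix reads Win32_QuickFixEngineering: OS updates only, so the Office
    # bulletins (MS09-067/068) are not checked here. A missing KB can also mean
    # a later update superseded it, so treat "False" as "verify", not as proof.
    $installed = @(Get-HotFix -ComputerName $c | ForEach-Object { $_.HotFixID })
    foreach ($b in $bulletins) {
        if ($b.OS -contains $family) {
            New-Object psobject -Property @{
                Computer = $c; OS = $family; Bulletin = $b.Bulletin; KB = $b.KB
                Severity = $b.Severity; Advice = $b.Advice
                Installed = ($installed -contains $b.KB)
            }
        }
    }
}
# Missing patches first, Critical before Important.
$report | Sort-Object Installed, Severity |
    Format-Table Computer, OS, Bulletin, KB, Severity, Advice, Installed -AutoSize
```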

Other updates

  • KB943729: 2008R2 and 2008 introduced new Group Policy items for Windows clients; this update makes these policies available to machines running XP and 2003. 700 MB - 890 KB
  • KB960568: This update for Vista and 2008 adds BITS 4.0 functionality, which is used by much of the Windows Management system. 1.4 - 1.9 MB
  • KB968930: Adds PowerShell 2.0 and Windows Remote Management 2.0 (for managing Windows computers via SOAP Web Service calls) to XP, Vista, 2003, and 2008. 6.1 MB - 35.9 MB
  • "The Usual Suspects": Updates to the Malicious Software Removal Tool (9.3 - 9.7 MB) and Junk Email filters. 2.2 MB

Changed, but not significantly: Windows Media Center Update (KB975053).

Updates since the last Patch Tuesday

We did not have any security patches released out of band since the last Patch Tuesday.

There have been a number of minor items added since the last Patch Tuesday:

Changed, but not significantly:


About

Justin James is the Lead Architect for Conigent.

18 comments
rubyvida1

Patch KB969947 froze up my Windows XP PC. On boot up I would be able to log in and the system would begin loading apps. All of a sudden it would say Symantec Corporate Edition turned off and the system would freeze up. I would have to hard reset. I logged in in safe mode, removed the update, and everything works fine. Any ideas???

rasilon

Thanks, Justin. Your posts are about the best and clearest descriptions of what is happening w.r.t. Patch Tuesday happenings. Keep it up. Hank Arnold (MVP)

fonman805

I agree with the previous post. However, the information would be much more useful if the TR Newsletter emails with links to the article were also sent on Patch Tuesday, rather than two days later. By Thursday the information is not quite as relevant. This has been happening for a while.

Justin James

If you look at the timestamp on the article, you'll see that it was posted on Patch Tuesday, before COB on the East Coast, in fact! The problem is TR's newsletter schedule; from what I can tell, they moved the "Windows" newsletter to Thursday, and this piece falls under that. But, there is a fix for that! If you go to the special "Patch Tuesday" page (http://blogs.techrepublic.com.com/focus/Windows+Patch+Tuesday.html?tag=post-1792;contentData), you will see two buttons, one to alert you via email, and one for an RSS feed dedicated to this series! So, you can be notified when the new articles are posted. Alternatively, you can just visit that page (or the Windows blog at TR) near the end of the day (EST) on the second Tuesday of the month, and refresh every 30 minutes until you see it pop up. Regarding the timing, what I do is prepare as much of the material a day or two in advance... all of the things that were released out of band. In the late morning of Patch Tuesday, I'll fill in the details of the non-security content. Then, the moment I see the security patch details released (they do them last, and I refresh every 15 minutes waiting on them), I'll get that done and fire it off to the TR team. Also, Mark Kaelin, the TR editor here who handles this piece, and I coordinate throughout the day so he knows about when to expect my email with the article, and he has always made publication of the piece his #1 priority. He almost always gets it up within an hour of me sending it. Considering the amount of details to be double checked and the formatting involved (like those little flags for "patch importance"), that's great turnaround. I know, that's a lot more detail than you needed, but that's the story of how we get these together. Kind of like that "How it's made" show. :)
So yeah, the newsletter *is* tardy, and if you need the information sooner, I would definitely suggest either keeping an eye on the space or subscribing to the email or RSS alerts, because it's only been twice (as far as I can recall) that we had this up after close of business (Eastern Time) on Patch Tuesday. J.Ja

davidt

Unfortunately, Microsoft was particularly closed-mouth about the details of this Patch Tuesday - it probably took some time to root out and decipher the details of each patch.

Justin James

In general, they discuss Office stuff first, and often will discuss any patches for publicly disclosed vulnerabilities, especially those with exploits in the wild, to calm customers. They release details of the non-security patches the night before or early in the day. The security patches, though, are kept under wraps until the early afternoon on Patch Tuesday itself; around 1 - 3 PM EST is when they show up to me. J.Ja

Mark W. Kaelin

Did you have (or are you having) trouble with this month's patch?

scalpod

KB931125 (root certificates update) being re-offered endlessly to both WSUS clients and also via Microsoft Update. I see this has been a problem with this update in previous versions though I'm not sure how to handle this particular instance? I wonder if the patch isn't being reported as installed correctly and that's why it's offered repeatedly?

davidt

After testing the patches for a few hours on an XP Pro, Vista, and minor SBS2003 server I rolled everything out today company-wide. So far, no problems.

Justin James

Last night I patched all of our VMs and one of our physical servers with no issues. Tonight or tomorrow I am patching the rest of the physical machines. J.Ja

johnInTO

Yes. I automatically picked up 3 updates and my machine wouldn't restart. The System Repair reported bad patches. I had to do a sys restore from just prior to applying the patches in order to get my machine back.

mimoore

May I ask what OS you are using and when you had the problem? We have one desktop running XP that refused to boot up starting Tuesday AM, but started having difficulties the previous day. We recently had it in for repair/system reinstall, and thought this was evidence of a possible hardware failure. When you try to turn it on you can hear the machine start, then it turns off, then it boots up with the screen giving options because "Windows closed abruptly, do you want to: start in safe mode, etc." At that point, no matter what is tried, you get no farther than a repeat of the 2-stage event. (Is this similar to your experience?) Thank you.

mimoore

Thank you for your reply and thoughts. I succeeded in doing a system restore (successfully saving data files) and have not connected to the internet yet, pending doing some updates and loading anti-virus via CD/Flash. The computer had McAfee running at the time the problem developed. If it was a worm, I'm wondering what I need to do instead/different. Any thoughts?

helpwithvb

What I experienced yesterday sounds similar, except I know what's going on. Two computers kept rebooting constantly till I formatted; one is Vista and the other Win7. It's not the patches. The situation in the last 2 days seems to have changed with the worm. Last night after I formatted and got back online, 6 DNS companies including ICANN and RIPE were in my machine remotely on port 80 and later on MSFT. Since I'm the only one that knows the worm hijacked your kernel, BIOS, and firmware as another layer besides the OS, I bet some of your device drivers can't update. My mother took her computer recently because she turned the affected computer on at the same time. Once infected, I still have it since Aug 2008 and am constructing a way to see it and rid it. I have to work on the hard drive/memory/kernel/firmware at the same time, hoping that once not online, it won't get reinfected. I receive 2000 incoming IPs an hour traced back to my own machines pinging. You can see the worm if you get a hub or router which has logs that the hacker could not successfully intercept.

johnInTO

I'm running Vista Home Premium (64 bit). The system created its own recovery point before applying the patches. When Windows reported a problem at start up it recommended a system recovery from the last recovery point. I said go ahead and after several power down/power up cycles, it worked.

seanferd

You may wish to try booting from a recovery partition or CD/DVD, if available. Otherwise, you'll need to boot from a live OS CD of some sort to fix it. Or re-image after pulling user data off with a live OS, or with the drive slaved into another machine. Or from backups.