Security

It's Microsoft Patch Tuesday: October 2009

Justin James gathers the information you need to make the right decision on applying Microsoft's October patches in your organization.

What an utter disaster this month has been for Microsoft on the security patches. I had a chance to start working on this edition before the security patches were announced, and I was pleased at how few items there were. And then we saw 13 (yes, thirteen) security bulletins published, most of them for "critical" vulnerabilities. The silver lining is that Windows 7 and Windows Server 2008 R2 were barely touched, and where they were, it was usually for shared components rather than the operating system itself. Also of note is an IIS security vulnerability, something that has been very rare as of late.

On W7 and 2008 R2, please note that when "2008" is specified as the affected OS, 2008 R2 is not considered "2008." Unlike Windows Server 2003 R2, which was more of a feature pack than anything else, Windows Server 2008 R2 made enough changes to the base OS that they really are separate operating systems. As a result, they do not share vulnerabilities like 2003 and 2003 R2 do, and I will always list 2008 R2 as a separate item if a patch is meant for it.

Security Patches

  • MS09-050/KB975517 - Critical (Vista, 2008): This is the awaited patch for the publicly known SMB2 vulnerability that could allow remote code execution; it also fixes two other similar issues that have not been publicly disclosed. This patch is absolutely mandatory at this point and should be installed immediately. 200 KB - 350 KB
  • MS09-051/KB975682 - Critical (2000, XP, Vista, 2003, 2008): There are vulnerabilities in the Windows Media Runtime that allow remote code execution to occur, with a specially crafted file. The attacker could gain the same rights as the local user. You should install this patch as soon as possible. 650 KB - 1.1 MB
  • MS09-052/KB974112 - Critical (2000, XP, 2003): This is another issue with Windows Media, this time with Windows Media Player in older versions of Windows. Again, an attacker can use a specially crafted file to run code with the same rights as the local user. If you have one of these OSs installed, you will want to install this patch immediately. 600 KB - 790 KB
  • MS09-053/KB975254 - Important (2000, XP, Vista, 2003, 2008): This update corrects two issues with IIS's FTP service. The problem exists in IIS 5.0 through IIS 7.0; Vista and 2008 servers (with IIS 7) are affected only if they have FTP Service 6 installed. On IIS 5.0, one of the vulnerabilities can lead to remote code execution. The other problem resolved by this patch can be used to perform a denial-of-service attack on all listed versions of IIS. If you are using IIS 5.0, I suggest you install this patch as soon as you can; otherwise it can wait until your normal patch cycle. 160 KB - 1.1 MB
  • MS09-054/KB974455 - Critical (IE 5.01, IE 6, IE 7, IE 8): This cumulative update for IE resolves four vulnerabilities, one of which has already been publicly disclosed. It also bundles a number of other hotfixes in. These vulnerabilities could be exploited by attackers with specially crafted Web pages to perform remote code execution attacks with the local user's rights. I suggest you install this one quickly. 3 MB - 40 MB
  • MS09-055/KB973525 - Critical (2000, XP)/Important (Vista, W7)/Moderate (2003)/Low (2008, 2008 R2): This cumulative security update for the ActiveX Killbits component resolves a remote code execution exploit that is already being exploited in the wild. If you allow IE to run ActiveX controls on untrusted pages, install this immediately; otherwise, wait until your next scheduled patch cycle. 27 KB
  • MS09-056/KB974571 - Important (2000, XP, Vista, W7, 2003, 2008, 2008 R2): A problem with the Windows cryptography system could allow spoofing attacks, should the attacker get hold of the user's certificates, which is fairly unlikely. Install this patch on your next patch cycle. 42 KB - 1 MB (Editor's note: See Justin's discussion post for the latest information about this particular patch!)
  • MS09-057/KB969059 - Important (2000, XP, 2003): There is a chance that an attacker could use the Indexing Service's ActiveX control to force the target computer to index a bad URL, which would then perform a remote code execution attack on the PC. This is definitely one of the most roundabout exploits of the year. All the same, you should install this patch during your usual maintenance. 1 MB - 4.8 MB
  • MS09-058/KB971486 - Important (2000, XP, 2003, 2008): An issue with the Windows kernel could allow an escalation of privileges attack. This is a relatively low-key bug, since the attacker would need to be logged in and running the exploit code, and remote and anonymous users cannot trigger it. Put this patch on during your next patch window. 1.6 MB - 7.8 MB
  • MS09-059/KB975467 - Important (XP, Vista, W7, 2003, 2008, 2008 R2): A problem with the Windows security subsystem could allow an attacker to send a malformed NTLM authentication packet and perform a denial-of-service exploit. This is not terribly serious; this patch can wait until your next maintenance period. 150 KB - 2.4 MB
  • MS09-060/KB973965 - Critical (Office XP, Office 2003, Visio Viewer 2002, Visio Viewer 2003, Visio Viewer 2007): This patch resolves ActiveX issues in various versions of Office, which could be used to perform remote code execution attacks and gain the local user's privileges. This patch should be installed immediately. Microsoft recommends that people with the Visio Viewers version 2002 and 2003 upgrade to the 2007 version immediately, as a separate hotfix will not be provided for those versions (the update for MS09-034 takes care of it in those versions). Also, the Outlook View Control may not work after installing this update; Microsoft has made updates available to fix that issue as well. No file size data available.
  • MS09-061/KB974378 - Critical (2000, XP, Vista, W7, Silverlight 2 on Mac, Silverlight 2 on Windows desktop OS)/Important (2003, 2008, 2008 R2)/Moderate (Silverlight 2 on Windows Server): An issue with the .NET Framework could allow remote code execution via XAML Browser Applications (XBAPs), Silverlight applications, or .NET applications. An attacker who can upload an ASP.NET application to an IIS server could trigger the vulnerability that way as well. You should install this patch immediately on desktop versions of Windows (and on Macs). Windows Server installations can wait until the next patch window. 83 KB - 30.8 MB
  • MS09-062/KB957488: A number of problems in GDI+ (the graphics system in Windows) can allow remote code execution attacks to be triggered with malformed image files. Normally I would list the affected products (you can see the full chart here), but this patch covers so many products that it is a safe bet that if you are running Windows, it hits you one way or another. Vista, W7, 2008 R2, and a few other OSs are not vulnerable themselves, but Microsoft Office and SQL Server are, so between those two products alone (plus the other affected products), it is a sure bet that your system is affected. You should install this patch as quickly as you can. 1.2 MB - 3.6 MB
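Deciding which of these bulletins a given box actually needs, and whether the KB is already on it, is tedious by hand, especially since "2008" in a bulletin does not mean 2008 R2. The script below is an added example, not part of the original column and not a Microsoft tool. It assumes Windows PowerShell 2.0 or later in an elevated prompt, maps the KB numbers from the list above to Win32_OperatingSystem version prefixes (5.0 = 2000, 5.1 = XP, 5.2 = 2003 and XP x64, 6.0 = Vista and 2008, 6.1 = Windows 7 and 2008 R2) and uses ProductType to tell workstation from server so that 6.1 resolves to the right product. The per-bulletin severity is the highest rating the bulletin carries; the OCS/LCS service display-name pattern is an assumption based on the problem reported in the comments below, and should be adjusted to match your own deployment.

```powershell
# Added example, not from the original column. Reports which of the October 2009
# bulletins apply to this host and whether their KBs are present in the servicing store.
# Assumptions: Windows PowerShell 2.0+, elevated prompt. 'App' scope marks patches for
# IE, Office, .NET or Silverlight that may not appear in Win32_QuickFixEngineering.

$bulletins = @(
    @{ Id = 'MS09-050'; KB = 'KB975517'; Severity = 'Critical';  Scope = 'OS';  Versions = @('6.0') },
    @{ Id = 'MS09-051'; KB = 'KB975682'; Severity = 'Critical';  Scope = 'OS';  Versions = @('5.0','5.1','5.2','6.0') },
    @{ Id = 'MS09-052'; KB = 'KB974112'; Severity = 'Critical';  Scope = 'OS';  Versions = @('5.0','5.1','5.2') },
    @{ Id = 'MS09-053'; KB = 'KB975254'; Severity = 'Important'; Scope = 'OS';  Versions = @('5.0','5.1','5.2','6.0') },
    @{ Id = 'MS09-054'; KB = 'KB974455'; Severity = 'Critical';  Scope = 'App'; Versions = @('Any') },
    @{ Id = 'MS09-055'; KB = 'KB973525'; Severity = 'Critical';  Scope = 'OS';  Versions = @('Any') },
    @{ Id = 'MS09-056'; KB = 'KB974571'; Severity = 'Important'; Scope = 'OS';  Versions = @('Any') },
    @{ Id = 'MS09-057'; KB = 'KB969059'; Severity = 'Important'; Scope = 'OS';  Versions = @('5.0','5.1','5.2') },
    @{ Id = 'MS09-058'; KB = 'KB971486'; Severity = 'Important'; Scope = 'OS';  Versions = @('5.0','5.1','5.2','6.0') },
    @{ Id = 'MS09-059'; KB = 'KB975467'; Severity = 'Important'; Scope = 'OS';  Versions = @('5.1','5.2','6.0','6.1') },
    @{ Id = 'MS09-060'; KB = 'KB973965'; Severity = 'Critical';  Scope = 'App'; Versions = @('Any') },
    @{ Id = 'MS09-061'; KB = 'KB974378'; Severity = 'Critical';  Scope = 'App'; Versions = @('Any') },
    @{ Id = 'MS09-062'; KB = 'KB957488'; Severity = 'Critical';  Scope = 'App'; Versions = @('Any') }
)

# Identify the OS. Version is e.g. "6.1.7600"; keep "major.minor" only.
# ProductType: 1 = workstation, 2 = domain controller, 3 = member server. This is what
# separates Windows 7 from 2008 R2 (both 6.1) and Vista from 2008 (both 6.0).
$os   = Get-WmiObject -Class Win32_OperatingSystem
$ver  = ($os.Version -split '\.')[0..1] -join '.'
$role = if ($os.ProductType -eq 1) { 'Workstation' } else { 'Server' }
Write-Host ("Host {0}: {1} (version {2}, {3})" -f $env:COMPUTERNAME, $os.Caption, $ver, $role)

# Installed KB identifiers as reported by the servicing store (HotFixID looks like 'KB974571').
$installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })

$report = foreach ($b in $bulletins) {
    $applies = ($b.Versions -contains 'Any') -or ($b.Versions -contains $ver)
    if (-not $applies) { continue }
    $present = $installed -contains $b.KB
    $note = ''
    if (-not $present -and $b.Scope -eq 'App') {
        $note = 'application-level patch; confirm via Microsoft Update/WSUS, not Get-HotFix'
    }
    New-Object PSObject -Property @{
        Bulletin = $b.Id; KB = $b.KB; Severity = $b.Severity; Installed = $present; Note = $note
    }
}

$report | Sort-Object Installed, Severity |
    Format-Table Bulletin, KB, Severity, Installed, Note -AutoSize

$missing = @($report | Where-Object { -not $_.Installed })
Write-Host ("{0} applicable bulletin(s) not found in the servicing store." -f $missing.Count)

# Pre-check for the problem reported in this thread: after KB974571 (MS09-056) the OCS/LCS
# front-end service failed to start. The display-name pattern is an assumption; adjust it.
$ocs = @(Get-Service | Where-Object { $_.DisplayName -like '*Communications Server*' })
if ($ocs.Count -gt 0) {
    if ($installed -contains 'KB974571') {
        Write-Warning 'KB974571 is installed on a host with OCS/LCS services; verify the front-end service starts.'
    } else {
        Write-Warning 'OCS/LCS services found; consider holding KB974571 until the front-end issue is resolved.'
    }
}
```

Run it on a test host before and after the patch window; the "not found" count is the quick sanity check, and the Scope note is a reminder that Office and Silverlight patches have to be verified through Microsoft Update or WSUS rather than through the servicing store.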

Other updates

  • KB974306: This patch fixes a number of issues with Media Center in Windows Vista. 12.5 MB - 14.7 MB
  • KB974431: W7 and 2008 R2 have some minor reliability issues that are addressed by this patch. 16.5 MB - 21.6 MB.
  • KB974307: This is a big cumulative update for the Media Center TV Pack on Vista. 10.8 MB - 12 MB
  • "The Usual Suspects": Updates to the Malicious Software Removal Tool (9 - 9.4 MB) and Junk E-mail filters. 2.2 MB
  • Changed, but not significantly: Extended Protection for Authentication (KB968389).

Updates since the last Patch Tuesday

We did not have any security patches released out of band since the last Patch Tuesday.

There have been a number of minor items added since the last Patch Tuesday:

Changed, but not significantly:


About

Justin James is the Lead Architect for Conigent.

50 comments
yarbrough2

I know this is late, but we wait two weeks before deploying updates to our live environment to flush out any problems. Has anyone experienced issues with October's updates causing a Nehalem-based server running Server 2003 R2 to hang at the reboot after the patches are installed? We only have two in our environment, but both hung last night at the reboot after the update installation. I found this information, but it is specifically for blue screens and Server 2008 R2: http://support.microsoft.com/kb/975530

feral

I'm gobsmacked at the number of people complaining their systems got bombed by a patch. How is it Microsoft's fault? They cannot possibly test a patch for every known config; the responsibility is yours as the system manager to ensure that a patch does not bomb a critical system. If you are stupid enough to install a patch without testing, you accept the risk. Don't cry about it in here.

Chief Bottle Washer

And you guys bash the holy crap out of Mac users. Ha! How superior is your freaked-out Winbloze 7 = Vista = XP = MS DOS now? You guys are whacky.

micjackz@aol.com

The "attackers" certainly have work-arounds already in place. Why else would Microsoft need constant fixes every month? This is beyond tiresome... it's criminal on Microsoft's part.

JohnEdwards1

Since installing these 16 updates (to Vista HP SP2 32-bit), I have lost all images from my incoming messages in Windows Mail. Any idea which could be the culprit?

shawn.chambers

Seems like I get a new patch everyday now. Maybe we should change the name...

julian.brunt

Since the patches, on my Vista 64 OS, IE 8 will only connect to web pages in 'InPrivate' mode. I have looked around and can't find a reason or anyone else with this issue. I would appreciate any assistance. Nothing in any logs either :S

Craig_B

So Far So Good, all patches seem to work ok. Remember Adobe updates are out as well.

Mark W. Kaelin

Did you have (or are you having) trouble with this month's patch?

---TK---

Yes, we do test our systems before we patch the entire infrastructure... We have about 100 test servers that are in dev. After that we push it out to the 2000+ (not including our virtual environment) other servers, both in dev. and prod. So tell me, champ, if I have a server that tanked after the push, how am I to tell which update tanked the server? Uninstall each one, one by one? Or come to this thread and see what other people have come up with... Let's do some math: 15 min to read through the post (maybe I find the fix) vs. hours of uninstalling, rebooting, and then reinstalling what I just removed... So to the people with issues, keep posting.. lol. It actually does help some people...

AnOldItGuy

It broke a Msoft product; I don't believe they tested against their own applications.

adam_ski

Pardon me, I see your point; nevertheless I find it bollocks. As much as I agree that care should be taken administering patches, I totally resist the statements "it's not Microsoft's fault" or "[admin] stupid enough to patch without testing". Being an admin, I have limited resources for patching and testing. I can barely get a machine or two for tests. And I definitely cannot spend a week on thorough testing of all possible scenarios. On the contrary, MS has much bigger resources and much deeper knowledge of what their patches would and could affect. That's just the case with a doctor. You are not expected to "test" your medicines on yourself, right? You expect proper thoroughness and care to be taken while preparing the drug, including the side-effects listing. While of course it's not 100% proof, and things like Thalidomide can happen, you basically trust your doctor and the pharma company that what they prescribe you will help you rather than harm. Why shouldn't we treat OS patches the same way? Or even more strictly, as they fix just what was screwed up (omitted, neglected, forgotten) by the very maker of it (so we get them free, while we still pay for drugs). Best

---TK---

Maybe I'm misreading this post... and if so, disregard this post. Are you seriously saying it is MS's fault for the attackers constantly finding new holes to exploit? I think you're blaming the wrong people here; I think you should be pissed at the attackers for the constant "fixes"! That's like me blaming my ISP for bandwidth issues, when in fact it's a$$holes from China, Mexico, Russia, etc. trying to brute force my SSH server. It's not my ISP's fault; that's the attackers. All MS is trying to do is protect your rear end... How about this: if you're so tired of the updates, turn them off!

Justin James

... take a look at Oracle. Their bug count is huge, they patch merely 4 times a year (leaving known holes in their applications for months at a time), and often, known bugs will sit unaddressed for YEARS. In comparison, Microsoft is saintly. J.Ja

Tumbleweed_Biff

I think it is every week, not every month, and even that is less than strict - updates can come out any day, at any time. Certainly, Microsoft bears a certain amount of blame going back to one of the most idiotic choices they made in releasing ActiveX, a technology which *requires* a trusted network when the internet was not trustable. That having been said, the *real* blame belongs squarely on the shoulders of the criminals who seek to abuse these vulnerabilities for various reasons, from plain impishness, to malice, to outright theft. If those people were hunted down to the ground mercilessly, and great rewards given to those who provide information leading to arrests, and these criminals prevented from any contact with the internet ever again, then the internet could become trustworthy. (Face it, for what is lost annually to virus damage, you could reward people reporting things $1M and still come out way ahead.) Until then, Microsoft, as the monopoly controller, has the onus of finding and fixing all the gaps in their OSs, and when you are dealing with this much of a code base, it is an eternal and infernal task.

Tumbleweed_Biff

To my experience, blocked images is usually a function of a setting in the firewall. Look for some change in site checking/verification/etc that might have caused this. Could be the image site you were connecting to has some malware that your system is blocking ... any number of possibilities, but that is the direction to go: something has changed which is now blocking your access to that/those sites and you need to figure out what and why.

Justin James

I've noticed that too. Sometimes it takes a few days to arrive in the pipeline. My WSUS server just got some more of these that were supposedly released on Tuesday just now. :( J.Ja

rfmayebo

Yes - my Dell Inspiron Mini would not restart after the updates, instead ending in the Blue Screen of Death - STOP: 0x0000007E. Trawling through some forums revealed the culprit as KB971486. Uninstalling this patch restored system functionality. KB971486 is a security patch - that means I am vulnerable to whatever it was supposed to resolve. Problem is, the attempted cure killed my PC!

kalpstech

MS09-055/KB973525 breaks Visio Viewer. When installed, .vsd files no longer open with Visio Viewer. Remove the patch and Visio Viewer works.

AnOldItGuy

We have a service automation app (web based) that, thanks to Microsoft, bombs on every attempt to update data for our techs. Smooth move, Microsoft; way to go. Bitten by the array access fault in KB974455. Oh, and by the way, it doesn't show up as uninstallable for Vista or 7, just on XP.

eng.omar.hafez

Hi all, Normally, my workstations get internet from the server. Yesterday I downloaded the updates on the server, and once I restarted the server, all workstations had lost connection to the server (hence, internet). The only way to run things again was to uninstall all updates installed on Oct 14th. Has anyone had the same problem? Any advice will be appreciated. Many thanks, Omar

jcbronson

My WSUS server synced at 10:30 and picked up the updates, but they all tagged as "expired" and were unavailable for my network. I found that someone else reported the same issue. Around 4pm, a manual sync got things back in order. I wonder how many others saw this or know why it happened. Did MS pull some back?

mik3

After applying all patches offered to my Win XP with SP3 machine I find that Microsoft Update keeps offering to install KB971486 again. I have reinstalled it three times from Microsoft Update and also manually from an install file I got from the Microsoft Download site. Each time it seems to install ok, and Microsoft Update History says it installed correctly. Oh, I also manually installed it from Safe Mode as well. I'm still being offered the KB971486 patch by Microsoft Update. Very Annoying!!! BTW Secunia PSI and Belarc Advisor both say I have all pertinent patches for my system, and Belarc lists KB971486 as being installed correctly. Anyone have any solutions for this? Thanks.

jck

I'm waiting for restore points to start failing like Danger's backups did. :^0

webmaster

We have had 2 Windows Server 2003 Enterprise domain controllers go down after the automatic updates last night. One we have recovered, not sure why yet, and the other one still does not boot.

davidt

I'd like to report that I finished updating 25 XP Pro systems and 2 SBS2003 servers about 6 hours ago. All patches were applied. So far (knock on wood) no adverse effects. This included a mixture of Office 2003 and Office 2007.

psynnott

I have W7 RTM from MSDN, and upon rebooting after Tuesday's updates W7 hangs at the "Preparing to configure windows - do not turn off your computer" message. I have already forced a reboot and it is hanging at the same stage again. Hourglass is still turning, but nothing appears to be happening. Been at this stage for over 20 minutes this time. Any ideas apart from a system restore? Cheers

Justin James

WARNING! I just got off the phone with Microsoft support. After installing my patches and rebooting, my OCS 2007 R2 server would not start the "Front End" service internally or the Access Edge service externally. The error IDs in the event log were 12299 and 12290, and it was saying that an evaluation copy had expired. It turns out KB974571 is causing the problem. At this time, DO NOT INSTALL KB974571 on any servers running OCS or LCS; Microsoft support informed me that both products are impacted. J.Ja

Justin James

I agree that testing patches would be great. But, unfortunately, I do not have those resources. It took me *months* to build out this infrastructure and get all of those servers configured. Trying to clone the whole thing would be a killer on my time, and brutal on the budget. There's another factor to consider as well, and that is the *time* issue. I could test. It takes me, oh, 4 hours at this point to do all of my patching, rebooting, verification, etc. So if I were to test first, I would not really be able to get the patches installed until Wednesday night, due to when the patches are released. Meanwhile, the moment the patches come out, the "bad guys" are analyzing it and coming up with all sorts of exploits based on what they see in the patches, so they can wreck unpatched systems. In the last two years, I have had precisely one bad go south on me (the one I posted about above) on a server. If I have to choose between an extra 24 - 48 hours of vulnerability, plus the expense of doubling my hardware budget, not to mention the effort to construct a fully isolated test network (I may add, many, MANY of the services we have are public, so I'd need to duplicate the full public facing stuff too), or, possibly having to put an emergency phone call in to Microsoft on Tuesday night (like I did this time), which doesn't even cost me a cent because we're certified partners, guess what? I'm patching Tuesday night. In a world of bigger budgets with bad guys that are slower to exploit, patching would definitely be something I'd be doing, though. But in this case, it's a matter of taking the lesser of two evils. J.Ja

Chief Bottle Washer

It's Microsoft's responsibility to roll out a higher quality product not some half-baked beta version and give it a name. Look at all the trouble you guys need to go through to get your software back into working condition prior to your upgrading/servicing/PATCHING. Microsoft should just re-name Windows to Patches. Because that's all it is - sewn together patches of code.

rasilon

Same thing here. My WSUS server just synched last night and 4 more updates arrived for Server 2008: Security Updates for ActiveX Killbits (KB973525) and Windows Media Format Runtime 11 (KB954155) for 32 & 64 bit. It *IS* getting a bit crazy.... :-(

fusion94

My server synced at 4:10 and all of the updates came through just fine... That being said, a SQL update (KB970892) and an Office update (KB974554) have caused a few errors, a dozen or so... but we are getting that fixed.

davidt

In my case, I had run a registry clean-up program too aggressively and had removed an entry that Update looks for (a separate place from the Update History). Microsoft has the solution to it in the Knowledge Base or TechNet - I don't recall the details, since it was a couple of years ago.

davidt

Let us know when you find out any details

psynnott

KB974431 is causing this problem. It is an "important update" but is not selected by default. Keep it unticked if you wish to avoid any trouble!

Justin James

One of the SQL Server updates won't install on one of my servers. I'm not worried about it, because it is the tiny SQL Server Express install for the Active Directory Migration tool, and it's pretty locked down already since the tool hasn't been used in a year. J.Ja

Thoyvald

Have had a similar problem in the past. The easy solution is to simply untick this on the update list, and at least it will stop telling you. My problem is that BITS doesn't work and I have to download updates on another computer as Admin and install them via a USB stick on my main PC.

webmaster

8 hrs with MS tech support; uninstalled patches and several other things; nothing worked; they are stumped. Starting over :(

rainswept

You may simply have the lucky circumstance of HAL or absence of a race condition that passed initial QC. On your cue, assuming not all of your details are invalid as you state, I'm at least at the same level of management as you, so the following should hold some weight:

My (new) Windows 2008 Server R2 machine also hung on a brand new install. The animation runs as others have noted, but the mouse behaves as if there's a deferred procedure call (DPC) problem. At my level of experience (25 years), initial secure system state, and the due diligence required to set up a domain controller, in my professional opinion, the problem cannot be so easily identified as "you must have messed with the OS." I have a list of notes in front of me that show I have not.

In other words, sometimes patches are bad, and it's quite easy to verify this, e.g.:
"Microsoft (crashes servers) admits Exchange update goof":
* http://www.v3.co.uk/vnunet/news/2226121/microsoft-fesses-exchange
or "Black Screen woes could affect millions on Windows 7, Vista and XP" (patches KB915597 and KB976098):
* http://www.prevx.com/blog/140/Black-Screen-woes-could-affect-millions-on-Windows--Vista-and-XP.html
or "You may experience performance issues after you install the 811493 (MS03-013) security update" (caused by a Microsoft regression error):
* http://support.microsoft.com/default.aspx/kb/819634

and it's why many corporations run Windows Update Services, so that updates can be screened at the server before LAN distribution. My point is, the very human attribute you give the end user, which may be (but is not definitely) true, can also be attributed to the patch developers... and faced with reinstalling my server and the subsequent delays, I really wish GMs and other perhaps less-technical staff recognized more often that it's not always the installer's (victim's) fault.

** Edit: Second installation... same procedure, no hang... yet the same patches were applied each time: KB890830, 973525, 974431, 974332, 974571, 975364, 975467, 976098, 976325. Unfortunately, while documenting this for others helps build causation/correlation, this is not enough for proof.

rasilon

I booted my W7 RTM system this AM and saw the update offered. Weird.... I installed it (hey, I'm a techie!) with no apparent problems...

hueta

I just installed that update.. no probs whatsoever after restart... If an update ruins your OS, you had probably messed the OS up in other ways earlier. For me, Win7 has been rock solid, freaking love it.. Pathetic how some people tested Windows 7's alpha versions (Vista) and even paid for that. [oh yeah, these account details, not valid]

wg_schmitt

I thought VISTA was the most secure windows ever offered?

rasilon

No sign of this patch on my W7 RTM machine, either... I just checked again and nothing offered. Hank Arnold (MVP)

Justin James

... that's the "reliability update"! For whatever reason, it wasn't offered to my W7 machine. At least, not yet. Maybe later on today it will be. J.Ja

robin

Our Office Communicator service Front-End refused to start this morning on our 2003 server; read the info on OCS 2007 Standard FRONT-END server which confirmed that KB974571 was the culprit, so removed the update and all works fine now. I switched updating from automatic install to download and wait.. and after 10 minutes it was sitting there waiting to be installed again!! I have now declined the offer and removed it from troubling us again on this server. Luckily we only use this server for OCS 2007 (It's a VM). I have now read Microsoft's blog at http://support.microsoft.com/kb/974571 which confirms the problem.