It's Microsoft Patch Tuesday: September 2009

Justin James presents a rundown on the September 2009 batch of Microsoft patches.

This month's patch release is about average for Microsoft Patch Tuesday, but there were a huge number of out-of-band patches in late August. I'm really not a big fan of that for noncritical security patches. It makes sense, though; the patches are related to Windows 7 and Windows Server 2008 R2, both of which RTMed recently and are just now finding their way onto systems.

By reader request, I am now listing the updates' approximate sizes. I am rounding the numbers, so don't treat the numbers as accurate to the byte; the numbers are meant to let you know if this is worth the download in locations with restricted or metered bandwidth. Please let me know in the forums whether you find this change useful or think it adds clutter to the report.

We are continuing to use our new rating system, where one flag means "patch only if applicable," two flags means "patch during your next regularly scheduled patch cycle," and three flags indicates "patch immediately."

Security patches

MS09-045/KB971961 - Critical (2000, XP, Vista, 2003, 2008): This patch fixes a flaw in the JavaScript engine of Internet Explorer that allows remote code execution. Note that Windows 7 and Windows 2008 R2 are not affected by this issue. You should install this patch immediately. There are a few known installation issues, so check KB971961 for details. (The update is approximately 330 KB - 1.2 MB.)

MS09-046/KB956844 - Critical (XP, 2000)/Moderate (2003): Attackers can take advantage of the DHTML Editing Component ActiveX control to perform a remote code execution attack on Windows 2000, Windows XP, and Windows Server 2003 machines. The attacker gains the rights of the locally logged-on user. You should install this patch in your next patch cycle; it shouldn't be a problem if you disable ActiveX. (The update is approximately 550 KB - 1.2 MB.)

MS09-047/KB973812 - Critical (2000, XP, Vista, 2003, 2008): This patch corrects two problems in which Windows Media Format can be exploited for remote code execution. This affects Windows Media Player users, as well as servers running Windows Media Services. Itanium 2003 and 2008 systems and Windows 7 and Windows 2008 R2 systems are not affected. (The update is approximately 1.2 MB - 4.8 MB.)

MS09-048/KB967723 - Critical (Vista, 2008)/Important (2003): There are a number of issues with the TCP/IP handling in Windows Vista, Windows Server 2003, and Windows Server 2008. On Windows Server 2003, these issues are exploitable only as denial-of-service attacks; in Windows Vista and Windows Server 2008, they are full remote code execution vulnerabilities. Windows XP, Windows 7, and Windows Server 2008 R2 are not affected by this problem. You should install this patch immediately on any system directly connected to the Internet and during the next patch cycle on systems that do not receive packets directly from the Internet. See KB967723 for known installation issues. (The update is approximately 800 KB - 6.2 MB.)

MS09-049/KB970710 - Critical (Vista)/Important (2008): A problem with the wireless networking components on Windows Vista and Windows Server 2008 allows remote code execution attacks. Windows XP, Windows Server 2003, Windows Server 2008 R2, and Windows 7 are not affected. This is not a problem for systems without Wi-Fi or with Wi-Fi turned off. If you have a Windows Vista or Windows Server 2008 machine with Wi-Fi, you should install this patch immediately. (The update is approximately 900 KB - 1.5 MB.)
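As an added example (not part of the original column or of any Microsoft tooling), the following PowerShell script turns the bulletin list above into a first-pass audit of a single host: it works out which platform it is running on, checks whether each applicable KB is installed, and annotates the result with the install advice given above. The KB numbers, affected platforms, and advice come from the column; the OS-detection patterns, the wireless-adapter heuristic, and the function names are my own assumptions.

```powershell
# Added example: audit one host against the September 2009 security bulletins.
# Requires PowerShell 2.0 (XP SP2+, 2003, Vista, 2008); Windows 2000 cannot run it.
# Caveat: Get-HotFix reads Win32_QuickFixEngineering, which can omit updates on
# Vista/2008, so treat "Installed = False" as "verify with WSUS/MBSA", not as proof.

# Bulletin data as stated in the column above.
$bulletins = @(
    @{ Bulletin = 'MS09-045'; KB = 'KB971961'; Affects = @('2000','XP','Vista','2003','2008')
       Advice = 'Install immediately' },
    @{ Bulletin = 'MS09-046'; KB = 'KB956844'; Affects = @('2000','XP','2003')
       Advice = 'Next patch cycle (disabling ActiveX mitigates)' },
    @{ Bulletin = 'MS09-047'; KB = 'KB973812'; Affects = @('2000','XP','Vista','2003','2008')
       Advice = 'Critical (Itanium 2003/2008 not affected)' },
    @{ Bulletin = 'MS09-048'; KB = 'KB967723'; Affects = @('Vista','2003','2008')
       Advice = 'Immediately if Internet-facing, otherwise next patch cycle' },
    @{ Bulletin = 'MS09-049'; KB = 'KB970710'; Affects = @('Vista','2008')
       Advice = 'Immediately if the host has Wi-Fi enabled' }
)

# Map Win32_OperatingSystem.Caption to the short platform names used above.
# Assumption: captions contain these substrings. Most specific first, so that
# "2008 R2" and "Windows 7" (not affected) are never misread as "2008".
function Get-WindowsFamily {
    $caption = (Get-WmiObject Win32_OperatingSystem).Caption
    switch -Regex ($caption) {
        '2008 R2'   { return '2008R2' }
        'Windows 7' { return '7' }
        '2008'      { return '2008' }
        'Vista'     { return 'Vista' }
        '2003'      { return '2003' }
        'XP'        { return 'XP' }
        '2000'      { return '2000' }
        default     { return 'Unknown' }
    }
}

# Heuristic (assumption): a Wi-Fi adapter's WMI name mentions Wireless/802.11/Wi-Fi.
# Only used to annotate MS09-049, which the column says does not matter without Wi-Fi.
function Test-WirelessAdapter {
    $nics = Get-WmiObject Win32_NetworkAdapter |
        Where-Object { $_.Name -match 'Wireless|802\.11|Wi-?Fi' }
    return (($nics | Measure-Object).Count -gt 0)
}

# One row per bulletin that applies to this platform, with installed state and advice.
function Get-PatchStatus {
    $family    = Get-WindowsFamily
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    $hasWifi   = Test-WirelessAdapter

    foreach ($b in $bulletins) {
        # Skip bulletins the column lists as not affecting this platform.
        if ($b.Affects -notcontains $family) { continue }

        $note = $b.Advice
        if ($b.Bulletin -eq 'MS09-049' -and -not $hasWifi) {
            $note = 'No Wi-Fi adapter found; not a problem per the column'
        }

        New-Object PSObject -Property @{
            Platform  = $family
            Bulletin  = $b.Bulletin
            KB        = $b.KB
            Installed = ($installed -contains $b.KB)
            Advice    = $note
        }
    }
}

# Missing patches sort to the top.
Get-PatchStatus | Sort-Object Installed |
    Format-Table Platform, Bulletin, KB, Installed, Advice -AutoSize
```

Run it in an elevated PowerShell prompt on the host you want to check. It is deliberately conservative: a bulletin is dropped only when the column explicitly says the platform is not affected, and an "Installed = False" row is a prompt to confirm against your WSUS or MBSA reports rather than a definitive finding.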

Other updates

 "The Usual Suspects": Updates to the Malicious Software Removal Tool (update is approximately 8.7 - 9.3 MB) and Junk Email filters (update is approximately 2.2 MB). Changed, but not significantly: None.

Updates since the last Patch Tuesday

We did not have any security patches released out of band since the last Patch Tuesday, but there were a large number of out-of-band, nonsecurity patches in late August.

There have been a number of minor items added since the last Patch Tuesday:

Daylight Savings Update for Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008. (The update is approximately 250 KB - 1.3 MB.)

Vista/2008 Application Compatibility Update. (The update is approximately 2.6 MB - 5.5 MB.)

Dynamic Installer Update for Vista and 2008. (The update is approximately 30 KB - 900 KB.)

WSUS 3.0 SP2 - Provides support for Windows 7, Windows Server 2008 R2, and BranchCache. (The update is approximately 85 MB.)

WSUS 3.0 SP2 Dynamic Installer - Allows WSUS to be installed as a server role. (The update is approximately 85 MB.)

Windows 7 Language Pack. (The update is approximately 30 MB - 150 MB per language.)

IE 8 Compatibility View List for Windows 7 and 2008 R2. (The update is approximately 40 KB - 700 KB.)

Fix for "stop errors" while installing Vista/2008 SP2. (The update is approximately 40 KB.)

Changed, but not significantly:

About

Justin James is the Lead Architect for Conigent.