
It's Microsoft Patch Tuesday: September 2009

Justin James presents a rundown on the September 2009 batch of Microsoft patches.

This month's patch release is about average for Microsoft Patch Tuesday, but there were a huge number of out-of-band patches in late August. I'm really not a big fan of that for noncritical security patches. It makes sense, though; the patches are related to Windows 7 and Windows Server 2008 R2, both of which RTMed recently and are just now finding their way onto systems.

By reader request, I am now listing the updates' approximate sizes. I am rounding the numbers, so don't treat the numbers as accurate to the byte; the numbers are meant to let you know if this is worth the download in locations with restricted or metered bandwidth. Please let me know in the forums whether you find this change useful or think it adds clutter to the report.

We are continuing to use our new rating system, where one flag means "patch only if applicable," two flags mean "patch during your next regularly scheduled patch cycle," and three flags mean "patch immediately."

Security patches

* MS09-045/KB971961 - Critical (2000, XP, Vista, 2003, 2008): This patch fixes a flaw in the JavaScript engine of Internet Explorer that allows a remote code execution attack to be performed. Note that Windows 7 and Windows 2008 R2 are not affected by this issue. You should install this patch immediately. There are a few known installation issues, so check KB971961 for details. (The update is approximately 330 KB - 1.2 MB.)
* MS09-046/KB956844 - Critical (XP, 2000)/Moderate (2003): Attackers can take advantage of the DHTML Editing Component ActiveX control to perform a remote code execution attack on Windows 2000, Windows XP, and Windows Server 2003 machines. The attacker gains the rights of the locally logged-on user. You should install this patch in your next patch cycle; it shouldn't be a problem if you disable ActiveX. (The update is approximately 550 KB - 1.2 MB.)
* MS09-047/KB973812 - Critical (2000, XP, Vista, 2003, 2008): This patch corrects two problems in which Windows Media Format files can be used to perform remote code execution attacks. This affects Windows Media Player users, as well as servers with Windows Media Services. Itanium 2003 and 2008 systems and Windows 7 and Windows 2008 R2 systems are not affected. (The update is approximately 1.2 MB - 4.8 MB.)
* MS09-048/KB967723 - Critical (Vista, 2008)/Important (2003): There are a number of issues with the TCP/IP handling in Windows Vista, Windows Server 2003, and Windows Server 2008. On Windows Server 2003, these issues are manifested as denial-of-service attacks; in Windows Vista and Windows Server 2008, the issues are full remote code execution vulnerabilities. Windows XP, Windows 7, and Windows Server 2008 R2 are not affected by this problem. You should install this patch immediately for any system directly connected to the Internet and during the next patch cycle for systems that do not receive packets directly from the Internet. See KB967723 for known installation issues. (The update is approximately 800 KB - 6.2 MB.)
* MS09-049/KB970710 - Critical (Vista)/Important (2008): A problem with the wireless NIC systems on Windows Vista and Windows Server 2008 OSs is allowing remote code execution attacks to occur. Windows XP, Windows Server 2003, Windows Server 2008 R2, and Windows 7 are not affected. This is not a problem for systems without Wi-Fi or with Wi-Fi turned off. If you have a Windows Vista or Windows Server 2008 machine with Wi-Fi, you should install this patch immediately. (The update is approximately 900 KB - 1.5 MB.)
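As an added example (not code from the article, from TechRepublic, or from Microsoft), the PowerShell script below checks which of the bulletins above are present on a machine, using the KB numbers the article gives. It assumes PowerShell 2.0 or later for Get-HotFix and that it is run locally; the advice strings are my condensation of the article's wording, and the second KB for MS09-047 (KB968816) is the ID that bobp's Add/Remove Programs list in the comments shows for the XP package, since the bulletin's own KB number is not always the ID the installed update reports.

```powershell
# Added example (not from the article): report which of the September 2009
# security bulletins are installed on this machine, by HotFix ID.
# Assumptions: PowerShell 2.0+ (Get-HotFix), run locally; Advice strings
# condense the article's wording; KB968816 for MS09-047 is the ID that
# bobp's Add/Remove Programs list shows on Windows XP.

$Bulletins = @(
    @{ Bulletin = 'MS09-045'; KBs = @('KB971961');
       Advice   = 'Install immediately (IE JavaScript engine RCE; see KB971961 for install issues)' },
    @{ Bulletin = 'MS09-046'; KBs = @('KB956844');
       Advice   = 'Next patch cycle (DHTML Editing ActiveX; 2000/XP/2003 only)' },
    @{ Bulletin = 'MS09-047'; KBs = @('KB973812', 'KB968816');
       Advice   = 'Windows Media Format RCE (article gives no timing)' },
    @{ Bulletin = 'MS09-048'; KBs = @('KB967723');
       Advice   = 'Immediately if Internet-facing, else next cycle (TCP/IP; Vista/2003/2008 only)' },
    @{ Bulletin = 'MS09-049'; KBs = @('KB970710');
       Advice   = 'Immediately if Wi-Fi is present (Vista/2008 only)' }
)

function Get-PatchTuesdayStatus {
    param($List = $Bulletins)

    # Get-HotFix reads Win32_QuickFixEngineering, the same data that
    # Add/Remove Programs shows, so only updates that finished installing appear.
    $installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })

    foreach ($b in $List) {
        $found = @($b.KBs | Where-Object { $installed -contains $_ })
        $id = '-'
        if ($found.Count -gt 0) { $id = $found -join ',' }
        New-Object PSObject -Property @{
            Bulletin  = $b.Bulletin
            Installed = ($found.Count -gt 0)
            HotFixID  = $id
            Advice    = $b.Advice
        }
    }
}

# The OS matters: a bulletin the article marks "not affected" for this OS
# (for example MS09-048 on XP) will show Installed = False, which is expected.
'OS: ' + (Get-WmiObject Win32_OperatingSystem).Caption
Get-PatchTuesdayStatus | Format-Table Bulletin, Installed, HotFixID, Advice -AutoSize
```

Run it from an elevated prompt on each OS you manage and read the Installed column against the OS line; a False for a bulletin that does not apply to that OS is not a gap. Get-HotFix and Get-WmiObject are the cmdlets of the 2009-era PowerShell; on PowerShell 7 replace Get-WmiObject with Get-CimInstance.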

Other updates

* "The Usual Suspects": Updates to the Malicious Software Removal Tool (update is approximately 8.7 - 9.3 MB) and Junk Email filters (update is approximately 2.2 MB).
* Changed, but not significantly: None.

Updates since the last Patch Tuesday

We did not have any security patches released out of band since the last Patch Tuesday, but there were a large number of out-of-band, nonsecurity patches in late August.

There have been a number of minor items added since the last Patch Tuesday:

* Daylight Savings Update for Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008. (The update is approximately 250 KB - 1.3 MB.)
* Vista/2008 Application Compatibility Update. (The update is approximately 2.6 MB - 5.5 MB.)
* Dynamic Installer Update for Vista and 2008. (The update is approximately 30 KB - 900 KB.)
* WSUS 3.0 SP2 - Provides support for Windows 7, Windows Server 2008 R2, and BranchCache. (The update is approximately 85 MB.)
* WSUS 3.0 SP2 Dynamic Installer - Allows WSUS to be installed as a server role. (The update is approximately 85 MB.)
* Windows 7 Language Pack. (The update is approximately 30 MB - 150 MB per language.)
* IE 8 Compatibility View List for Windows 7 and 2008 R2. (The update is approximately 40 KB - 700 KB.)
* Fix for "stop errors" while installing Vista/2008 SP2. (The update is approximately 40 KB.)

Changed, but not significantly:


About

Justin James is the Lead Architect for Conigent.

33 comments
knutvm

Searching for MS09-047 KB973812. A search for this patch reveals that Microsoft deny the existence of this Tuesday patch. It appears impossible to track down. Any ideas? Knut M

greg.lambert

I work for a company called ChangeBase. We analysed each of these application and security updates against a portfolio of over 800 applications and found that with this tranche of updates, there were no major application conflicts or dependencies that should affect most application portfolios.

oz_ollie

Thanks for giving some indication of the download sizes, so people can roughly work out how this will affect download limits and time :D

derf24

I like the style of Justin James, but wish he would add the KB numbers in his "Updates since the last Patch Tuesday" section. I'm trying to resolve a problem with KB970653 failing to install. Waiting for MS to get back to me.

ronczap

One of these updates clobbered MS Visual Interdev (Visual Studio 6). I had to uninstall them in order to restore Visual Interdev to a working state.

avoidz

Looks like mostly more Internet Explorer fixes for XP. Not critical for Firefox users?

MaryWeilage

Did you have (or are you having) trouble with this month's patch? Do you find it helpful that Justin included the approximate size of each update?

alan

The above is entitled MS09-047: Vulnerabilities .... Could you have malware blocking your access or redirecting your search ? Alan

Justin James

It's ironic, the editor this month asked about that too. :) I'll start that next month, thanks for the suggestion! J.Ja

ronczap

Applying these updates caused MS Visual Interdev (Visual Studio 6) to crash. Uninstalling the updates allows Interdev to function normally.

alan

avoidz I respectfully disagree.

1. All released Windows operating systems include I.E., and the O.S. uses I.E. even when you think you are safely browsing with Firefox. Just think back a few months. Bad things happened. I think it was Conficker that caught Microsoft flat-footed with no defence, so they instructed that Tools/Security Options should be used to reduce Internet access whilst they invented a fix - that was needed even for Firefox users. Firefox suffered restrictions to downloads whilst the I.E. security options were thus. Even though I.E. browser was NOT open, its malignant effect was still present. If I.E. is able to have a beneficial effect against Conficker, even for users of Firefox, then I am sure that all the malware on the internet which can penetrate I.E. vulnerabilities will be able to drive a coach and horses through I.E. to the heart of Windows, even whilst the user thinks he is safely using Firefox.

2. With malice and forethought, and clever anticipation of a Eurocrat decision that Windows 7 must be available WITHOUT I.E. etc., Microsoft have hacked a large percentage of Firefox installations via a "security update", and many victims are unaware they have been hacked - it was secretly installed without permission. As evidence I cite the Firefox forum http://forums.mozillazine.org/viewforum.php?f=38 This forum gives help to Firefox users who post their problems. I see that a large percentage of those users have a browser string that concludes with something like "Firefox/3.5.2 (.NET CLR 3.5.30729)". I understand that ".NET CLR ????" is the footprint of ".NET Framework Assistant", as revealed in http://windowssecrets.com/2009/06/04/02. At least some of those users are unaware that they have this unrequired infection. I cannot help wondering how many of those people would have avoided problems had this malware not sneaked on-board. I do not trust M.S.; they play dirty. In my view M.S. cannot make I.E. as secure as Firefox, so they try to degrade Firefox down to their level. I always keep I.E.7 fully up to date with genuine security patches, but reject non-security "improvements" that are bundled along for the Patch Tuesday Gotcha.

n.b. Twice they have offered to download and install Silverlight. Each time I rejected their offer. Each time they held back for another day BUT THEY STILL DUMPED THE SILVERLIGHT EULA on me. I think that gives them AND THEIR PARTNERS (who were not defined) the rights to :- download and install additional software; trawl my P.C. for information which they can then upload and share with one another. Paranoid Alan

alan

Update notification for KB967715 said it was only 960 K to 3.0 MB. ...\SoftwareDistribution/Download got 17.6 MB in 24 files, and installation added 18.1 MB in 17 more files. I then found 4 different and new versions of SHELL.DLL scattered around C:\, each taking another 8 MB. M.S. promised less than 3.0 MB, and gave me 68 MB, merely to stop a hacker from plugging malware into my USB!! Had I known the truth I would not have wasted time on it. I had to restore C:\ from the Acronis partition image I made as my customary precaution before allowing any Patch Tuesday on-board, BUT FIRST I plugged in an ancient installation C.D. and the patch did nothing to stop it auto-running, but my Comodo Firewall took up the slack and gave me due warning and protection. Alan

Ron_007

A week and a half ago, on Friday, one of those out-of-band patches trashed my Vista (SP2 with all of August's Tuesday patches) installation. It downloaded without permission, installed at shutdown, then failed on the Step 3 validation step on reboot. It went into a "permanent" failure-reboot cycle. I tried all of the safe modes on restart with no luck. Ended up re-installing.

Justin James

Here's what I learned last night:

* IE 8 has now been released to 2008 via WSUS; if you choose to install it on your servers, expect to go through two reboot cycles, one to install it, the second to patch it.
* I also installed Exchange SP2 last night (it has not been released via the update system at this time). It went VERY smoothly, and VERY quickly (about 40 minutes to install, pretty good as far as these things go). That being said, today I got a complaint that a large email was being blocked. Somewhere along the way (probably, but not definitely, the SP2 install), all of my message size limits had become reset to the defaults.

Hope this helps! J.Ja

knutvm

Alan, I do not think so. Searching Google shows that I'm not alone with this problem. I installed two other security patches, but they completely upset my system to the point that several programmes would not work. I reverted to an earlier restore point to get out of the mess. Never had to do that before. My OS is XP Pro. Knut

bobp

How do I uninstall this change to Firefox? I downloaded what I thought was a security update. The three updates I show for yesterday in the Add/Remove Programs list are:

Security Update for Windows Media Player (KB968816)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB971961)

Thanks.

Justin James

... not actual install size. If you want me to give actual install size, this article would take DAYS to produce in order to test the unpacked/installed size on every combination of OS... J.Ja

heavener

I hate to say it -- but thank heavens someone else experienced this. I thought it was my fault that I had to format the C:\ drive and reinstall Vista. Darned inconvenient and time consuming to reinstall all the apps and utilities, too.

stylin19

Dell PC attempts to fix startup problems after the last batch of patches. Basically goes into an infinite loop. This Dell configuration allows driver signing to be disabled at startup, then I can start fine. But the disable is not permanent. The Fix Startup app has an Error report that shows driver errors but doesn't show from where. Event log appears to tell me that it was the media 11 patch that whacked me, though I really can't be sure. I've decided to do a recovery restore to 9/8/08 and I am adding the updates one at a time. Is there any way for me to tell absolutely which drivers are preventing startup? I thought my tweaking days were over (sigh). Thanks

knutvm

Alan, I think we are at cross purposes. I had already been down the link you gave me, but the patch would not download. A search on Google showed that others were having similar trouble. The Tuesday Patch advice I'm referring to mentioned 3 patches which should be installed. The one about which we are discussing would not download, and the other two installed OK, but messed my system up. After that experience I'll refrain from doing any manual patch installations. My problem is that I do not use IE and find that Windows auto updates does not like using competition browsers - well, certainly not OPERA. I think I'll leave the matter alone, but thanks for responding. Knut

alan

I based my reply upon the facts that :- 1) I understood you were unable to find on the Microsoft site the information that I got within 1 minute, 2) Less than a year ago we had Conficker, and the earliest D.I.Y. test was to click on the links to about 4 different anti-virus sites to see if Conficker was preventing access, 3) Other things can follow in the footsteps of Conficker, and it was possible that something nasty knew that a rarely applied patch was available to kill it so it blocked your access to that patch. You never said anything about any problems with your P.C. I fully accept that M.S. updates have trashed computers in the past, and will do so in the future. I gave you the link which shows that M.S. acknowledge the existence of kb/973812; they do not deny it. Is your NEW complaint that they deny that it does harm? Alan

Ocie3

You should read the comments about the Firefox extension "Microsoft .NET Framework Assistant", and decide whether you want to remove it, at the link that Alan gave: http://windowssecrets.com/2009/06/04/02 There was a big stink over the fact that Microsoft installed the initial release of that extension without explicitly asking each Firefox user for permission. The "Uninstall" button was greyed-out, and a security flaw was allegedly found later. A case can be made that the "Click Once" concept that is instantiated by the extension (and for .NET applications) is, inherently, itself a security vulnerability, therefore the extension should be uninstalled. Since then, Microsoft issued an update to repair the extension and now it shows as ver 1.1 with the Uninstall button usable. So, if you have maintained your Windows installation with Microsoft's updates, you should be able to just use the Uninstall button to remove that extension, if that is what you want to do. Else, follow the suggestions in the article on Windows Secrets.

Frankly, I don't think that Paranoid Alan's comments refer to, or apply to, the September 2009 Patch Tuesday updates that you mention.

(1) Security Update for Windows Media Format Runtime 9, 9.5 & 11 for Windows XP SP 3 (KB968816): This is critical for anyone who *ever* runs Windows Media Player, regardless of whether they run Firefox or I.E. See http://www.microsoft.com/technet/security/bulletin/MS09-047.mspx

(2) Security Update for Windows XP (KB956844): Although it is critical, you might skip this one, but you could regret it later. There is no reason that I can find to not install it. See: http://www.microsoft.com/technet/security/bulletin/MS09-046.mspx

(3) Security Update for Jscript 5.8 for Windows XP (KB971961): This corrects a critical flaw in the JavaScript engine. The IE rendering engine is embedded in Mozilla/Firefox; that probably includes the Windows JScript engine. The Firefox IE Tab extension allows you to use the embedded IE engine to display webpages as they would look if you were running IE :-). I would install this update, if only because I use the IE Tab add-on fairly often, but you might need this fix even if you don't use that extension. See: http://www.microsoft.com/technet/security/Bulletin/MS09-045.mspx

Note: "critical" means that a vulnerability can be exploited to take control of your computer. If you want to gamble, then don't complain to me if you lose the game.

alan

Seanford. I do NOT DISagree with your statement that "...the numbers are meant to let you know if this is worth the download in locations with restricted or metered bandwidth." Why do you refuse to accept your own statement? Do you dispute that I saw 17.6 MB of stuff arrive instead of the promised 3 MB? Can you explain how a 3 MB download could contain two different flavours of an 8 MB shell32.dll? I have just unhidden the unwanted KB967715 and allowed it to download, and I cancelled the installation and found a brand new folder C:\WINDOWS\SoftwareDistribution\Download\55ae228715888b68a08f491655790fa6 which contains sp3qfe and sp3gdr folders each with an 8 MB shell32.dll, plus various other files :-

update 1,282,973 16/09/2009 16:08:44
sp3qfe 8,461,824 16/09/2009 16:08:44
sp3gdr 8,461,312 16/09/2009 16:08:44
backup 0 16/09/2009 16:08:42
_usedelta_.state 34 16/09/2009 16:08:42
susdl.rq0 279 16/09/2009 16:08:30
_downloadprogress_.state 4 16/09/2009 16:08:30
_unpacked_.state 34 16/09/2009 16:08:14
WindowsXP-KB967715-x86-ENU.psm 2,673 11/02/2009 05:52:28
spuninst.exe 231,288 09/07/2008 08:38:26
spmsg.dll 17,272 09/07/2008 08:38:24

Incidentally, I have never known an MSI to do its job and then delete itself. What I have known was Windows (LIVE?) Messenger that was often being updated, and the update depended upon the presence of the previous installer, after which the previous installer was retained with all the earlier installers together with the latest installer. Alan

seanferd

but they say nothing.

KB967715
Size according to download page: 3.0MB
Queried size: 3067KB
File size after download: 2.99MB

Mind you, for this download, most of it is an installer which does not stay on your system. Now, I'll agree that MS is full of it much of the time - I'm no MS fanboy. But this file-size-lies stuff is inaccurate and over the top. Why not focus on something they do that is actually wrong. Many things to choose from.

alan

Justin, please note that I do NOT accuse you of having told lies. I am concerned that M.S. publish lies and would prefer that you test their veracity by observing the size of a download to any machine of your choice before publishing. The M.S. lie was also seen by ianeggbert on http://forum.kitz.co.uk/index.php?topic=4494.0 But you are correct in that the latest version from M.S. no longer suggests that 960 KB is feasible. When I requested you to "accept the update download on a "standard" configuration", I only meant to a single P.C. with a single operating system of your choice - not the results for everything after WIN95. I can quickly learn the relevant scaling factor for my XP Home w.r.t. whatever O.S. you are using. On 25/02/2009 I recorded exactly what appeared with the download notification, and also recorded the size of the downloaded file as 17.6 MB. I have no independent verification of size, BUT I also recorded that after installation I had scattered around C:\ another 4 new 8 MB files named SHELL32.DLL. I think there were at least two flavours, and I had one flavour in system32 plus dllcache, and a different flavour in C:\WINDOWS\$hf_mig$\KB???\SP3QFE. If I received two different flavours of SHELL32.DLL in the download, I think it probable I was measuring 17.6 MB on the relevant download item. Incidentally, I now have 9 instances of shell32.dll in system32 and also $hf_mig$\* etc. I think if I removed all the backup/reversion files I could cut my system down from 6 GB to 2 GB, but I agree with the Microsoft philosophy - as soon as any backup/backtrack capability is removed, the system will crash!! Regards Alan

Justin James

Alan - I've not been able to see anywhere that particular KB listed at those numbers... not in my article, not on the consolidated Microsoft bulletin, and not in the KBs. The Microsoft consolidated bulletin lists the correct numbers as do the download pages for each individual version of the files, I checked earlier today. So, I suspect that you looked at the wrong thing to get that "960 KB - 3 MB" number. J.Ja

alan

The notification stated that KB967715 was between 960 K to 3.0 MB. What actually arrived was 17.6 MB dumped into C:\WINDOWS\system32\SoftwareDistribution\Download. 84% of that 17.6 MB is a lie. I do not see how that 14.6 MB lie arrived if it was not delivered as part of the download which is relevant to "locations with restricted or metered bandwidth."

To add insult to injury, I seem to recall the whole thing was a total waste of time because M.S. totally failed at that attempt. I think they STUPIDLY decided when first inventing XP to use AUTO-RUN registry keys that DIFFERED between XP HOME and XP PRO, and that code was never effective, and the hotfix/patch/whatsit I am referring to totally misfired because they forgot which keys were used on which flavour of XP, so they did it all over again a few weeks later.

I would like, BUT NOT NEED, the installation size. I will be fully satisfied with the truth of the download. You tell me a download is 17.6 MB and I will say *5 because installation will involve at least two flavours of code variants and two more lots of hotfix unfix whatevers, and perhaps something for dllcache - and that is 88 MByte just to stop a hacker from sneaking into the house and plugging in a Flash drive - I do not think so. NB there is only one FLASH in this house, and it stays here, never visiting other P.C.s. Due to careful organisation and pruning of bloat, it takes about 3 minutes to create a FULL image of C:\ once a month, and 1 minute to create a DIFFERENTIAL image once a day. I do not intend to waste precious minutes from my remaining life by archiving unwanted bloat.

I do read the KB articles, but I think that gave the same lie as the notification. My purpose in reading is to decide upon relevance to my needs. I want SECURITY and thought that was the purpose of Patch Tuesday, but find that many "SECURITY" updates fix vulnerabilities in OFFICE products that were never installed here, and there are many other NON-security downgrades bundled in such as SilverLight. Alan

Justin James

Alan - I'm sorry, but even that will not be possible. You see, I get this information the moment it is released. Often, it will take hours for the updates to appear in Windows Update for download. Even worse, you are *still* asking for me to maintain a copy of 2000, XP, Vista, W7, 2003, 2008, and 2008R2, perform this sequence on each and every one of them... I'm sorry, but that's not reasonable in terms of time. Finally, I wish I knew why you are upset about KB967715. I *never* reported the file size for that update! Looking at the Microsoft bulletins, they accurately report the numbers (I confirmed by manually downloading each version of the patch). I may add, their numbers are (roughly) in line with yours, give or take a few MB. So to be honest, I think that you are getting really amped up over "Microsoft lies" as a matter of confusion. J.Ja

seanferd

The whole point of mentioning file size at all is for people with limited or expensive bandwidth. "...the numbers are meant to let you know if this is worth the download in locations with restricted or metered bandwidth." Exactly what lies are in the post? What truth do you seek? And what information about the size of an installation is so vital? If you actually need to know anything about the patches, reading the relevant MS KB articles would be your best bet. There is a lot more critical information than file size available that will help you know what to look for when testing these patches prior to deployment on your production hardware.

alan

I am happy to withdraw my request for the complete truth to expedite timely delivery of vital information. BUT please at the least accept the update download on a "standard" configuration, and without wasting time on installation, measure the increase in disc space taken by the folder C:\WINDOWS\system32\SoftwareDistribution\Download. My PC downloaded 17.6 MB when getting KB967715, even though the notification promised 960 K to 3.0 MB. Alan
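The measurement Alan asks for above (how much Windows Update actually stages under SoftwareDistribution\Download for one approved update, compared with the size range quoted in the notification) can be scripted; the PowerShell below is an added example, not code from the thread or from Microsoft. It assumes the folder path Alan cites, resolved through $env:SystemRoot, and that each download lands in its own hashed subfolder as in his 55ae2287... example, so only subfolders created after the snapshot are counted. The quoted range for KB967715 is the one Alan reports; the folder can also hold other pending updates, which is why the per-folder breakdown is printed.

```powershell
# Added example (not from the thread): measure what Windows Update staged
# under SoftwareDistribution\Download for one update and compare it with the
# size range the notification quoted (KB967715's "960 K to 3.0 MB" here).
# Assumptions: the folder path from Alan's comment under $env:SystemRoot;
# each download is staged in its own subfolder created after the snapshot.

function Get-FolderSizeMB {
    param([string] $Path)
    # Sum file sizes only; directories have no Length of their own.
    $sum = (Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            Measure-Object -Property Length -Sum).Sum
    if (-not $sum) { $sum = 0 }
    return [math]::Round($sum / 1MB, 1)
}

$downloadRoot = Join-Path $env:SystemRoot 'SoftwareDistribution\Download'
$quotedLowMB  = 0.96   # "960 K" from the notification Alan quotes
$quotedHighMB = 3.0

$start = Get-Date
Read-Host 'Approve the update now; press Enter once Windows Update reports it as downloaded (before installing)'

# Only subfolders created after the snapshot belong to this download;
# anything older is a previously staged update and is left out.
$newFolders = @(Get-ChildItem -Path $downloadRoot -Force |
    Where-Object { $_.PSIsContainer -and $_.CreationTime -gt $start })

foreach ($f in $newFolders) {
    '{0}: {1} MB' -f $f.Name, (Get-FolderSizeMB $f.FullName)
}

$total = ($newFolders | ForEach-Object { Get-FolderSizeMB $_.FullName } | Measure-Object -Sum).Sum
if (-not $total) { $total = 0 }
'Staged for this download: {0} MB (notification quoted {1} - {2} MB)' -f $total, $quotedLowMB, $quotedHighMB
if ($total -gt $quotedHighMB) {
    'Staged size exceeds the quoted range; check whether more than one update was approved.'
}
```

Take the snapshot before approving the download and cancel the install before reading the numbers, since, as seanferd notes, the installer cleans most of the staged files up after it runs; the per-folder lines show whether a second pending update was swept into the total.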

SirWizard

Not quite a month ago, I had the same experience during a Vista patch. Blue screen of death, then a permanent can't-read-the-drive state. The drive manufacturer took the blame as possibly a result of the drive's "ancient" firmware (drive built in March 2009.) The drive manufacturer updated the firmware to the very latest and ran extensive testing on it. Rather than reinstalling Vista, I put in Windows 7 (RC). Fortunately drive C held only the OS and apps, no data, so I only lost time and effort.

ian3880

The easiest way around re-installation is to make an image onto a spare hard drive BEFORE doing this sort of thing. (I make an image once a week). When things go seriously pear-shaped, just copy your image back to your computer and all will be as it was when you made the image. There are lots of imaging programs around. I had trouble with Norton's Ghost, so I am presently using a program from O&O Software called O&O Disk Image [http://oo-software.com/home/en/products/oodiskimage/]. Works for me.

Justin James

... other than uninstalling them all and reinstalling them one at a time. That being said, if the crash is happening due to the Media patch, it probably is the sound or video driver (which are also the ones that change the most, and can cause an awful lot of instability). J.Ja
