It's Microsoft Patch Tuesday: September 2012

Deb Shinder gathers the information you need to make the right deploy decision when applying Microsoft's September 2012 patches in your organization.

Greetings, patchers. Some of you already know me from the many articles I've written for TechRepublic and other web sites, and I'm going to be taking over this column from my friend, Justin James, whose "day job" interfered.

Summer is over, the kids are back in school, the weather is (finally) cooling off, and most of us are experiencing the calm before the storm of the holiday season. Things are unusually quiet on the security update front at Microsoft, as well. Coming off the beefy slate of critical and important patches released in August, IT pros responsible for updating can take a breather this month. Don't get too comfortable, though - in October we're expecting Microsoft to release a major update invalidating certificates with short keys (under 1024 bits).

This time, though, we're looking at only two security bulletins addressing four issues, and none of them address vulnerabilities in Windows, Office, IE or the other "usual suspects." None of the issues are rated as critical, either. However, those who have deployed Visual Studio Team Foundation Server 2010 SP1, or Systems Management Server 2003 SP3 or System Center Configuration Manager 2007 SP2, will need to take note.

You'll also notice that Windows 8, Windows RT and Windows Server 2012 have crept into the list of updates, although the fix is a non-security issue.

This blog post is also available in PDF format in a TechRepublic Download. Falling behind on your patch deployments? Catch up with previously published Microsoft Patch Tuesday blog posts.

Security Patches

MS12-061/KB 2719584 - Important (Microsoft Visual Studio Team Foundation Server 2010 SP1): There is a vulnerability in the code of all supported editions of Visual Studio Team Foundation Server 2010 that could enable an attacker to elevate privileges if a user visits the attacker's website that has been set up to exploit the vulnerability. Users would typically be tricked into visiting the malicious website by clicking a link in email or an IM. If you don't have Visual Studio Team Foundation Server 2010 installed, you don't have to worry about this patch. Older versions (2005, 2008) are not included, nor are any editions of Visual Studio itself.

MS12-062/KB 2741528 - Important (Microsoft Systems Management Server 2003 SP3 and System Center Configuration Manager 2007 SP2): This one will affect many IT shops still running previous versions of SMS and SCCM. This vulnerability in SMS 2003 and SCCM 2007 works the same way as the Visual Studio Team Foundation Server problem discussed above; visiting an affected website could result in elevation of privilege. Elevation of privilege attacks can be used to do anything an administrator can do: access or destroy data, make changes to the system, install malware, etc. If you're running System Center Configuration Manager R2 or above, you don't have to worry about this one.

Other Updates/Releases

KB2736233 - This is classified as non-security content by Microsoft but it's an update rollup for ActiveX Killbits for Windows 7, Vista, Server 2008 R2, Server 2008, Server 2003 and Windows XP that addresses security issues in ActiveX controls that could enable an attacker to take control of a system running Internet Explorer.

KB2719857 - Update for Windows 7 and Windows Server 2008 R2 to resolve issues relating to using a USB Remote Network Driver Interface Specification (RNDIS) device to connect to a 3G or 4G network.

KB2735855 - Update for Windows 7 and Windows Server 2008 R2 to resolve issues with slow network connectivity when running an application that was developed using Windows Filtering Platform (WFP) API.

KB2741355 - Update for Windows 7 and Windows Server 2008 R2 to resolve issues affecting Windows Live Movie Maker on a computer with a graphics card that only supports DirectX 9.

KB2744129 - Update for Windows Server 2008 R2 x64 to resolve issues with Windows 8 or Windows Server 2012 virtual machines running in Hyper-V.

KB2751352 - Update for Windows 8, Windows RT and Windows Server 2012 to resolve an issue with changing file associations for shortcuts.

KB890830 - As usual, Microsoft released an updated version of the Malicious Software Removal Tool (MSRT).

Updates since the last Patch Tuesday

There were no security updates released out-of-band since August 14, 2012.

About

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...

17 comments
walter.underwood

I also value this article greatly. The article itself may not give much more information than I could find hunting around at Microsoft, but if anyone is having trouble with the patches, there are comments here saying so. THAT information is so important to me. We do not have multiple backup systems and test systems, so knowing ahead of time that a patch may be trouble is invaluable to me. I have seen patches here that had a little danger ICON next to them because people have had issues with it. It has saved me a ton of time and effort to come here before running updates on my 30+ servers and 100+ machines. Thank you for continuing this.

jimmyhelu

This month's Patch Tuesday will plug up less than a dozen vulnerabilities -- 11, to be exact -- in various flavors of Windows, Microsoft Office,

richardao

Update rollup for ActiveX Killbits... and Malicious Software Removal Tool for Sept. The info provided on these two updates tells me no more than provided by Microsoft. After reading the information provided by Microsoft a search for more (I thought) on the updates brought me to here. When someone writes about Microsoft Updates I expected more than a copy of information provided by Microsoft. You could save people time by listing the Update and Update # - and: for information please read the "Details" provided by Microsoft. Sincerely, Richardao.

bulldurn

So that being said; and as Joe mentions, these articles are of great value to all of us.

pgit

I agree with J.Ja, well written. I also agree with the sentiment that this column is one of the more useful tidbits out here in cyberland. I appreciate it immensely. So is J.Ja gone entirely? Or will he write the occasional article when time permits? He's been one of the most trustworthy voices I've found in the tech world. I hope his 'real job' knows what an asset they have in him and are compensating accordingly. :)

Who Am I Really

hope it's a good experience for ya !! when I open the win update window on my win7 x64 today I see 4 + MRT.exe > I also see KB2727727 (Skype 5.10 for windows) I guess they'll be pushing it, now that they own it even if I don't want it

rpatton

A disaster area for Access applications, crashes, missing DLLs, missing commands (which) still exist. This is rather surprising, since MS has traditionally supplied a migration program. Any suggestions?

rpatton

Mail merge does not work after installation of Office SP3. Anyone else having this problem or a solution? I can't uninstall SP3 and need to do mail merges all the time. Thank you for this column, it is very helpful, you guys are great!

Developr

Yes, I second the previous comments about the time-saving value of having a brief summary describing the impact of newly released patches. Thank you Deb!

jnickell

We appreciate this series continuing. It is valuable to those of us who wear multiple hats and need a quick summary of what's coming our way.

joe_ramos

We value these articles as it makes our lives that much easier to review summaries on patch Tuesday.

Chaz Chance#

One of the deciding factors for my company eventually moving to W8 will be based on virtualisation. It's good to see Microsoft dealing with issues early on, because it promises a stable future.

Gisabun

First of many fixes for Windows 8. :-) Doesn't seem too critical. Wonder if there is a fix for mapping drives yet.

Justin James

Deb - Thanks for doing such a good job on this! I felt a lot better when Mark told me you were the one who would be handling it. J.Ja

Mark W. Kaelin

Are the Microsoft patches giving you trouble this month? Your peers can help - describe the problems you are having.

pgit

This happens to be a light update. Read some of the past posts and you'll see a lot of extra info, namely who is most affected, and what the real priority is. For example, J.Ja often distinguished between updates that MS deemed "critical." Some he pointed out could wait for your next normal update cycle, but others he would suggest be done immediately. Microsoft didn't provide that kind of advice, they had listed all equally as "critical." J.Ja and now Deb look into these updates, consider the real world implications and make recommendations. They aren't alarmist, either. It would be easy to say that all updates should be done immediately, like MS does. Stay tuned, next month promises to be a bigger update, there'll be more for Deb to dig through. I look forward to her expert perspective. :)

jcbronson

Thank you, Deb, for carrying the torch. These articles are the perfect reference for a fast explanation to my users about the monthly updates and help prevent the F.U.D. that would otherwise hold back valuable patching.
