It's Windows Patch Tuesday: April 2009

Justin James presents a rundown on the April 2009 batch of Microsoft Windows patches. He wades through the available resources and brings you the information you need to make the right decision on applying them in your organization.

This is the April 2009 edition of TechRepublic's Patch Tuesday update. I hope you haven't been getting as many "April showers" as I have been lately!

We've got some really important news for you to know: IE8 is now officially out, and it will inevitably end up in the "Windows Update" system. I cannot emphasize enough that you will want to block this if you are not ready for it. If you are using WSUS, do not approve it for installation if you are not prepared to deploy it. Thankfully, it is not a "security" or "critical" update, so it will not auto-approve or auto-install unless you have your Windows Update or WSUS set to a very liberal policy. There have also been an unusual number of mid-cycle patches, all of a noncritical nature.
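The WSUS advice above (do not approve IE8 until you are ready) can be enforced from the WSUS server itself. The following PowerShell script is an added example, not code from the article or from Microsoft; it uses the WSUS 3.0 .NET administration API to find updates whose title or description matches "Internet Explorer 8" and, only when run with `-Commit`, declines those that are not yet approved. Declining is stricter than leaving an update unapproved (it hides the update from the approval lists), but it is reversible: approving the update later un-declines it. It assumes the WSUS server is local and reachable without SSL; pass server name, SSL flag and port to `GetUpdateServer()` for a remote or SSL-only server.

```powershell
# Added example (not from the TechRepublic article): decline any unapproved WSUS
# update matching a title pattern so it is never offered to clients until you
# choose to roll it out. Run on the WSUS server as a WSUS administrator.
# Assumption: local WSUS server, HTTP on the default port.

param(
    [string]$TitlePattern = "Internet Explorer 8",
    [switch]$Commit        # without -Commit the script only reports what it would decline
)

[void][Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# SearchUpdates matches the pattern against update title and description.
# Only updates that are neither approved nor already declined are candidates.
$candidates = $wsus.SearchUpdates($TitlePattern) | Where-Object {
    -not $_.IsDeclined -and -not $_.IsApproved
}

if (-not $candidates) {
    Write-Host "No unapproved, undeclined updates match '$TitlePattern'."
    return
}

foreach ($u in $candidates) {
    # KnowledgebaseArticles holds the bare KB numbers associated with the update
    $kb = ($u.KnowledgebaseArticles | ForEach-Object { "KB$_" }) -join ","
    if ($Commit) {
        $u.Decline()
        Write-Host ("DECLINED       {0}  [{1}]  {2}" -f $u.Id.UpdateId, $kb, $u.Title)
    } else {
        Write-Host ("WOULD DECLINE  {0}  [{1}]  {2}" -f $u.Id.UpdateId, $kb, $u.Title)
    }
}
```

Run it once without `-Commit` and read the list: the pattern is a free-text search, so it will also match IE8-related items such as language packs or the compatibility list update, and you may want to narrow `-TitlePattern` before committing.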

Previous TechRepublic Microsoft Windows Blog posts in the Patch Tuesday series are available on the Special Reports search page.

Security patches

  • MS09-010/KB923561 - Important (XP, 2000, 2003): There are four bugs (two previously disclosed publicly, two previously undisclosed) in the handling of several word processing formats that can allow remote code execution. The affected files are Office, RTF, Write, and WordPerfect documents, and the exploit is triggered when they are opened in either WordPad or Word. For Word 2000 users, this is a "Critical" bug; for Word 2002, Office Converter Pack, and WordPad it is "Important." Until you install this patch, do not open these types of documents from "untrusted" sources. There is a known issue with this patch around opening Word 6.0 and Write documents; read this KB article for more details. Frankly, I think that this patch is a "must install" despite the "Important" label; too many people open documents from all over the place. It affects 32-bit, 64-bit, and Itanium versions of Windows.
  • MS09-011/KB961373 - Critical (XP, 2000, 2003): This patch closes a hole that lets attackers execute a remote code execution attack through MJPEG files; the bug is in DirectX 8.1 and 9.0x. Users with restricted accounts will possibly not be quite as impacted should they encounter one of these files. You should install this patch immediately. It affects 32-bit, 64-bit, and Itanium versions of Windows.
  • MS09-012/KB952004/KB956572 - Important (XP, Vista, 2000, 2003, 2008): This patch resolves four holes in Windows that have already been publicly disclosed. These holes allow an attacker who is already logged on to the system to escalate their privileges and take full control of the system. Seeing as the attacker already needs to be logged on and able to run code, this is not a "drop everything you are doing and install this patch!" item, but you should definitely include it in your next update push to the desktops. It affects 32-bit, 64-bit, and Itanium versions of Windows as well as Windows 2008 Server Core. If you are running XP, Vista, 2003, or 2008, check this KB for known issues around some settings that may not be preserved after deploying the patch.
  • MS09-013/KB960803 - Critical (XP, Vista, 2000, 2003, 2008): This patch addresses three bugs in the Windows HTTP Services system; one of them allows remote code execution that enables an attacker to completely own a system. This is a "must patch" item for all Windows systems. Note that this is not an "IIS" bug! It affects 32-bit, 64-bit, and Itanium versions of Windows as well as Windows 2008 Server Core. You may see some problems with NTLM authentication if you use IPv6 addresses after installing the patch.
  • MS09-014/KB963027 - Critical (XP, Vista, 2000)/Important (2000, 2003): This is a cumulative security update for Internet Explorer 5, 6, and 7. Some of the fixes address already public bugs, and some deal with privately disclosed exploits. You should install this patch immediately. Users with IE8 do not need this patch. It affects 32-bit, 64-bit, and Itanium versions of Windows. You may see some problems with NTLM authentication if you use IPv6 addresses after installing the patch.
  • MS09-015/KB959426 - Moderate (XP, Vista, 2003, 2008)/Low (2000): This patch takes care of a problem with the Windows SearchPath function that could enable an escalation of privileges. The exploit has a rather convoluted attack vector with a lot of "if the user does this" type items involved, which is why the security rating is so low. Include this in your next scheduled push of patches; there is little reason to scramble on this one. It affects 32-bit, 64-bit, and Itanium versions of Windows as well as Windows 2008 Server Core. Check the KB article if you have issues with an XSI 5.0 application not loading after the patch is installed.
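To check whether a host has the six security bulletins above, the following PowerShell script is an added example (not from the article or from Microsoft). It reads the installed hotfix list with `Get-HotFix` (PowerShell 2.0 and later) and applies the applicability notes from the list above: either KB satisfies MS09-012, and MS09-014 is not needed once IE8 is present, which the script detects from the IE version value in the registry. The KB numbers are the ones the article gives. Two caveats: `Get-HotFix` reports Windows servicing data only, so the Word/Office Converter Pack component of MS09-010 (an Office update) is not visible to it, and IE cumulative updates can appear with a suffix such as `KB963027-IE7`, which is why the comparison is by prefix.

```powershell
# Added example (not part of the article): report which April 2009 security
# bulletins are missing on the local machine. Exit code 1 if anything is missing.
# KB numbers are those listed in the article; hotfix IDs are matched by prefix
# because IE updates are recorded with a component suffix (e.g. KB963027-IE7).

# Bulletin -> KBs, any one of which satisfies the bulletin
$bulletins = @{
    "MS09-010" = @("KB923561")
    "MS09-011" = @("KB961373")
    "MS09-012" = @("KB952004", "KB956572")
    "MS09-013" = @("KB960803")
    "MS09-014" = @("KB963027")
    "MS09-015" = @("KB959426")
}

$installed = Get-HotFix | ForEach-Object { $_.HotFixID }

# IE version from the registry; MS09-014 applies to IE 5, 6 and 7 only
$ieKey     = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Internet Explorer" -ErrorAction SilentlyContinue
$ieVersion = if ($ieKey) { $ieKey.Version } else { "unknown" }
$hasIE8    = $ieVersion -like "8.*"

$missing = @()
foreach ($b in ($bulletins.Keys | Sort-Object)) {
    if ($b -eq "MS09-014" -and $hasIE8) {
        Write-Host ("{0}: not applicable (IE {1} present)" -f $b, $ieVersion)
        continue
    }
    $found = @()
    foreach ($kb in $bulletins[$b]) {
        if ($installed | Where-Object { $_ -like "$kb*" }) { $found += $kb }
    }
    if ($found.Count -gt 0) {
        Write-Host ("{0}: installed ({1})" -f $b, ($found -join ","))
    } else {
        Write-Host ("{0}: MISSING ({1})" -f $b, ($bulletins[$b] -join " or "))
        $missing += $b
    }
}

if ($missing.Count -gt 0) { exit 1 } else { exit 0 }
```

The non-zero exit code makes the script usable from a login script or a monitoring job; a "MISSING" line for MS09-010 on a machine that only has the Office component installed is expected, given the `Get-HotFix` limitation noted above.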

Other updates

  • KB969058 - Important (IE8 on Vista x64): When you disable IE8 on 64-bit Vista, the "Internet Explorer (No Add-ons)" shortcut does not get removed; this patch fixes that.
  • KB944036 - High Priority (IE8 on XP, Vista, 2003, 2008): This is a big one: Internet Explorer 8 is now a patch/release item. Be aware! Thankfully, the priority/classification should not make it automatically install.
  • "The Usual Suspects": Updates to the Malicious Software Removal Tool and Junk E-mail filters.
  • Changed, but not significantly: None on this Patch Tuesday.

Updates since the last Patch Tuesday

There have been a number of minor items since the last Patch Tuesday:

About

Justin James is the Lead Architect for Conigent.

17 comments
msiska

I think its great.

tim_cooper

MS09-014/KB963027 caused our ADP software to stop working

all_starsteel

What is up with the hate over IE 8? I have it deployed on a few workstations and I have yet to see any problems.

michaels.perry

Be aware that installing Internet Explorer 8 is potentially highly dangerous! Some people just do not want IE8, so they need be aware that an Automatic install will put IE8 on their systems - or will try to when it becomes part of the patch scheme! Others will find that IE8 does not install properly and a few have reported that some systems are unrecoverable! 2 out of my 3 PCs, ostensibly the same, will load IE8 but the other doesn't and has to be rebuilt!

john.tate

Here is a summary of the results from our ACL (application compatibility lab). After loading the ChangeBase AOK application testing portfolio into a Patch Impact database, all seven patches were tested for application level issues and, in addition, application dependencies. Only one update (MS09-014) raised a significant number of issues across a small number of applications across the ChangeBase Patch Testing Application portfolio. Full results at http://www.changebase.com/news/news_release_2009_04_14.html

Justin James

Sorry folks, I made an error when reading Microsoft's information; I thought that it was indicating the IE 8 release was added to the automatic updates system. This is *not* the case. Regardless, if you wish to make sure that IE 8 does not get through automatic updates, the information in the article is correct, just a bit early. Sorry for any elevated heart rates I may have caused! J.Ja

Mark W. Kaelin

As was discussed earlier in the Windows Blog, the update to Internet Explorer 8 is more than a little troublesome. Have you had difficulty with this set of patches?

madmandoug1

Lately - on all 3 of my systems - IE7 started hanging and sometimes it would not load the first time I tried to run it (on XP Home). Once it got into RAM the first time it worked a little better. It also seemed to work a little better on my XP Pro system. I finally got tired of watching "connecting" and tried IE8 on one of the XP Home systems. It seems a little more bloated but at least it loads every time. The only thing I don't like about it is when you try to open new tabs in a browsing session, it takes a lot longer to load than it did in IE7. It does show you thumbnails of the last 9 web pages you viewed after the new tab opens, but I don't know how often I'll use those links. As always, time will tell.

john.tate

If you would like to run your ADP app through AOK and see the results, we would be happy to do this at no charge and we could publish the results on this site. You would need to download the app to our secure server. We can talk you through this process: john.tate@changebase.com

toreador

I agree. I had far more problems with IE 7 than I am having with IE 8.

toreador

I have installed it on some of my test machines and all of my personal machines and like it better than IE 7. What problems are you folks experiencing?

spartodd

I did a clean install of XP Pro SP2 just this week and even before joining the computer to our SBS2003 network, I installed IE8 on the PC, without any problems. None of the post-SP2 updates were applied until after I joined the PC to the domain and let WSUS handle them. Everything seems fine here.

Justin James

... and then suddenly broke. I've been working with the engineers to get it straightened out. J.Ja

CMB from Omaha

When IE 8 installed itself, TechRepublic became inaccessible. TR still works fine in FireFox, though.

toreador

I am viewing and responding to TR using IE 8. So far I am happy with it and glad I upgraded. I will most likely begin pushing it out to my desktops through WSUS in the next few weeks.