It's Microsoft Patch Tuesday: December 2009

This is the month that I declare Microsoft is “insane.”

They have released a number of patches that are clearly security patches as “nonsecurity patches.” What galls me about this is that many administrators have various group policies or WSUS systems in place to automatically push out critical security patches; patches that are improperly labeled as “nonsecurity” fall through the cracks, leaving systems vulnerable longer than intended.

In addition, it looks like they’ve unofficially declared the fourth Tuesday of each month to be a secondary Patch Tuesday. They are consistently releasing nonsecurity patches and updates then as well. A few months ago, this made sense, because Windows 7 and Window Server 2008 R2 had just dropped, and a bunch of minor issues were being found and fixed as quickly as possible. But now there is no excuse for it; things like a Daylight Savings patch can and should wait until Patch Tuesday. I tend to stick up for Microsoft, but in this case, there is no excuse and this situation needs to be changed immediately.

Click to our Microsoft Patch Tuesday Focus Page to catch up on all of 2009’s Patch Tuesday Windows Blog posts on TechRepublic. This blog post is also available in PDF format in a free TechRepublic download.

Security Patches

MS09-069/KB974392 – Important (XP, 2000, 2003): This patch resolves a DoS (Denial of Service) vulnerability in Windows’ Local Security Authority Subsystem Service (LSASS). This patch is not super critical, but you should definitely install it on your next patch cycle. 600KB – 1.3MB
MS09-070/KB971726 – Important (2003, 2008): There is a hole in ADFS (Active Directory Federation Services) that could allow a remote code execution exploit. Luckily, the attacker already needs to be authenticated to trigger the exploit. Microsoft calls this “important,” but I call it “critical”. 450KB – 1MB
MS09-071/KB974318 – Moderate (XP)/Important (Vista, 2000, 2003)/Critical (2008): Problems with PEAP authentication in Windows can lead to remote code execution vulnerabilities when working with MS-CHAP v2 authentication. You’ll want to get this fixed immediately on your servers. 275KB – 1.2MB
MS09-072/KB976325 – Moderate to Critical (IE5, IE6, IE7, IE8): This patch resolves five problems in Internet Explorer that can result in remote code execution exploits, some via “specially crafted Web pages” and some through ActiveX. The criticality matrix on this patch is crazy. Let’s just call it “critical” for all versions IE and Windows, install it immediately, and move on. 3MB – 48.7MB
MS09-073/KB975539 – Important (2000, XP, 2003, Office XP, Office 2003, Works 8.5, Office Converter Pack): Issues in WordPad and some versions of Office allow an attacker to perform remote code execution exploits with a bad Word 97 file. The attacker would get the same privileges as the user. Microsoft doesn’t consider this a top-level issue, but given the prevalence of Office files and user behavior around them, I suggest that you install the patch as soon as you can. 855KB – 2.6MB
MS09-074/KB967183: Important (Project 2002, Project 2003)/Critical (Project 2000): This is another “specially crafted files can lead to remote code execution” patch, this time for Microsoft Project. You will want to install this immediately as well.
KB954157 and KB976138: A problem in the Indeo codec in 2000, XP, and 2003 can allow an attacker with a specially crafted media file to perform a remote code execution attack. Somehow, Microsoft has not released a security bulletin for this issue, and they are not labeling it as a security update in the system! It doesn’t matter what Microsoft chooses to call this, it is a critical security patch. 689KB – 1.6MB

Other Updates

KB954157: A problem in the Indeo codec in 2000, XP, and 2003 can allow an attacker with a specially crafted media file to perform a remote code execution attack. Somehow, Microsoft has not released a security bulletin for this issue, and they are not labeling it as a security update in the system! It doesn’t matter what Microsoft chooses to call this, it is a critical security patch. 689KB – 1.6MB
KB970430, KB971737, and KB973917: This trio of patches upgrades the security for authentication in HTTP and IIS on XP, Vista, 2003, and 2008. 530KB – 4.0MB
“The Usual Suspects”: Updates to the Malicious Software Removal Tool (9.4 – 9.7MB) and Junk Email filters (2.2MB)

Changed, but not significantly:

IE8 for 2008 and Vista
MS08-037/KB951748 – Security update for 2000

Updates since the last Patch Tuesday

We did not have any security patches release out of band since the last Patch Tuesday.

There have been a number of minor items added since the last Patch Tuesday:

Root Certificates Update (KB931125) for XP. 324KB
Windows Home Server Power Pack 3 (KB968349) adds features like W7 compatibility, provides better searching, and fixes a number of bugs. 27.3MB
Remote Desktop Connection 7.0 Client for XP and Vista (KB969084) adds support for the new Remote Desktop features in W7 and 2008 R2. 2MB – 3.3MB
Update to XML Core Services 4.0 SP3 (KB973685) resolves a problem that can cause the XML processing library to get stuck and put out far too many HTTP calls. They aren’t calling this a security update, but it really is, and it should be installed immediately. 2MB
Update XML Core Services 6.0 SP2 (KB973686) is the same as the patch for XML Core Services 4.0, for the same problem. It too should be installed ASAP. 956KB – 2.7MB
Update for Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP (KB973687) also addresses the XML issue. 937KB – 3.7MB
Update to XML Core Services 4.0 Service Pack 2 (KB973688) – same problem, different version of the library. 5.6MB
Update for W7 (KB976092) fixes a possible data corruption problem when moving data to SD cards. 75KB
Daylight Savings Time Update (KB976098) accounts for new DST laws around the world. 140KB – 1.1MB
Update for 2008 and Vista (KB976470) resolves an issue where the Date and Time applet in Control Panel displays an error message for no reason. 413KB – 834KB

Changed, but not significantly:

MS08-076/KB952069 – Security update for Windows Media Components for Windows XP

TechRepublic’s Windows Vista and Windows 7 Report newsletter, delivered every Friday, offers tips, news, and scuttlebutt on Vista and Windows 7, including a look at new features in the latest version of the Windows OS. Automatically sign up today!

TechRepublic Premium editorial calendar: IT policies, checklists, toolkits and research for download

TechRepublic Premium content helps you solve your toughest IT issues and jump-start your career or next project.

Payroll

The Best Human Resources Payroll Software of 2023

With a lot of choices in the market, we have highlighted the top six HR and payroll software options for 2023.

A computer running Windows 11. — Image: Microsoft.

Software

Windows 11 update brings Bing Chat into the taskbar

Microsoft's latest Windows 11 allows enterprises to control some of these new features, which also include Notepad, iPhone and Android news.

A software engineer works from home. — Image: tanatat/Adobe Stock

CXO

Tech jobs: No rush back to the office for software developers as salaries reach $180,000

Salaries for remote roles in software development were higher than location-bound jobs in 2022, Hired finds.

Project management process to manage and develop with resources to deliver quality product, agile development cycle, businessman project manager balance on clock juggling project management elements. — Image: Nuthawut/Adobe Stock

Software

The 10 best agile project management software for 2023

With so many agile project management software tools available, it can be overwhelming to find the best fit for you. We've compiled a list of 10 tools you can use to take advantage of agile within your organization.

A user typing a password. — Image: Song_about_summer/Adobe Stock

Security

1Password is looking to a password-free future. Here’s why

With phishing-based credentials theft on the rise, 1Password CPO Steve Won explains why the endgame is to 'eliminate’ passwords entirely.

PURPOSE Finding a back-end developer with programming and technical expertise as well as superior collaboration and communication skills will require a comprehensive recruitment strategy. This Hiring Kit from TechRepublic Premium provides an adjustable framework your business can use to find, recruit and ultimately hire the right person for the job. From the hiring kit: TYPICAL ...

PURPOSE Application engineers need to have technical expertise in programming, design, business and the software and hardware required to run the application. This Hiring Kit from TechRepublic Premium provides an adjustable framework your business can use to find, recruit and ultimately hire the right person for the job. From the hiring kit: DETERMINING FACTORS, DESIRABLE ...

PURPOSE The purpose of this policy from TechRepublic Premium is to provide guidelines for employee performance reviews, which will clearly document accomplishments and areas of opportunity via an encouraging and thought-provoking analysis. This will assist in determining the next steps for employees as well as their future at the organization. This policy can be customized ...

It’s Microsoft Patch Tuesday: December 2009