For this month’s Microsoft Patch Tuesday, we are trying out a new idea, based on reader feedback. In addition to the usual analysis of the patches, we are adding a simple rating system to let you know “at a glance” if you should install a patch or not. For now, we will be using a simple three-flag rating system:

1 flag: apply this patch only if your environment meets special conditions, such as having an uncommon software package installed or a server directly connected to the Internet.

2 flags: apply this patch during your normal patch cycle. It is an important item, but not important enough to justify immediate action.

3 flags: apply this patch as quickly as possible. In all likelihood, there will be a “zero-day exploit” for the problem (if it is a security-related patch), and it is something that can severely compromise your network if left unpatched.

It should be very rare to see a nonsecurity patch listed at three stars, unless the problem is a newly discovered bug that can shut down your systems (say, an inability for the system clock to handle the year 2010, and the patch is being released on December 30, 2009).

Security patches

MS09-028/KB971633 – Critical (2000, XP, 2003): This patch closes a hole in which a malformed QuickTime file can be used to perform a remote code execution attack. The issue is in the underlying DirectShow component of Windows, but only in older versions, which is why more recent editions of Windows are not affected. You will want to patch this as soon as you can.
MS09-029/KB961371 – Critical (2000, XP, Vista, 2003, 2008): A problem with font handling allows an attacker to take control of systems. Because so many different things can embed fonts (especially Word documents), it is critical to get this patched immediately. Windows 2008 Server Core is not affected.
MS09-030/KB969516 – Important (Office 2007 SP1): There is a security hole in Microsoft Publisher that allows remote code execution attacks. The attacks have a lower damage potential when a standard user opens the malformed file. This problem exists only in Publisher 2007 and only in Office SP1. Either apply the patch or upgrade to SP2.
MS09-031/KB970953 – Important (ISA Server 2006): An ISA Server configured to use RADIUS One Time Passwords and Kerberos authentication is open to an escalation of privileges attack, but the attacker needs to impersonate an ISA administrator. This is a serious problem, but not one you need to worry about unless your environment uses RADIUS and Kerberos. *
MS09-033/KB969856 – Important (Virtual PC 2004, Virtual PC 2007, Virtual Server 2005):check the KB article for full details. For the few people still using either one of those products in a production environment, you will want to install this patch during your next patch cycle.

This patch resolves an issue with Virtual PC 2004 and 2007 and Virtual Server 2005 that allowed attackers to take control of the guest VMs. There are some known issues with this update; you will want to

Other updates

KB970408: This patch for Vista SP2 resolves intermittent connectivity problems when a Bluetooth adapter is plugged in to a PC via USB.
“The Usual Suspects”: Updates to the Malicious Software Removal Tool, ActiveX Killbits, and Junk E-mail filters.
Changed, but not significantly: IE8 for XP 64 SP1 (no longer offered), KB950050 (Hyper-V update for Windows 2008), Windows 2008/Vista x64 Service Pack 2.

Updates since the last Patch Tuesday

There have been a number of minor items added since the last Patch Tuesday:

Windows 2008/Vista Service Pack 2 has been released to WSUS and put into the automatic updates bin.

Updates to the IE 8 Compatibility View List.

.NET Assistant for Firefox (KB963707) – Enables the “Click Once” technology to work in the Firefox browser.

Changed, but not significantly:

TechRepublic’s Windows Vista and Windows 7 Report newsletter, delivered every Friday, offers tips, news, and scuttlebutt on Vista and Windows 7, including a look at new features in the latest version of the Windows OS. Automatically sign up today!