It's Microsoft Patch Tuesday: June 2009

Justin James presents a rundown on the June 2009 batch of Microsoft patches. He wades through the available resources and brings you the information you need to make the right decision on applying them in your organization.

One of the bigger items in this month’s Microsoft patch is that the Vista / 2008 SP2 has been put into the automatic updates bin. There is a ton of other coverage out there for it, but you should be aware that it is now loose. One of the consistent themes this month are vulnerabilities that are “critical” in the 2000 version of a product but are ranked much lower for more recent versions. In addition, there are an unusual number of escalation of privilege attacks; I’m used to these being mostly remote code execution items!

Security patches

MS09-018 / KB971055 – Critical (2000 Server) / Important (XP Professional, 2003): This patch covers two vulnerabilities in Active Directory (KB969805) and Active Directory Application Mode, aka ADAM (KB970437). On Windows 2000 Server, the first vulnerability can result in a remote code execution exploit, allowing an attacker to take over the system (thus, the “critical” rating); on 2003, it is “merely” a denial of service (DOS) attack. On Windows 2003 and XP Professional (with ADAM installed), the exploit also allows DOS attacks. Since your Active Directory should not be exposed to the outside world (especially not on XP), this is not a “must-have” patch yet, except for Windows 2000 Server installations.
MS09-019 / KB969897 – Critical (XP, Vista, IE 5 on 2000) / Important (IE 6 on 2000) / Moderate(2003, 2008): This is a monster-sized cumulative update for Internet Explorer (including IE 7 and 8). It covers a whopping seven privately disclosed vulnerabilities and one publicly disclosed vulnerability in Internet Explorer, all of which can result in remote code execution attacks. The 2003 and 2008 machines have a lower rating on this issue, probably due to their stricter execution environments for IE. This patch should be installed immediately.
MS09-020 / KB970483 – Important (XP, 2000, 2003 with IIS 5 and 6): There is a minor bug in IIS 5 and IIS 6 that allows an attacker to bypass the allowed authentication methods in the IIS configuration. Because the ACL permissions will still apply, this is a fairly low-impact item. In addition, the exploit grants the attacker the permissions of only an anonymous IIS user. This bug is an issue, but do not drop everything to install the patch.
MS09-021 / KB969462 – Critical (Excel 2000) / Important (Excel XP, Excel 2003, Excel 2007, Excel 2004 for Mac, Excel 2008 for Mac, Open XML File Format Converter for Mac, Excel Viewer [all versions], Office Compatibility Pack 2007, Office SharePoint Server): Attackers with a malformed Excel file can execute a remote code execution attack on Excel, for every version (and other applications that handle Excel files) from 2000 on up, including Macintosh versions. The vulnerability is considered only “critical” in Excel 2000. Given the prevalence of Excel documents, I’d recommend that you patch this one quickly.
MS09-022 / KB961501 – Critical (2000) / Important (Vista, 2008) / Moderate (XP, 2003): There are three privately disclosed vulnerabilities in the Windows print spooler that can allow an escalation of privileges attack on Vista, XP, 2003, and 2008, and remote code execution attacks on 2000. Of course, your print spooler should never be open to the outside world, but this is still a troubling issue.
MS09-023 / KB963093 – Moderate (XP, 2003): Under certain circumstances, Windows Search 4 may expose personal data. However, what needs to happen is that the specially crafted file needs to be the first results for a search query, which makes this a fairly rare event; in addition the search functionality is not installed by default. You will want to include this patch in your next scheduled maintenance.
MS09-024 / KB957632 – Critical (Office 2000) / Important (Office XP, Office 2003, Office 2007, Works 8.5, Works 9): A problem with the Microsoft Works converter allows attackers with a specially crafted file to gain the same privileges as the current user to execute code. This isn’t the worst bug in the world, but at the same time, you should patch it at your earliest convenience.
MS09-025 / KB968537 – Important (XP, Vista, 2000, 2003, 2008): There are four separate holes in Windows addressed by this item, all of which allow an escalation of privilege attack to be executed. However, the attacked needs valid logon credentials to begin with and must be logged on locally, which is why it is rated as less important. All the same, I suggest that you patch this immediately.
MS09-026 / KB970238 – Important (XP, Vista, 2000, 2003, 2008): An issue with the RPC Marshalling Engine allows attackers to perform escalation of privilege attacks. The rating on this item is low for a few reasons: first, your RPC ports should be closed to the outside world, and second, none of the installed Windows items use this subsystem. Nonetheless, some third-party software may use it. You should install this patch on your next regular patch day.
MS09-027 / KB969514 – Critical (Office 2000) / Important (Office XP, Office 2003, Office 2007, Office 2004 for Mac, Office 2008 for Mac, Open XML File Format Converter for Mac, Word Viewer, Word Viewer 2003, Office Compatibility Pack 2007): Attackers with specially crafted Word files can execute a remote code execution exploit. It is “critical” on Word 2000 and “important” for all others. I suggest you install it as soon as possible, given the prevalence of Word files.

Other updates

KB966315: Cumulative update for the Media Center TV Pack for Windows Vista. This patch resolves a number of minor and moderate bugs.
KB967632: Cumulative Update for Media Center on Windows Vista: This patch addresses the same set of minor and moderate issues as KB966315 does, but in the Media Center component of Vista.
“The Usual Suspects”: Updates to the Malicious Software Removal Tool, ActiveX Killbits, and Junk E-mail filters.
Changed, but not significantly: IE 8 and Media Center TVPack now includes this month’s cumulative updates.

Updates since the last Patch Tuesday

There have been a number of minor items since the last Patch Tuesday:

Root certificate updates
- KB948465: Vista / 2008 SP2 released to updating systems
- KB963032: Corrects and issue when viewing the Windows Home Server console on resolutions lower than 1024 x 768
- KB971180: Updates to the IE8 “Compatibility View” list
Changed, but not significantly:
- SQL Server 2005 SP3 (KB955706) – Extended the information to be application to Windows 2008 SP2
- XP SP3 (KB936929) – Updated the metadata so that the service pack blocker tool no longer blocks this service pack from installing

Stay on top of the latest XP tips and tricks with TechRepublic’s Windows XP newsletter, delivered every Thursday. Automatically sign up today!

TechRepublic Premium editorial calendar: IT policies, checklists, toolkits and research for download

TechRepublic Premium content helps you solve your toughest IT issues and jump-start your career or next project.

Payroll

The Best Human Resources Payroll Software of 2023

With a lot of choices in the market, we have highlighted the top six HR and payroll software options for 2023.

A computer running Windows 11. — Image: Microsoft.

Software

Windows 11 update brings Bing Chat into the taskbar

Microsoft's latest Windows 11 allows enterprises to control some of these new features, which also include Notepad, iPhone and Android news.

A software engineer works from home. — Image: tanatat/Adobe Stock

CXO

Tech jobs: No rush back to the office for software developers as salaries reach $180,000

Salaries for remote roles in software development were higher than location-bound jobs in 2022, Hired finds.

Project management process to manage and develop with resources to deliver quality product, agile development cycle, businessman project manager balance on clock juggling project management elements. — Image: Nuthawut/Adobe Stock

Software

The 10 best agile project management software for 2023

With so many agile project management software tools available, it can be overwhelming to find the best fit for you. We've compiled a list of 10 tools you can use to take advantage of agile within your organization.

A user typing a password. — Image: Song_about_summer/Adobe Stock

Security

1Password is looking to a password-free future. Here’s why

With phishing-based credentials theft on the rise, 1Password CPO Steve Won explains why the endgame is to 'eliminate’ passwords entirely.

PURPOSE This Media disposal policy from TechRepublic Premium provides specific instructions for ensuring organization data is properly protected when disposing of old storage media. From the policy: POLICY DETAILS When disposing of damaged, unusable, obsolete, off-lease, decommissioned, old, or end-of-service-life equipment and media, the organization requires that the guidelines outlined herein be followed: Hard drives, ...

PURPOSE To take some of the effort out of writing (and rewriting) emails to share with company staff and executives, TechRepublic Premium has assembled basic templates to handle the most common types of communications. Simply copy the text into your favorite word processor and customize it to fit your needs. Then, paste it into an ...

It’s Microsoft Patch Tuesday: June 2009