What an utter disaster this month has been for Microsoft on the security patches. I had a chance to start working on this edition before the security patches were announced, and I was so pleased at how few items there were. And then, we saw 13 (yes, thirteen) security bulletins published, most of which are for “critical” vulnerabilities. The silver lining is that Windows 7 and Windows Server 2008 R2 were barely scathed, and most of the time, it was for shared components, not the operating system itself. Also of note was an IIS security vulnerability, which has been very, very rare as of late.

On W7 and 2008 R2, please note that when “2008” is specified as the affected OS, 2008 R2 is not considered “2008.” Unlike Windows Server 2003 R2, which was more of a feature pack than anything else, Windows Server 2008 R2 made enough changes to the base OS that they really are separate operating systems. As a result, they do not share vulnerabilities like 2003 and 2003 R2 do, and I will always list 2008 R2 as a separate item if a patch is meant for it.

Security Patches

  • MS09-050/KB975517 – Critical (Vista, 2008): This is the awaited patch for the SMB2 exploit that could allow remote code execution attacks as well as fix two other similar issues that have not been publicly disclosed. This patch is absolutely mandatory at this point and should be installed immediately. 200 KB – 350 KB
  • MS09-051/KB975682 – Critical (2000, XP, Vista, 2003, 2008): There are vulnerabilities in the Windows Media Runtime that allow remote code execution to occur, with a specially crafted file. The attacker could gain the same rights as the local user. You should install this patch as soon as possible. 650 KB – 1.1 MB
  • MS09-052/KB974112 – Critical (2000, XP, 2003): This is another issue with Windows Media, this time with Windows Media Player in older versions of Windows. Again, an attacker can use a specially crafted file to run code with the same rights as the local user. If you have one of these OSs installed, you will want to install this patch immediately. 600 KB – 790 KB
  • MS09-053/KB975254 – Important (2000, CP, Vista, 2003, 2008): This update corrects two issues with IIS’s FTP service. The problem exists in IIS 5.0 – IIS 7.0 Vista, and 2008 servers (with IIS 7) are affected only if they have FTP Service 6 installed. On IIS 5.0, one of the vulnerabilities can lead to a remote code execution exploit. The other problem resolved with this patch can be used to perform a denial-of-service attack on all listed versions of IIS. If you are using IIS 5.0, I suggest you install this patch as soon as you can, otherwise it can wait until your normal patch cycle. 160 KB – 1.1 MB
  • MS09-054/KB974455 – Critical (IE 5.01, IE 6, IE 7, IE 8): This cumulative update for IE resolves four vulnerabilities, one of which has already been publicly disclosed. It also bundles a number of other hotfixes in. These vulnerabilities could be exploited by attackers with specially crafted Web pages to perform remote code execution attacks with the local user’s rights. I suggest you install this one quickly. 3 MB – 40 MB
  • MS09-055/KB973525 – Critical (2000, XP)/Important (Vista, W7)/Moderate (2003)/Low (2008, 2008 R2): This cumulative security update for the ActiveX Killbits component resolves a remote code execution exploit that is already being exploited in the wild. If you are allowing IE to run ActiveX controls on untrusted pages, you need to install this immediately, otherwise, wait until your next scheduled patch cycle. 27 KB
  • MS09-056/KB974571 – Important (2000, XP, Vista, W7, 2003, 2008, 2008 R2): A problem with the Windows cryptography system could allow spoofing attackers, should the attacker get a hold of the user’s certificates, which is fairly unlikely. Install this patch on your next patch cycle. 42 KB – 1 MB (Editor’s note: See Justin’s discussion post for the latest information about this particular patch!)
  • MS09-057/KB969059 – Important (2000, XP, 2003): There is a chance that an attacker could use the Indexing Service’s ActiveX control to force the target computer to index a bad URL, which would then perform a remote code execution attack on the PC. This is definitely one of the most roundabout exploits of the year. All the same, you should install this patch during your usual maintenance. 1 MB – 4.8 MB
  • MS09-058/KB971486 – Important (2000, XP, 2003, 2008): An issue with the Windows kernel could allow an escalation of privileges attack. This is a relatively low-key bug, since the attacker would need to be logged in and running the exploit code, and remote and anonymous users cannot trigger it. Put this patch on during your next patch window. 1.6 MB – 7.8 MB
  • MS09-059/KB975467 – Important (XP, Vista, W7, 2003, 2008, 2008 R2): A problem with the Windows security subsystem could allow an attacker to send a malformed NTLM authentication packet and perform a denial-of-service exploit. This is not terribly serious; this patch can wait until your next maintenance period. 150 KB – 2.4 MB
  • MS09-060/KB973965 – Critical (Office XP, Office 2003, Visio Viewer 2002, Visio Viewer 2003, Visio Viewer 2007): This patch resolves ActiveX issues in various versions of Office, which could be used to perform remote code execution attacks and gain the local user’s privileges. This patch should be installed immediately. Microsoft recommends that people with the Visio Viewers version 2002 and 2003 upgrade to the 2007 version immediately, as a separate hotfix will not be provided for those versions (the update for MS09-034 takes care of it in those versions). Also, the Outlook View Control may not work after installing this update; Microsoft has made updates available to fix that issue as well. No file size data available.
  • (desktops)/(servers) MS09-061/KB974378 – Critical (2000, XP, Vista, W7, Silverlight 2 on Mac, Silverlight 2 on Windows desktop OS)/Important (2003, 2008, 2008 R2)/Moderate (Silverlight 2 on Windows Server): An issue with the .NET Framework could allow attackers to perform remote code execution attacks via the XAML browser and XBAPs, Silverlight applications, or .NET applications. If the user manages to upload an ASP.NET application to an IIS server, they could then trigger the exploit as well. You should install this patch immediately on desktop OS versions of Windows (and Macs). Windows Server installations can wait until the next patch time for this one. 83 KB – 30.8 MB
  • MS09-062/KB957488: A number of problems in GDI+ (the graphics system in Windows) can allow remote code execution attacks to be triggers with malformed image files. Normally, I would list the affected products (you can see the full chart here), but this patch has so many products that it is a safe bet that if you are running Windows, it hits you one way or another. Sure, Vista, W7, 2008 R2, and a few other OSs are not vulnerable, but Microsoft Office and SQL Server are, so between the two of those products alone (as well as the other affected products), it is a sure bet that your system is vulnerable. You should install this patch as quickly as you can. 1.2 MB – 3.6 MB

Other updates

  • KB974306: This patch fixes a number of issues with Media Center in Windows Vista. 12.5 Mb – 14.7 MB
  • KB974431: W7 and 2008 R2 have some minor reliability issues that are addressed by this patch. 16.5 MB – 21.6 MB.
  • KB974307: This is a big cumulative update for the Media Center TV Pack on Vista. 10.8 Mb – 12 MB
  • “The Usual Suspects”: Updates to the Malicious Software Removal Tool (9 – 9.4 MB) and Junk E-mail filters. 2.2 MB
  • Changed, but not significantly: Extended Protection for Authentication (KB968389).

Updates since the last Patch Tuesday

We did not have any security patches release out of band since the last Patch Tuesday.

There have been a number of minor items added since the last Patch Tuesday:

Changed, but not significantly:

TechRepublic’s Windows Vista and Windows 7 Report newsletter, delivered every Friday, offers tips, news, and scuttlebutt on Vista and Windows 7, including a look at new features in the latest version of the Windows OS. Automatically sign up today!