Welcome to the December 2008 edition of TechRepublic’s Patch Tuesday coverage! This month’s relatively light round of Microsoft Windows patches must be my early holiday present from Steve Ballmer and company! All joking aside, while this batch is relatively small, most of them should be applied immediately. Because many of the security vulnerabilities this month were privately disclosed, there are no problems in the wild, but expect there to be some within a day or two. Happy holidays to all, and see you on the second Tuesday of 2009!

Previous TechRepublic Microsoft Windows Blog posts in the Patch Tuesday series are available on the Special Reports search page.

Security Patches

  • MS08-071/KB956802 – Critical (2000, XP, 2003, Vista, 2008): This patch corrects a problem with GDI (the Windows graphics system) that allows attackers to use a WMF image file to take over your computer. This patch affects every version of Windows from 2000 through present, both 32-bit and 64-bit flavors, and even affects Server Core. You should install this patch immediately.
  • MS08-073/KB958215 – Critical (IE5, IE6 on XP, IE 7)/Moderate (IE6 on 2003): This is a large cumulative update for Internet Explorer. Because it contains many patches that you may have missed and is considered “critical” for nearly every system out there, you will want to install it immediately.
  • MS08-075/KB959349/KB958623/KB958624 – Critical/Important (Vista, 2008): This patch closes two security holes in Vista and 2008 (but not Server Core), 32-bit and 64-bit editions. Both problems are in the Windows Search system: the attacker gets the user to open and save a search file, or to visit a URL with the same type of file. One of the exploits is critical and can allow an attacker to completely take over the computer. This patch should be applied immediately.
  • MS08-076/KB954600/KB952068/KB952069 – Important (2000, XP, 2003, Vista, 2008): A wide variety of media-related items (Windows Media Player, Windows Media services, and the Windows Media Format Runtime) are all affected by a remote code execution exploit. The severity is “Important” because the user needs administrative rights for the exploit to be really nasty. This affects all versions of Windows with the exception of Server Core and should be installed immediately.

Other Updates

  • KB955839 – High Priority (XP, 2003, 2008): This patch updates a number of time zones (Argentina, Egypt, Iran, Israel, Mauritius, Morocco, Pacific SA, Pakistan, East South America, and Central Brazil) on XP, 2003, and 2008, all CPUs. If your systems need to be aware of those time zones, apply the patch. Otherwise, you can probably pass on it.
  • KB957388 – Important (Vista, 2008): Here is one of those “application compatibility” patches for Vista and 2008. At the time of this writing, the KB article was not online, so there are no in-depth details available.
  • KB960763 – Important (Vista): Apparently, installing the HP Digital Imaging Monitor v. 6.0 software on Vista and XP is causing severe performance problems (ironically, caused by the “HP Customer Participation Program”). Unfortunately, this patch applies only to Vista; an XP patch is on its way soon. If you have this software, install this patch immediately; otherwise, wait until you need it, or install it the next time you get a chance in case you buy an HP printer later on.

“The Usual Suspects”: Updates to the Malicious Software Removal Tool and Junk Email filters.

Updates since the last Patch Tuesday

There are a bunch of minor updates since the last Patch Tuesday. Many of them are minor revisions to existing updates, and some are things like root certificate updates, group policy extensions, and so on. All of these items are low impact, but they should be installed.
