It's Microsoft Patch Tuesday: September 2010

Justin James gathers the information you need to make the right decision on applying Microsoft's September 2010 patches in your organization.

This month's Patch Tuesday really highlights a fact that a lot of folks deny: Microsoft Windows XP and Windows 2003 are much less secure than their replacements. I know folks have some reasons to remain on those older operating systems, and I am not going to debate those points, but if "security" is on that list, you are dead wrong. If security is one of your top concerns, then getting off XP and 2003 needs to be a top goal (insert comments about moving to Linux or OS X here).

This blog post is also available in PDF format in a TechRepublic download. The previous months' Microsoft Patch Tuesday blog entries are also available.

Security Patches

MS10-061/KB2347290 - Critical (XP, Vista, 7, 2003, 2008, 2008 R2): This patch closes a remote code execution vulnerability in the print spooler, of all places. Since your print spoolers should never be exposed from the outside and because no computer shares printers by default, this patch can safely wait until your regular patch window. In a few rare cases, XP machines with certain printers installed are vulnerable even without sharing the printer. 110KB - 1.0MB

MS10-062/KB975558 - Critical (XP, Vista, 2003, 2008): A problem in the MPEG-4 codec can allow remote code execution attacks when viewing a malformed file or stream. Video files are common enough to warrant installing this patch as soon as you can. 143KB - 912KB

MS10-063/KB2320113 - Critical (XP, Vista, 2003, 2008): The portion of Windows that handles Unicode has a bug that could allow remote code execution exploits. The attacker would need to feed you a document or a Web page with an embedded, malformed font. That's trivially easy, so you will want to install this patch immediately. 293KB - 1.4MB

MS10-064/KB2315011 - Critical (Office XP, Office 2003, Office 2007): Outlook is open to a remote code execution attack if it opens an e-mail while connected to an Exchange server in Online Mode. This is a common scenario in the business world, so you will want to treat this patch as a "right now" item. 2.7MB - 12.0MB

MS10-065/KB2267960 - Important (IIS 5.1, IIS 6, IIS 7, IIS 7.5): This patch corrects a remote code execution problem, an escalation of privileges issue, and a denial-of-service vulnerability in all modern versions of IIS. The holes can be exploited with a malformed HTTP request. Microsoft labels this problem as "important," but I consider it "critical" and suggest that you patch this as soon as you can. 73KB - 1.6MB

MS10-066/KB982802 - Important (XP, 2003): This patch addresses a remote code execution vulnerability in RPC. RPC should not be visible outside the firewall, and the attack requires that the user of the exploited PC initiate the connection. As such, this patch can wait until your usual patch time to be installed. 793KB - 3.3MB

MS10-067/KB2259922 - Important (XP, 2003): WordPad, of all things, has a problem that can allow remote code execution attacks when opening malicious files. Unless you have desktop machines with nothing better than WordPad installed, this patch can wait until your usual patch window. 617KB - 1.4MB

MS10-068/KB983539 - Important (XP, Vista, 7, 2003, 2008, 2008 R2): Active Directory, Active Directory Application Mode (ADAM), and Active Directory Lightweight Directory Services (AD LDS) all have an escalation of privileges hole. The vulnerability is triggered by malformed LDAP messages sent to LSASS servers. The attacker needs a domain account, but their computer does not need to be joined to the domain. You can wait until your scheduled patch time for this one. 856KB - 5.6MB

MS10-069/KB2121546 - Important (XP, 2003): Users of XP and 2003 machines that are set up to use a Chinese, Japanese, or Korean system locale can elevate their privileges. This patch fixes the hole (Microsoft is a bit vague as to what actually triggers the problem). If you have a system like this, install this patch at your normal time. 634KB - 1.3MB
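To turn the list above into something you can run against your own machines, here is an added PowerShell example (not code from the original post or from Microsoft) that reports which of this month's security KBs are present on the local host and, because the MS10-061 advice hinges on whether printers are shared, also shows the spooler state and shared printer count. It assumes a Windows 7 / 2008 R2 era host with PowerShell 2.0 or later and the standard Get-HotFix and Get-WmiObject cmdlets; the bulletin labels are my own shorthand for the descriptions above. One caveat: Get-HotFix reads Win32_QuickFixEngineering, which generally does not list Office updates, so the MS10-064 (KB2315011) row may show as not installed even on a patched machine.

```powershell
# Added example: check the local host for the September 2010 security KBs
# listed in the post. Applicability per OS/product is not evaluated; a KB
# that does not apply to this host simply reports as not installed.

# KB numbers come from the bulletin list; the labels are shorthand (assumption).
$SeptemberKBs = @{
    'KB2347290' = 'MS10-061 Print Spooler (Critical)'
    'KB975558'  = 'MS10-062 MPEG-4 codec (Critical)'
    'KB2320113' = 'MS10-063 Unicode handling / fonts (Critical)'
    'KB2315011' = 'MS10-064 Outlook (Critical)'
    'KB2267960' = 'MS10-065 IIS (Important)'
    'KB982802'  = 'MS10-066 RPC (Important)'
    'KB2259922' = 'MS10-067 WordPad (Important)'
    'KB983539'  = 'MS10-068 AD / ADAM / AD LDS (Important)'
    'KB2121546' = 'MS10-069 CJK locale elevation (Important)'
}

# Win32_QuickFixEngineering as seen by Get-HotFix (OS updates only, see caveat).
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

$report = foreach ($kb in $SeptemberKBs.Keys) {
    New-Object PSObject -Property @{
        KB        = $kb
        Bulletin  = $SeptemberKBs[$kb]
        Installed = ($installed -contains $kb)
    }
}

# Missing patches first so they are easy to spot in the output.
$report | Sort-Object Installed, KB | Format-Table KB, Installed, Bulletin -AutoSize

# MS10-061 exposure check: the post's "it can wait" advice assumes no shared
# printers, so confirm that on the actual host rather than assuming it.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$shared  = @(Get-WmiObject -Class Win32_Printer | Where-Object { $_.Shared })

"Print Spooler service state: $(if ($spooler) { $spooler.Status } else { 'not present' })"
"Shared printers on this host: $($shared.Count)"
if ($shared.Count -gt 0) {
    "Shared printer names: $(($shared | ForEach-Object { $_.Name }) -join ', ')"
}
```

Run it in an elevated PowerShell session on each host (or wrap the body in Invoke-Command for remote hosts where WinRM is enabled); any row reporting Installed as False for a KB that applies to that OS is a patch to schedule, and a non-zero shared printer count means MS10-061 should move up from "regular patch window" to the same urgency as the other critical items.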

Other updates

KB2141007 - This adds Extended Protection for Authentication to Outlook Express and Windows Mail. Unless you are using these mail clients (unlikely on a business computer), you can skip this patch. 587KB - 3.0MB

KB2398632 - This patch fixes the IE 8 upgrade advisor in Windows 7 and 2008 R2, which was broken by an earlier security update. 581KB - 1.2MB

"The Usual Suspects": Updates to the Malicious Software Removal Tool (11.7MB - 12.1MB) and Junk E-mail filters (2.2MB).

Updates since the last Patch Tuesday

There have been a number of minor items added and updated since the last Patch Tuesday:

Fix for Hyper-V crash on 2008 R2 (KB2264080) - 402KB

Application compatibility update for W7 and 2008 R2 (KB2272691) - 1.8MB - 1.9MB

Application compatibility update for dynamic installer on W7 and 2008 R2 (KB2272691) - 60KB - 11.4MB

Root certificates update (KB931125) - 339KB

System Update Readiness Tool for Vista, W7, 2008, 2008 R2 (KB947821) - 4.5MB - 12.7MB

Update Windows Home Server for back-up restores (KB979453) - 1.8MB

Application compatibility update for W7 and 2008 R2 (KB982110) - 299KB - 937KB

Changed, but not significantly:
