Deb Shinder gathers the information you need to make the right deploy decision when applying Microsoft's September 2012 patches in your organization.
Greetings, patchers. Some of you already know me from the many articles I've written for TechRepublic and other web sites, and I'm going to be taking over this column from my friend, Justin James, whose "day job" interfered.
Summer is over, the kids are back in school, the weather is (finally) cooling off, and most of us are experiencing the calm before the storm of the holiday season. Things are unusually quiet on the security update front at Microsoft, as well. Coming off the beefy slate of critical and important patches released in August, IT pros responsible for updating can take a breather this month. Don't get too comfortable, though - in October we're expecting Microsoft to release a major update invalidating certificates with short keys (under 1024 bits).
This time, though, we're looking at only two security bulletins addressing four issues, and none of them address vulnerabilities in Windows, Office, IE or the other "usual suspects." None of the issues are rated as critical, either. However, those who have deployed Visual Studio Team Foundation Server 2010 SP1, or Systems Management Server 2003 SP3 or System Center Configuration Manager 2007 SP2, will need to take note.
You'll also notice that Windows 8, Windows RT and Windows Server 2012 have crept into the list of updates, although the fix is a non-security issue.
Security Patches
MS12-061/KB 2719584 - Important (Microsoft Visual Studio Team Foundation Server 2010 SP1): There is a vulnerability in the code of all supported editions of Visual Studio Team Foundation Server 2010 that could enable an attacker to elevate privileges if a user visits the attacker's website that has been set up to exploit the vulnerability. Users would typically be tricked into visiting the malicious website by clicking a link in email or an IM. If you don't have Visual Studio Team Foundation Server 2010 installed, you don't have to worry about this patch. Older versions (2005, 2008) are not included, nor are any editions of Visual Studio itself.
MS12-062/KB 2741528 - Important (Microsoft Systems Management Server 2003 SP3 and System Center Configuration Manager 2007 SP2): This one will affect many IT shops still running previous versions of SMS and SCCM. This vulnerability in SMS 2003 and SCCM 2007 works the same way as the Visual Studio Team Foundation Server problem discussed above; visiting an affected website could result in elevation of privilege. Elevation of privilege attacks can be used to do anything an administrator can do: access or destroy data, make changes to the system, install malware, etc. If you're running System Center Configuration Manager R2 or above, you don't have to worry about this one.
Other Updates/Releases
KB2736233 - This is classified as non-security content by Microsoft but it's an update rollup for ActiveX Killbits for Windows 7, Vista, Server 2008 R2, Server 2008, Server 2003 and Windows XP that addresses security issues in ActiveX controls that could enable an attacker to take control of a system running Internet Explorer.
KB2719857 - Update for Windows 7 and Windows Server 2008 R2 to resolve issues relating to using a USB Remote Network Driver Interface Specification (RNDIS) device to connect to a 3G or 4G network.
KB2735855 - Update for Windows 7 and Windows Server 2008 R2 to resolve issues with slow network connectivity when running an application that was developed using Windows Filtering Platform (WFP) API.
KB2741355 - Update for Windows 7 and Windows Server 2008 R2 to resolve issues affecting Windows Live Movie Maker on a computer with a graphics card that only supports DirectX 9.
KB2744129 - Update for Windows Server 2008 R2 x64 to resolve issues with Windows 8 or Windows Server 2012 virtual machines running in Hyper-V.
KB2751352 - Update for Windows 8, Windows RT and Windows Server 2012 to resolve an issue with changing file associations for shortcuts.
KB890830 - As usual, Microsoft released an updated version of the Malicious Software Removal Tool (MSRT).
Updates since the last Patch Tuesday
There were no security updates released out-of-band since August 14, 2012.