Justin James presents a rundown on the April 2009 batch of Microsoft Windows patches. He wades through the available resources and brings you the information you need to make the right decision on applying them in your organization.
This is the April 2009 edition of TechRepublic's Patch Tuesday update. I hope you haven't been getting as many "April showers" as I have been lately!We've got some really important news for you to know: IE8 is now officially out, and it will inevitably end up in the "Windows Update" system. I cannot emphasize enough that you will want to block this if you are not ready for it. If you are using WSUS, do not approve it for installation if you are not prepared to deploy it. Thankfully, it is not a "security" or "critical" update, so it will not auto-approve or auto-install unless you have your Windows Update or WSUS set to a very liberal policy. There have also been an unusual number of mid-cycle patches, all of a noncritical nature.
- MS09-010/KB923561 - Important (XP, 2000, 2003): There are four bugs (two previously disclosed publicly, two previously undisclosed) that affect a variety of word processing documents and can allow remote code execution exploits to occur. The files are Office, RTF, Write, and WordPerfect files, and the exploit is triggered when they are opened in either WordPad or Word. For Word 2000 users, this is a "Critical" bug; for Word 2002, Office Converter Pack, and WordPad it is "Important." Until you install this patch, do not open these types of documents from "untrusted" sources. There is a known issue with this patch around opening Word 6.0 and Write documents; read this KB article for more details. Frankly, I think that this patch is a "must install" despite the "Important" label; too many people open documents from all over the place. It affects 32-bit, 64-bit, and Itanium versions of Windows.
- MS09-011/KB961373 - Critical (XP, 2000, 2003): This patch closes a hole that lets attackers execute a remote code execution attack through MJPEG files; the bug is in DirectX 8.1 and 9.0x. Users with restricted accounts will possibly not be quite as impacted should they encounter one of these files. You should install this patch immediately. It affects 32-bit, 64-bit, and Itanium versions of Windows.
- MS09-012/KB952004/KB956572 - Important (XP, Vista, 2000, 2003, 2008): This patch resolves four holes in Windows that have already been publicly disclosed. The hole allows an attacker who is already logged on to the system to escalate their privileges and take full control of the system. Seeing as the attacker already needs to be logged on and able to run code, this is not a "drop everything you are doing and install this patch!" item, but you should definitely include it in your next update push to the desktops. It affects 32-bit, 64-bit, and Itanium versions of Windows as well as Windows 2008 Server Core. If you are running XP, Vista, 2003, or 2008, check this KB for known issues around some settings that may not be preserved after deploying the patch.
- MS09-013/KB960803 - Critical (XP, Vista, 2000, 2003, 2008): This patch addresses three bugs in the Windows HTTP Services system; one of them allows remote code execution that enables an attacker to completely own a system. This is a "must patch" item for all Windows systems. Note that this is not an "IIS" bug! It affects 32-bit, 64-bit, and Itanium versions of Windows as well as Windows 2008 Server Core. You may see some problems with NTLM authentication if you use IPv6 addresses after installing the patch.
- MS09-014/KB963027 - Critical (XP, Vista, 2000)/Important (2000, 2003): This is a cumulative security update for Internet Explorer 5, 6, and 7. Some of the fixes address already public bugs, and some deal with privately disclosed exploits. You should install this patch immediately. Users with IE8 do not need this patch. It affects 32-bit, 64-bit, and Itanium versions of Windows. You may see some problems with NTLM authentication if you use IPv6 addresses after installing the patch.
- MS09-015/KB959426 - Moderate (XP, Vista, 2003, 2008)/Low (2000): This patch takes care of a problem with the Windows SearchPath function that could enable an escalation of privileges. The exploit has a rather convoluted attack vector with a lot of "if the user does this" type items involved, which is why the security rating is so low. Include this in your next scheduled push of patches; there is little reason to scramble on this one. It affects 32-bit, 64-bit, and Itanium versions of Windows as well as Windows 2008 Server Core. Check the KB article if you have issues with an XSI 5.0 application not loading after the patch is installed.
- KB969058 - Important (IE8 on Vista x64): When you disable IE8 on 64-bit Vista, the "Internet Explorer (No Add-ons)" shortcut does not get removed; this patch fixes that.
- KB944036 - High Priority (IE8 on XP, Vista, 2003, 2008): This is a big one: Internet Explorer 8 is now a patch/release item. Be aware! Thankfully, the priority/classification should not make it automatically install.
- "The Usual Suspects": Updates to the Malicious Software Removal Tool and Junk E-mail filters.
- Changed, but not significantly: None on this Patch Tuesday.
Updates since the last Patch Tuesday
There have been a number of minor items since the last Patch Tuesday:
- KB905474: Updates to Windows Genuine Advantage Notification.
- KB926139/KB926140/KB926141/KB928439: Updates to PowerShell for Windows XP, Vista, and 2003.
- KB955706: Upgrades the Windows Internal Database that SharePoint, WSUS, AD Rights Management Services, Windows System Resource Manager, and UDDI Services rely on.
- KB956587: Windows Home Server Power Pack 2, which features:
- Streaming of MP4 files
- Music, Photos, Videos, and Recorded TV shared folders on the Home Server to Windows Media Center
- Media Center Extenders not using the "Guest" account
- Web-based diagnostic systems to test outside connectivity
- Prevention of accidental overwrites of connector files
- Limitations on file transfers from Vista to make sure that they are not larger than the available disk space on the Home Server
- KB967902: Fixes an issue with expired certificates while connecting to VMs on Windows 2008 x64.
- Changed, but not significantly: MS07-055/KB923810, Microsoft Base Smart Card Cryptographic Service Provider Package, Windows Server 2008 Server Manager, WSUS 3 SP 1 update, IE8 Compatibility View list.
Stay on top of the latest XP tips and tricks with TechRepublic's Windows XP newsletter, delivered every Thursday. Automatically sign up today!