Justin James presents a rundown on the February 2009 batch of Microsoft Windows patches. He wades through the available resources and brings you the information you need to make the right decision on applying them in your organization.
Welcome to the February 2009 edition of TechRepublic's Patch Tuesday update. We are experimenting this month with reporting issues with products other than just Windows today (in this case, SQL Server, Visio, and Exchange). Let us know what you think of the extra information!
- MS09-002/KB961260 — Critical (XP, Vista)/Moderate (2003, 2008): This patch addresses two previously undisclosed security holes in IE7 that could allow remote code executions. This one lets it happen right through the Web page itself, so it is pretty darn nasty. You will want to install this patch ASAP. This patch also fixes two other minor issues with IE7 (KB950060 and KB958585).
- MS09-003/KB959239 — Critical (Exchange 2000, Exchange 2003, and Exchange 2007): This patch fixes two previously undisclosed vulnerabilities in Exchange. One of them is really nasty, allowing a remote code execution attack. The other one is slightly less nasty, allowing the attacker to shut down the Exchange System Attendant and a number of other services. If you have an Exchange server, you will want to apply this patch immediately.
- MS09-004/KB960082/KB960089 — Important (2003, 2008): Apparently, there is a problem with SQL Server that allows code put into a field (particularly through a SQL injection attack) to be run remotely. This patch corrects that problem.
- Why is this only "important"? Because it counts on people being able to get things into your database to begin with, and because up-to-date systems with SQL Server (7.0 SP4, 2005 SP3, and 2008) are not affected anyway.
- This patch belongs in Windows updates because every copy of Windows Server ships with various "lightweight" versions of SQL Server, such as MSDE or SQL Server Express. So, even though this is a bug in SQL Server, it is still a problem for nearly all copies of Windows Server. Microsoft may call this "important," but I would suggest that you install it. Be warned, there seem to be a few minor issues with the patches, particularly around MSDE 2000; check the KB articles before you decide to install it.
- MS09-005/KB957634 — Important (Visio 2002, Visio 2003, and Visio 2007): Attackers with a specially crafted Visio file can gain complete control over a system if the file is opened; this patch corrects this issue. Users who do not run with administrative rights are not affected, which is why it is marked as "important" and not critical. Even so, a lot of users run with administrative rights anyway, so I recommend that you install this patch if you have anyone using Visio.
- KB960544 — Recommended (Vista with Media Center): This patch corrects two minor problems (crashing Ehvid.exe and audio playback problems on systems with digital cable card tuners) with Media Center. If you use Media Center, go ahead and install this item; otherwise you can safely ignore it.
- KB958653 — Recommended (Vista with Media Center TV Pack): This is a cumulative update to the Media Center TV Pack in Vista. If you use Media Center TV Pack, you will want to install this, since it fixes a number of annoying bugs.
- "The Usual Suspects": Updates to the ActiveX "killbits," Malicious Software Removal Tool, and Junk Email filters.
- Changed, but not significantly: There is nothing to report this month.
Updates since the last Patch Tuesday
There have been a number of minor items since the last Patch Tuesday:
- KB940518: A metadata only change to a previous patch for Windows Server 2008
- KB959209: A hot fix for a few small issues with .Net Framework 3.5 SP1
- KB958926: An update to Windows Home Server Power Pack 1 to improve the self-repair system for backups
Stay on top of the latest XP tips and tricks with TechRepublic's Windows XP newsletter, delivered every Thursday. Automatically sign up today!