Patch Tuesday Analysis for October 2009

Wow! This is a bad month for everyone. I’ve divided my commentary into 3 sections and of course my fast facts chart is below.

Did you know? You can research years and years of Microsoft security bulletins using my Security Bulletin Database. You can filter based on all kinds of criteria. Try it out at http://www.ultimatewindowssecurity.com/patchAnalysis/research.aspx

ALL COMPUTERS

I have no idea why Microsoft rated MS09-056 as only Important. It affects the integrity of public key infrastructures and SSL-based websites such as online banking! It’s public and proof-of-concept code is out there. Phishers will be working overtime tonight. Get all systems updated ASAP.

Wow, MS09-058 reminds me of good ole “getadmin” from the NT 4 pre-SP3 days. Some of you will remember that. The vulnerability is private for now, but it will be important for any sites relying on “least privilege”.

Servers

MS09-050 could include DCs as a target, since DCs typically accept SMB packets from everyone. Only SMBv2 is vulnerable. The workaround involves disabling SMBv2, which causes clients to fall back to SMBv1. Update any computer running the Server service ASAP.
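As an added example (not code from the original post), the PowerShell below reports whether the SMBv2-disable workaround for MS09-050 is in place on a Vista or Server 2008 host and provides a function to apply it. It assumes the registry value Microsoft documents for this workaround, Smb2 under the LanmanServer Parameters key.

```powershell
# Added example, not code from the original post. Audits and (optionally)
# applies the MS09-050 workaround: disabling SMBv2 on the Server service so
# clients fall back to SMBv1. Only Vista / Server 2008 serve SMBv2, so the
# check is only meaningful there. Run in an elevated PowerShell session.
$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb2State {
    # Reads the Smb2 value; when it has never been created the OS default
    # applies, which on Vista / Server 2008 means SMBv2 is enabled.
    $params  = Get-ItemProperty -Path $LanmanKey -ErrorAction Stop
    $value   = $params.Smb2
    $enabled = ($null -eq $value) -or ($value -ne 0)
    if ($enabled) { $status = 'SMBv2 enabled: MS09-050 workaround NOT applied' }
    else          { $status = 'SMBv2 disabled: workaround in place' }
    New-Object PSObject -Property @{
        Smb2Value   = $value
        Smb2Enabled = $enabled
        Status      = $status
    }
}

function Disable-Smb2 {
    # Applies the workaround (Smb2 = 0, REG_DWORD) and restarts the Server
    # service so it takes effect. Existing SMBv2 sessions are dropped.
    # Set Smb2 back to 1 (or delete it) once the MS09-050 update is installed.
    Set-ItemProperty -Path $LanmanKey -Name Smb2 -Value 0 -Type DWord
    Restart-Service -Name LanmanServer -Force
}

# Report the current state; uncomment the last line to enforce the workaround.
$state = Get-Smb2State
Write-Output $state.Status
# if ($state.Smb2Enabled) { Disable-Smb2 }
```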

With MS09-053 affecting the FTP service, one might wonder why it is only rated “Important” since it is both publicly disclosed and being exploited. FTP is not installed by default, but if you are running an FTP server, getting it updated should be treated as critical.

MS09-059 has to do with a vulnerability in NTLM authentication. Although Microsoft doesn’t suggest it, not using NTLM seems to be a mitigating factor. Windows 2000 or later should be able to authenticate with NTLMv2 or Kerberos.

If you host web sites, pay attention to MS09-061, which is normally a workstation vulnerability but could be an issue for you.

MS09-059 seems a fairly innocuous denial-of-service attack.

Workstations

Although ASF files are involved in both, MS09-051 is unrelated to MS09-052, so give attention to both patches. Note that ASF files can have many different file extensions. Google “Advanced Systems Format” and click the first 2 search results to learn more about ASF files. The workarounds are not practical unless you can essentially disable Windows Media Player. For MS09-052 only Windows Media Player 6.4 is affected, so it might be a good time to upgrade to Media Player 9. MS09-051 is publicly disclosed and already being used in attacks.

MS09-054 is a cumulative update for all supported versions of Internet Explorer that patches multiple vulnerabilities, one of which is public, so patch ASAP.

ActiveX strikes for the umpteenth time in MS09-055, and the exploit is currently being used in attacks, so patch ASAP. Why in the world doesn’t Microsoft set the kill bit on vulnerable ActiveX controls as needed once and for all?

MS09-060 affects Outlook and Visio Viewer. Rather than supporting Visio Viewer 2002 and 2003, Microsoft recommends upgrading to Visio Viewer 2007. Updated controls from third parties may also need to be installed.

MS09-062 addresses multiple vulnerabilities in GDI+. GDI+ interacts with device drivers to provide graphics and formatted text for applications. Since device drivers run in kernel mode, the system can be vulnerable. When this came up last year things got complicated. As was true last year when MS08-052 was released, “Customers are potentially at risk if third party applications do not follow the recommended best practices and instead redistribute an old version of gdiplus.dll with their application.” It seems the faulty DLLs could cause problems for years to come. Some of the vulnerabilities involve web hosting, so servers need to be patched too.
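As an added example (not code from the original post), this PowerShell finds gdiplus.dll copies that applications redistributed into their own folders, the case the MS08-052 quote above warns about, and compares them with the system copy. The search roots are an assumption; on Vista/2008 the system copy lives under WinSxS rather than System32, so the version comparison only runs when a System32 copy is found.

```powershell
# Added example, not code from the original post. Lists gdiplus.dll copies
# redistributed by applications so they can be compared against the system
# copy that the MS09-062 update replaces. Search roots are an assumption.
$SearchRoots = @("$env:ProgramFiles", "$env:SystemDrive\Program Files (x86)") |
               Where-Object { Test-Path $_ }
# XP / Server 2003 keep the system copy here; on Vista / 2008 it lives in
# WinSxS, so the baseline may be absent and the comparison is then skipped.
$SystemCopy = Join-Path $env:SystemRoot 'System32\gdiplus.dll'

function Get-DllVersion($path) {
    # Returns the file version as System.Version so copies compare numerically.
    $v = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path)
    New-Object System.Version($v.FileMajorPart, $v.FileMinorPart,
                              $v.FileBuildPart, $v.FilePrivatePart)
}

function Find-RedistributedGdiPlus {
    # One record per private gdiplus.dll; OlderThanSystem is $true when the
    # copy is older than the system copy, $null when there is no baseline.
    $baseline = $null
    if (Test-Path $SystemCopy) { $baseline = Get-DllVersion $SystemCopy }
    Get-ChildItem -Path $SearchRoots -Recurse -Filter 'gdiplus.dll' `
                  -ErrorAction SilentlyContinue |
      ForEach-Object {
        $ver   = Get-DllVersion $_.FullName
        $older = $null
        if ($null -ne $baseline) { $older = ($ver -lt $baseline) }
        New-Object PSObject -Property @{
            Path            = $_.FullName
            Version         = $ver
            SystemVersion   = $baseline
            OlderThanSystem = $older
        }
      }
}

# Oldest copies first; a flagged row is an application shipping its own
# stale GDI+ that needs a vendor update, not just the Windows patch.
Find-RedistributedGdiPlus |
  Sort-Object Version |
  Format-Table Path, Version, SystemVersion, OlderThanSystem -AutoSize
```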

MS09-060 addresses privately reported vulnerabilities in Office.

MS09-061 addresses .NET common language runtime vulnerabilities that primarily affect workstations.

MS09-057 is an Indexing Service vulnerability most likely affecting workstations. It’s currently not public or being used in attacks, but I would not delay in updating.

Fast Facts Chart

| Bulletin (KB) | Exploit types / Technologies affected | System types affected | Exploit details public? / Being exploited? | Comprehensive, practical workaround available? | MS severity rating | Products affected | Notes | Randy's recommendation |
|---|---|---|---|---|---|---|---|---|
| MS09-062 (KB957488) | Arbitrary code / GDI+ | Workstations, Terminal Servers, Web Servers | No / No | No | Critical | Win2000, XP, Win2003, Vista, Win2008 | | |
| MS09-057 (KB969059) | Arbitrary code / Windows | Workstations, Terminal Servers | No / No | Yes | Important | Win2000, XP, Win2003 | Indexing service | Patch after testing |
| MS09-058 (KB971486) | Privilege elevation / Windows | Workstations, Terminal Servers | No / No | No | Important | Win2000, XP, Win2003, Vista, Win2008 | | Patch ASAP in "least privilege" environments |
| MS09-055 (KB973525) | Arbitrary code / Windows | Workstations, Terminal Servers | No / Yes | No | Critical | Win2000, XP, Win2003, Vista, Win2008 | ActiveX kill-bits again! | Patch ASAP |
| MS09-060 (KB973965) | Arbitrary code / Office | Workstations, Terminal Servers | No / No | No | Critical | Office XP, Office 2003, Office 2007, Visio 2003, Visio 2002, Visio 2007 | Outlook and Visio component | Patch after testing |
| MS09-052 (KB974112) | Arbitrary code / Windows Media Player | Workstations, Terminal Servers | No / No | Yes | Critical | Win2000, XP, Win2003 | | |
| MS09-061 (KB974378) | Arbitrary code / .NET Common Language Runtime | Workstations, Servers | Yes / No | No | Critical | Win2000, XP, Win2003, Vista, Win2008 | | Patch ASAP |
| MS09-054 (KB974455) | Arbitrary code / Internet Explorer | Workstations, Terminal Servers | Yes / No | No | Critical | Win2000, XP, Win2003, Vista, Win2008 | Cumulative Update | Patch ASAP |
| MS09-056 (KB974571) | Spoofing / Windows | Workstations, Terminal Servers | Yes / Yes | No | Important | Win2000, XP, Win2003, Vista, Win2008 | Allows certificate spoofing! | Patch ASAP |
| MS09-053 (KB975254) | Arbitrary code / Windows FTP Service | Servers | Yes / Yes | Yes | Important | Internet Information Services | | Patch, disable FTP or upgrade to IIS 7.5 |
| MS09-059 (KB975467) | Denial of service / Windows | Servers | No / No | Yes | Important | XP, Win2003, Win2008 | | Patch after testing |
| MS09-050 (KB975517) | Arbitrary code, Denial of service / Windows | Workstations, Servers, Domain Controllers | Yes / No | Yes | Critical | Vista, Server 2008 | SMBv2 | Apply workaround; patch ASAP |
| MS09-051 (KB975682) | Arbitrary code / Windows Media Runtime | Workstations, Terminal Servers | Yes / No | No | Critical | Win2000, XP, Win2003, Vista, Win2008 | Workarounds cause loss of functionality | Patch ASAP |
