Patch Tuesday Analysis for April 2009

If you manage workstations, this will be a busy month. Microsoft encourages us to act quickly with the bold note on many of the updates: "This vulnerability is currently being exploited in the Internet ecosystem." This is the strongest language I've seen on any of the comments in the new Exploitability Index since Microsoft began using it last October. Not only is exploit code likely, but it's in the wild.

Those charged with updating servers will have it a little bit easier. The patches apply to all, but as long as best practices are followed, only MS09-016 focuses on servers.

MS09-012 addresses a vulnerability that has been known for over a year. There are some interesting comments on this at http://blogs.technet.com/msrc/archive/2009/04/14/token-kidnapping.aspx. Microsoft indicates that extensive testing has been done on this already. At this point I recommend installing after minimal testing of applications that Microsoft might have missed. You may also need to update some third-party applications that may be vulnerable.

MS09-013: The vulnerability is in WinHTTP, which is not used by Internet Explorer but is used by other components of Windows such as Universal Plug and Play. WinHTTP allows an application to send HTTP requests to other servers.

MS09-014 is a cumulative update of IE. Note that IE 8 is not affected by the vulnerabilities. However, it may be too early for a full-scale deployment of the new browser.

| Bulletin | Exploit Types / Technologies Affected | System Types Affected | Exploit details public? / Being exploited? | Comprehensive, practical workaround available? | MS severity rating | Products Affected | Notes | Randy's recommendation |
|---|---|---|---|---|---|---|---|---|
| MS09-015 (959426) | Privilege elevation / Windows | Workstations, Terminal Servers | Yes/No | No | Moderate | Win2000, XP, Win2003, Win2008 | Search Path Modification | Patch after testing |
| MS09-012 (959454) | Privilege elevation / Windows | Workstations, Terminal Servers, SQL Server Systems | Yes/Yes | No | Important | Win2000, XP, Win2003, Vista, Win2008 | Token Kidnapping | Patch after minimal testing |
| MS09-010 (960477) | Privilege elevation / Windows (Wordpad), MS Office (Word Component) | Workstations, Terminal Servers | Yes/Yes | No | Critical | Win2000, Win2003, Office 2000, Office XP | | Patch after accelerated testing |
| MS09-013 (960803) | Arbitrary code / Windows - WinHTTP | Workstations, Terminal Servers | Yes/No | No | Critical | Win2000, XP, Win2003, Vista, Win2008 | | Patch after testing |
| MS09-011 (961373) | Arbitrary code / Windows Direct Show, DirectX | Workstations, Terminal Servers | No/No | Yes | Critical | Win2000, XP, Win2003 | | Patch after testing |
| MS09-016 (961759) | Denial of service | Servers | Yes/No | No | Important | Forefront TMG MBE, ISA Server 2004, ISA Server 2006 | | Patch after testing |
| MS09-014 (963027) | Arbitrary code / Internet Explorer | Workstations, Terminal Servers | Yes/No | No | Critical | Win2000, XP, Win2003, Vista, Win2008 | Cumulative Security Update/IE8 not affected | Patch or upgrade |
| MS09-009 (968557) | Arbitrary code / Microsoft Office (Excel Component) | Workstations, Terminal Servers | Yes/Yes | No | Critical | Office 2000, Office XP, Office 2003, Office 2007, Office 2004 for Mac, Comp. Pack for Office 2007 | | Patch after accelerated testing |
