Patch Tuesday Analysis for August 2009
There’s plenty to keep us busy this month. Most of the vulnerabilities have Microsoft’s exploitability index of 1 meaning they expect consistent exploit code likely in the next 30 days. Half are workstation vulnerabilities. There’s one denial of service vulnerability for IIS web servers. One vulnerabilities affecting your WINS servers and then 3 that could impact workstation but would mostly be found on servers.
Workstation Vulnerabilities
Here we go yet again with ActiveX. MS09-043 again addresses several vulnerabilities in ActiveX. Some of the workarounds rely on the user to make a wise decision. Ha! The list is long for Office Components so be sure to read the affected products – you may be surprised.
MS09-044 is a client vulnerability with the Remote Desktop Protocol. It impacts users who connect to a malicious Terminal Services server using Terminal Server client (aka Remote Desktop Connection client).
MS09-037 addresses multiple workstation vulnerabilities, one of which is being actively exploited. In addition to users updating their workstations, responsible developers should also examine their applications as explained in MS09-035. The one presently being exploited is a video ActiveX vulnerability.
The workarounds offered in MS09-038 for both vulnerabilities will deny access to the AVIFile API. Users are now accustomed to getting their video fix so it may be better to just apply the patch.
IIS Vulnerabilities
MS09-036 is denial of service vulnerability in IIS’s ASP.Net. The workaround limits the number of anonymous requests a thread can receive. This can be done by running in "classic mode" or native thread pool. This workaround may affect performance since CLR was meant to improve the efficiency of thread management, among other things.
Server Vulnerabilities
MS09-039 addresses two WINS vulnerabilities. WINS is generally used for internal networks. Microsoft recommends blocking inbound unsolicited communication from the Internet at the firewall.
Miscellaneous
MS09-040 is only of concern if the optional MSMQ (Message Queuing) service is installed which is usually found on servers. If the service is disabled, the system is no longer vulnerable.
MS09-041 is a vulnerability in the workstation service. Don't be fooled by the name, this service runs on servers as well as workstations under normal conditions. Other services depend on it. The "workaround" is just a firewall which should be in place already.
MS09-042 Telnet? does anyone still use it? For shame...If anyone does, better at least apply the patch. Our recommendation has always been: disable this dangerous service.
| Bulletin | Exploit Types
/Technologies Affected | System Types Affected | Exploit
details public?
/ Being exploited? | Comprehensive,
practical
workaround
available? | MS severity rating | Products Affected | Notes | Randy's recommendation | MS09-043
957638 | Arbitrary code
/ Microsoft Office | Workstations
Terminal Servers
| Yes/Yes | Yes | Critical | Office XP
Office 2003
Visual Studio .NET 2003
BizTalk Server 2002
ISA Server 2004
ISA Server 2006
Small Business Accounting 2006
| Restart may be req'd; Office Web Components also affected | Patch after testing | MS09-042
960859 | Arbitrary code
/ Windows - Telnet service | Workstations
Servers
| Yes/No | No | Important | Win2000
XP
Win2003
Vista
Win2008
| Restart Req'd | Patch after testing | MS09-039
969883 | Arbitrary code
/ WINS | Servers
| No/No | No | Critical | Server 2003
Server 2000
| Restart Req'd | Patch after testing | MS09-044
970927 | Arbitrary code
/ Windows | Workstations
Terminal Servers
| No/No | No | Critical | Win2000
XP
Win2003
Vista
Win2008
| Restart Req'd | Patch after testing | MS09-036
970957 | Denial of service
/ asp.net | IIS Servers
| No/Yes | Yes | Important | Vista
Server 2008
| | Patch after testing | MS09-040
971032 | Privilege elevation
/ Windows | Workstations
Servers
| No/No | Yes | Important | Win2000
XP
Win2003
Vista
Win2008
| MSMQ component; Restart Req'd | Patch after testing | MS09-038
971557 | Arbitrary code
/ Windows | Workstations
Terminal Servers
| No/No | Yes | Critical | Win2000
XP
Vista
Server 2003
Server 2008
| Restart Req'd | Patch after testing | MS09-041
971657 | Privilege elevation
/ Windows | Workstations
Servers
| No/No | No | Important | XP
Win2003
Vista
Win2008
| Restart Req'd | Patch after testing | MS09-037
973908 | Arbitrary code
/ Active Template Library | Workstations
Terminal Servers
| No/Yes | No | Critical | Win2000
XP
Vista
Server 2003
Server 2008
| Restart Req'd | Patch after testing |
Receive Randy's same-day, independent analysis each Patch Tuesday
Email:
We will not share your address. Unsubscribe anytime.
|
"Thank you. I am very glad I subscribed to this newsletter.
Relevant content clearly and concisely. Finally!!!"
- John K.
"I really like the Fast Facts on this Month's Microsoft
Security Bulletins. Do you keep old copies? If yes, please let me know how I can
access them?"
-Susan D.
"Thanks, Randy. Your regular updates have streamlined my
monthly patching. Much appreciated,"
- Steve T.
"Really appreciate your patch observor. In the corporate
IT world, anything we can get our hands on that speeds the process of analyzing
threats and how they may or may not apply to our environments is a God-send.
Thanks so much for your efforts."
- Tess G.
"Many thanks for this Randy"
- Roger G.
"The chart is a REAAALLY good idea :)"
- Phil J.
"I like the table. Your insight is very valuable. "
Tom C.
"I liked your high level overview of patches in the
table. There are so many sources of patch information which can be very specific
or surrounded by other stuff that it’s refreshing to get everything summarised
like this. The “Randy’s Recommendation” comment is useful starting point too.
Please keep up the good work."
- David A.
"Your Patch Tuesday Observer is a very good tool in
making the decision whether to patch or not to patch. And also to patch asap or
to wait a while before patching. Also I do think the use of the table is realy
improving the readability of the provided information."
- Gerard T.
|