Patch Tuesday Analysis for August 2009

There’s plenty to keep us busy this month. Most of the vulnerabilities have a Microsoft exploitability index of 1, meaning Microsoft expects consistent exploit code is likely within the next 30 days. Half are workstation vulnerabilities. There’s one denial of service vulnerability for IIS web servers. One affects your WINS servers, and then three could impact workstations but would mostly be found on servers.

Workstation Vulnerabilities
 
Here we go yet again with ActiveX. MS09-043 again addresses several vulnerabilities in ActiveX. Some of the workarounds rely on the user to make a wise decision. Ha! The list is long for Office Components so be sure to read the affected products – you may be surprised.
 
MS09-044 is a client vulnerability with the Remote Desktop Protocol. It impacts users who connect to a malicious Terminal Services server using Terminal Server client (aka Remote Desktop Connection client).
 
MS09-037 addresses multiple workstation vulnerabilities, one of which is being actively exploited. In addition to users updating their workstations, responsible developers should also examine their applications as explained in MS09-035. The one presently being exploited is a video ActiveX vulnerability.
 
The workarounds offered in MS09-038 for both vulnerabilities will deny access to the AVIFile API. Users are now accustomed to getting their video fix so it may be better to just apply the patch. 
 
IIS Vulnerabilities
 
MS09-036 is a denial of service vulnerability in IIS’s ASP.NET. The workaround limits the number of anonymous requests a thread can receive. This can be done by running in "classic mode" or using the native thread pool. This workaround may affect performance, since the CLR was meant to improve the efficiency of thread management, among other things.
 
Server Vulnerabilities
 
MS09-039 addresses two WINS vulnerabilities. WINS is generally used for internal networks. Microsoft recommends blocking inbound unsolicited communication from the Internet at the firewall.
 
Miscellaneous
 
MS09-040 is only of concern if the optional MSMQ (Message Queuing) service is installed, which is usually found on servers. If the service is disabled, the system is no longer vulnerable.
 
MS09-041 is a vulnerability in the Workstation service. Don't be fooled by the name: this service runs on servers as well as workstations under normal conditions, and other services depend on it. The "workaround" is just a firewall, which should be in place already.
 
MS09-042: Telnet? Does anyone still use it? For shame... If anyone does, better at least apply the patch. Our recommendation has always been: disable this dangerous service.
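
To find out where the optional services behind MS09-040, MS09-042 and MS09-039 are installed and able to start, an inventory like the following helps. This is an added example, not part of the original analysis; it assumes Windows PowerShell with WMI access to the hosts, the standard service short names (MSMQ, TlntSvr, WINS), and a host list you supply.

```powershell
# Added example: inventory the optional services named in this month's
# bulletins. The -ComputerName list is an assumption; pass your own hosts.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

# Service short name -> bulletin it relates to (from the analysis above).
$targets = @{
    'MSMQ'    = 'MS09-040 (Message Queuing)'
    'TlntSvr' = 'MS09-042 (Telnet service)'
    'WINS'    = 'MS09-039 (WINS)'
}

# One WMI query per host covering all three services.
$filter = ($targets.Keys | ForEach-Object { "Name='$_'" }) -join ' OR '

foreach ($computer in $ComputerName) {
    try {
        $found = @(Get-WmiObject -Class Win32_Service -ComputerName $computer `
                       -Filter $filter -ErrorAction Stop)
    } catch {
        # Unreachable or access-denied hosts are reported, not silently skipped.
        Write-Warning "${computer}: query failed: $($_.Exception.Message)"
        continue
    }

    foreach ($name in $targets.Keys) {
        $svc = $found | Where-Object { $_.Name -eq $name }

        if (-not $svc) {
            $status = 'Not installed'
        } elseif ($svc.StartMode -eq 'Disabled') {
            $status = 'Installed, disabled'
        } else {
            $status = 'Installed, can start'   # candidate for disable or priority patch
        }

        New-Object PSObject -Property @{
            Computer  = $computer
            Bulletin  = $targets[$name]
            Service   = $name
            StartMode = if ($svc) { $svc.StartMode } else { $null }
            State     = if ($svc) { $svc.State } else { $null }
            Status    = $status
        } | Select-Object Computer, Bulletin, Service, StartMode, State, Status
    }
}
```

Rows reading "Installed, can start" for TlntSvr or MSMQ are the hosts where disabling the service, as recommended above, or patching first has the most effect.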

| Bulletin | Exploit Types / Technologies Affected | System Types Affected | Exploit details public? / Being exploited? | Comprehensive, practical workaround available? | MS severity rating | Products Affected | Notes | Randy's recommendation |
|---|---|---|---|---|---|---|---|---|
| MS09-043 (957638) | Arbitrary code / Microsoft Office | Workstations, Terminal Servers | Yes/Yes | Yes | Critical | Office XP, Office 2003, Visual Studio .NET 2003, BizTalk Server 2002, ISA Server 2004, ISA Server 2006, Small Business Accounting 2006 | Restart may be req'd; Office Web Components also affected | Patch after testing |
| MS09-042 (960859) | Arbitrary code / Windows - Telnet service | Workstations, Servers | Yes/No | No | Important | Win2000, XP, Win2003, Vista, Win2008 | Restart Req'd | Patch after testing |
| MS09-039 (969883) | Arbitrary code / WINS | Servers | No/No | No | Critical | Server 2003, Server 2000 | Restart Req'd | Patch after testing |
| MS09-044 (970927) | Arbitrary code / Windows | Workstations, Terminal Servers | No/No | No | Critical | Win2000, XP, Win2003, Vista, Win2008 | Restart Req'd | Patch after testing |
| MS09-036 (970957) | Denial of service / asp.net | IIS Servers | No/Yes | Yes | Important | Vista, Server 2008 | | Patch after testing |
| MS09-040 (971032) | Privilege elevation / Windows | Workstations, Servers | No/No | Yes | Important | Win2000, XP, Win2003, Vista, Win2008 | MSMQ component; Restart Req'd | Patch after testing |
| MS09-038 (971557) | Arbitrary code / Windows | Workstations, Terminal Servers | No/No | Yes | Critical | Win2000, XP, Vista, Server 2003, Server 2008 | Restart Req'd | Patch after testing |
| MS09-041 (971657) | Privilege elevation / Windows | Workstations, Servers | No/No | No | Important | XP, Win2003, Vista, Win2008 | Restart Req'd | Patch after testing |
| MS09-037 (973908) | Arbitrary code / Active Template Library | Workstations, Terminal Servers | No/Yes | No | Critical | Win2000, XP, Vista, Server 2003, Server 2008 | Restart Req'd | Patch after testing |
