2009: the final Patch Tuesday

This month Microsoft released 6 bulletins to plug 12 vulnerabilities in Windows, Internet Explorer (IE) and Microsoft Office products. Three of them are rated Critical and the other three Important. These bulletins affect all supported versions of Windows and IE; regarding Office the bulletins impact Project, Word and Works 8.5. The other important piece of information is that all of the updates require a reboot so plan accordingly.

MS09-072 covers Security Advisory 977981 (HTML Object Memory Corruption) and due to the fact that the vulnerability was publicly disclosed and affects IE 6 and IE 7 Microsoft put this at the top of the priority list. It’s the only bulletin that has both a critical severity rating and the maximum Exploitability rating. Those users running IE 8 on any version of Windows and IE 5.01 on Windows 2000 are not affected by this vulnerability. With that said how many people are still running IE 5.01 on systems? I’d like to think that sometime in the last 8 years most if not everyone has updated their systems.

MS09-070 resolves two reported vulnerabilities in Windows which allow maliciously crafted HTTP request to an ADFS-enabled Web server. However for the attack to be effective valid log on credentials are needed – because of this, Microsoft placed this lower on the deployment list. This patch is for any machine running Windows Server 2003 32 and x64 Edition, Windows Server 2008 and Windows 2008 x64 Edition.

MS09-071 addresses vulnerabilities in the Internet Authentication Services where if a message is copied incorrectly into memory when handling PEAP authentication attempts it could allow compromise. This security update is rated Critical for Windows Server 2008 for 32-bit Systems Service Pack 2 and Windows Server 2008 for x64-based Systems Service Pack 2 and for other versions of Windows the rating drops to either Important or Moderate. However those running Windows 7 or Server 2008 R2 x64 or Itanium versions are not affected.

MS09-073 patches a vulnerability in Microsoft’s WordPad and Office text converters. For users to be affected by this they would need to open a malicious Word 97 file in either WordPad or MS Word. This security update is rated Important for WordPad on all supported editions of Microsoft Windows 2000, Windows XP, and Windows Server 2003. It’s also rated Important for all supported editions of Microsoft Office Word 2002 and Microsoft Office Word 2003, Microsoft Office Converter Pack, and Microsoft Works 8.5. This does not affect Vista SP1, SP2 32 or x64, Windows 7 32 or x64, Server 2008 R2x64 or Itanium versions of windows.

MS09-074 covers a vulnerability in Microsoft Project where if a user opens a maliciously crafted project file the attacker can get complete control of the affected system. This has a Critical rating for MS Project 2000 SP1 and an important rating for MS project 2002 SP1 and MS Project 2003 SP3.

MS09-069 fixes a vulnerability in Local Security Authority Subsystem Service (LSASS) that could allow for a denial of service (DNS) attack. For this to take place the attacker would have to send ISAKMP messages to the LSASS communicating through Internet Protocol security (IPsec). This is rated Important for all supported Windows 2000, Windows XP and Windows Server 2003.

I also want to highlight the rerelease of MS08-037. This addresses the vulnerability in both DNS client and DNS server that could allow spoofing. This is for Microsoft Windows 2000, Windows XP, Windows Server 2003, and Windows Server 2008. For Windows 2000 users, if you’ve downloaded and installed this already, you need to install it again to be completely updated.

As I always say, no matter what the severity rating from Microsoft you should download and install all the updates needed for your system.

For more detailed information, take a look at the Microsoft blog about these updates.