Microsoft Dec 2009 updates

This is the month that I declare Microsoft is “insane.”
They have released a number of patches that are clearly security patches but labeled them as “non-security patches.” What galls me about this is that many administrators have group policies or WSUS approval rules in place to automatically push out critical security patches; patches that are improperly labeled as “non-security” fall through the cracks, leaving systems vulnerable longer than intended.
In addition, it looks like they’ve unofficially declared the fourth Tuesday of each month to be a secondary Patch Tuesday. They are consistently releasing non-security patches and updates then as well. A few months ago, this made sense, because Windows 7 and Windows Server 2008 R2 had just dropped, and a bunch of minor issues were being found and fixed as quickly as possible. But now there is no excuse for it; things like a Daylight Saving Time patch can and should wait until Patch Tuesday. I tend to stick up for Microsoft, but in this case there is no excuse, and this situation needs to be changed immediately.


Security Patches

  • MS09-069/KB974392 - Important (XP, 2000, 2003): This patch resolves a DoS (Denial of Service) vulnerability in Windows’ Local Security Authority Subsystem Service (LSASS). This patch is not super critical but you should definitely install it on your next patch cycle. 600KB - 1.3MB
  • MS09-070/KB971726 - Important (2003, 2008): There is a hole in ADFS (Active Directory Federation Services) which could allow a remote code execution exploit. Luckily, the attacker already needs to be authenticated to trigger the exploit. Microsoft calls this “important” but I call it “critical”. 450KB - 1MB
  • MS09-071/KB974318 - Moderate (XP)/Important (Vista, 2000, 2003)/Critical (2008): Problems with PEAP authentication in Windows can lead to remote code execution vulnerabilities when working with MS-CHAP v2 authentication. You’ll want to get this fixed immediately on your servers. 275KB - 1.2MB
  • MS09-072/KB976325 - Moderate to Critical (IE5, IE6, IE7, IE8): This patch resolves five problems in Internet Explorer which can result in remote code execution exploits, some via “specially crafted Web pages” and some through ActiveX. The criticality matrix on this patch is crazy. Let’s just call it “critical” for all versions of IE and Windows, install it immediately, and move on. 3MB - 48.7MB
  • MS09-073/KB975539 - Important (2000, XP, 2003, Office XP, Office 2003, Works 8.5, Office Converter Pack): Issues in WordPad and some versions of Office allow an attacker to perform remote code execution exploits with a specially crafted Word 97 file. The attacker would get the same privileges as the user. Microsoft doesn’t consider this a top level issue, but given the prevalence of Office files and user behavior around them, I suggest that you install the patch as soon as you can. 855KB - 2.6MB
  • MS09-074/KB967183 - Important (Project 2002, Project 2003)/Critical (Project 2000): This is another “specially crafted files can lead to remote code execution” patch, this time for Microsoft Project. You will want to install this immediately as well.
  • KB954157 and KB976138: A problem in the Indeo codec in 2000, XP, and 2003 can allow an attacker with a specially crafted media file to perform a remote code execution attack. Somehow, Microsoft has not released a security bulletin for this issue and they are not labeling it as a security update in the system! It doesn’t matter what Microsoft chooses to call this, it is a critical security patch. 689KB - 1.6MB

Other Updates

  • KB970430, KB971737, and KB973917: This trio of patches hardens authentication in HTTP and IIS on XP, Vista, 2003, and 2008. 530KB - 4.0MB
  • “The Usual Suspects”: Updates to the Malicious Software Removal Tool (9.4 - 9.7MB) and Junk Email filters (2.2MB).
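Because classification-based auto-approval is exactly what lets a mislabeled fix slip past, here is an added WSUS audit script (not from the original post) that looks up this month's KBs by article number rather than by classification, reports which ones are not classified as “Security Updates,” and can optionally approve them. It assumes the WSUS administration assembly is installed, and the server name, port and target group name are placeholders.

```powershell
# Added example: audit a WSUS server for the December 2009 fixes listed above,
# matching on KB number so the classification Microsoft chose does not matter.
# Assumptions: run where the WSUS console/API is installed; the server name,
# port and target group below are placeholders to adjust for your environment.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

$wsusServer   = 'wsus.example.local'   # placeholder
$wsusPort     = 8530                   # default non-SSL WSUS port
$targetGroup  = 'All Computers'        # placeholder target group
$approveFixes = $false                 # set to $true to approve what is missing

# KB numbers from this month's roundup that should be treated as security fixes
# regardless of how they are classified (WSUS stores them without the "KB" prefix).
$watchList = @(
    '974392','971726','974318','976325','975539','967183',   # MS09-069 .. MS09-074
    '954157','976138',                                       # Indeo codec, no bulletin
    '970430','971737','973917'                               # HTTP/IIS authentication
)

$wsus  = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($wsusServer, $false, $wsusPort)
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $targetGroup }

$report = foreach ($u in $wsus.GetUpdates()) {
    $hit = @($u.KnowledgebaseArticles) | Where-Object { $watchList -contains $_ }
    if (-not $hit) { continue }
    [pscustomobject]@{
        KB             = ($hit -join ',')
        Title          = $u.Title
        Classification = $u.UpdateClassificationTitle
        Bulletin       = (@($u.SecurityBulletins) -join ',')
        Approved       = $u.IsApproved
        # The gap the post complains about: a fix on the watch list that a
        # "Security Updates"-only auto-approval rule would never pick up.
        SlipsAutoApprove = ($u.UpdateClassificationTitle -ne 'Security Updates')
    }
    if ($approveFixes -and -not $u.IsApproved -and $group) {
        $u.Approve([Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install, $group) | Out-Null
    }
}

# Mislabeled items first, so they are the first thing an administrator sees.
$report | Sort-Object SlipsAutoApprove -Descending | Format-Table -AutoSize
```

Rows where SlipsAutoApprove is True and Approved is False are the ones a classification-only rule has left unpatched; GetUpdates() walks the whole catalog, so expect the run to take a while on a large server.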

Updates since the last Patch Tuesday

We did not have any security patches released out of band since the last Patch Tuesday.
There have been a number of minor items added since the last Patch Tuesday:
Changed, but not significantly:
