TechRepublic : A ZDNet Tech Community

Microsoft Windows

Host: Mark Kaelin

One of the bigger items in this month’s Microsoft patch release is that Vista / Server 2008 SP2 has been put into the Automatic Updates bin. There is a ton of other coverage out there for it, but you should be aware that it is now loose. One of the consistent themes this month is vulnerabilities that are “critical” in the 2000 version of a product but are ranked much lower for more recent versions. In addition, there is an unusual number of elevation of privilege items; I’m used to these being mostly remote code execution!

Security patches

  • MS09-018 / KB971055 - Critical (2000 Server) / Important (2003; XP Professional and 2003 with ADAM): This patch covers two vulnerabilities in Active Directory (KB969805) and Active Directory Application Mode, aka ADAM (KB970437), both reachable through LDAP requests to the directory service. On Windows 2000 Server, the first vulnerability allows remote code execution, letting an attacker take over the domain controller (thus the “critical” rating); on 2003 it is “merely” a denial of service (DoS). On Windows 2003 and XP Professional with ADAM installed, the second vulnerability also allows DoS. Since your directory’s LDAP ports should not be reachable from the outside world (and ADAM on XP certainly should not be), this is not a “must-have” patch yet, except for Windows 2000 Server domain controllers. Bear in mind that “not exposed to the Internet” is not the same as “not exposed”: any machine on the internal network, including a compromised workstation, can send LDAP requests to a DC.
  • MS09-019 / KB969897 - Critical (XP, Vista, IE 5 on 2000) / Important (IE 6 on 2000) / Moderate (2003, 2008): This is a monster-sized cumulative update for Internet Explorer (including IE 7 and 8). It covers a whopping seven privately disclosed vulnerabilities and one publicly disclosed vulnerability in Internet Explorer, the most severe of which allow remote code execution if a user views a specially crafted Web page. The 2003 and 2008 machines have a lower rating because IE on those servers runs in Enhanced Security Configuration by default, which blocks most of the scripting and ActiveX these attacks rely on. This patch should be installed immediately.
  • MS09-020 / KB970483 - Important (2000, XP, 2003 with IIS 5 and 6): Two bugs in the WebDAV component of IIS 5.x and 6 allow an attacker who sends a specially crafted (Unicode-encoded) WebDAV request to bypass the authentication methods configured for a directory. Because file-system ACLs still apply, and because the attacker gains only the permissions of the anonymous IIS account, this is a fairly low-impact item for most servers. Two caveats, though: one of the two bugs was publicly disclosed, with working code, before this patch shipped, and the attack only works where WebDAV is enabled. If you run IIS with WebDAV on an Internet-facing server, either install this now or disable WebDAV until you can; otherwise, this bug is an issue, but do not drop everything to install the patch.
  • MS09-021 / KB969462 - Critical (Excel 2000) / Important (Excel XP, Excel 2003, Excel 2007, Excel 2004 for Mac, Excel 2008 for Mac, Open XML File Format Converter for Mac, Excel Viewer [all versions], Office Compatibility Pack 2007, Office SharePoint Server): An attacker who gets a user to open a malformed Excel file can execute code with that user’s privileges in every version of Excel from 2000 on up (and in the other applications that parse Excel files), including the Macintosh versions. It is rated “critical” only for Excel 2000, because later versions prompt before opening a file from an untrusted source. Given the prevalence of Excel documents, I’d recommend that you patch this one quickly.
  • MS09-022 / KB961501 - Critical (2000) / Important (Vista, 2008) / Moderate (XP, 2003): There are three privately disclosed vulnerabilities in the Windows print spooler that can allow elevation of privilege on XP, Vista, 2003, and 2008, and remote code execution on 2000, where the spooler can be attacked over the network with a crafted RPC request. Of course, your print spooler should never be reachable from the outside world, but the spooler service runs on every default install, so this is still a troubling issue.
  • MS09-023 / KB963093 - Moderate (XP, 2003): Under certain circumstances, Windows Search 4.0 may expose personal data. However, what needs to happen is that the specially crafted file must be the first result for a search query, which makes this a fairly rare event; in addition, Windows Search 4.0 is not installed by default. You will want to include this patch in your next scheduled maintenance.
  • MS09-024 / KB957632 - Critical (Office 2000) / Important (Office XP, Office 2003, Office 2007, Works 8.5, Works 9): A problem with the Microsoft Works file converter allows an attacker who gets a user to open a specially crafted Works file to execute code with that user’s privileges. This isn’t the worst bug in the world (a user running without administrative rights limits the damage), but at the same time, you should patch it at your earliest convenience.
  • MS09-025 / KB968537 - Important (XP, Vista, 2000, 2003, 2008): There are four separate holes in the Windows kernel addressed by this item, all of which allow elevation of privilege. However, the attacker needs valid logon credentials to begin with and must be logged on locally, which is why it is rated only Important. All the same, I suggest that you patch this immediately: a local elevation bug is exactly what turns a compromised low-rights account, or a browser exploit like those in MS09-019, into full control of the box.
  • MS09-026 / KB970238 - Important (XP, Vista, 2000, 2003, 2008): An issue with the RPC Marshalling Engine allows an attacker to elevate privileges. The rating on this item is lower for a few reasons: first, your RPC ports should be closed to the outside world, and second, no component that ships with Windows uses the affected part of this subsystem. Nonetheless, third-party software may use it, and you won’t necessarily know which. You should install this patch on your next regular patch day.
  • MS09-027 / KB969514 - Critical (Office 2000) / Important (Office XP, Office 2003, Office 2007, Office 2004 for Mac, Office 2008 for Mac, Open XML File Format Converter for Mac, Word Viewer, Word Viewer 2003, Office Compatibility Pack 2007): An attacker who gets a user to open a specially crafted Word file can execute code with that user’s privileges. It is “critical” on Word 2000 and “important” for all others. I suggest you install it as soon as possible, given the prevalence of Word files.
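With a list like the one above, the first question on patch day is which of these a given box is actually missing. Here is an added example, not code from the original post, that audits one or more hosts for the Windows-component bulletins listed above by KB number and then reports local exposure to the MS09-020 WebDAV bug. It assumes PowerShell 2.0 or later, admin rights on the targets and WMI reachable over the network; the computer names are placeholders, and the KB numbers are the ones listed above.

```powershell
# Added example (not code from the original post): audit one or more hosts for
# the Windows-component bulletins listed above and report which are missing,
# then check local exposure to the MS09-020 WebDAV bug. Assumes PowerShell 2.0
# or later, admin rights on the targets, and WMI reachable over the network.
# Computer names are placeholders; the KB numbers come from the list above.

param(
    [string[]]$ComputerName = @($env:COMPUTERNAME)   # e.g. -ComputerName srv01,srv02
)

# Bulletin -> KB for the items that show up as Windows hotfixes. The Office and
# Works bulletins (MS09-021 KB969462, MS09-024 KB957632, MS09-027 KB969514) are
# installed by the Office installer and never appear in Win32_QuickFixEngineering,
# so they need an Office-aware scanner such as MBSA and are not checked here.
$WindowsBulletins = @{
    'MS09-018' = 'KB971055'   # Active Directory / ADAM (servers, ADAM hosts only)
    'MS09-019' = 'KB969897'   # Internet Explorer cumulative update
    'MS09-020' = 'KB970483'   # IIS WebDAV authentication bypass (IIS hosts only)
    'MS09-022' = 'KB961501'   # Print spooler
    'MS09-023' = 'KB963093'   # Windows Search 4.0 (only where Search 4.0 is installed)
    'MS09-025' = 'KB968537'   # Windows kernel elevation of privilege
    'MS09-026' = 'KB970238'   # RPC marshalling engine
}

function Get-MissingBulletins {
    param([string]$Computer)

    # HotFixID is normally "KB971055", but IE updates on XP/2003 are recorded
    # as "KB969897-IE7" or "KB969897-IE8", so match on the KB prefix.
    $installed = Get-WmiObject -Class Win32_QuickFixEngineering `
                               -ComputerName $Computer -ErrorAction Stop |
        ForEach-Object { $_.HotFixID }

    $missing = @()
    foreach ($bulletin in ($WindowsBulletins.Keys | Sort-Object)) {
        $kb = $WindowsBulletins[$bulletin]
        if (-not ($installed | Where-Object { $_ -like "$kb*" })) {
            $missing += "$bulletin ($kb)"
        }
    }
    # "Missing" means "not recorded as installed"; for MS09-018, -020 and -023
    # confirm the component is actually present before treating it as a gap.
    return $missing
}

# MS09-020 exposure (local machine only). DisableWebDAV=1 under the W3SVC
# Parameters key is Microsoft's documented way to turn WebDAV off on IIS 5.x.
# IIS 6 controls WebDAV through the Web Service Extensions list in IIS Manager
# instead, which this key does not reflect.
function Get-WebDavState {
    if (-not (Get-Service -Name W3SVC -ErrorAction SilentlyContinue)) {
        return 'IIS not installed'
    }
    $params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters' `
                               -ErrorAction SilentlyContinue
    if ($params -and $params.DisableWebDAV -eq 1) {
        return 'WebDAV disabled (DisableWebDAV=1)'
    }
    return 'DisableWebDAV not set: IIS 5.x has WebDAV on; on IIS 6 check Web Service Extensions'
}

foreach ($computer in $ComputerName) {
    try {
        # @() keeps an empty result as an array so .Count is 0, not $null
        $missing = @(Get-MissingBulletins -Computer $computer)
        if ($missing.Count -eq 0) {
            Write-Output "$computer : all Windows-component bulletins present"
        } else {
            Write-Output "$computer : MISSING $($missing -join ', ')"
        }
    } catch {
        Write-Output "$computer : WMI query failed ($($_.Exception.Message))"
    }
}

Write-Output "$env:COMPUTERNAME : $(Get-WebDavState)"
```

Run it as `.\Audit-June2009.ps1 -ComputerName srv01,ws-finance-07` from an account with admin rights on the targets. A bulletin reported as missing on a box that does not have the component (no IIS, no ADAM, no Windows Search 4.0) is simply not applicable, which is why the applicability notes are in the comments rather than treated as errors.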

Other updates

  • KB966315: Cumulative update for the Media Center TV Pack for Windows Vista. This patch resolves a number of minor and moderate bugs.
  • KB967632: Cumulative Update for Media Center on Windows Vista: This patch addresses the same set of minor and moderate issues as KB966315 does, but in the Media Center component of Vista.
  • “The Usual Suspects”: Updates to the Malicious Software Removal Tool, ActiveX Killbits, and Junk E-mail filters.
  • Changed, but not significantly: IE 8 and the Media Center TV Pack now include this month’s cumulative updates.

Updates since the last Patch Tuesday

There have been a number of minor items since the last Patch Tuesday:

  • Root certificate updates
  • KB948465: Vista / Server 2008 SP2 released to Windows Update and Automatic Updates
  • KB963032: Corrects an issue when viewing the Windows Home Server console at resolutions lower than 1024 x 768
  • KB971180: Updates to the IE8 “Compatibility View” list
  • Changed, but not significantly:


Justin James is an employee of Levit & James, Inc. in a multi-disciplinary role that combines programming, network management, and systems administration. He has been blogging at TechRepublic since 2005.

Comments on this blog

June 2009 Patch Tuesday Mark W. Kaelin, TechRepublic Moderator | 06/09/09
It was pretty painless, tbh. mattohare@... | 06/10/09
LOL Justin James | 06/10/09
Well, if the shoe, uh container, fits... mattohare@... | 06/11/09
PowerPoint patch did not load. bremans@... | 06/11/09
Just copy PPTVIEW to dir of office rob.onstenk@... | 06/11/09
Vista SP2 philbok | 06/11/09
No obvious problems(yet)... JCitizen | 06/11/09
Language packs gave me SP2 issues Justin James | 06/12/09
Huge problem with Vista SP2 oz_ollie | 06/13/09
Mouse Driver (I Think) woodguy@... | 06/11/09
Might see about getting a new driver from your vendor.. JCitizen | 06/11/09
Outlook broke! Robbomaz | 06/11/09
Great Information The 'G-Man.' | 06/10/09
Good idea Justin James | 06/10/09
Excellent!!....(nt) JCitizen | 06/11/09
Application compatibility - only significant issue is with MS09-026 john.tate@... | 06/10/09
MS09-022 came too late, for me anyway... JCitizen | 06/11/09
screen saver issues abasi_obori@... | 06/12/09
We banned screen savers at my last organization. JCitizen | 06/12/09
What happened to the .NET framework patch? bpsull@... | 06/10/09
Not sure about that one Justin James | 06/10/09
That's what I want to know... JCitizen | 06/11/09
RE: It's Microsoft Patch Tuesday: June 2009 greg_bubba | 06/11/09
Which version? Just curious because... JCitizen | 06/11/09
RE: It's Microsoft Patch Tuesday: June 2009 dpeters@... | 06/11/09
Maybe with paid premium membership? JCitizen | 06/11/09
I can do that Mark W. Kaelin, TechRepublic Moderator | 06/11/09
One Large Update jamepie@... | 06/11/09
It is called a service pack NT The 'G-Man.' | 06/12/09
RE: It's Microsoft Patch Tuesday: June 2009 dave.cresswell@... | 06/12/09
RE: It's Microsoft Patch Tuesday: June 2009 Shoobe | 06/12/09
You can download from the KBs Justin James | 06/12/09
Don't let Microsoft off the hook... JCitizen | 06/12/09
Comodo Defense + inop after IE 8 patches! JCitizen | 06/12/09
