Originally Posted by Sheldon Malm
Sheldon here, with a quick summary of this month’s Microsoft Security updates …
6 advisories, with 9 vulnerabilities covered. Here’s the breakdown:
MS09-028: Rated Critical. Potential Remote Code Execution in Microsoft DirectShow. This one has been public for a little while and the advisory covers 3 vulnerabilities: CVE-2009-1537, CVE-2009-1538, and CVE-2009-1539. Important to note that this is focused on DirectShow’s interoperability with QuickTime.
MS09-029: Rated Critical. Potential Remote Code Execution in Embedded OpenType Font Engine, covering 2 vulnerabilities: CVE-2009-0231 (Heap Overflow) and CVE-2009-0232 (Integer Overflow). Important to note that this affects Operating Systems across the Windows spectrum, including the Windows 7 Beta.
MS09-030: Rated Important. Potential Remote Code Execution in Microsoft Office Publisher. Single vulnerability: CVE-2009-0566, affecting Microsoft Office Publisher 2007 SP1 only.
MS09-031: Rated Important. Elevation of Privilege in Microsoft ISA Server 2006. Single vulnerability: CVE-2009-1135. Important to note on this one that it only affects ISA Server when configured with Radius OTP (One Time Password). The vulnerability is essentially a bypass of OTP. Given the Security use case(s) for ISA Server, this one is extremely important in environments where Radius OTP is in use.
MS09-032: Rated Critical. This is the one that everyone has been talking about (and I’ll talk a little more about it at the end of the roundup). Cumulative Security Update of ActiveX Kill Bits. Single vulnerability: CVE-2008-0015 (yes, that’s *2008* for those who haven’t had an Internet connection for the last little while). This is certainly the highest profile update this month and should be applied as quickly as possible, given active attacks in the wild.
MS09-033: Rated Important. Elevation of Privilege in Virtual PC and Virtual Server. Single vulnerability: CVE-2009-1542. Important to note that Windows Server 2008 Hyper-V, Virtual PC and XP Mode on Windows 7, and implementations using HAV are not vulnerable.
Now for a short blurb on MS09-032 …
There has been much debate about the time it has taken for Microsoft to address this update. Several people have asked me why it took Microsoft so long to address the issue, and I keep coming back to the same conclusion: process.
The response so far has centered around the number and scope of issues that have been included in this update, reaching beyond the original issue that was disclosed to Microsoft more than a year ago. I do applaud Microsoft’s efforts to address all issues that were uncovered during their investigation and I do appreciate the diligence that goes into ensuring that customers are not impacted by a Security update. At the same time, I do not understand holding back an update for the original issue while updates were in the works for the additional problems.
Microsoft has instituted a pretty mature, repeatable process for superseding their updates, allowing them to address a particular, critical issue and then replacing that update with a more comprehensive patch. As a matter of fact, MS09-032 replaces MS08-032 – another ActiveX Kill Bit update for Microsoft Speech API. With MS09-032, history may show that Microsoft missed the opportunity to leverage its own processes. Their approach to this issue is equivalent to leaving a gaping hole in a dyke while you formulate a plan to fill a dozen other cracks. Everyone is best served by stopping the flood while investigating the drips.
I’m not one of the people targeting Microsoft for the way they handled this update, but I will be watching closely to see if they learned anything from this. With any luck, they will prioritize issues in the future and balance comprehensive coverage with responsiveness. You can do both and they already have a process to do so.
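Since MS09-032 is a kill-bit update, an administrator verifying that it took effect usually wants to confirm the kill bit for a given control rather than trust the patch-install status alone. The script below is an added example, not part of the quoted post and not Microsoft's own tooling. It reads the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} (and the Wow6432Node view on 64-bit systems), where the 0x400 bit is the kill bit. The CLSID is a placeholder; substitute the control identifiers listed in the advisory you are checking.

```powershell
# Added example (not from the original post): report whether the ActiveX
# kill bit is set for a CLSID by inspecting the "Compatibility Flags" value.
# Bit 0x400 of that DWORD is the kill bit (the flag MS kill-bit updates set).
param(
    # Placeholder CLSID; replace with a control from the advisory being verified.
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}'
)

$KillBitFlag = 0x400

# Registry views to check: native, plus the 32-bit view on 64-bit Windows.
$BasePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Test-KillBit {
    param([string]$Clsid, [string]$BasePath)
    $keyPath = Join-Path $BasePath $Clsid
    # No key at all means no compatibility flags, hence no kill bit.
    if (-not (Test-Path $keyPath)) { return $false }
    $item  = Get-ItemProperty -Path $keyPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    $flags = [int]$item.'Compatibility Flags'
    return (($flags -band $KillBitFlag) -ne 0)
}

foreach ($base in $BasePaths) {
    # The Wow6432Node view is absent on 32-bit Windows; skip it quietly.
    if (-not (Test-Path $base)) { continue }
    $set = Test-KillBit -Clsid $Clsid -BasePath $base
    '{0}\{1}' -f $base, $Clsid
    '  kill bit set: {0}' -f $set
}
```

Run it as an administrator on a patched and an unpatched host and compare the output; a control whose kill bit is reported as False on a host where the update shows as installed is worth investigating, since Internet Explorer will still instantiate it.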