October Microsoft Patch Tuesday Roundup

Blog Post created by rapid7-admin on Oct 13, 2009

Originally Posted by Sheldon Malm



Time for this month's summary of the latest Microsoft Security updates … 

13 advisories, with 34 vulnerabilities covered. Here’s the breakdown: 

MS09-050: Rated Critical. Potential Remote Code Execution and Denial of Service in SMBv2, covering 3 vulnerabilities: CVE-2009-2526 (Infinite Loop DoS), CVE-2009-2532 (Command Value Remote Code Exec), and CVE-2009-3103 (Negotiation Remote Code Exec). Important to note that this one was listed as a DoS on NVD while Metasploit and others were insisting that it was Remote Code Execution. Turns out the folks at Metasploit were right. 

MS09-051: Rated Critical. Potential Remote Code Execution in Media Runtime, covering 2 vulnerabilities: CVE-2009-0555 (Voice Sample Rate), and CVE-2009-2525 (Heap Corruption). The Windows Media Audio Voice components in DirectShow and Voice Decoder on Vista/Server 2008 are affected. If you're running DirectShow, Vista, or Server 2008 to any reasonable degree, get them patched ... this one was active before today. If you're not running these technologies to a large degree in your environment, this can take a bit of a back seat on such a busy month. 

MS09-052: Rated Critical. Potential Remote Code Execution in Windows Media Player 6.4 (affecting Windows 2000/XP/Server 2003 only), covering 1 vulnerability: CVE-2009-2527. I don't see this being at the top of sysadmins' priority lists this month.

MS09-053: Rated Important. Potential Remote Code Execution and Denial of Service in FTP Service for IIS, covering 2 vulnerabilities: CVE-2009-2521 (DoS), and CVE-2009-3023 (RCE and DoS). Important to note that there is only potential for Remote Code Execution on IIS 5.0 with FTP Service 5.0; all other combinations are cited as DoS only. 

MS09-054: Rated Critical. Potential Remote Code Execution; Cumulative update for IE, covering 4 vulnerabilities: CVE-2009-1547 (data stream header corruption), CVE-2009-2529 (HTML component handling), CVE-2009-2530 (uninitialized memory corruption), and CVE-2009-2531 (also uninitialized memory corruption). Important to note that this is a cumulative IE update, meaning that it replaces MS09-034, and odds are it will be replaced within the next 2 months.

MS09-055: Rated Critical. Potential Remote Code Execution addressed with a Cumulative Security Update of ActiveX Kill Bits, covering 1 vulnerability: CVE-2009-2493. This one is only moderately interesting because the ActiveX controls were compiled using the vulnerable ATL. 

MS09-056: Rated Important. Potential Spoofing in Windows CryptoAPI, covering 2 vulnerabilities: CVE-2009-2510 (Null Truncation in X.509 Common Name), and CVE-2009-2511 (Integer Overflow in X.509 Object Identifiers). The null truncation vulnerability is the one that was discussed by Moxie Marlinspike and Dan Kaminsky this summer at Black Hat and DEF CON. It's a big deal and worthy of attention, but again not at the top of the list straight away on a month like this.
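The null truncation in MS09-056 is easiest to understand in code. The following is an added example, not part of the original post or of any Microsoft code: a DER-style string carries an explicit length and may contain a NUL byte, so a C-string comparison stops early while a length-aware check sees the whole value. The function names and the sample CN values are constructed for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* A subject CN as it arrives from DER: an explicit length, and bytes that
 * may contain anything, including a NUL. */
typedef struct {
    const unsigned char *data;
    size_t len;
} asn1_string;

/* Vulnerable pattern: the DER string is handed to a C-string routine, which
 * stops at the first NUL, so everything after it is silently ignored. */
bool cn_matches_cstr(const asn1_string *cn, const char *host)
{
    return strcmp((const char *)cn->data, host) == 0;
}

/* Hardened pattern: refuse any CN with an embedded NUL, then compare the
 * full DER length and content against the expected hostname. */
bool cn_matches_len(const asn1_string *cn, const char *host)
{
    size_t hostlen = strlen(host);
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return false;
    return cn->len == hostlen && memcmp(cn->data, host, hostlen) == 0;
}

/* Constructed sample values for the demonstration (not from any real cert). */
static const unsigned char kGoodCn[] = "www.bank.example";
static const unsigned char kNulCn[]  = "www.bank.example\0.attacker.example";

const asn1_string good_cn = { kGoodCn, sizeof(kGoodCn) - 1 };
const asn1_string nul_cn  = { kNulCn,  sizeof(kNulCn) - 1 };

int main(void)
{
    const char *host = "www.bank.example";
    printf("good CN: strcmp=%d length-aware=%d\n",
           cn_matches_cstr(&good_cn, host), cn_matches_len(&good_cn, host));
    printf("NUL CN:  strcmp=%d length-aware=%d\n",
           cn_matches_cstr(&nul_cn, host), cn_matches_len(&nul_cn, host));
    return 0;
}
```

The second line of output is the bug: the C-string check accepts the NUL-bearing CN as the expected host, while the length-aware check rejects it.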

MS09-057: Rated Important. Potential Remote Code Execution in Indexing Service, covering 1 vulnerability: CVE-2009-2507 (Memory corruption). This is another ActiveX related issue and affects Windows 2000, XP, and Server 2003. Vista, Server 2008, and Windows7 are not affected. 

MS09-058: Rated Important. Potential Elevation of Privilege in Windows kernel, covering 3 vulnerabilities: CVE-2009-2515 (Integer Underflow), CVE-2009-2516 (NULL Pointer Dereference), and CVE-2009-2517 (Exception Handler). An Elevation of Privilege vulnerability is not going to get a lot of attention this month, but the NULL Pointer Dereference issue is broad enough to get this on your test and patch schedule.

MS09-059: Rated Important. Potential Denial of Service in LSASS on just about every Windows Operating System released in the last 8 years, covering 1 vulnerability: CVE-2009-2524 (Integer Overflow). Improper handling of malformed NTLM authentication request packets could crash the LSASS service and force a restart.

MS09-060: Rated Critical. Potential Remote Code Execution and Information Disclosure in Outlook and Visio, covering 3 vulnerabilities: CVE-2009-0901 (ATL Uninitialized Object), CVE-2009-2493 (ATL COM Initialization), and CVE-2009-2495 (ATL Null String). This one continues the ATL saga and it is interesting to watch from the outside as Microsoft chews through their own code, compiled on vulnerable libraries. There will be more of these ... ATL is not finished yet. 

MS09-061: Rated Critical. Potential Remote Code Execution in .NET CLR, covering 3 vulnerabilities: CVE-2009-0090 (Pointer Verification), CVE-2009-0091 (Type Verification), and CVE-2009-2497 (CLR). Silverlight 2 is also affected; .NET framework 3.0 and higher and Silverlight 3 are not affected. 

MS09-062: Rated Critical. Potential Remote Code Execution on just about everything Microsoft has ever shipped. Seriously, it would be easier to list technologies that this doesn't affect. 8 vulnerabilities covered with this monster, mostly with GDI+: CVE-2009-2500 (WMF Integer Overflow), CVE-2009-2501 (PNG Heap Overflow), CVE-2009-2502 (TIFF Buffer Overflow), CVE-2009-2503 (TIFF Memory Corruption), CVE-2009-2504 (.NET API), CVE-2009-3126 (PNG Integer Overflow), CVE-2009-2528 (Memory Corruption), and CVE-2009-2518 (Office BMP Integer Overflow). 

The breadth of this one looks more like a Service Pack than a Security Update, affecting everything from Windows versions, Office components, Visual Studio, and Forefront Client Security, to MS SQL Server. Start with Server Operating Systems including Domain Controllers, Internet-facing systems, and SQL Server boxes - then work your way down the list. 

This one will take weeks or even months to test and deploy in larger environments, so prioritizing by most critical assets within this update will be key to reducing risk as quickly and effectively as possible. 

As always, Happy patching!!