December Microsoft Patch Tuesday Roundup

Last updated at Wed, 26 Jul 2017 17:07:03 GMT

Time once again for this month's summary of the latest Microsoft Security updates.  NeXpose (including the free NeXpose Community Edition) users will have coverage within 24 hours or less.  Metasploit already had a module for the IE exposure.  Here's the breakdown ... 

6 updates, with 12 vulnerabilities covered. Here's the breakdown: 

MS09-069: Rated Critical. Potential Denial of Service via ISAKMP through IPsec affecting LSASS, covering 1 vulnerability: CVE-2009-3675. Important to note that Windows 2000, XP, and 2003 are affected; newer versions of Windows are not affected. 

MS09-070: Rated Important. Potential Remote Code Execution and Elevation of Privilege in Active Directory Federation Services, covering 2 vulnerabilities: CVE-2009-2508 (Moderate; Spoofing) and CVE-2009-2509 (Important; Remote Code Execution).  Important to note that the Spoofing exposure requires the attacker to obtain a valid authentication token.  While this is a practical exposure on Internet kiosks, etc., most enterprises should have this covered under common best practices.  The Remote Code Execution exposure has a significant impact to ADFS enabled Web servers, however the attacker must have valid credentials to exploit this vulnerability. 

MS09-071: Rated Critical. Potential Remote Code Execution and Elevation of Privilege in Internet Authentication Service, covering 2 vulnerabilities: CVE-2009-2505 (Protected Extensible Authentication Protocol) and CVE-2009-3677 (Challenge Handshake Authentication Protocol version 2).  The CHAP-2 vulnerability allows Elevation of Privilege across all supported Window versions except Windows 7 and Server 2008 R2. The PEAP exposure only affects Vista and Server 2008 when configured to use PEAP with CHAP-2 authentication.  Important to note that IAS is Microsoft's version of a RADIUS proxy and server, and PEAP provides authentication for 802.1x wireless clients, so this exposure presents a real risk for client-side wireless attacks. 

MS09-072: Rated Critical.  Potential Remote Code Execution in Internet Explorer 5.01, 6, 7, and 8, covering 5 vulnerabilities: CVE-2009-2493 (ATL COM Initialization), CVE-2009-3671 (Uninitialized Memory Corruption), CVE-2009-3672 (HTML Object Memory Corruption), CVE-2009-3673 (Uninitialized Memory Corruption), and CVE-2009-3674 (Uninitialized Memory Corruption).  This one needs a little more explanation to lay out what severity ratings map to what: 

BY IE VERSION
- IE 5.01 & 6 are rated Critical on Windows 2000
- IE 6, 7, & 8 are rated Critical on XP
- IE 6 is rated Critical, IE 7 & 8 are rated Moderate on Server 2003
- IE 7 & 8 are rated Critical on Vista
- IE 7 & 8 are rated Moderate on Server 2008
- IE 8 is rated Moderate on Server 2008 R2
- IE 8 is rated Critical on Windows 7 

BY VULNERABILITY
- CVE-2009-2493:
- Critical for IE 5.01 on Windows 2000
- Critical for IE 6 on Windows 2000, XP, and 2003 

- CVE-2009-3671:
- Critical for IE 8 on XP, Vista, and Windows 7
- Moderate for IE 8 on 2003 and 2008 

- CVE-2009-3672:
- Critical for IE 6 on Windows 2000 and XP
- Critical for IE 7 on XP and Vista
- Moderate for IE 6 on 2003
- Moderate for IE 7 on 2003 and 2008 

- CVE-2009-3673:
- Critical for IE 7 on XP and Vista
- Critical for IE 8 on XP, Vista, and Windows 7
- Moderate for IE 7 on 2003 and 2008
- Moderate for IE 8 on 2003, 2008, and 2008 R2 

- CVE-2009-3674:
- Critical for IE 8 on XP, Vista, and Windows 7
- Moderate for IE 8 on 2003, 2008, and 2008 R2 

MS09-073: Rated Important.  Potential Remote Code Execution via Word 97 file conversion, affecting Windows 2000, XP, and 2003, Works 8.5/WordPad, Word 2002, Word 2003, and Office Converter Pack, covering 1 vulnerability: CVE-2009-2506.  It's fun to see WordPad implicated in a vulnerability, but this one is not at the top of the priority list for this month. 

MS09-074: Rated Important.  Potential Remote Code Execution via XXXX affecting MS Project, covering 1 vulnerability: CVE-2009-0102.  Important to note that this one is only Critical for Project 2000; rated Important for Project 2002 and 2003.  While the Impact of this vulnerability is real, the likelihood of successful, widespread attacks against Project is pretty slim (let alone successful attacks against Project 2000).  These are not typically externally facing systems and are not as widely deployed as Operating Systems, Standard Office components, etc. 

So ... patch IE, patch Internet Authentication Server, and prioritize the rest based on your environment and testing/deployment schedule. 

NeXpose Community Edition, the free version of NeXpose, will have coverage within 24 hours of the release.  NeXpose Community Edition will allow you to detect this vulnerability and, if you wish, launch Metasploit Security Testing to confirm the presence and exploitability of the exposure(s) on up to 32 hosts in your environment.  For small environments with 32 nodes or less, you can use NeXpose to provide free detection within 24 hours of Microsoft's update release. 

For larger environments, even if NeXpose is not your current Enterprise Vulnerability Management solution, we invite you to download Community Edition and run it alongside your tool on Wednesday to audit the effectiveness of your solution on up to 32 hosts. 

NeXpose Community Edition is available for immediate download at no cost here: http://www.rapid7.com/nexposecommunitydownload.jsp

We also invite you to visit the Community Portal at http://community.rapid7.com to share information with other Security Professionals following the Microsoft release. 

As always, Happy patching!!