Wednesday, 15 July 2009

Patch Tuesday: Microsoft Security Update for July

This is a moderate update from Microsoft for the July Microsoft Patch Tuesday Security release. This month includes six patches, three rated Critical, and three rated as Important.

After loading the ChangeBASE AOK application testing portfolio into an AOK Patch Impact database, all six patches were tested for application level issues and, in addition, for application dependencies. For this month, all six Microsoft Security Updates (MS09-028 to MS09-033) raised very few or no application level or dependency level issues with the AOK Application Test portfolio. Thus, these six patches were rated as Green.

Given the very low number of issues for these six security updates, the ChangeBASE AOK team recommends that all these patches be rapidly deployed to a staging environment and then subsequently into production.

The ChangeBASE AOK team recommends that, with all changes to an environment, basic UAT testing be performed on all business critical applications. However, for the six July Microsoft Security updates marked as Green, only marginal build level testing should be required.

Here is a sample report extract from one of the few applications in the AOK ChangeBASE Application Test Portfolio that raised a number of dependency level issues with the MS09-032 Security Update.


Testing Summary
  • MS09-028: Marginal Impact (both Package level and dependencies) detected across portfolio
  • MS09-029: Marginal Impact (both Package level and dependencies) detected across portfolio
  • MS09-030: Marginal Impact (both Package level and dependencies) detected across portfolio
  • MS09-031: Marginal Impact (both Package level and dependencies) detected across portfolio
  • MS09-032: Marginal Impact (both Package level and dependencies) detected across portfolio
  • MS09-033: Marginal Impact (both Package level and dependencies) detected across portfolio


Patch Name                            Total Issues  Matches Affected  Reboot  Rating     RAG
Microsoft Security Bulletin MS09-028  0             <1%               YES     Critical   Critical
Microsoft Security Bulletin MS09-029  3             <1%               YES     Critical   Critical
Microsoft Security Bulletin MS09-030  2             <1%               YES     Critical   Critical
Microsoft Security Bulletin MS09-031  0             <1%               YES     Important  Important
Microsoft Security Bulletin MS09-032  16            <1%               YES     Important  Important
Microsoft Security Bulletin MS09-033  0             <1%               YES     Important  Important


Legend:
No Issue: No Issues Detected
Fixable: Potentially fixable application Impact
Serious: Serious Compatibility Issue


Security Update Detailed Summary
MS09-028 Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution (971633)
Description This security update resolves one publicly disclosed vulnerability and two privately reported vulnerabilities in Microsoft DirectShow. The vulnerabilities could allow remote code execution if a user opened a specially crafted QuickTime media file. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload Quartz.dll
Impact Critical

MS09-029 Vulnerabilities in the Embedded OpenType Font Engine Could Allow Remote Code Execution (961371)
Description This security update resolves seven privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The more severe of the vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload Fontsub.dll, T2embed.dll
Impact Critical

MS09-030 Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (969516)
Description This security update resolves a privately reported vulnerability in Microsoft Office Publisher that could allow remote code execution if a user opens a specially crafted Publisher file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload Morph9.dll, Mspub.exe, Prtf9.dll, Ptxt9.dll, Pubconv.dll, Pubtrap.dll
Impact Critical

MS09-031 Vulnerability in Microsoft ISA Server 2006 Could Cause Elevation of Privilege (970953)
Description This security update resolves a privately reported vulnerability in Microsoft Internet Security and Acceleration (ISA) Server 2006. The vulnerability could allow elevation of privilege if an attacker successfully impersonates an administrative user account for an ISA server that is configured for Radius One Time Password (OTP) authentication and authentication delegation with Kerberos Constrained Delegation.
Payload Authdflt.dll, Comphp.dll, Complp.dll, Cookieauthfilter.dll, Diffserv.dll, Fweng.sys, Httpfilter.dll, Linktranslation.dll, Msfpc.dll, Msfpccom.dll, Msfpcsnp.dll, Msfpcui.dll, Mspadmin.exe, Ratlib.dll, Socksflt.dll, W3filter.dll, W3prefch.exe, Wploadbalancer.dll, Wspsrv.exe.
Impact Important

MS09-032 Cumulative Security Update of ActiveX Kill Bits (973346)
Description This security update resolves a privately reported vulnerability in Microsoft Video ActiveX Control. The vulnerability could allow remote code execution if a user views a specially crafted Web page using Internet Explorer that uses the ActiveX control. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload No binary files included. Only CLSID kill bits for specific COM objects.
Impact Important
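Because MS09-032 ships no binaries and only sets kill bits, the post-deployment check is whether the expected CLSIDs now carry the kill bit. The following Python script is an added example (not from the original post or ChangeBASE) that reads a `reg export` of the ActiveX Compatibility key and reports which CLSIDs are actually killed; the registry path and the 0x400 flag are the documented Windows location for kill bits, not something quoted on the page, and the CLSIDs and export text are constructed samples rather than the bulletin's real CLSIDs.

```python
import re

KILLBIT = 0x400  # "Compatibility Flags" bit that stops IE from loading the control
# Key that reg export / regedit write kill bits under (documented Windows location,
# assumed here; not quoted on the page).
KEY_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Constructed .reg export. The CLSIDs are placeholders, not the MS09-032 ones.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-1111-2222-3333-444444444444}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{12345678-1234-1234-1234-123456789ABC}]
"Compatibility Flags"=dword:00000401
"""

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})\s*$')


def parse_compat_flags(reg_text):
    """Map CLSID -> Compatibility Flags for every key under ActiveX Compatibility."""
    flags = {}
    current = None
    for line in reg_text.splitlines():
        key = KEY_RE.match(line)
        if key:
            path = key.group(1)
            current = None
            if path.upper().startswith(KEY_PREFIX.upper() + "\\"):
                current = path.rsplit("\\", 1)[1].upper()
            continue
        value = FLAGS_RE.match(line)
        if value and current:
            flags[current] = int(value.group(1), 16)
    return flags


def killbit_set(flags_value):
    """True when the 0x400 kill bit is set (other flag bits may also be present)."""
    return bool(flags_value & KILLBIT)


def audit_killbits(reg_text, expected_clsids):
    """Split the CLSIDs the update should have killed into (set, missing)."""
    flags = parse_compat_flags(reg_text)
    present, missing = [], []
    for clsid in expected_clsids:
        c = clsid.upper()
        if c in flags and killbit_set(flags[c]):
            present.append(c)
        else:
            missing.append(c)  # absent key or flags without 0x400 both count as missing
    return present, missing


if __name__ == "__main__":
    expected = ["{00000000-1111-2222-3333-444444444444}",
                "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}",
                "{12345678-1234-1234-1234-123456789ABC}",
                "{FFFFFFFF-0000-0000-0000-000000000000}"]
    present, missing = audit_killbits(SAMPLE_REG, expected)
    print("kill bit set:    ", present)
    print("kill bit missing:", missing)
```

On a real machine, feed the output of `reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" out.reg` (decoded from UTF-16) and the CLSID list from the bulletin's knowledge base article.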

MS09-033 Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of Privilege (969856)
Description This security update resolves a privately reported vulnerability in Microsoft Virtual PC and Microsoft Virtual Server. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected guest operating system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Payload VMM.sys
Impact Important

c. 800 applications were tested against these patches using the ChangeBASE ACL (Application Compatibility Lab).

Monday, 13 July 2009

Microsoft Application Compatibility List - Updated

OK, another short post today, but at least I point out that the ChangeBase team will be delivering the Patch Impact Assessment for July tomorrow - so, watch this space.


I wanted to mention that Microsoft has updated its spreadsheet list of applications that either have known compatibility issues, are supported, or have free/paid upgrade options.

The list contains information on 8785 applications, which have been allocated into the following Windows Vista specific compatibility categories:


  • “Certified for/Works With Windows Vista” means that the application has earned the “Certified for Windows Vista”
  • “Compatible” means that the application has been reported by the application manufacturer as compatible with, or supported on, Windows Vista.
  • “Not Compatible” means the application has been reported by the application manufacturer as not compatible with, or supported on, Windows Vista.
  • “Free Update Required” means the application has been reported by the application manufacturer as needing a free upgrade from the application manufacturer to ensure that a product is compatible with, or supported on, Windows Vista.
  • “Paid Update Required” means the application has been reported by the application manufacturer as needing a fee-based upgrade from the application manufacturer to ensure that a product is compatible with, or supported on, Windows Vista.
  • “Unknown” means that no information is available from the application manufacturer about whether the product is compatible with, or supported on, Windows Vista.


After creating a quick and dirty Excel pivot table, I was able to generate the following summary results:


32-bit Windows Vista Compatibility Status    Total
Certified for Windows Vista                    656
Compatible                                    5699
Free Update Required                           177
Not Compatible                                 564
Paid Update Required                           312
Works with Windows Vista                      1377
Grand Total                                   8785


There is also mention of 32-bit and 64-bit support. At present, there do not seem to be any references to Windows 7 or Server 2008 R2. As this XLS list is updated monthly, we should see a Windows 7 update when Windows 7 hits RTM later this month.

Just a side note though, the number of "certified for Windows Vista" applications is incredibly small - especially after years of Vista's production release.


The Microsoft Application Compatibility List can be found here:


http://www.microsoft.com/downloads/details.aspx?familyid=9DF23606-7276-4CE2-8993-143E101DDBCD&displaylang=en


And further references on application compatibility and the Windows Logo Program can be found here:


Windows Vista Compatibility Center: http://www.microsoft.com/windows/compatibility

Windows Vista Logo'd Product List for Hardware: http://winqual.microsoft.com/hcl/Default.aspx

Certified for Windows Vista Software List: https://winqual.microsoft.com/member/softwarelogo/certifiedlist.aspx

Works with Windows Vista Software List: https://winqual.microsoft.com/member/softwarelogo/workswithlist.aspx

Windows Vista TechCenter: http://technet.microsoft.com/en-us/windows/aa904820.aspx

Wednesday, 8 July 2009

Microsoft Asset and Planning Solution Accelerator

Well it has been a little while now since I have updated my blog. Apologies for that - the momentum of work has really pushed me away from the regular updates that I would like to deliver.

There are a number of new tools that I have been "playing" with over the past few weeks. One of the more interesting updates to the Microsoft Application compatibility tool-sets is the Microsoft Asset and Planning (MAP) Solution Accelerator.

Microsoft Solution Accelerators are generally a collection of tools and documentation that attempts to address a particular issue, such as migration to a new platform, Office compatibility or, in the case of the MAP tool-set, determining which hardware is suitable for Windows 7. Other Microsoft Solution Accelerators that come to mind include:


  • Business Desktop Deployment (the infamous BDD)
  • Microsoft Assessment and Planning Toolkit 3.2
  • Microsoft Deployment Toolkit 2008
  • Windows Vista Security Compliance Management Toolkit
  • 2007 Microsoft Office Security Compliance Management Toolkit
  • Data Encryption Toolkit for Mobile PCs
  • Security Compliance Management Toolkit series


The complete list of Solution Accelerators can be found here: http://technet.microsoft.com/en-us/solutionaccelerators/default.aspx

The Microsoft Asset and Planning tool-kit contains a huge amount of desktop deployment documentation and, once installed (it requires SQL Express), is able to automatically (and agentlessly) scan your network for computer hardware information. This information is then compiled into some great reports. In addition, there are some really good proposal templates ("starters for 10") that should get you going in your effort to determine which machines (servers, desktops and virtual machines) are ready for Vista/W7 and what particular deficiencies or components need to be updated or upgraded.

The link to the MAP portion of the Microsoft Connect site can be found here.

https://connect.microsoft.com/Downloads/DownloadDetails.aspx?SiteID=297&DownloadID=18223


Wednesday, 15 April 2009

Patch Tuesday - April 14th

As I do now every month, I post up the Patch Impact Report for Microsoft's Patch Tuesday.

This month includes 8 patches, two rated Important, one moderate and the others are rated as Critical. These patches affect all operating systems from Windows 2000, XP through to VISTA and Windows 7 beta and system administrators should be aware that they will require all servers and desktops running these operating systems to be rebooted. Six of the eight patches explicitly state that a reboot is required, however the nature of the changes being made by the other two patches make it highly likely that these will also require a reboot although this is not explicitly stated in the documentation.

After loading the ChangeBase AOK application testing portfolio into a Patch Impact database, all eight patches were tested for application level issues and, in addition, for application dependencies. Only one update (MS09-014) raised a significant number of issues, across a small number of applications in the ChangeBase Patch Testing Application portfolio.

Here is a sample report extract from one of the few applications in the AOK ChangeBase Application Test Portfolio that raised a dependency level issue with the MS09-014 Update.


Testing Summary
  • MS09-009: Marginal Impact (both Package level and dependencies) detected across portfolio
  • MS09-010: Marginal Impact (both Package level and dependencies) detected across portfolio
  • MS09-011: Marginal Impact (both Package level and dependencies) detected across portfolio
  • MS09-012: Marginal Impact (both Package level and dependencies) detected across portfolio
  • MS09-013: Marginal Impact (both Package level and dependencies) detected across portfolio
  • MS09-014: Moderate Impact (both Package level and dependencies) detected across portfolio
  • MS09-015: Marginal Impact (both Package level and dependencies) detected across portfolio
  • MS09-016: Marginal Impact (both Package level and dependencies) detected across portfolio


Patch Name                            Total Issues  Matches Affected  Reboot  Rating     RAG
Microsoft Security Bulletin MS09-009  <1%           <1%               YES     Critical   Critical
Microsoft Security Bulletin MS09-010  8             <1%               YES     Critical   Critical
Microsoft Security Bulletin MS09-011  <1%           <1%                       Critical   Critical
Microsoft Security Bulletin MS09-012  <1%           <1%               YES     Critical   Critical
Microsoft Security Bulletin MS09-013  <1%           <1%                       Critical   Critical
Microsoft Security Bulletin MS09-014  96            6%                YES     Important  Important
Microsoft Security Bulletin MS09-015  <1%           <1%               YES     Important  Important
Microsoft Security Bulletin MS09-016  <1%           <1%               YES     Moderate   Moderate


Legend:
No Issue: No Issues Detected
Fixable: Potentially fixable application Impact
Serious: Serious Compatibility Issue


Security Update Detailed Summary
MS09-009 Vulnerabilities in Microsoft Office Excel Could Cause Remote Code Execution (968557)
Description This security update resolves a privately reported and a publicly disclosed vulnerability. The vulnerabilities could allow remote code execution if the user opens a specially crafted Excel file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload Excel.exe
Impact Remote Code Execution

MS09-010 Vulnerabilities in WordPad and Office Text Converters Could Allow Remote Code Execution (960477)
Description This security update resolves two publicly disclosed vulnerabilities and two privately reported vulnerabilities in Microsoft WordPad and Microsoft Office text converters. The vulnerabilities could allow remote code execution if a specially crafted file is opened in WordPad or Microsoft Office Word. Do not open Microsoft Office, RTF, Write, or WordPerfect files from untrusted sources using affected versions of WordPad or Microsoft Office Word.
Payload Html32.cnv, Msconv97.dll, Mswrd632.cnv, Mswrd832.cnv, Wpft532.cnv, Wpft632.cnv
Impact Spoofing

MS09-011 Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (961373)
Description This security update resolves a privately reported vulnerability in Microsoft DirectX. The vulnerability could allow remote code execution if a user opened a specially crafted MJPEG file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload Quartz.dll
Impact Remote Code Execution

MS09-012 Vulnerabilities in Windows Could Allow Elevation of Privilege (959454)
Description This security update resolves four publicly disclosed vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker is allowed to log on to the system and then run a specially crafted application. The attacker must be able to run code on the local machine in order to exploit this vulnerability. An attacker who successfully exploited any of these vulnerabilities could take complete control over the affected system.
Payload Dtcsetup.exe, Msdtclog.dll, Msdtcprx.dll, Msdtctm.dll, Msdtcui.dll, Mtxclu.dll, Mtxoci.dll, Sp3res.dll, Xolehlp.dll
Impact Elevation of Privilege

MS09-013 Vulnerabilities in Windows HTTP Services Could Allow Remote Code Execution (960803)
Description This security update resolves one publicly disclosed vulnerability and two privately reported vulnerabilities in Microsoft Windows HTTP Services (WinHTTP). The most severe vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload Winhttp.dll
Impact Remote Code Execution

MS09-014 Cumulative Security Update for Internet Explorer (963027)
Description This security update resolves four privately reported vulnerabilities and two publicly disclosed vulnerabilities in Internet Explorer. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer or if a user connects to an attacker's server by way of the HTTP protocol. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload Browseui.dll, Danim.dll, Dxtmsft.dll, Iecustom.dll, Iepeers.dll, Inseng.dll, Jsproxy.dll, Mshtml.dll, Msrating.dll, Pngfilt.dll, Shdocvw.dll, Shlwapi.dll, Url.dll, Urlmon.dll, Wininet.dll, Iecustom.dll
Impact Remote Code Execution

MS09-015 Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege (959426)
Description This security update resolves a publicly disclosed vulnerability in the Windows SearchPath function that could allow elevation of privilege if a user downloaded a specially crafted file to a specific location, then opened an application that could load the file under certain circumstances.
Payload Secur32.dll
Impact Elevation of Privilege

MS09-016 Vulnerabilities in Microsoft ISA Server and Forefront Threat Management Gateway (Medium Business Edition) Could Cause Denial of Service (961759)
Description This security update resolves a privately reported vulnerability and a publicly disclosed vulnerability in Microsoft Internet Security and Acceleration (ISA) Server and Microsoft Forefront Threat Management Gateway (TMG), Medium Business Edition (MBE). These vulnerabilities could allow denial of service if an attacker sends specially crafted network packets to the affected system, or information disclosure if a user clicks on a malicious URL or visits a Web site that contains content controlled by the attacker.
Payload Cookieauthfilter.dll, Msphlpr.dll, Wspsrv.exe, Fweng.sys, Fweng64.sys, Fweng64100.sys, Msfpcpatch.dll
Impact Elevation of Privilege

Thursday, 9 April 2009

Windows 7 - Touching up your legacy apps

It has been quite a while since my last blog posting. I have been travelling pretty extensively over the past few weeks, and one of the challenges (apart from running from flight to flight) of working abroad and on a client site, is that there is generally little time for "background" tasks like blogging.

That said, I am having a great time working with our clients, and it looks like we have found a few more legacy application compatibility issues with Windows 7.

Windows 7 now includes "Touch" support, which, on top of "Sensor" support (movement, location, temperature), I think will be the "killer apps" for Windows 7. I have been told by the senior powers that be at Microsoft that Windows 7 does not have killer apps. "We have pillars that people, developers in our ecosystem, build upon to create killer apps", I am told. "Fine", I replied, "then Touch and Sensor support are killer pillars". I quite like the sound of that: Killer Pillars.

Back to the application compatibility issues.

Touch under Windows 7 crashes legacy VB applications that use the old versions (5 and 6) of the COMCTL controls (Mscomctl.ocx or Comctl32.ocx). If your application has a dependency on these controls, it will crash with a wonderful "divide by zero error".

The two problem scenarios outlined by Microsoft include:

  • You are running an application that sets a WinEvent hook on Microsoft Windows 2000 or a later operating system version.
  • You start an application that uses the ListView control or the TreeView control from Microsoft Windows Common Controls 5.0.


For more information, please refer to the Microsoft support link: http://support.microsoft.com/kb/896559

The fix for this issue is clear: you must scan all of your application packages and get rid of those legacy versions of these controls. This "cleaning" process must include removing all other configuration settings (registry and COM information) for the controls from the offending package. In addition, you will need to validate your application for dependencies on these List and Drop-down controls.
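The scan-and-clean step above, as an added Python example (not from the original post or ChangeBASE): it walks package manifests shaped like MSI File and Registry table rows, flags any package that ships Comctl32.ocx or Mscomctl.ocx or registers them via InprocServer32 / TypeLib entries, and strips those rows. The package names, paths and CLSID/TypeLib strings are constructed sample data, not a real portfolio.

```python
import ntpath

# The two legacy VB common-control OCXs named in the post (versions 5 and 6).
LEGACY_CONTROLS = {"comctl32.ocx", "mscomctl.ocx"}
# Registry sub-keys under which a package registers a COM server or type library.
COM_REG_MARKERS = ("\\INPROCSERVER32", "TYPELIB\\")

# Constructed manifests shaped like MSI File / Registry table rows (sample data only).
PACKAGES = {
    "InvoiceApp.msi": [
        {"table": "File", "path": r"C:\Program Files\InvoiceApp\Invoice.exe"},
        {"table": "File", "path": r"C:\Windows\System32\MSCOMCTL.OCX"},
        {"table": "Registry", "key": r"CLSID\{CONSTRUCTED-CLSID-1}\InprocServer32",
         "value": r"C:\Windows\System32\MSCOMCTL.OCX"},
    ],
    "ReportViewer.msi": [
        {"table": "File", "path": r"C:\Program Files\Report\Viewer.exe"},
        {"table": "Registry", "key": r"CLSID\{CONSTRUCTED-CLSID-2}\InprocServer32",
         "value": r"C:\Windows\System32\comdlg32.ocx"},  # different control: not flagged
    ],
    "LegacyTree.msi": [
        {"table": "File", "path": r"C:\Program Files\Tree\tree.exe"},
        {"table": "Registry", "key": r"TypeLib\{CONSTRUCTED-TLB}\1.0\0\win32",
         "value": r"C:\Windows\System32\COMCTL32.OCX"},  # registered but not shipped
    ],
}


def referenced_control(text):
    """Return the legacy control name if `text` is a path to one, else None."""
    name = ntpath.basename(text).lower()
    return name if name in LEGACY_CONTROLS else None


def offending_rows(rows):
    """Yield (kind, control, row) for each row that ships or registers a legacy control."""
    for row in rows:
        if row["table"] == "File":
            ctl = referenced_control(row["path"])
            if ctl:
                yield ("file", ctl, row)
        elif row["table"] == "Registry":
            ctl = referenced_control(row.get("value", ""))
            if ctl and any(m in row["key"].upper() for m in COM_REG_MARKERS):
                yield ("com-registration", ctl, row)


def scan_portfolio(packages):
    """Map package name -> [(kind, control, path-or-key)] for packages needing work."""
    report = {}
    for name, rows in packages.items():
        hits = [(kind, ctl, row.get("path") or row.get("key"))
                for kind, ctl, row in offending_rows(rows)]
        if hits:
            report[name] = hits
    return report


def clean_package(rows):
    """Return (kept, removed): the manifest with the OCX and its COM registration stripped."""
    bad = {id(row) for _, _, row in offending_rows(rows)}
    kept = [r for r in rows if id(r) not in bad]
    removed = [r for r in rows if id(r) in bad]
    return kept, removed


if __name__ == "__main__":
    for name, hits in scan_portfolio(PACKAGES).items():
        print(name, hits)
```

A package that only registers the control (LegacyTree.msi) still needs the registry rows removed, since the dependency will be resolved against a system copy at run time.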