Thursday 14 August 2008

Patch Tuesday - August 2008

ChangeBase AOK – Patch Tuesday Update
July 2008


As part of the July release of the regularly scheduled Microsoft Updates, there are currently eleven scheduled for release; six with the maximum rating of Critical and five with the maximum rating of Important.

Here is a brief summary of the patches that affect the Microsoft Windows operating system;

1) Microsoft Security Bulletin MS08-045
Description: Cumulative Security Update for Internet Explorer (953838). This security update resolves five privately reported vulnerabilities and one publicly disclosed vulnerability. All of the vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.

2) Microsoft Security Bulletin MS08-046
Description: Vulnerability in Microsoft Windows Image Colour Management System Could Allow Remote Code Execution (952954). This update resolves a privately reported vulnerability in the Microsoft Image Colour Management (ICM) system that could allow remote code execution in the context of the current user.

3) Microsoft Security Bulletin MS08-047
Description: Vulnerability in IPsec Policy Processing Could Allow Information Disclosure (953733). This update resolves a privately reported vulnerability in the way certain Windows Internet Protocol Security (IPsec) rules are applied.

4) Microsoft Security Bulletin MS08-048
Description: Vulnerability in IPsec Policy Processing Could Allow Information Disclosure (953733). This update resolves a privately reported vulnerability in the way certain Windows Internet Protocol Security (IPsec) rules are applied. This vulnerability could cause systems to ignore IPsec policies and transmit network traffic in clear text.

5) Microsoft Security Bulletin MS08-049
Description: Vulnerabilities in Event System Could Allow Remote Code Execution (950974). This update resolves two privately reported vulnerabilities in Microsoft Windows Event System that could allow remote code execution.

6) Microsoft Security Bulletin MS08-050
Description: Vulnerability in Windows Messenger Could Allow Information Disclosure (955702). This security update resolves a publicly reported vulnerability in supported versions of Windows Messenger. As a result of this vulnerability, scripting of an ActiveX control could allow information disclosure in the context of the logged-on user.

Note: These are not all of the patches that have been released by Microsoft today as the following only apply to Microsoft Office products;

• Microsoft Security Bulletin MS08-042
• Microsoft Security Bulletin MS08-041
• Microsoft Security Bulletin MS08-043
• Microsoft Security Bulletin MS08-051
• Microsoft Security Bulletin MS08-044

Using the ChangeBase AOK Workbench to analyse each of these patches against a sample of approximately 700 unique application packages with the intention of providing some insight into the following questions;

What patches when released are likely to cause my applications to fail?
What patches contain files and settings already included in my application portfolio?
What order should I test my applications?
What patches should I test most and why?

Results
The following table details the results from the ChangeBase AOK Patch Impact Analysis and includes information on what application packages in the sample portfolio;

What is the total number of applications affected by each patch?
What applications also include files and configuration data that were embedded in the patch update?
What applications had specific dependencies on changes includes in these updates



Special Notes:

• MS08-046 Security Update for Windows Server 2003 raised a specific driver issues with Fujitsu 4340 colour scanners (mscms.dll)
• MS08-048 Security Update for Windows Mail raised a specific DLL conflict with Microsoft Digital Image software
• MS08-050 Security Update for Windows XP raised an application conflict with Microsoft Messenger



Conclusion

From the results derived from the ChangeBase AOK Patch Impact Analysis, it appears that the following patch updates could be deployed with relatively light testing and with an expected minimal impact on the application portfolio; MS08-46, MS08-47, MS08-48, MS08-49 and MS08-50. However, the Microsoft Internet Explorer 7 Update IE7 (MS08-045) appears to cause application level conflict issues and has been raised a direct dependency for a number of applications. This could mean that these applications may be adversely affected by the MS08-045 update and this patch should be fully tested prior to deployment to production environments.

No comments: