Friday, 14 November 2008

November 2008, Microsoft Patch Tuesday

ChangeBASE have announced their findings on Microsoft's Patch Tuesday update for November 2008. There were two patch releases this week (MS08-068 and MS08-069) and one last week (MS08-067).

MS08-067 and MS08-068 were critical releases as they addressed potentially serious security issues. However, from an application compatibility perspective they will have minimal impact on an organisation's application portfolio. This comes as good news for enterprises as it gives them a month off the full testing cycle with patch updates. In recent months the impact of patches on applications has been significant and has required a huge amount of testing to ensure business-critical applications continue to work.

From our discussions with larger companies, their testing activity generally falls into one of three camps:

  • Light sample testing of a small number of business-critical applications - This requires limited testing resource but leaves organisations vulnerable to application problems/failures
  • Medium testing - This takes significant resource and time but means that a wider portfolio of applications can be tested
  • Heavy testing - Many organisations do not have the resource to do this on a monthly basis and we have come across examples of corporates who only release new patches to their live environment twice a year as a result of this. The plus side of this approach is that applications are likely to be unaffected by the patch updates. The downside is that critical patches are not deployed, leaving organisations vulnerable to, for example, security breaches

ChangeBASE AOK Patch Impact Monitor identifies in minutes applications that are affected by new Microsoft releases and provides detailed information on potential compatibility issues. This can cut the testing time down to the point that heavy testing can be done on a greater number of applications in a short period of time.

Thankfully November should be a quiet time for testing as the new patches will have minimal impact on an organisation's applications.

Testing Summary

MS08-068: Marginal impact with low numbers of applications affected
MS08-069: Marginal impact with low numbers of applications affected

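| Patch Name | Total Issues | % of apps Affected | Reboot | Rating | RAG |
|---|---|---|---|---|---|
| MS08-067 | <1% | <1% | YES | C | No Issue |
| MS08-068 | <1% | <1% | YES | C | No Issue |
| MS08-069 | <1% | <1% | YES | I | No Issue |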

Legend:
No Issue: No Issues Detected
Fixable: Potentially fixable application impact
Serious: Serious Compatibility Issue

M = Moderate 
I = Important 
C = Critical 

c. 800 applications were tested against these patches using the ChangeBASE ACL (Application Compatibility Lab) 

Security Update Detailed Summary
MS08-067: Vulnerability in Server Service Could Allow Remote Code Execution (958644)
Description: This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit.
Payload: Netapi.dll
Impact: Remote Code Execution

MS08-068: Vulnerability in SMB Could Allow Remote Code Execution (957097)
Description: This security update resolves a publicly disclosed vulnerability in Microsoft Server Message Block (SMB) Protocol. The vulnerability could allow remote code execution on affected systems. An attacker who successfully exploited this vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload: Mrxsmb.sys
Impact: Information Disclosure

MS08-069: Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (955218)
Description: This security update resolves several vulnerabilities in Microsoft XML Core Services. The most severe vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload: Msxml5.dll
Impact: Remote Code Execution
