Wednesday 14 October 2009

Microsoft Security Updates for October: The Results...


The big story with the October 2009 Patch Tuesday Security Update from Microsoft is the sheer size (both breadth and depth) of the update. This is the largest update in the history of patch Tuesday.
Thirteen updates this month, with eight updates rated critical and the other five updates rated as Important.
The good news is that despite what one might think the impact on application compatibility is not huge across all the patches.
Based on the results of our application compatibility lab (c. 1000 sample packages), twelve of the 13 patches have very limited impact on applications. The one patch with issues is MS09-061 (Vulnerabilities in GDI+ Could Allow Remote Code Execution Which affects c. 13% of a sample application portfolio. We would recommend technical teams focus their testing on this patch.

We have included a brief snap-shot of some of the results from our AOK Software that demonstrates some of the potential impacts on Microsoft Office deployments with the following picture.



Testing Summary
  • MS09-050 : : Marginal impact and negligible testing profile.
  • MS09-051 : : Marginal impact and negligible testing profile.
  • MS09-052 : : Marginal impact and negligible testing profile.
  • MS09-053 : : Marginal impact and negligible testing profile.
  • MS09-054 : : Marginal impact and negligible testing profile.
  • MS09-055 : : Marginal impact and negligible testing profile.
  • MS09-056 : : Marginal impact and negligible testing profile.
  • MS09-057 : : Marginal impact and negligible testing profile.
  • MS09-058 : : Marginal impact and negligible testing profile.
  • MS09-059 : : Marginal impact and negligible testing profile.
  • MS09-060 : : Marginal impact and negligible testing profile.
  • MS09-061 : : Marginal impact and negligible testing profile.
  • MS09-062 : : Strong potential impact and large testing profile.


Patch Name
Total
Issues
Matches
Affected
Reboot
Rating
RAG
Microsoft Security Bulletin MS09-050
<1%
<1%
YES
Critical
Green
Microsoft Security Bulletin MS09-051
<1%
<1%
YES
Critical
Green
Microsoft Security Bulletin MS09-052
<1%
<1%
YES
Critical
Green
Microsoft Security Bulletin MS09-053
<1%
<1%
YES
Critical
Green
Microsoft Security Bulletin MS09-054
1%
1%
YES
Critical
Amber
Microsoft Security Bulletin MS09-055
<1%
<1%
YES
Critical
Green
Microsoft Security Bulletin MS09-056
<1%
<1%
YES
Critical
Green
Microsoft Security Bulletin MS09-057
<1%
<1%
YES
Critical
Green
Microsoft Security Bulletin MS09-058
<1%
<1%
YES
Critical
Green
Microsoft Security Bulletin MS09-059
<1%
<1%
YES
Critical
Green
Microsoft Security Bulletin MS09-060
1%
1%
YES
Critical
Amber
Microsoft Security Bulletin MS09-061
1%
1%
YES
Critical
Amber
Microsoft Security Bulletin MS09-062
11%
<1%
YES
Critical
Red

Legend:
No Issue
No Issues Detected
Fixable
Potentially fixable application Impact
Serious
Serious Compatibility Issue

Security Update Detailed Summary
MS09-050
Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517)
Description
This security update resolves one publicly disclosed and two privately reported vulnerabilities in Server Message Block Version 2 (SMBv2). The most severe of the vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB packet to a computer running the Server service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate from outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.
Payload
Srv2.sys
Impact
Critical – Remote Code Execution

MS09-051
Vulnerabilities in Windows Media Runtime Could Allow Remote Code Execution (975682)
Description
This security update resolves two privately reported vulnerabilities in Windows Media Runtime. The vulnerabilities could allow remote code execution if a user opened a specially crafted media file or received specially crafted streaming content from a Web site or any application that delivers Web content. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload
wmavds32.ax, wmspdmod.dll, msaud32.acm
Impact
Critical – Remote Code Execution

MS09-052
Vulnerability in Windows Media Player Could Allow Remote Code Execution (974112)
Description
This security update resolves a privately reported vulnerability in Windows Media Player. The vulnerability could allow remote code execution if a specially crafted ASF file is played using Windows Media Player 6.4. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload
strmdll.dll
Impact
Critical – Remote Code Execution

MS09-053
Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution (975254)
Description
This security update resolves two publicly disclosed vulnerabilities in the FTP Service in Microsoft Internet Information Services (IIS) 5.0, Microsoft Internet Information Services (IIS) 5.1, Microsoft Internet Information Services (IIS) 6.0, and Microsoft Internet Information Services (IIS) 7.0. On IIS 7.0, only FTP Service 6.0 is affected. The vulnerabilities could allow remote code execution (RCE) on systems running FTP Service on IIS 5.0, or denial of service (DoS) on systems running FTP Service on IIS 5.0, IIS 5.1, IIS 6.0 or IIS 7.0.
Payload
ftpsvc2.dll
Impact
Important

MS09-054
Cumulative Security Update for Internet Explorer (974455)
Description
This security update resolves three privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload
Iecustom.dll, Browseui.dll, Cdfview.dll, Danim.dll, Dxtmsft.dll, Dxtrans.dll, Iepeers.dll, Inseng.dll, Jsproxy.dll, Mshtml.dll, Msrating.dll, Mstime.dll, Pngfilt.dll, Shdocvw.dll, Shlwapi.dll, Urlmon.dll, Wininet.dll, Browseui.dll, Cdfview.dll, Danim.dll, Dxtmsft.dll, Dxtrans.dll, Iepeers.dll, Inseng.dll, Jsproxy.dll, Mshtml.dll, Msrating.dll, Mstime.dll, Pngfilt.dll, Shdocvw.dll, Shlwapi.dll, Urlmon.dll, Wininet.dll, Iecustom.dll
Impact
Critical – Remote Code Execution

MS09-055
Cumulative Security Update of ActiveX Kill Bits (973525)
Description
This security update addresses a privately reported vulnerability that is common to multiple ActiveX controls and is currently being exploited. The vulnerability that affects ActiveX controls that were compiled using the vulnerable version of the Microsoft Active Template Library (ATL) could allow remote code execution if a user views a specially crafted Web page with Internet Explorer, instantiating the ActiveX control. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload
No Files – Registry Settings Only
Impact
Critical – Remote Code Execution

MS09-056
Vulnerabilities in Windows CryptoAPI Could Allow Spoofing (974571)
Description
This security update resolves two publicly disclosed vulnerabilities in Microsoft Windows. The vulnerabilities could allow spoofing if an attacker gains access to the certificate used by the end user for authentication.
Payload
msasn1.dll
Impact
Important

MS09-057
Vulnerability in Indexing Service Could Allow Remote Code Execution (969059)
Description
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker set up a malicious Web page that invokes the Indexing Service through a call to its ActiveX component. This call could include a malicious URL and exploit the vulnerability, granting the attacker access to the client system with the privileges of the user browsing the Web page. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload
query.dll
Impact
Important

MS09-058
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (971486)
Description
This security update resolves several privately reported vulnerabilities in the Windows kernel. The most severe of the vulnerabilities could allow elevation of privilege if an attacker logged on to the system and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit any of these vulnerabilities. The vulnerabilities could not be exploited remotely or by anonymous users.
Payload
ntkrnlmp.exe, ntkrnlpa.exe, ntkrpamp.exe, ntoskrnl.exe, ntkrnlmp.exe, ntkrnlpa.exe, ntkrpamp.exe, ntoskrnl.exe, ntkrnlmp.exe, ntkrnlpa.exe, ntkrpamp.exe, ntoskrnl.exe, ntkrnlmp.exe, ntkrnlpa.exe, ntkrpamp.exe, ntoskrnl.exe
Impact
Important

MS09-059
Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service (975467)
Description
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker sent a maliciously crafted packet during the NTLM authentication process.
Payload
Msv10.dll, Netlogon.dll
Impact
Important

MS09-060
Vulnerabilities in Microsoft Active Template Library (ATL) ActiveX Controls for Microsoft Office Could Allow Remote Code Execution (973965)
Description
This security update resolves several privately reported vulnerabilities in ActiveX Controls for Microsoft that were compiled with a vulnerable version of Microsoft Active Template Library (ATL). The vulnerabilities could allow remote code execution if a user loaded a specially crafted component or control. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload
Cnfnot32.exe, Contab32.dll, Dlgsetp.dll, Dumpster.dll, Emablt32.dll, Emsmdb32.dll, Envelope.dll, Exsec32.dll, Impmail.dll, Mimedir.dll, Mlcfg32.cpl, Mlshext.dll, Mspst32.dll, Oladd.fae, Olappt.fae, Oljrnl.fae, Olkfstub.dll, Olmail.fae, Olmapi32.dll, Olnote.fae, Oltask.fae, Omsmain.dll, Omsxp32.dll, Outlctl.dll, Outlmime.dll, Outlook.exe, Outlph.dll, Outlrpc.dll, Outlvba.dll, Outlvbs.dll, Pstprx32.dll, Recall.dll, Rm.dll, Rtfhtml.dll, Scanost.exe, Scanpst.exe, Scnpst32.dll, Scnpst64.dll
Impact
Critical – Remote Code Execution

MS09-061
Vulnerabilities in the Microsoft .NET Common Language Runtime Could Allow Remote Code Execution (974378)
Description
This security update resolves three privately reported vulnerabilities in Microsoft .NET Framework and Microsoft Silverlight. The vulnerabilities could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs) or Silverlight applications, or if an attacker succeeds in persuading a user to run a specially crafted Microsoft .NET application. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerabilities could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and executing it, as could be the case in a Web hosting scenario. Microsoft .NET applications, Silverlight applications, XBAPs and ASP.NET pages that are not malicious are not at risk of being compromised because of this vulnerability.
Payload
mscordacwks.dll, mscorlib.dll, SOS.dll, mscorwks.dll
Impact
Critical – Remote Code Execution

MS09-062
Vulnerabilities in GDI+ Could Allow Remote Code Execution (957488)
Description
This security update resolves several privately reported vulnerabilities in Microsoft Windows GDI+. These vulnerabilities could allow remote code execution if a user viewed a specially crafted image file using affected software or browsed a Web site that contains specially crafted content. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload
gdiplus.dll
Impact
Critical – Remote Code Execution

No comments: