Wednesday 15 April 2009

Patch Tuesday -April 14th

As I do now every month, I post up the Patch Impact Report for Microsoft's Patch Tuesday.

This month includes 8 patches, two rated Important, one moderate and the others are rated as Critical. These patches affect all operating systems from Windows 2000, XP through to VISTA and Windows 7 beta and system administrators should be aware that they will require all servers and desktops running these operating systems to be rebooted. Six of the eight patches explicitly state that a reboot is required, however the nature of the changes being made by the other two patches make it highly likely that these will also require a reboot although this is not explicitly stated in the documentation.

After loading the ChangeBase AOK application testing portfolio into a Patch Impact database, all eight patches were tested for application level issues and in addition, application dependencies. Only one update (MS09-014) raised a significant number of issues across a small number of applications across the ChangeBase Patch Testing Application portfolio.

Here is a sample report extract from one of the few applications in the AOK ChangeBase Application Test Portfolio that raised a dependency level issue with the MS09-014 Update.


Testing Summary
  • MS09-009: Marginal Impact (both Package level and dependencies) detected across portfolio
  • MS09-010: Marginal Impact (both Package level and dependencies) detected across portfolio
  • MS09-011: Marginal Impact (both Package level and dependencies) detected across portfolio
  • MS09-012: Marginal Impact (both Package level and dependencies) detected across portfolio
  • MS09-013: Marginal Impact (both Package level and dependencies) detected across portfolio
  • MS09-014: Moderate Impact (both Package level and dependencies) detected across portfolio
  • MS09-015: Marginal Impact (both Package level and dependencies) detected across portfolio
  • MS09-016: Marginal Impact (both Package level and dependencies) detected across portfolio










Patch NameTotal
Issues
Matches
Affected
RebootRatingRAG
Microsoft Security Bulletin MS09-009<1%<1%YESCritical Critical
Microsoft Security Bulletin MS09-010 8<1%YESCritical Critical
Microsoft Security Bulletin MS09-011<1%<1%
Critical Critical
Microsoft Security Bulletin MS09-012<1%<1%YESCritical Critical
Microsoft Security Bulletin MS09-013<1%<1%
Critical Critical
Microsoft Security Bulletin MS09-014 96 6%YESImportantImportant
Microsoft Security Bulletin MS09-015<1%<1%YESImportantImportant
Microsoft Security Bulletin MS09-016<1%<1%YESModerate Moderate


Legend:
No IssueNo Issues Detected
FixablePotentially fixable application Impact
SeriousSerious Compatibility Issue


Security Update Detailed Summary
MS09-009Vulnerabilities in Microsoft Office Excel Could Cause Remote Code Execution (968557)
Description This security update resolves a privately reported and a publicly disclosed vulnerability. The vulnerabilities could allow remote code execution if the user opens a specially crafted Excel file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload Excel.exe
Impact Remote Code Execution

MS09-010Vulnerabilities in WordPad and Office Text Converters Could Allow Remote Code Execution (960477)
Description This security update resolves two publicly disclosed vulnerabilities and two privately reported vulnerabilities in Microsoft WordPad and Microsoft Office text converters. The vulnerabilities could allow remote code execution if a specially crafted file is opened in WordPad or Microsoft Office Word. Do not open Microsoft Office, RTF, Write, or WordPerfect files from untrusted sources using affected versions of WordPad or Microsoft Office Word.
Payload Html32.cnv, Msconv97.dll, Mswrd632.cnv, Mswrd832.cnv, Wpft532.cnv, Wpft632.cnv
Impact Spoofing

MS09-011Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (961373)
Description This security update resolves a privately reported vulnerability in Microsoft DirectX. The vulnerability could allow remote code execution if user opened a specially crafted MJPEG file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload Quartz.dll
Impact Remote Code Execution

MS09-012Vulnerabilities in Windows Could Allow Elevation of Privilege (959454)
Description This security update resolves four publicly disclosed vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker is allowed to log on to the system and then run a specially crafted application. The attacker must be able to run code on the local machine in order to exploit this vulnerability. An attacker who successfully exploited any of these vulnerabilities could take complete control over the affected system.
Payload Dtcsetup.exe, Msdtclog.dll, Msdtcprx.dll, Msdtctm.dll, Msdtcui.dll, Mtxclu.dll, Mtxoci.dll, Sp3res.dll, Xolehlp.dll
Impact Elevation of Privilege

MS09-013Vulnerabilities in Windows HTTP Services Could Allow Remote Code Execution (960803)
Description This security update resolves one publicly disclosed vulnerability and two privately reported vulnerabilities in Microsoft Windows HTTP Services (WinHTTP). The most severe vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload Winhttp.dll
Impact Remote Code Execution

MS09-014Cumulative Security Update for Internet Explorer (963027)
Description This security update resolves four privately reported vulnerabilities and two publicly disclosed vulnerabilities in Internet Explorer. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer or if a user connects to an attacker's server by way of the HTTP protocol. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload Browseui.dll, Danim.dll, Dxtmsft.dll, Iecustom.dll, Iepeers.dll, Inseng.dll, Jsproxy.dll, Mshtml.dll, Msrating.dll, Pngfilt.dll, Shdocvw.dll, Shlwapi.dll, Url.dll, Urlmon.dll, Wininet.dll, Iecustom.dll
Impact Remote Code Execution

MS09-015Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege (959426)
Description This security update resolves a publicly disclosed vulnerability in the Windows SearchPath function that could allow elevation of privilege if a user downloaded a specially crafted file to a specific location, then opened an application that could load the file under certain circumstances.
Payload Secur32.dll
Impact Elevation of Privilege

MS09-016Vulnerabilities in Microsoft ISA Server and Forefront Threat Management Gateway (Medium Business Edition) Could Cause Denial of Service (961759)
Description This security update resolves a privately reported vulnerability and a publicly disclosed vulnerability in Microsoft Internet Security and Acceleration (ISA) Server and Microsoft Forefront Threat Management Gateway (TMG), Medium Business Edition (MBE). These vulnerabilities could allow denial of service if an attacker sends specially crafted network packages to the affected system, or information disclosure if a user clicks on a malicious URL or visits a Web site that contains content controlled by the attacker.
Payload Cookieauthfilter.dll, msphlpr.dll, wspsrv.exe, Fweng.sys, Fweng64.sys, Fweng64100.sys, Msfpcpatch.dll,
Impact Elevation of Privilege

Thursday 9 April 2009

Windows 7 - Touching up your legacy apps

It has been quite a while since my last blog posting. I have been travelling pretty extensively over the past few weeks, and one of the challenges (apart from running from flight to flight) of working abroad and on a client site, is that there is generally little time for "background" tasks like blogging.

That said, I am having a great time with working our clients and it looks like we have found a few more legacy application compatibility issues with Windows 7.

Windows 7 now includes "Touch" support - which on top of "Sensor " support (movement, location, temperature) I think will be the "killer apps" for Windows 7. I have been told by the senior powers that be at Microsoft, that Windows 7 does not have killer apps. "We have pillars, that people; developers in our ecosystem, build upon to create killer apps", I am told. "Fine", I replied, "Then Touch and Sensor support are killer pillars". I quite like the sound of that; Killer Pillars.

Back to the application compatibility issues.

Touch under Windows 7 crashes legacy VB applications that use the old (versions 5 and 6) of the COMCTL control (Mscomctl.ocx or Comctl32.ocx). If your application has a dependency on these controls - it will crash with a wonderful "divide by zero error".

The two problem scenarios outlined by Microsoft include;

• You are running an application that sets a WinEvent hook on Microsoft Windows 2000 or a later operating system version.
• You start an application that uses the ListView control or the TreeView control from Microsoft Windows Common Controls 5.0.


For more information, please refer to the Microsoft support link; http://support.microsoft.com/kb/896559

The fix for this issue is clear; you must scan all of your application packages, and get rid of those legacy versions of these controls. This "cleaning" process must include removing all other configuration settings (registry and COM information) from the offending package. In addition, you will need to validate your application for dependencies on these List and Drop-down controls.