Wednesday 10 September 2008

Patch Tuesday - September 2008

The good news this month is that the patches and updates are relatively light. 

The updates MS08-055 and MS08-053 relate to Windows Media Player, which has a minimal impact on the operating system, and few applications have a direct dependency on Windows Media Player. More importantly, MS08-052 includes an update to a core element of the operating system (GDIPLUS.DLL). This file is part of the graphics library for Windows XP. Several applications we ran through AOK can load a version of this file from their source media/download process when they are installed, so there is a danger that the installation will load an out-of-date version of this file and overwrite the version delivered by this month's patch update.

IT departments need to identify which applications can do this and have a process in place which stops this happening. 3% of the applications we tested have this capacity including Microsoft Messenger and Macromedia Dreamweaver. Here is a sample of the AOK Workbench analysis which illustrates that Messenger both includes this key file in its installation package and has a key dependency on GDIPLUS.DLL.
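One way to find bundled copies of the file before deployment, as an added example (not from the original post and not the AOK Workbench tooling). It assumes the application packages have been extracted to folders, reads the version with a simple search for the VS_FIXEDFILEINFO signature rather than a full PE resource parse, and uses a placeholder baseline version that must be replaced with the version shipped in the patch.

```python
import os
import struct
import tempfile

# VS_FIXEDFILEINFO.dwSignature as it appears (little-endian) in a PE version resource.
FFI_SIGNATURE = struct.pack("<I", 0xFEEF04BD)


def file_version(data):
    """Return (major, minor, build, revision) from VS_FIXEDFILEINFO, or None."""
    pos = data.find(FFI_SIGNATURE)
    if pos < 0 or pos + 16 > len(data):
        return None
    _, _, ms, ls = struct.unpack_from("<4I", data, pos)  # sig, strucVer, verMS, verLS
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


def find_bundled_copies(root, baseline, name="gdiplus.dll"):
    """Walk extracted package folders; classify each bundled copy against baseline."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() != name:
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                version = file_version(fh.read())
            if version is None:
                status = "unknown"  # no version resource found: review by hand
            else:
                status = "stale" if version < baseline else "ok"
            findings.append((os.path.relpath(path, root), version, status))
    return sorted(findings)


def fake_dll(major, minor, build, rev):
    """Constructed stand-in for a DLL: padding plus a VS_FIXEDFILEINFO header."""
    return b"MZ" + b"\0" * 64 + FFI_SIGNATURE + struct.pack(
        "<3I", 0x00010000, (major << 16) | minor, (build << 16) | rev)


def demo():
    baseline = (5, 1, 9999, 0)  # placeholder, NOT the real MS08-052 file version
    with tempfile.TemporaryDirectory() as root:
        for pkg, ver in (("PkgA", (5, 1, 3000, 0)), ("PkgB", (5, 1, 9999, 0))):
            os.makedirs(os.path.join(root, pkg))
            with open(os.path.join(root, pkg, "GdiPlus.dll"), "wb") as fh:
                fh.write(fake_dll(*ver))
        return find_bundled_copies(root, baseline)
```

Packages flagged "stale" are the ones whose installers would put an older copy of the file onto a patched machine; "unknown" entries need a manual version check.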

In terms of which applications use or have a dependency on this component, we found that 30% of the applications we tested fall into this category. We recommend organisations test all applications with such dependencies.

Specific Reboot Information
It should also be noted that all machines (servers and desktops) with this patch update will need to be rebooted for the update to take effect, as per the table below.

Testing Summary
  • MS08-052: Updates key components of Microsoft Messenger and Digital Imager
  • MS08-055: Updates key Microsoft Office components - full application test required
  • MS08-053: Marginal impact and negligible testing profile
  • MS08-054: Marginal impact and negligible testing profile


| Patch Name | Issues | % Affected (with dependencies) | Reboot | RAG |
|---|---|---|---|---|
| MS08-052 Vulnerabilities in GDI+ Could Allow Remote Code Execution | 237 | 30% | YES | Serious |
| MS08-053 Vulnerability in Windows Media Encoder 9 Could Allow Remote Code Execution | <1% | <1% | YES | Test |
| MS08-054 Vulnerability in Windows Media Player Could Allow Remote Code Execution | <1% | <1% | NO | Test |
| MS08-055 Vulnerability in Microsoft Office Could Allow Remote Code Execution | 9 | 1% | NO | Test |

Legend:
  • No Issue: No Issues Detected
  • Fixable: Potentially fixable application impact
  • Serious: Serious Compatibility Issue
  • Test

Security Update Detailed Summary
MS08-052: Vulnerabilities in GDI+ Could Allow Remote Code Execution
Description: This security update resolves several privately reported vulnerabilities in Microsoft Windows GDI+. These vulnerabilities could allow remote code execution if a user viewed a specially crafted image file using affected software or browsed a Web site that contains specially crafted content. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload: gdiplus.dll
Impact: MS08-052 updates a core OS-level DLL that is responsible for the Windows XP/2000 graphics interface. A number of applications contain this file in their application installation routine, including Reuters Messaging, Microsoft Messenger, Macromedia Dreamweaver and Microsoft Digital Image, which could cause application compatibility issues when these packages are deployed. In addition, a significant portion of our testing portfolio had a file-level dependency on this updated DLL.
 
MS08-053: Vulnerability in Windows Media Encoder 9 Could Allow Remote Code Execution
Description: This security update resolves a privately reported vulnerability in Windows Media Encoder 9 Series. The vulnerability could allow remote code execution if a user viewed a specially crafted Web page. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload: The following file is updated in this security update: Wmex.dll
Impact: This update had a marginal impact on the AOK Workbench application package portfolio through direct file and configuration overlaps with the update payload and the portfolio packages.
 
MS08-054: Vulnerability in Windows Media Player Could Allow Remote Code Execution
Description: This security update resolves a privately reported vulnerability in Windows Media Player that could allow remote code execution when a specially crafted audio file is streamed from a Windows Media server. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload: The following file is updated in this security update: Wmpeffects.dll
Impact: This update had a marginal impact on the AOK Workbench application package portfolio through direct file and configuration overlaps with the update payload and the portfolio packages.
 
MS08-055: Vulnerability in Microsoft Office Could Allow Remote Code Execution
Description: This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user clicks a specially crafted OneNote URL. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload: The following files are updated in this security update: Onbttnie.dll, Onenote.exe, Onenotem.exe, Onfilter.dll, Onlibs.dll, Onmain.dll, Mso.dll, Mso.dll, Ietag.dll
Impact: This Microsoft security update, while not affecting a large portion of the AOK application portfolio, did directly affect a number of Microsoft application packages including Office 2003 (standard and professional), Microsoft Visual Basic, and Microsoft Project.

Details of Lab process
c. 800 applications were tested against these patches using the ChangeBASE ACL (Application Compatibility Lab)
