Friday 12 December 2008

December Patch Tuesday - Will we have time?

Though this is a more personal blog, I do like to post our results for Microsoft's monthly security update release bonanza - Patch Tuesday. I have included the results

It would be too easy, if I just posted the Patch Impact summaries for each update. No, I have to weigh-in with an opinion.

First, I think that M$ is doing a great job here. I think that the patches included in the following summary are necessary and, judging from the CVS reports, were sorely needed. Secondly, I think that we may need to re-think the schedule for Patch Tuesday to accommodate the holiday season.

Most organizations will implement Change Control (or Change Freeze) sometime this week, which is a self-induced state of paralysis that precedes each Christmas and New Year. The intent of this "Change Control" restriction is to reduce the nature and number of changes over the holiday season, because of the increased risk of something going wrong due to:

- missing staff (potential reasons: holiday, sickness, drunkenness)
- reduced 3rd party or contractor staff due to the above reason
- possible end-of-year focus or other business restrictions

While Microsoft has released a massive update this month, most organizations normally need at least 2 weeks to deploy their patches/updates. This schedule places the likely update window right in the middle of the Christmas break, which is a bad time for IT systems to break.

My suggestion is this: for December, roll out the patches early. Let the business end of IT have some time to determine what is critical to deploy this side of the year and then have some time to deploy it.


And, as threatened, here is the testing summary:

  • MS08-070: Marginal impact with Medium numbers of applications affected
  • MS08-071: Medium impact with High numbers of applications affected
  • MS08-072: Marginal impact with Low numbers of applications affected
  • MS08-073: High impact with High numbers of applications affected
  • MS08-074: Marginal impact with Low numbers of applications affected
  • MS08-075: Marginal impact with Low numbers of applications affected
  • MS08-076: Marginal impact with Low numbers of applications affected
  • MS08-077: Marginal impact with Low numbers of applications affected


| Patch Name | Total Issues | % of apps Affected | Reboot | Rating | RAG |
|---|---|---|---|---|---|
| Microsoft Security Bulletin MS08-070 | <1% | <13% | YES | C | Issue |
| Microsoft Security Bulletin MS08-071 | 16% | <39% | YES | C | Serious Issue |
| Microsoft Security Bulletin MS08-072 | <1% | <1% | YES | C | No Issue |
| Microsoft Security Bulletin MS08-073 | <70% | <35% | YES | C | Serious Issue |
| Microsoft Security Bulletin MS08-074 | <1% | <1% | YES | C | No Issue |
| Microsoft Security Bulletin MS08-075 | <1% | <1% | YES | C | No Issue |
| Microsoft Security Bulletin MS08-076 | <1% | <1% | YES | I | No Issue |
| Microsoft Security Bulletin MS08-077 | <1% | 7% | YES | I | No Issue |

Legend:
No Issue = No Issues Detected
Fixable = Potentially fixable application Impact
Serious = Serious Compatibility Issue

M = Moderate 
I = Important 
C = Critical 

c. 800 applications were tested against these patches using the ChangeBASE ACL (Application Compatibility Lab) 

Security Update Detailed Summary
MS08-070: Vulnerabilities in Visual Basic 6.0 Runtime Extended Files (ActiveX Controls) Could Allow Remote Code Execution (932349)
Description: This security update resolves five privately reported vulnerabilities and one publicly disclosed vulnerability in the ActiveX controls for the Microsoft Visual Basic 6.0 Runtime Extended Files. These vulnerabilities could allow remote code execution if a user browsed a Web site that contains specially crafted content. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload: Comct232.msm, Comct232.ocx, Mschrt20.msm, Mschrt20.ocx, Mscomct2.msm, Mscomct2.ocx, Msflxgrd.msm, Msflxgrd.ocx, Mshflxgd.msm, Mshflxgd.ocx, Msmask32.msm, Msmask32.ocx, Mswinsck.msm, Mswinsck.ocx
Impact: Remote Code Execution

MS08-071: Vulnerabilities in GDI Could Allow Remote Code Execution (956802)
Description: This security update resolves two privately reported vulnerabilities in GDI. Exploitation of either of these vulnerabilities could allow remote code execution if a user opens a specially crafted WMF image file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload: Gdi32.dll, Mf3216.dll
Impact: Remote Code Execution

MS08-072: Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (957173)
Description: This security update resolves eight privately reported vulnerabilities in Microsoft Office Word and Microsoft Office Outlook that could allow remote code execution if a user opens a specially crafted Word or Rich Text Format (RTF) file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload: Winword.exe, Wwlib.dll, Msword.olb, Wrd12cnv.dll, Wordcnv.exe
Impact: Remote Code Execution

MS08-073: Cumulative Security Update for Internet Explorer (958215)
Description: This security update resolves four privately reported vulnerabilities. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload: Browseui.dll, Danim.dll, Dxtmsft.dll, Iecustom.dll, Iepeers.dll, Inseng.dll, Jsproxy.dll, Mshtml.dll, Msrating.dll, Pngfilt.dll, Shdocvw.dll, Shlwapi.dll, Url.dll, Urlmon.dll, Wininet.dll, Iecustom.dll
Impact: Remote Code Execution

MS08-074: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (959070)
Description: This security update resolves three privately reported vulnerabilities in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload: Excel.exe, Excel.man, Excel.pip, Xlcall32.dll
Impact: Remote Code Execution

MS08-075: Vulnerabilities in Windows Search Could Allow Remote Code Execution (959349)
Description: This security update resolves two privately reported vulnerabilities in Windows Search. These vulnerabilities could allow remote code execution if a user opens and saves a specially crafted saved-search file within Windows Explorer or if a user clicks a specially crafted search URL. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload: Explorer-ppdlic.xrm-ms, Explorer.exe
Impact: Remote Code Execution

MS08-076: Vulnerabilities in Windows Media Components Could Allow Remote Code Execution (959807)
Description: This security update resolves two privately reported vulnerabilities in the following Windows Media components: Windows Media Player, Windows Media Format Runtime, and Windows Media Services. The most severe vulnerability could allow remote code execution. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload:
Impact: Remote Code Execution

MS08-077: Vulnerability in Microsoft Office SharePoint Server Could Cause Elevation of Privilege (957175)
Description: This security update resolves a privately reported vulnerability. The vulnerability could allow elevation of privilege if an attacker bypasses authentication by browsing to an administrative URL on a SharePoint site. A successful attack leading to elevation of privilege could result in denial of service or information disclosure.
Payload: Adodb.dll, Bdcconn.dll, Chsbrkr.dll, Chtbrkr.dll, Danlr.dll, Dbghelp.dll, Docxpageconverter.exe, Adodb.dll, Microsoft.mshtml.dll, Microsoft.stdformat.dll, Msdatasrc.dll, Grclr.dll, Grcste.dll, Huczlr.dll, Korwbrkr.dll, Lrpolish.dll, Microsoft.office.server.dll, Microsoft.office.server.dll, Microsoft.office.server.native.dll, Microsoft.office.server.ui.dll, Microsoft.sharepoint.publishing.dll, Microsoft.mshtml.dll, Microsoft.stdformat.dll, Mir.fi.dll, Msdatasrc.dll, Msgfilt.dll, Msscntrs.dll, Mssdmn.exe, Mssearch.exe, Mssph.dll, Mssrch.dll, Natlang6.dll, Natlangnlsd0000.dll, Natlangnlsd0001.dll, Natlangnlsd0002.dll, Natlangnlsd0003.dll, Natlangnlsd0007.dll, Natlangnlsd0009.dll, Natlangnlsd000a.dll, Natlangnlsd000c.dll, Natlangnlsd000d.dll, Natlangnlsd000f.dll, Natlangnlsd0010.dll, Natlangnlsd0011.dll, Natlangnlsd0013.dll, Natlangnlsd0018.dll, Natlangnlsd0019.dll, Natlangnlsd001a.dll, Natlangnlsd001b.dll, Natlangnlsd001d.dll, Natlangnlsd0020.dll, Natlangnlsd0021.dll, Natlangnlsd0022.dll, Natlangnlsd0024.dll, Natlangnlsd0026.dll, Natlangnlsd0027.dll, Natlangnlsd002a.dll, Natlangnlsd0039.dll, Natlangnlsd003e.dll, Natlangnlsd0045.dll, Natlangnlsd0046.dll, Natlangnlsd0047.dll, Natlangnlsd0049.dll, Natlangnlsd004a.dll, Natlangnlsd004b.dll, Natlangnlsd004c.dll, Natlangnlsd004e.dll, Natlangnlsd0414.dll, Natlangnlsd0416.dll, Natlangnlsd0816.dll, Natlangnlsd081a.dll, Natlangnlsd0c1a.dll, Natlangnlsl0009.dll, Notesph.dll.oss, Offfiltx.dll, Office.odf, Osrvintl.dll, Oss.intl.dll, Pkmexsph.dll, Pkmnpw.dll, Portal.dll, Portal.dll, Query9x.dll, Searchom.dll, Searchom.dll, Sharepointpub.dll, Sharepointpub.gac.dll, Spsimpph.dll, Spsintl.dll, Srchipp.dll, Srchpml.dll, Ssocli.dll, Ssoom.dll, Ssoom.dll, Ssoperf.dll, Ssoprvad.exe, Ssosec.dll, Ssosec.dll, Ssosrv.exe, Stdole.dll, Stdole.dll, Svrsetup.dll, Svrsetup.exe, Thawbrkr.dll, Tquery.dll, Trklr.dll, Upgrade.dll
Impact: Elevation of Privilege
