10 Mar Patch Tuesday
12 Jan Patch Tuesday - Jan 2010
11 Nov Patch Tuesday
This month’s Patch Tuesday is a big one. Not only did Microsoft release their bulletins, but Adobe also released critical updates for Adobe Reader and Acrobat 9.3.1 for Windows, Mac and Unix along with updates for Reader and Acrobat 8.2.1 for Windows and Mac. These updates address multiple issues including memory corruption, buffer overflows and cross-site scripting.
Adobe has also decided to activate their new updater that will allow users to easily keep their Adobe products up to date. The updater will determine a time when your computer isn’t busy and silently install Adobe’s updates.
Considering Adobe is one of the programs exploited regularly, this sounds great, right? Well, here is the thing: Adobe is releasing the updater, but they have no plans to activate this feature by default in this release. What this means is that people won’t be getting automatic updates unless they choose to turn on the updater. Adobe, however, does say they feel this is the best option for most users and they are currently evaluating options for the best long-term solution. One of the solutions they might choose would be to provide users with an opt-in screen as part of the next phase in the rollout.
My feeling is that Adobe needs to take security seriously and start using the more secure methods as default settings.
In the Microsoft world, today brings 11 bulletins addressing 25 vulnerabilities in Windows, Microsoft Office and Exchange. This month’s bulletins affect all operating systems including Windows 7. The ratings for the 11 bulletins range from moderate to critical, with 5 critical, 5 important and one moderate. This month’s updates include bulletins addressing the critical SMB vulnerability Microsoft notified us about last November and the vulnerability in VBScript from March of this year.
MS10-019 - Resolves two vulnerabilities in Windows Authenticode Verification. These vulnerabilities may allow attackers to modify executables (PE and CAB files) without making the signature invalid. The bulletin addresses the issue by performing additional verification operations when signing and verifying a portable executable or cabinet file.
MS10-020 - Is the bulletin Microsoft released addressing the SMB vulnerability. This affects both SMBv1 and SMBv2. The SMB client is mainly used to provide shared access to files and printers on a network. If exploited, this could lead to a Denial of Service attack.
MS10-022 - Addresses the vulnerability in VBScript that could allow remote code execution. Users can be exploited by visiting a specially crafted web page and being tricked into pressing the F1 key. This bulletin is rated important for users running Windows 2000, XP or Server 2003. For users running Windows 7, Server 2008 or Server 2008 R2 there is no severity rating. Microsoft is calling it a defense-in-depth measure.
MS10-025 - Resolves a vulnerability by modifying the way Windows Media Unicast Services handles transport info network packets. An attacker exploiting the vulnerability would be able to take complete control of the computer. Something to note is that on Windows 2000 Server, Windows Media Services is an optional component and isn’t installed by default.
MS10-026 - Is addressing a vulnerability in how Windows handles MPEG Layer-3 (MP3) audio streams. If a user were to open a specially crafted AVI file, the attacker would have complete control of the system.
MS10-027 - Is fixing a vulnerability in Windows Media Player. For users to be exploited they would need to view the malicious web site and open the specially crafted media.
While updating, keep in mind all of these updates require a restart so make sure you’re ready for a reboot.
Today Microsoft released 2 bulletins addressing 8 vulnerabilities affecting Windows and Microsoft Office products. Both of the bulletins are rated important, meaning some user interaction is needed to exploit the vulnerability and allow remote code execution. One thing that this month's updates have in common is that they both address issues that require some social engineering, and there are no network-based attack vectors. However, neither one addresses Advisory 981169, the vulnerability in VBScript pertaining to IE. This is where a user visiting a specially crafted webpage will be presented with a popup asking to press the F1 key to become infected.
MS10-016 affects Windows XP SP2, SP3, Vista SP1, SP2 and Windows 7 32 and 64-bit versions. It addresses a vulnerability in Movie Maker versions 2.1 and 6.0, which ship with Windows XP and Windows Vista. Version 2.6 is also vulnerable and can be freely downloaded and installed from the web. For users who have version 2.6 installed on a supported version of Windows, including 7, you will be offered the update. However, Movie Maker 2.6 is optional on Windows 7, so if you don't have this installed you are not affected and don’t need the bulletin. For those users who do have it installed, to become infected users would need to open a specially crafted Movie Maker project file.
MS10-016 also affects Microsoft Producer 2003. This is a free download but has what Microsoft calls a "limited distribution" so they are not currently offering an update to resolve the issue.
This seems a little odd to me. I mean, no matter how “limited”, why would you not want to fix the issue? Not only is it a bug in your software but it leaves users vulnerable, and isn’t that what we are trying to prevent? With that said, a current workaround is to disassociate the project file type from the application. This isn't a complete fix but Microsoft says it adds an extra layer of security.
MS10-017 is addressing issues in multiple versions of Microsoft Office for both Windows and Mac. On the Windows platform the versions affected are Office XP, 2003 and 2007 along with supported versions of Excel Viewer and SharePoint 2007. The Mac versions affected are 2004, 2008 and the Open XML File Format Converter for the Mac. To take advantage of this exploit there will need to be some user interaction by opening a specially crafted file.
As always I suggest downloading and installing the bulletins at your earliest convenience.
From the look of things Microsoft is starting off slow this year with only one of each in today's release – one bulletin, one advisory and one re-released bulletin. However, there is still no bulletin for Security Advisory 977544 - the Vulnerability in SMB Could Allow Denial of Service. Microsoft says they are still working on an update for this issue and are not aware of any attacks using the exploit code.
The bulletin they did release is the MS09-035 Active Template Library (ATL) bulletin, after adding Windows Embedded CE 6.0 to the affected product list. This release only affects developers and OEMs building applications on top of CE 6 or producing devices that use the operating system.
The last release from Microsoft was Security Advisory 979267, to increase awareness regarding reports of vulnerabilities in Adobe Flash Player 6, which shipped with Windows XP. I would like to mention that Flash 6.0 is a very old version, considering it came with XP, so please update to the latest version of Flash.
Please note that Adobe is releasing APSB10-02 Security Advisory today to resolve critical vulnerabilities being actively exploited in Adobe Reader and Acrobat 9.2 on Windows, Mac, and UNIX.
Even with only one update from Microsoft, I would suggest that everyone installs it as a matter of standard procedure. But I would make the Adobe update my first priority this month.
This month Microsoft released 6 bulletins to plug 12 vulnerabilities in Windows, Internet Explorer (IE) and Microsoft Office products. Three of them are rated Critical and the other three Important. These bulletins affect all supported versions of Windows and IE; regarding Office the bulletins impact Project, Word and Works 8.5. The other important piece of information is that all of the updates require a reboot so plan accordingly.
MS09-072 covers Security Advisory 977981 (HTML Object Memory Corruption) and due to the fact that the vulnerability was publicly disclosed and affects IE 6 and IE 7 Microsoft put this at the top of the priority list. It's the only bulletin that has both a critical severity rating and the maximum Exploitability rating. Those users running IE 8 on any version of Windows and IE 5.01 on Windows 2000 are not affected by this vulnerability. With that said how many people are still running IE 5.01 on systems? I'd like to think that sometime in the last 8 years most if not everyone has updated their systems.
MS09-070 resolves two reported vulnerabilities in Windows that can be exploited through a maliciously crafted HTTP request sent to an ADFS-enabled Web server. However, for the attack to be effective, valid logon credentials are needed. Because of this, Microsoft placed this lower on the deployment list. This patch is for any machine running Windows Server 2003 32 and x64 Edition, Windows Server 2008 and Windows 2008 x64 Edition.
MS09-071 addresses vulnerabilities in the Internet Authentication Services where if a message is copied incorrectly into memory when handling PEAP authentication attempts it could allow compromise. This security update is rated Critical for Windows Server 2008 for 32-bit Systems Service Pack 2 and Windows Server 2008 for x64-based Systems Service Pack 2 and for other versions of Windows the rating drops to either Important or Moderate. However those running Windows 7 or Server 2008 R2 x64 or Itanium versions are not affected.
MS09-073 patches a vulnerability in Microsoft's WordPad and Office text converters. For users to be affected by this they would need to open a malicious Word 97 file in either WordPad or MS Word. This security update is rated Important for WordPad on all supported editions of Microsoft Windows 2000, Windows XP, and Windows Server 2003. It's also rated Important for all supported editions of Microsoft Office Word 2002 and Microsoft Office Word 2003, Microsoft Office Converter Pack, and Microsoft Works 8.5. This does not affect Vista SP1, SP2 32 or x64, Windows 7 32 or x64, Server 2008 R2 x64 or Itanium versions of Windows.
MS09-074 covers a vulnerability in Microsoft Project where, if a user opens a maliciously crafted project file, the attacker can get complete control of the affected system. This has a Critical rating for MS Project 2000 SP1 and an Important rating for MS Project 2002 SP1 and MS Project 2003 SP3.
MS09-069 fixes a vulnerability in Local Security Authority Subsystem Service (LSASS) that could allow for a denial of service (DoS) attack. For this to take place the attacker would have to send ISAKMP messages to the LSASS communicating through Internet Protocol security (IPsec). This is rated Important for all supported Windows 2000, Windows XP and Windows Server 2003.
I also want to highlight the rerelease of MS08-037. This addresses the vulnerability in both DNS client and DNS server that could allow spoofing. This is for Microsoft Windows 2000, Windows XP, Windows Server 2003, and Windows Server 2008. For Windows 2000 users, if you've downloaded and installed this already, you need to install it again to be completely updated.
As I always say, no matter what the severity rating from Microsoft you should download and install all the updates needed for your system.
For more detailed information, take a look at the Microsoft blog about these updates.
The first patch Tuesday since the release of Windows 7 wasn’t as historic as last month – this time Microsoft released 6 patches addressing 15 vulnerabilities.
Today’s patches did not include a patch for Windows 7 but there is one for Vista. Could this be an indication of things to come or I should say not to come?
Four of today's patches address issues in pre-Win7 versions of Windows and Windows Server and the other two are for Office products. Three of the six patches are considered critical with the other half labeled important.
Microsoft considers MS09-065 the most critical of the bunch. This patch mitigates 3 vulnerabilities, one of which has been publicly disclosed. This patch prevents users running Windows 2000 SP4, XP SP2 and SP3 or Server 2003 SP2 from being exploited when visiting specially crafted malicious websites. If you are running Windows Vista or a more recent OS this is not critical and is lowered to a severity rating of important, as the impact is only Elevation of Privilege.
The other two updates included in this patch require the attacker to have valid logon credentials to successfully exploit.
MS09-063 affects Windows Vista and Windows Server 2008 and is for Web Services on Devices API (WSDAPI). This is the service that allows Windows clients to discover and access remote devices such as PDAs, cameras, printers and other devices. The vulnerability could allow remote code execution if an affected Windows system receives a specially crafted packet. The key here is that the attacker will need to be on the local subnet to exploit this vulnerability.
MS09-064 affects only Windows 2000 Server SP4 and addresses the License Logging Service (LLS) which is enabled by default. Microsoft suggests that administrators with Windows 2000 Servers on public facing networks should put this patch higher on the list in priority.
MS09-067 and MS09-068 are the Microsoft Office patches. In this case the exploit will only work with some user interaction, specifically if the user opens a malicious Excel or Word file. Because those of us who run Office 2003 or later are prompted to open, save or cancel before opening any files from emails, Microsoft lowered the severity and deployment priority.
I would like to point out here that if you don’t know who sent you the file or why they would have sent it, you might want to hold off on opening it.
Clearly it is too early to say Windows 7 has been the improvement Microsoft says it is, and over the next few months it should be interesting to see how things go for Win7.
As always I suggest downloading and installing the patches, but I would like to note that 4 out of the 6 patches will require a reboot so make sure to plan accordingly.
For more information on these patches please visit Microsoft’s blog.