In today’s Patch Tuesday, Microsoft delivers 6 bulletins that fix vulnerabilities targeting Windows, Office and Internet Explorer.
Jason Miller, Data and Security Team Leader at Shavlik Technologies, provides a quick rundown of today’s patches.
MS09-072 is the first security bulletin administrators should address on their network. This bulletin is a cumulative update for Internet Explorer. Microsoft usually releases a cumulative update for Internet Explorer every other month, and it typically contains multiple fixes. This bulletin addresses five vulnerabilities, one of which is publicly known. There is one vulnerability patched with this bulletin that administrators should pay close attention to. Microsoft released Security Advisory 977981 for this vulnerability late last month. With this bulletin, the advisory expires if administrators patch the vulnerable versions of Internet Explorer. The vulnerability specifically deals with malicious ActiveX controls that were built with a vulnerable ATL. The ATL vulnerability prompted an out-of-band release from Microsoft earlier this year. All five vulnerabilities can be exploited against any user who browses to a malicious web site with an unpatched Internet Explorer. In this scenario, exploitation can lead to remote code execution on the target system.
MS09-070 affects Microsoft Active Directory Federation Service (ADFS). Web servers that have ADFS enabled are at risk; clients are not at risk from this vulnerability. The attacker needs to be an authenticated user to carry out an attack, which reduces the risk of this vulnerability. Companies that have implemented ADFS on their network should apply this patch as soon as possible.
MS09-071 affects Microsoft Internet Authentication Server (IAS) on servers and clients except for Windows 7 and Windows 2008 R2. IAS is a technology from Microsoft that enables business services such as wireless and VPN connections. This security bulletin addresses two vulnerabilities. One of these vulnerabilities is publicly known, but it is not being actively exploited at this time. An attacker can send a malicious packet to a vulnerable server that can result in remote code execution. Interestingly enough, client systems do not have the vulnerable files on the system, as they are not part of the base operating system, but Microsoft is providing a patch for Windows client systems. However, third-party products that can be vulnerable can be installed on client systems.
MS09-069 affects the Microsoft LSASS service on Windows 2000, XP and 2003. An attacker can send a specially crafted packet to a target machine that will cause the system to become unresponsive. The LSASS service can use up all system resources, which will cause the machine to become unresponsive. Users will need to reboot their systems to regain those resources and make the system responsive once again. This security bulletin addresses one vulnerability that is not publicly known at this time.
MS09-073 affects WordPad on Windows XP and 2003 as well as Office Text Converters for Office XP and 2003. This security bulletin fixes one software vulnerability that is not publicly known at this time. A user with a vulnerable operating system or Microsoft Office program will need to be enticed into opening a malicious Word 97 document. Upon opening, the document will be converted to a new version of a Word document. A successful exploit can lead to remote code execution.
MS09-074 affects Microsoft Project. The one security vulnerability this bulletin addresses is not publicly known at this time. In an attack scenario, a user would need to be enticed into opening a malicious Project document. This can lead to remote code execution.
Microsoft has also re-released security bulletin MS08-037. The bulletin was updated to include the DNS client on Windows 2000 Service Pack 4. Anyone who has previously installed this patch will need to apply this latest patch offering.