Sheldon here again, with a quick summary of this month's Microsoft Security updates …
9 advisories, with 19 vulnerabilities covered. Here's the breakdown:
MS09-036: Rated Important. Potential Denial of Service in ASP.NET in Microsoft Vista and 2008, covering 1 vulnerability: CVE-2009-1536. Important to note that this vulnerability only affects systems where IIS 7.0 is installed and ASP.NET uses integrated mode. IIS 7 using application pools in classic mode are not vulnerable. Other versions of Windows are not affected.
MS09-037: Rated Critical. Potential Remote Code Execution in ATL Components, Outlook Express, Media Player, ActiveX Controls, and anything else Microsoft built with these templates. Every supported version of Windows affected except Windows 7 and 64 bit versions of Server 2008 R2, covering 5 vulnerabilities: CVE-2008-0015 (ActiveX), CVE-2008-0020 (memcopy), CVE-2009-0901 (uninitialized object), CVE-2009-2493 (COM initialization), and CVE-2009-2494 (object type mismatch). Yup - this is the big one, with Microsoft feeling their customers' pain as they try their best to track down every piece of software written on top of the original mess. I don't envy them and I'm sure this isn't over.
MS09-038: Rated Critical. Potential Remote Code Execution in Windows Media File Processing in every version of Windows except Windows 7 and 64 bit versions of Server 2008 R2, covering 2 vulnerabilities: CVE-2009-1545 (malformed AVI header), and CVE-2009-1546 (AVI integer overflow). Malformed AVI makes for an interesting departure from the standard malicious media and speaks volumes about how much rich media has become the new normal in life online.
MS09-039: Rated Critical. Potential Remote Code Execution in WINS, affecting Windows 2000 Server and 2003 only and covering 2 vulnerabilities: CVE-2009-1923 (heap overflow), and CVE-2009-1924 (integer overflow). This would be a bigger deal if it wasn't WINS - that's like getting nervous about a new Telnet vulnerability ... but more on that in a minute. It's 2009 – if you installed WINS on purpose this is a great reason to rethink that strategy. If resolving NetBIOS names across a WAN link is important to you, then it's time to patch.
MS09-040: Rated Important. Potential Elevation of Privilege in Message Queuing affecting Vista pre-SP, Server 2003, 2000, and XP prior to SP3. 1 vulnerability: CVE-2009-1922 - MSMQ Null Pointer Vulnerability, with unvalidated input before passing data to the buffer. On any other Patch Tuesday, this one would be extremely interesting. With ATL & Web Components on one end and WINS & Telnet on the other, this one is suffering from middle child syndrome in this month's post.
MS09-041: Rated Important (Elevation of Privilege) for XP and 2003; Moderate (Denial of Service) for Vista and 2008. 1 vulnerability: CVE-2009-1544 … Workstation Service memory corruption. Valid logon credentials are required to exploit this one.
MS09-042: My favorite update this month is for *TELNET*. Awesome. Rated Important for 2000, XP, and 2003; Moderate for Vista and 2008. 1 vulnerability: CVE-2009-1930 (credential reflection). What a perfect excuse to disable Telnet. As Jabra said a few minutes ago: "Patch your telnet if you're still running it." You shouldn't be.
MS09-043: Rated Critical. Remote Code Execution in Office Web Components in Office XP and 2003, Office 2000/XP/2003 Web Components, ISA 2004 and 2006, BizTalk 2002, Office Small Business Accounting 2006, and oh yeah - Visual Studio .NET 2003. This is the other biggie with 4 vulnerabilities: CVE-2009-0562 (memory allocation), CVE-2009-2496 (heap corruption), CVE-2009-1136 (HTML script), and CVE-2009-1534 (buffer overflow). After much noise and a front row seat in metasploit last month, this update was much anticipated and expected. (You should patch this one).
MS09-044: Rated Critical for affected versions except for 6.0 (more on that shortly). Remote Code Execution in Remote Desktop (RDP 5.0, 5.1, 5.2, 6.0, and 6.1) as well as the Remote Desktop Client for Mac. All Windows Operating Systems affected except for Windows 7 and Windows Server 2008 R2. 2 vulnerabilities: CVE-2009-1133 (heap overflow), and CVE-2009-1929 (ActiveX heap overflow). This one would typically be pretty scary, but again just too much this month that is garnering more attention on first glance with credentials required. Interesting thing here is that the vulnerability on systems running RDP 5.0 through 5.2 and 6.1 are rated Critical; 6.0 is rated Important. The justification for this rating is that 6.0 is not affected by the ActiveX vulnerability and CVE-2009-1133 cannot be exploited by a malicious website invoking the RDP ActiveX control. This is a great example of how important remediation-based reporting can be. On a day like today with so much information to sift through, there is clearly value in cutting through the mess of different (and sometimes confusing) vulnerability ratings and providing sound remediation advice instead of a simple list of vulnerabilities.
There's a very good chance that a couple of this month's sleepers will get some more press after the big hitters settle down. In addition to the obvious 037 and 043 priorities, best advice is to start with remediation for vulnerabilities that are network accessible with no authentication or user interaction required along with those that already have active exploits (in the wild and/or in metasploit).