News

Huge October Security Patch Arrives

• By Jabulani Leffall
• 10/13/2009

October has proved to be the month of record, landing one whopper of a Patch Tuesday.

The sheer girth of Redmond's October slate of security updates eclipses all others before it. The patch contains the most security bulletins ever, according to the Microsoft Security Response Center's blog. We have to look back to October 2008 for the last record-setting patch.

Microsoft released 13 security bulletins, with eight deemed "critical" and five considered "important, to address 34 vulnerabilities. The software giant is also re-releasing one bulletin to offer new updates.

Not only are the vulnerabilities large in number but there is a wide swath of applications affected in this month's rollout. The products targeted for patching this time include Windows, Internet Explorer, Silverlight, Microsoft Office, Forefront and SQL Server.

IT pros should consider tackling this patch one step at a time, according to Sheldon Malm, director of security strategy at the Rapid 7 security services firm.

"Start with operating systems, Internet-facing systems and SQL Server database boxes," Malm said. "This [patch slate] may take weeks or even months to test and deploy in larger environments, so prioritizing by most critical assets within this update will be key to reducing risk as quickly and effectively as possible."

Remote code execution (RCE) once again rules the day as a top patching concern. As many as 10 bulletins have RCE exploit implications. Spoofing, elevation-of-privilege and denial-of-service risks round out the batch of incursion considerations to be patched.

Critical Fixes
Critical item No. 1 is the long-awaited patch for Server Message Block Version 2 (SMBv2). It only touches Vista and Windows Server 2008.

"IT administrators should pay attention to this critical vulnerability as its reportedly is currently being exploited in the wild and impacts both Vista and Windows 2008 platforms," said Paul Henry, security and forensic analyst at Lumension.

The second critical item affects every OS except for Windows 7, addressing two privately reported vulnerabilities in Windows Media Runtime.

Critical item No. 3 affects Windows Media Player running on every Windows OS except Windows 7, Vista and Windows Server 2008. This vulnerability could "allow remote code execution if a specially crafted ASF file is played using Windows Media Player 6.4," according to Microsoft.

The fourth critical item is yet another cumulative security fix for Internet Explorer, resolving three bugs and covering IE versions 5.01 through 8.

The fifth critical fix addresses all supported versions of Windows. This security bulletin finally resolves the Active Template Library (ATL) bug issue of the last few months. It's a fix for an ActiveX vulnerability that could lead to an RCE attack.

In that vein, the sixth critical fix represents part two of a very comprehensive ATL hotfix. It resolves "several privately reported vulnerabilities in ActiveX controls" with vulnerable ATL components. The patch affects Microsoft Office components sitting mainly on XP operating systems. Outlook, Visio and Visio Viewer are all affected by this patch.

Critical fix No. 7 touches on Microsoft Silverlight developer tools, resolving vulnerabilities in the Microsoft .NET Framework.

The final critical item involves those pesky Graphic Device Interfaces (GDI) and is by far the most thoroughly wide-reaching of the slate. If users click on a corrupt image or corrupt Web page, remote code execution could be triggered in Internet Explorer, Microsoft Report Viewer, SQL Server, Forefront, Visual Studio.NET and Visual Studio FoxPro.

"The primary danger the GDI+ graphics library and Internet Explorer vulnerabilities pose is that these vulnerable components are present on the majority of Windows machines," said Ben Greenbaum, senior research manager at Symantec Security Response.

Important Fixes
The first important item resolves two publicly disclosed vulnerabilities in the File Transfer Protocol for Internet Information Services (IIS), the subject of numerous off-cycle security advisories in recent months. Redmond says that IIS 5.0, 5.1, 6.0 and 7.0 could all be affected by RCE bugs.

The second important item is designed to thwart spoofing attack vulnerabilities in Windows CryptoAPI.

Important item No. 3 is an RCE fix for ActiveX components used in Web traffic indexing in Windows. The fourth important item is a Windows kernel hotfix with elevation-of-privilege implications.

Watch out for important item No. 5, which addresses a potential headache for enterprise IT pros. This fix is aimed at thwarting potential denial-of-service attacks in the Local Security Authority Subsystem Service, which assigns and allocates access parameters for enterprise users.

All five important patches address Windows 7. Four of them affect every Windows OS that's currently supported. The only exception is the fifth important patch, which covers everything except for Windows 2000 Service Pack 4.

All 13 patches may require a restart.

The October security release represents the busiest patch release for IT pros in the history of Microsoft security bulletin rollouts, according to Andrew Storms, director of security operations at nCircle. On top of that, Adobe Systems is releasing patches on the same day, he added.

"Compound today's Microsoft release with the impeding Adobe quarterly release and we are certain to see some enterprise teams become flustered," Storms said. "The key for security and IT organizations managing today's deluge of patches is to maintain focus and diligence with patch management practices."