Windows Enterprise Desktop » MS09-022 http://itknowledgeexchange.techtarget.com/vista-enterprise-desktop Fri, 17 May 2013 15:52:16 +0000 en-US hourly 1 More on Patch Tuesday, July 2009 http://itknowledgeexchange.techtarget.com/vista-enterprise-desktop/more-on-patch-tuesday-july-2009/ http://itknowledgeexchange.techtarget.com/vista-enterprise-desktop/more-on-patch-tuesday-july-2009/#comments Wed, 15 Jul 2009 13:51:57 +0000 Ed Tittel http://itknowledgeexchange.techtarget.com/vista-enterprise-desktop/?p=402 OK, so today is Wednesday, so that means Patch Tuesday has now come and gone, and the finalized version of the Security Bulletin Summary for July 2009 is now available. In addition to six updates, there’s also an updated version of the Windows Malicious Software Removal tool included amidst this month’s offerings. The following table provides some details on the security-related patches and updates, with links to their underlying individual security bulletins.

Bulletin ID Rating Target Remarks
MS09-023 Critical Microsoft Windows 2 privately reported remote code execution items in the Windows Embedded OpenType (EOT) Font Engine
MS09-028 Critical Microsoft Windows 2 vulnerabilities (1 public, 2 private) in Microsoft DirectShow; opening a specially formatted QuickTime media file can lead to remote execution
MS09-032 Critical Microsoft Windows Resolves privately reported vulnerability already being exploited in the MS Video ActiveX control; could lead to remote execution upon viewing a specially crafted Web page in IE with a malicious ActiveX control
MS09-033 Important Virtual PC Virtual Server Privately reported vulnerability allows arbitrary code to be executed, or complete control taken for an affected guest OS
MS09-031 Important ISA Server 2006 Privately reported vulnerability could allow elevation of privilege upon successful impersonation of administrative account on ISA server configured for Radius One time Password (OTP) authentication and authentication delegation with Kerberos Constrained Delegation
MS09-030 Important Microsoft Office Publisher Privately reported vulnerability could allow remote code execution if a user opens a specially crafted Publisher file; could lead to complete control over affected system.

The critical Windows related items will probably need to be addressed as soon as possible; the other important items may or may not apply to all enterprise situations, but will surely apply to some. For those outfits, the possibility of remote code execution or outright system takeover suggests that they, too, should be addressed quickly.

FWIW, I was able to download and install all these patches on several Vista systems late last night/early this morning without any difficulties. Alas, the same is not true for an optional update to one of my systems Realtek 8111B PCIe GBE Ethernet controller: after three attempts to install same, I’m still scratching my head and wondering why it won’t work. And wouldn’t you know it: the Realtek Web site doesn’t have an update newer than May 2009, while this one is dated for earlier in July. Sigh.

]]> http://itknowledgeexchange.techtarget.com/vista-enterprise-desktop/more-on-patch-tuesday-july-2009/feed/ 0 Patch Tuesday June09: A Real Whopper! http://itknowledgeexchange.techtarget.com/vista-enterprise-desktop/patch-tuesday-june09-a-real-whopper/ http://itknowledgeexchange.techtarget.com/vista-enterprise-desktop/patch-tuesday-june09-a-real-whopper/#comments Wed, 10 Jun 2009 16:43:49 +0000 Ed Tittel http://itknowledgeexchange.techtarget.com/vista-enterprise-desktop/?p=340 OK, so yesterday’s Patch Tuesday does the deed for June. It’s a monster: 10 security bulletins, 31 vulnerabilities addressed, and involving most versions of Windows itself, IE, and various MS Office and related elements (Works, Word, and Excel). Even the Windows Print Spooler and OS Kernel get in on the act!

Of the 10 bulletins issues, half (5) are critical, and fill some gaping widely-known holes in MS security. Chief among these: the dual WebDAV gothas for IIS publicized in May (explained in this Ryan Naraine blog from 5/19) and the infamous Pwn2Own vulnerability discovered in March at the CanSecWest conference in Vancouver.

I downloaded mine for Vista yesterday and they appear to have installed and taken without a hitch. You’ll probably want to start testing these right away, if you don’t plan to deploy them as-is.

Bulletin ID Rating Target Remarks
MS09-018 Critical Active Directory, Server 2000/203 2 remote code execution items
MS09-019 Critical IE version 5-8 8 vulnerabilities, including remote code execution items
MS09-020 Important IIS 2 vulnerabiliites allowing elevation of privilege
MS09-021 Critical MS Excel 7 vulnerabilities including remote code execution
MS09-022 Critical Windows Print Spooler 3 vulnerabilities, including remote code execution (Windows
MS09-023 Moderate Windows Search Single vulnerability could allow info disclosure
MS09-024 Critical Microsoft Works converter Could allow remote code execution
MS09-025 Important Windows kernel 4 vulnerabilities that could allow elevation of privilege
MS09-026 Important RPC Could allow execution of arbitrary code or takeover
MS09-027 Critical MS Word 2 vulnerabiltiies could allow remote code execution
]]> http://itknowledgeexchange.techtarget.com/vista-enterprise-desktop/patch-tuesday-june09-a-real-whopper/feed/ 0