Windows Enterprise Desktop:

Windows Update

Apr 10 2009   4:34PM GMT

Patch Tuesday Preview for April 09



Posted by: Ed Tittel
Windows Update, Patch Tuesday, Windows Vista security updates, Windows Vista critical security updates, Windows Vista Important security updates, Windows Vista Moderate security updates

Next Tuesday, April 14, is Patch Tuesday for this month. As usual, Microsoft e-mailed its Advance Notification yesterday to let us all know what’s coming (there’s also a Web version). Here’s what to expect, Windows Vista-wise, from the 8 bulletins (5 of which are Critical) to be released that day:

  • Windows (which often involves Vista): 3 Critical, 1 Important, 1 Moderate. All 3 Critical bulletins pose potential remote code execution vulnerabilities, while the Important one involves an elevation of privilege for attackers. The Moderate item involves a potential elevation of privilege as well.
  • Internet Explorer and Excel: Two more critical bulletins, both of the remote code execution variety.
  • Internet Security & Acceleration Server (ISA): One important bulletin that could involve Denial of Service for Microsoft Forefront Edge Security software.
  • 6 of the 8 items require a system restart, while the other two may require a restart, depending on local conditions on patched PCs.
  • Of the 5 Windows bulletins, 3 of them involve Vista (Windows bulletins 2, 4, and 5); the IE patch also affects IE7 on Vista.

Looks like we’ve got some patching in our future. Stay tuned for details next Wednesday, April 15.

Mar 13 2009   4:38PM GMT

Patch Tuesday March 2009



Posted by: Ed Tittel
Patch Tuesday, MS09-006, MS09-007, MS09-008, KB958960, KB960224, Windows Update

Tuesday, March 10, was the second Tuesday of the month, the day colloquially known to MS system administrators and security mavens as “Patch Tuesday.” Here’s a smorgasbord of the items that showed up in the list of 3/10/2009 items with relevance for Windows Vista:

  • MS09-006 Vulnerabilities in Windows Kernel Could Allow Remote Code Execution (KB958690). This is the first kernel vulnerability to come along for a while and as such affects all supported versions of Windows back to Windows 2000. Most fixes go to the Win32k.sys file, which ranks right up there with ntoskrnl.exe at the heart of Windows OSes everywhere. Update this one quick!
  • MS09-007 Vulnerability in SChannel Could Allow Spoofing (KB960225). This privately reported item, if exploited, could allow an attacker who gains access to end-user certificates to successfully impersonate (spoof) those users, but only when the public key component of an authentication certificate has also been obtained. This affects all supported versions of Windows as well. If you use end-user certificates as part of your authentication mechanisms, you’ll want to apply this update quickly as well.

Another bulletin (MS09-008) was also released with fixes for vulnerabilities in DNS and WINS Server code that could permit address spoofing for potential man-in-the-middle or site impersonation attacks. But you can leave these fixes for the server gang, unless you happen to take care of your organization’s servers as well.

For the record, only MS09-006 is rated Critical, while both MS09-007 and MS09-008 are rated Important. Given the nature of the related vulnerabilities, anyone who’s affected by either Important item should probably expedite pushing this update out as quickly as possible anyway. And of course any Critical item needs to make its way onto Vista (and other Windows) machines as soon as circumstances and testing/deployment requirements permit.
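Before the Critical and Important items above get expedited, it helps to know which machines actually still lack them. The following PowerShell snippet is an added example, not code from this blog or from Microsoft; it uses Get-HotFix to check the two KB numbers named in this post against one or more Vista machines. The KB numbers come from the post; the computer names are placeholders, and remote queries assume the usual remote-registry/WMI access that Get-HotFix relies on.

```powershell
# Added example: report which Vista machines are missing the March 2009
# security updates discussed above. KB numbers are from the post itself;
# computer names are placeholders.

$RequiredUpdates = @{
    'KB958690' = 'MS09-006 Windows kernel (Critical)'
    'KB960225' = 'MS09-007 SChannel spoofing (Important)'
}

function Test-RequiredUpdates {
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [hashtable]$Updates = $RequiredUpdates
    )
    foreach ($computer in $ComputerName) {
        # Get-HotFix lists the hotfix IDs Windows Update has recorded on the box
        $installed = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                     ForEach-Object { $_.HotFixID }
        foreach ($kb in $Updates.Keys) {
            # New-Object (rather than [pscustomobject]) keeps this usable on PowerShell 2.0
            New-Object PSObject -Property @{
                Computer  = $computer
                KB        = $kb
                Bulletin  = $Updates[$kb]
                Installed = ($installed -contains $kb)
            }
        }
    }
}

# Usage: produce a work list of machines that still need either update
Test-RequiredUpdates -ComputerName 'VISTA-LAB-01', 'VISTA-LAB-02' |
    Where-Object { -not $_.Installed } |
    Format-Table Computer, KB, Bulletin -AutoSize
```

Feed the output to whatever pushes updates in your environment; a machine that shows up here after a deployment cycle is the one to investigate, since Get-HotFix only reports what the update installer actually recorded.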


Feb 9 2009   4:40PM GMT

Preview of Patch Tuesday Attractions



Posted by: Ed Tittel
Patch Tuesday, Windows Update, Enterprise desktop, Enterprise Vista, KB890830, KB905866, KB950644, KB958653, KB960715, KB894199

Tomorrow, February 11, is the second Tuesday in February–hence, “Patch Tuesday” is once again at hand. Microsoft publishes advance notification for security bulletins each month on the preceding Thursday, so I can tell you what to expect in tomorrow’s updates. There are four items that should be included (though last-minute additions and deletions have been known to occur):

  • Critical: Internet Explorer 7 versions remote code execution fix. XP, Vista, Windows Server 2003 and 2008, 32- and 64-bit versions.
  • Critical: Exchange Server versions remote code execution fix. Exchange 2000 Server SP3 with 8/04 update rollup, Exchange Server 2003 SP2, Exchange Server 2007 SP1 (32- and 64-bit versions).
  • Important: SQL Server remote code execution. Too many versions to enumerate here (check the advance notification link in the first paragraph for details).
  • Important: Visio remote code execution. MS Office Visio 2002 SP2, MS Office Visio 2003 SP3, MS Office Visio 2007 SP1.

As usual, there will also be an updated version of the Microsoft Malicious Software Removal tool (KB890830) and the Windows Junk E-mail Filter (KB905866) for February, 2009. There will also be cumulative updates for Media Center for Windows Vista (KB950644) and Media Center TVPack for Windows Vista (KB958653), plus an update rollup for ActiveX Killbits for Windows (KB960715). These are described in more detail in KB894199 and also in the other KB articles cited for each item.

Given that all the major updates relate to remote code execution and the system compromises such vulnerabilities can produce, it’s probably time to start testing and/or deploying these patches to your clients and servers on an ASAP basis.


Feb 2 2009   5:34PM GMT

Windows Service Pack Blocker soon to lose XP (SP3), Vista (SP1) blocks



Posted by: Ed Tittel
Enterprise desktop, Enterprise Vista, Windows Update, Windows Service Pack Blocker, Windows XP SP3, Windows Vista SP1

Since December 2007, Microsoft has offered a Windows Service Pack Blocker Tool Kit to organizations that wish to prevent deployment of service packs in their environments. Blogging for the Vista Team Blog, Microsoft Windows Communication Manager Matt LeBlanc indicated on 1/29/2008 that this tool will soon relinquish its ability to block XP SP3 and Vista SP1. The expiration date for XP SP3 is 5/19/2008 and for Vista SP1 is 4/28/2009, each 12 months to the day from the original release of those service packs, and each in keeping with the tool’s stated ability to block current service packs up to 12 months after their release dates. After these dates, these SPs will be available directly from Windows Update.

With Vista and Windows Server 2008 shortly to become the focus of a shared SP2 release (currently guesstimated for April, 2009), this tool retains its capability and may be used to block or defer installation of this new SP for up to 12 months after its eventual general availability date. The Blocker offers admins three different ways to manage Service Packs:

  • An MS-signed executable that manages a Registry Key (in HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate) to block or allow Windows Update delivery of a current SP.
  • A script that works like the MS executable except that it allows the admin to supply the name of a remote machine where the block/unblock operations may be performed.
  • An administrative (.ADM) template that permits admins to import GPOs to block or unblock delivery of SPs into a Group Policy environment.

As Microsoft observes in connection with the Blocker “this toolkit will not prevent the installation of the service pack from CD/DVD, or from the stand-alone download package. This simply prevents the service pack from being delivered over Windows Update.”

For environments where more time is often needed to test and accommodate SPs, the Blocker can be a handy tool. As long as admins understand it does not last forever–in fact, a year from the SP’s general availability date is as much leeway as it can provide–the tool can be a useful element in their Vista, XP, and Windows Server 2008 toolbox.
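The three delivery mechanisms listed above all end up touching the same policy key. The PowerShell below is an added example, not Microsoft’s toolkit or a script from this blog; it sets, inspects, and clears that value directly so admins can see what the executable, the script, and the .ADM template are each doing under the covers. The key path is the one the post names; the value name DoNotAllowSP (REG_DWORD, 1 = block) is taken from the toolkit’s own README and should be treated as an assumption to confirm against the toolkit version you deploy.

```powershell
# Added example: manage the Service Pack Blocker policy value directly.
# Key path is from the post; the value name DoNotAllowSP is assumed from
# the toolkit README (verify against your copy). Run from an elevated prompt.

$BlockerKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$BlockerValue = 'DoNotAllowSP'

function Set-ServicePackBlock {
    param([Parameter(Mandatory = $true)][bool]$Block)
    if (-not (Test-Path $BlockerKey)) {
        # The Policies branch is absent until some policy creates it
        New-Item -Path $BlockerKey -Force | Out-Null
    }
    if ($Block) {
        Set-ItemProperty -Path $BlockerKey -Name $BlockerValue -Value 1 -Type DWord
    } else {
        # Removing the value returns the machine to the default: SP offered via Windows Update
        Remove-ItemProperty -Path $BlockerKey -Name $BlockerValue -ErrorAction SilentlyContinue
    }
}

function Get-ServicePackBlock {
    # $true only when the value exists and is set to 1; anything else means "not blocked"
    $item = Get-ItemProperty -Path $BlockerKey -Name $BlockerValue -ErrorAction SilentlyContinue
    return ($item -ne $null -and $item.$BlockerValue -eq 1)
}

# Usage: block while SP testing is underway, confirm, then unblock when ready to deploy
Set-ServicePackBlock -Block $true
Get-ServicePackBlock          # $true while blocked
Set-ServicePackBlock -Block $false
Get-ServicePackBlock          # $false once cleared
```

To apply this to the remote machine the toolkit’s script supports, wrap the two functions in Invoke-Command against that computer (PowerShell remoting) or set the value through Group Policy as the .ADM template does. Keep in mind the post’s caveat: this value only affects delivery over Windows Update, and the blocking window closes 12 months after the SP’s release regardless of what the registry says.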


Jan 19 2009   4:48PM GMT

Windows Malicious Software Removal Tool



Posted by: Ed Tittel
Windows Vista, Windows Vista troubleshooting, Windows Malicious Software Removal Tool (mrt.exe), Windows Update, antivirus, antispyware, antimalware, rootkit, HijackThis

Like clockwork, Microsoft proffers up a new version of the Windows Malicious Software Removal Tool on each and every Patch Tuesday. In January, 2009, that item is described in Knowledge Base article KB890830. This tool is not intended to replace anti-virus or anti-spyware tools, but it can be nice for Vista admins to recognize that the tool gets updated monthly and can more or less be guaranteed to be present on Vista PCs as long as:

  • Updates get pushed to Vista desktops regularly
  • The list of pushed updates includes the current Windows Malicious Software Removal Tool

Just for grins, I decided to dig up and learn the details involved in using this tool. The name of the executable file is mrt.exe, which is actually the recommended string to launch the tool as well (simply type mrt.exe into the Vista search box, and it’s off to the races).

Once you fire off this program, it presents a window on the desktop that looks like this:

[Screenshot: the Malicious Software Removal Tool reports status as it scans]

As it’s running, mrt.exe can consume some resources, however. Check out these screen caps from my Sidebar CPU usage widget and Task Manager’s process window, captured about the same time as the preceding screenshot:

[Screenshot: Sidebar CPU widget; CPU consumption usually runs about 25% for this program]

[Screenshot: Task Manager shows that the mrt process is pretty active]

The good thing about mrt.exe is that if admins need to help users cope with possible malware infestations on the road, it’s nearly always safe to assume that this tool will be available on the machine, ready to use to help track down and possibly clean up what ails it. That said, mrt.exe can’t be the only tool in the clean-up arsenal: special purpose diagnostic tools such as HijackThis or various rootkit detectors must often play a role, and special purpose one-shot clean-up tools from various antimalware vendors must also occasionally be called into play.

But as tools go, this one ain’t bad, and it’s never too far from any Vista machine, either. If there’s one downside to mrt.exe, it’s speed: on a test scan on my production Vista PC (Ultimate, with about 90 GB of files spread across 3 hard disks) the program took over 3 hours to perform a complete, in-depth scan of my system. Savvy admins will have tired road warriors fire this off before an extended break, or before bedtime, to help their charges avoid excessive losses of computing cycles on their traveling machines.
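Since a full scan ties up a machine for hours, the practical way to use the tool is to run it unattended and read its results afterward rather than watching the window. The PowerShell below is an added example, not from this post or from Microsoft; it launches mrt.exe quietly with a forced full scan and then pulls the summary lines out of the tool’s log. The /Q (quiet) and /F (force full scan) switches and the log location %SystemRoot%\debug\mrt.log are the ones documented in KB890830, stated here as assumptions to verify against the current article; the log-line patterns the filter matches are likewise assumed.

```powershell
# Added example: run the Malicious Software Removal Tool unattended and
# report its results from the log. Switches and log path assumed from
# KB890830 (verify); the regex for summary lines is an assumption too.

$MrtExe = Join-Path $env:SystemRoot 'System32\mrt.exe'
$MrtLog = Join-Path $env:SystemRoot 'debug\mrt.log'

function Invoke-MrtFullScan {
    # A full scan is slow (the post reports 3+ hours on ~90 GB of files),
    # so schedule this for a break or overnight and let it finish on its own.
    if (-not (Test-Path $MrtExe)) { throw "mrt.exe not found at $MrtExe" }
    $proc = Start-Process -FilePath $MrtExe -ArgumentList '/Q', '/F' -Wait -PassThru
    return $proc.ExitCode
}

function Get-MrtLastResult {
    param([int]$Lines = 25)
    if (-not (Test-Path $MrtLog)) { return $null }
    # mrt.log is appended on every run, so the newest run sits at the end
    Get-Content -Path $MrtLog | Select-Object -Last $Lines
}

# Usage: run the scan, then show only the lines an admin cares about
$exitCode = Invoke-MrtFullScan
"mrt.exe finished with exit code $exitCode"
Get-MrtLastResult |
    Where-Object { $_ -match 'Results Summary|infection|Return code|Threat' }
```

Wrapping this in a scheduled task that fires when the road warrior’s notebook is idle gives you the monthly scan without the lost cycles the post warns about, and the log excerpt can be collected centrally so someone actually reads the result.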


Jan 16 2009   6:27PM GMT

Patch Tuesday Brings SMB Relief



Posted by: Ed Tittel
Patch Tuesday, Windows Update, MS09-001, KB959141, KB905866, KB890830, Realtek RTL8168B/8111B GbE Ethernet driver update

Microsoft kicked off 2009 with a very interesting critical security update on the first “Patch Tuesday” of this year: MS09-001 Vulnerabilities in SMB Could Allow Remote Code Execution addresses issues with the Server Message Block Protocol that go all the way back to Windows 2000 (and would go further except that’s where the Microsoft “update horizon” kicks in). This update addresses three vulnerabilities in all:

  1. SMB Buffer Overflow Remote Code Execution Vulnerability (CVE-2008-4834)
  2. SMB Validation Remote Code Execution Vulnerability (CVE-2008-4835)
  3. SMB Validation Denial of Service Vulnerability (CVE-2008-4114)

Of those three, the first is the scariest because it allows forged SMB packets to compromise a machine at the System level on any Windows PC running the Server service (except for Vista and Server 2008). That said, this is a “theoretically possible” exploit, rather than a known or demonstrated one. Number 2 is similar to number 1 except that it could affect Vista and Server 2008, but not in their default configurations. It’s more likely, in fact, that 1 and 2 will produce the same effects as number 3, and result in a denial of service for SMB hosts (again except for default Vista and Server 2008 configurations) than actually resulting in remote code execution. But whether you’re ducking a system takeover or just a DoS, this patch is definitely worth applying to your Vista systems anyway.

Other items from this Patch Tuesday include:

  • Updates for the various MS email (Outlook and MS Mail on most Vista machines) Junk Email Filters (KB959141 and KB905866)
  • Malicious Software Removal Tool for January, ‘09 (KB890830)

These are entirely routine, and while worth grabbing, don’t really cry out for much attention or coverage. I also found a Realtek RTL8168B/8111B GbE Interface update in my queue, for several of my Vista machines including both notebooks and desktops, so I suspect others will see and welcome this driver update as well (installed without a glitch on all affected machines).


Dec 17 2008   9:11PM GMT

Essential out-of-cycle IE security update now available



Posted by: Ed Tittel
Security, Windows Vista, Windows Update, Windows Vista SP1, vulnerability scanner, Windows Vista SP2, MS08-078, CVE-2008-4844

When Secunia calls a Windows security update “extremely critical” you know a serious vulnerability is being patched. The Windows security community has been abuzz since last week when a number of remote code execution vulnerabilities originally thought limited to IE 7 turned out to affect other IE versions, and to involve general XML vulnerabilities as well. For more information on the update see “Microsoft Security Advisory (961051) Vulnerability in Internet Explorer Could Allow Remote Code Execution” and “Microsoft Security Bulletin MS08-078 - Critical.”

Security Bulletin MS08-078 specifically mentions IE 5, 6, and 7, as well as Windows 2000, Windows XP, and Windows Vista on the desktop front, plus Windows Server 2003 and Windows Server 2008, in both 32- and 64-bit versions (where applicable). This update is also associated with Pointer Reference Memory Corruption Vulnerability - CVE-2008-4844 from the Common Vulnerabilities and Exposures (CVE) list.

The nature of the vulnerability is called “Remote Code Execution” which essentially means that an attacker can take over a system and run any code he or she wishes to at a very high level of privilege. Please visit Windows Update and download this security fix for testing and evaluation as soon as possible. Zero-day exploits have already been reported, and it is regarded as an active and hostile threat.


Dec 10 2008   5:27PM GMT

Patch Tuesday Posts a Plethora of Critical Items



Posted by: Ed Tittel
Security, Desktops, Enterprise desktop, Windows Vista, Windows Update, Patch Tuesday, MS08-70, MS08-71, MS08-72, MS08-73, MS08-74, MS08-75, MS08-76, MS08-77

The second Tuesday in each month is when Microsoft schedules its patches, fixes, and security updates. Recently, Microsoft has begun to offer Advance Notification for its Security Bulletins, which makes it a lot easier to tell what’s coming down the pike. For December, 8 updates have been pushed to the Windows Update servers.

Of the 8 items for Vista that appeared on December 9, 6 are rated Critical and 2 Important. Here’s a brief summary of what you’ll find:

  • MS08-071 Vulnerabilities in GDI Could Allow Remote Code Execution. Permits a specially crafted WMF image file to achieve remote code execution at the system level.
  • MS08-075 Vulnerabilities in Windows Search Could Allow Remote Code Execution. Blocks vulnerabilities that could occur if a user opens and saves a specially-crafted saved-search file in IE or clicks a similar search URL.
  • MS08-073 Cumulative Security Update for IE. Resolves 4 privately reported vulnerabilities including remote code execution.
  • MS08-070 Vulnerabilities in Visual Basic 6 Runtime Extended Files (ActiveX Controls) Could Allow Remote Code Execution. Resolves 5 private and 1 public vulnerability in ActiveX controls for VB 6.0 Runtime Extended files.
  • MS08-072 Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution. Resolves 8 privately reported MS Office and Outlook vulnerabilities related to Word or RTF file contents that deliver access at the system level.
  • MS08-074 Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution. Resolves 3 privately reported vulnerabilities possible from specially-crafted Excel files that provide system-level access.
  • MS08-077 Vulnerability in Microsoft Office SharePoint Server Could Cause Elevation of Privilege. Resolves a privately reported item that allows elevation of privilege when authentication is bypassed by browsing to an admin URL on a SharePoint site (might result in DoS or unauthorized access).
  • MS08-076 Vulnerabilities in Windows Media Components Could Allow Remote Code Execution. Resolves 2 privately reported vulnerabilities in Windows Media Player, Windows Media Format Runtime, and Windows Media Services that could allow remote code execution at system-level privilege.

The first six are rated Critical, the last two Important. Vista admins will probably want to start working with all of these that apply to their environments (including SharePoint and Windows Media, where applicable) because all come with potentially dire consequences if they remain unpatched. Hopefully, none of them will cause too many compatibility problems. Nonetheless I advise you to get testing underway ASAP.

I just saw an interesting story from Ryan Naraine on ZDNet that puts these Vista Updates into a different context. He calls this patch Tuesday a “whopper” because it mentions that 28 vulnerabilities in Windows, IE, and Office are addressed, of which 23 are rated “Critical.” He counts each of the reported items addressed in the preceding list of security bulletins to come up with these numbers, which certainly adds to the drama. I guess it’s all in how you play out and drum up those numbers! He also mentions that other security experts from Shavlik agree that it’s wise to start planning a roll-out of these patches ASAP because of the vulnerabilities they expose.


Dec 5 2008   6:55PM GMT

A Somewhat Hidden Secunia Benefit



Posted by: Ed Tittel
Desktops, Enterprise desktop, Windows Vista, Secunia, Windows Vista troubleshooting, Windows Update, Windows Vista SP1, Secunia Network Inspector (NSI), vulnerability scanner, Windows Vista SP2

Last week I blogged about Danish information security firm Secunia’s outstanding Network Software Inspector. In that capsule summary I neglected to mention that Secunia sends out e-mail updates to all registered users any time the rules base gets updated.

This turns out to have significant value, of course, because some updates are more important than others–Microsoft Security Updates are probably the best example, especially those pushed to Windows Update outside the usual Patch Tuesday cycle. In this case, my reminder came in the form of an observation that Sun had released a new set of Java and Java Runtime Environment (JRE) updates, which addressed some reasonably serious (Category 4) vulnerabilities from the previously-current version.

This was all the information I needed to go out and grab the updates for the various Vista and XP machines that I work on every day. In an enterprise setting, the same email can trigger the download-test-push cycle that’s more typical for updates in such environments. Either way, timely access to this kind of information is absolutely invaluable, and lets us all respond more quickly as and when known vulnerabilities are patched or fixed.

The Secunia vulnerability scanning toolset is a good one, and this real-time e-mail update service only makes it better. I hope you’ll check it out, and try it out, in your own environments.

–Ed–


Dec 3 2008   5:47PM GMT

Windows Vista SP2 Beta Publicly Available 12/4/08



Posted by: Ed Tittel
Desktops, Enterprise desktop, Windows Vista, Windows Vista troubleshooting, Windows Update, Vista application compatibility, Windows Vista SP2

I guess those guys at TechARP really must have some good sources: less than one week after they shared leaked information about release dates and content for Windows Vista SP2, Microsoft has announced its Customer Preview Program (CPP) for a single SP2 that will cover both Windows Vista and Windows Server 2008. This leads me to several interesting observations:

  • There must be much more to the common code base that purportedly exists between Vista and Server 2008 than many had previously thought–including me–because a single set of executables (32-bit and 64-bit binaries, in the usual variations) will address both OSes.
  • The Notable Changes document mentions a change to the Windows Update Agent/Windows Update Service stack as a pre-req to installing this service pack.
  • The standalone packages will be between 302 and 390 MB in size, and the Windows Update downloads from 41 to 47 MB (32-bit packages). For x64 packages, these numbers vary between 508 and 622 MB for standalone, and 60 and 90 MB for Windows Update versions.
  • The new features list matches what I reported from TechARP exactly, except for the omission of updates to the RSS feeds sidebar gadget to improve performance and responsiveness.
  • Numerous enterprise (full addition of Hyper-V into 2008, improved power management policies, and improved backward compatibility for Terminal Server license keys) and setup and deployment (single installer for both Vista and 2008, driver incompatibility checks during install, better error handling and reporting, improved installation logging and security, and another clean-up tool to rid the drive of files that SP2 will supersede) features will debut in this service pack.
  • There’s also mention of running the clean-up tool offline while creating slipstream install images to reduce overall image size. I’m curious to see how this will play out in day-to-day use.

As I write this blog, the SP2 download is available only to TechNet and MSDN subscribers (drat! I gave up my TechNet subscription as of 1/1/2008, and this is the first time I’ve missed it since then). On Thursday, 12/4/08, it became available on its own Beta CPP page [added 12/5/08].

Of course this information raises a very important question for enterprise Vista admins to ponder: why would they care about this beta? Instead of thinking of it as another distraction from important tasks and activities, think of it as an early opportunity to look for potential install, deployment, and compatibility issues. Although the full-blown release won’t go live until April 2009 at the earliest, it’s never too soon to start weeding out the potential gotchas from the work that a full-blown rollout will inevitably bring. That’s why you’ll probably want to download and work with this beta, albeit in the context of a safe and isolated test lab setup.

–Ed–