We don’t normally cover Patch Tuesday unless there is something unusual, but the October 2009 advanced notification appears to be just that. It lists patches for 13 different security bulletins, for what looks like 30 separate security problems. Eight of the bulletins are for critical vulnerabilities with the possibility of remote code execution. The majority of the patches are for Windows itself, with a couple for SQL Server, Office, and Forefront, but it looks like just about every production version of Windows is affected. Given the scope of this security patch and the seriousness of the bugs, it looks like IT departments are going to be working overtime for a while.
Details of each of the vulnerabilities will be released later today, and I will update this post with specific points of interest as I find them. I am assuming that at least one of the patches is in response to the Server Message Block vulnerability discovered back in August. IIS is not listed as one of the affected products, but odds are the underlying OS will be, and folks will be restarting app servers either way. I am still trying to determine the issue with SQL Server. More to come…
==== Updated ==== Microsoft has updated the bulletin and included the security advisory links and some details on the threats. The SQL Server vulnerability is not within the core database engine, but the GDI ActiveX library in the print server. It’s in 2005, not 2000.
When SQL Server Reporting Services is installed, the affected installations of SQL Server software may host the RSClientPrint ActiveX control. This ActiveX control distributes a copy of gdiplus.dll containing the affected code. Customers are only impacted when the RSClientPrint ActiveX control is installed on Microsoft Windows 2000 operating systems. If the RSClientPrint ActiveX control is installed on any other operating system, the system version of GDI+ will be used and the corresponding operating system update will protect them.
The GDI+ vulnerability pretty much allows you to take down any Microsoft platform or function that uses the GDI dll, which is basically anything that uses images for forms, which is just about everything. My earlier comment that IIS was not listed was true, but there is in fact a bug linked to IIS: version 5.0 of the FTP service is vulnerable to remote code exploitation. Some of the exploits have workarounds and can be masked through firewall and web application firewall settings, however given the number and severity of the issues, we do recommend patching as soon as possible.
Reader interactions
3 Replies to “Microsoft Security Updates for October 2009”
I think the point about not removing a firewall rule makes a lot of sense… I don’t personally have confidence that a WAF is a fool-proof answer to flaws. I prefer the better safe than sorry approach.
Chester
@Chester – I have been involved in several discussions about WAF and blocking of late. The question comes up “Why patch if I can successfully block” and “Why remove the firewall rule once the patch is applied”. That’s something I am writing a separate post for, but in this case I think you have to patch.
Thanks for the link.
This is a great point about GDI which I did not discuss in my blog post concerning this months update. SophosLabs have posted an analysis with detail on more of the patches at http://www.sophos.com/blogs/sophoslabs/post/6879. I also discussed the SMB, FTP, and SSL null byte vulnerabilities on my blog at http://www.sophos.com/blogs/sophoslabs/post/6879.
Microsoft has been good at communicating workarounds and mitigation of risks, but we need to be sure this doesn’t lead to complacency about deploying these fixes. If you hide the flaw, and forget to patch you will invite old malware strains onto your network down the road. We have seen this with Conficker at many of our customers and it ultimately leads to pain and confusion. Patch now.
Chester Wisniewski
Senior Security Advisor
Sophos Inc.