September 2009 Security Bulletin Release

Summary of Microsoft’s Security Bulletin Release for September 2009

Hello again,

This month we released five critical bulletins to address vulnerabilities in Windows and protect customers from two types of threats:

1. Browser based attacks where websites hosting malicious code attempt to compromise visitors. This includes MS09-045, MS09-046 and MS09-047.

2. Network based scenarios where attackers attempt Remote Code Execution (RCE) or Denial-of-Service (DoS) type attacks. This includes MS09-048 and MS09-049.

For this set of bulletins, we consider the first category to be the biggest threat to customers overall as reflected in our Severity and Exploitability Index slide where we present a high level, aggregate view of each bulletin:

We also refer to the slide above as our risk and impact assessment. The risk of exploitation combined with the impact of the vulnerability should help customers prioritize these bulletins for deployment. To provide further guidance in this area, this month we are providing a new deployment prioritization assessment. As noted on the slide below, there are several factors that we used to determine the priority. However, there are many other potential variables that may be unique to your environment so we recommend each customer perform their own assessment and install all security updates as soon as possible.

As you can see, we give MS09-045 and MS09-047 the highest deployment priority mainly due to these being browse and own attack scenarios and a high exploitability index rating. Exploits for MS09-047 can also be created through specially crafted files such as ASF and MP3 audio files. These files could then be sent via email.

Concerning MS09-046, our Security Research & Defense (SRD) team has determined that reliable exploit code would be difficult to produce hence the lower exploitability index rating. In this case and with MS09-045, users with Internet Explorer 8.0 are at reduced risk due to the protections provided by Date Execution Prevention (DEP). Also, while this is an ActiveX control update, it is not related to the ATL issue discussed in security advisory 973882.

The wireless update provided in MS09-049 addresses an issue with the Wireless AutoConfig Service in both Windows Vista and Windows Server 2008. We consider this one hard to exploit due to the work that has gone in to hardening the Windows Heap Manager. The SRD blog has a great write up on this.

MS09-048 contains updates for three vulnerabilities. One of those is a Remote Code Execution vulnerability affecting only Windows Vista and Windows Server 2008. We think this one would be difficult to produce reliable exploit code for as well. The SRD team did a write up on this one to provide additional details so I recommend reading it. The other two vulnerabilities are both Denial-of-Service issues and I want to point out that while Windows 2000 is affected by these, an update is not being provided. This is because the architecture to protect TCP/IP properly does not exist in Windows 2000. Customers on this platform who cannot update their systems to Windows Server 2003 or 2008 will need to carefully monitor their networks and assure that firewall best practices are followed.

Also, we re-released MS09-037. This bulletin for vulnerabilities in the Active Template Library (ATL), affecting components that shipped with Windows, was originally released in August 2009. In our ongoing investigation into the ATL issue, we identified a related vulnerable control so this bulletin has been updated to include it. This additional update affects users of Windows XP Media Center 2005 and Windows Vista systems. It is important to note that to date, we have not seen any new controls being used in active attacks. The Video ActiveX control that was under limited exploitation and which drove our out of band update in July, is still the only one we have seen used in attacks. Please refer to Security Advisory 973882 for the latest information and guidance from our investigation.

In this month’s overview video, Adrian Stone and I discuss the severity and exploitability index slide and the new deployment priority slide in a little more detail:

Get Microsoft Silverlight More viewing and listening options:

Please join Adrian and I for a live webcast tomorrow, Wednesday Sept. 9 at 11:00 a.m. PDT (UTC -7) where we will go in to detail on each bulletin and answer all of your questions, with the help of a room full of subject matter experts. Go here to register >>

In this post I also want to provide some clarity on Windows 7 and Windows Server 2008 R2. After the Advance Notification went out last Thursday, we saw speculation that these new products may be affected because they were not specifically listed. To be clear, Windows 7 and Windows Server 2008 R2 are not affected by any of the September security updates. Since the date these products were released to manufacturing (July 09), they have been part of our standard security update process. As such, they would have been called out in the ANS if they were affected.

Finally, we are not addressing the IIS/FTP vulnerability announced in Security Advisory 975191 with this month’s security bulletin release. Our teams are still working on an update for this issue and we encourage customers to review the advisory for the most current guidance on this issue.

That’s it for this month. If you cannot join us for the webcast tomorrow, come back to the blog Friday afternoon as we will be posting the webcast video and Q&A from the session.


Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights.*