November 2009 Security Bulletin Release

Summary of Microsoft’s Security Bulletin Release for November 2009

Today, we released six security bulletins addressing a total of 15 vulnerabilities. Four affect Windows and Windows Server and two affect Microsoft Office products (Excel and Word).

As we do every month, we have prepared our Risk & Impact and our Deployment Priority guidance to help customers assess risk to their environments and prioritize the deployment of this month’s updates. Risk & Impact is a snapshot of the cumulative severity and exploitability index ratings for each bulletin. This month, MS09-065 is the only bulletin with a critical severity rating and an Exploitability Index rating of 1 (“Consistent Exploit Code Likely”). This bulletin provides updates for three vulnerabilities in Windows Kernel-Mode Drivers. We recommend customers prioritize and deploy this update immediately.

To better demonstrate the affected products and important aspects of MS09-065, I am including a more detailed overview slide (below). As you can see, only one of the three vulnerabilities (CVE-2009-2514) is critical. That vulnerability only affects Windows 2000 SP4, Windows XP SP2 and SP3, and Windows Server 2003 SP2 (it does not affect Windows Vista or Windows Server 2008 so if you are using either of these platforms, you can lower the deployment priority to a two). The vulnerability was publicly disclosed and could be used to create a malicious web page which could potentially exploit vulnerable systems just by visiting the website. The other two vulnerabilities are Elevation of Privilege (EoP) which would require the attacker to have valid logon credentials in order to be able to exploit.

The following deployment priority guidance is based on a combination of severity rating, exploitability index rating, available mitigations and workarounds and range of affected products. All customers should perform their own prioritization assessment as each environment is different and other factors may apply. Microsoft recommends that all security updates be deployed as soon as possible.

· MS09-063 affects Windows Vista and Windows Server 2008. There is a potential for unauthenticated remote code execution (RCE) but only from the local subnet. Attacks cannot originate from outside of the network. This mitigation along with the exploitability index rating of 2 lowers the deployment priority. Obviously, this is still a critical bulletin so customers should deploy as soon as possible.

· MS09-064 affects only Windows 2000 Server SP4. This one also has the potential for unauthenticated RCE between systems running the License Logging Service. This service is enabled by default on Windows 2000 Server so this deployment priority should be moved up for customers who have Windows 2000 servers on public-facing networks.

· MS09-067 and MS09-068 both have similar attack vectors. A user would have to open a maliciously crafted Excel or Word file developed to exploit these vulnerabilities. Users of Office XP or later will be prompted to Open, Save, or Cancel before opening a document. These mitigations lower the severity and deployment priority. However, users should never open file attachments they receive in emails from unknown sources and should always question attachments from known sources if they are unexpected.

Adrian Stone from the Microsoft Security Response Center (MSRC) and I give a brief overview of this month’s bulletin release in the video below.

Get Microsoft Silverlight More listening and viewing options:

For more in-depth technical detail on MS09-063, MS09-064 and MS09-065, please visit our Security Research & Defense team blog at this link.

We also re-released MS09-045 and MS09-051. The former was re-released to add detection for users who may be running JScript 5.7 on Windows 2000 Service Pack 4 machines and the latter is a re-release of the update for Audio Compression Manager on Microsoft Windows 2000 Service Pack 4 to fix a detection issue.

As always, we encourage all customers to join us for our live security bulletin webcast which we conduct every month after release. Adrian and I will go in to detail on each bulletin and, along with a room full of subject matter experts, answer all of your questions live. So if you can, please join us tomorrow, Nov 11 at 11:00 a.m. PDT (UTC -8). You can register for the webcast at this link.

The last item I want to mention this month is that the Microsoft Malware Protection Center (MMPC) team has added Win32/fakevimes and Win32/privacycenter to the Windows Malicious Software Removal Tool (MSRT) this month. Please check their blog post for more information.


Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights*