A Patch Tuesday "Two-Fer" Secures Both Microsoft and Adobe Programs

June 9th saw a rare 'double-header' in security updates: Microsoft's monthly Patch Tuesday was joined by Adobe's quarterly security updates for Acrobat and Adobe Reader. How big was this month's 10-update Patch Tuesday? According to a Microsoft spokesperson quoted by Cnet, the 31 vulnerabilities covered by updates are "the most since Microsoft started releasing updates on a regular schedule of the second Tuesday of every month in October 2003."

Here's what Microsoft patched this week:

Critical remote code execution vulnerabilities in Active Directory on Windows 2000 Server, Windows Server 2003, and ADAM on Windows Server 2003 and Windows XP Professional (MS09-018)

Critical to Moderate remote code execution vulnerabilities in Windows Print Spooler in Windows 2000 SP4, Windows XP SP2/SP3 and x64, Windows Server 2003 SP2 and x64 SP2, Windows Vista RTM/SP1/SP2 and x64 and Windows Server 2008 RTM/SP2 (MS09-022).

Critical to Moderate remote code execution vulnerabilities in IE5.01, IE6, IE 6SP1, IE7, and IE8. Note that IE8 in Windows 7 RC is not included (MS09-019).

Critical to Important remote code execution vulnerabilities in Microsoft Office Word 2000, 2002 (XP), 2003, and 2007 for Windows; 2004 and 2008 for Mac, Open XML converter for Mac; Microsoft Office Word Viewers and Compatibility Packs for 2007 file formats SP1 and SP2 (MS09-027).

Critical to Important remote code execution vulnerabilities in Microsoft Office Excel 2000, 2002 (XP), 2003, and 2007 for Windows; 2004 and 2008 for Mac, Open XML converter for Mac; Microsoft Office Excel Viewers and Compatibility Packs for 2007 file formats SP1 and SP2 (MS09-021).

Critical to important remote code execution vulnerabilities for Microsoft Works 8.5, 9 and Office 2000 SP3, Office XP SP3, Office 2003 SP3, and Office 2007 SP1 (MS09-024).

Important elevation of privilege vulnerabilities in the RPC function in Windows 2000 SP4, Windows XP SP2/SP3 and x64, Windows Server 2003 SP2 and x64 SP2, Windows Vista RTM/SP1/SP2 and x64 and Windows Server 2008 RTM/SP2 (MS09-026).  

Important elevation of privilege vulnerabilities in Windows Kernel in Windows 2000 SP4, Windows XP SP2/SP3, Windows Server 2003 SP2 and x64 SP2, Windows Vista RTM/SP1/SP2 and x64 and Windows Server 2008 RTM/SP2 (MS09-025).  

Important elevation of privilege vulnerabilities in IIS 5.0, 5.1, and 6.0 when running on Windows 2000 SP4, Windows XP SP2/SP3 and x64 SP2, and Windows Server 2003 SP2 and x64 SP2 (MS09-020).  

Moderate information disclosure vulnerabilities in Windows Search 4.0 when running on Windows XP SP2, SP3, x64 SP2; Windows Server 2003 SP2 and x64 SP2 only (MS09-023).  

For details about the exploitability rating for each vulnerability (1-3, 1 being the most severe), see the security bulletin summary. To find out about Windows Media Center and other updates, and where to get the Adobe updates, join us on page 2.

Microsoft also rolled out these updates in June:

• The June 2009 version of the Windows Malicious Software Removal Tool (KB890830)
• The June 2009 update for the Windows Mail Junk email filter (KB905866)
• Cumulative updates for Windows Media Center for Windows Vista (KB967632) and Windows Media Center TV Pack for Windows Vista (KB966315)
• An update to the ActiveX kill bits security pack (KB969898).

Adobe was also busy sticking its fingers in the security dike this month, rolling out critical security update APSB09-07 with updates for Adobe Reader and Acrobat 9.x, 8.x, and 7.x. Vulnerabilities patched by the updates include stack overflow, integer overflow, memory corruption and heap overflow, all of which could be used to trigger arbitrary code execution. 

Stay safe out there!