Maximum PC Patch Tuesday RSS Feed

Microsoft Readying Biggest-Ever Patch Tuesday for Next Week

Paul Lilly — Fri, 09 Oct 2009 08:35:14 -0500

It's a good thing most of use have long since moved on from dial-up, because come Tuesday, Microsoft said it will send out its largest-ever number of security updates to fix and plug holes in every version of Windows, including the first update for Windows 7 RTM. Internet Explorer, Office, SQL Server, Forefront Security client, and some developer tools will also be in the mix.

"Thirteen is not a lucky number," said Andrew Storms, director of security operations at nCircle Network Security, in response to the monster update scheduled for October 13. "They've been a busy bunch at Microsoft, that's for sure."

Microsoft will ship 13 updates in all next week, eight of them considered critical. That's enough to break the record of 12 updates shipped in February 2007 and October 2008.

Five of the updates will affect Windows 7, even though the OS has yet to formally launch. However, enterprises with volume licenses, party hosts, and others have been able to obtain and run the finalized the OS for awhile now.

A Patch Tuesday "Two-Fer" Secures Both Microsoft and Adobe Programs

Mark Edward Soper — Thu, 11 Jun 2009 19:11:41 -0500

June 9th saw a rare 'double-header' in security updates: Microsoft's monthly Patch Tuesday was joined by Adobe's quarterly security updates for Acrobat and Adobe Reader. How big was this month's 10-update Patch Tuesday? According to a Microsoft spokesperson quoted by Cnet, the 31 vulnerabilities covered by updates are "the most since Microsoft started releasing updates on a regular schedule of the second Tuesday of every month in October 2003."

Here's what Microsoft patched this week:

Critical remote code execution vulnerabilities in Active Directory on Windows 2000 Server, Windows Server 2003, and ADAM on Windows Server 2003 and Windows XP Professional (MS09-018)

Critical to Moderate remote code execution vulnerabilities in Windows Print Spooler in Windows 2000 SP4, Windows XP SP2/SP3 and x64, Windows Server 2003 SP2 and x64 SP2, Windows Vista RTM/SP1/SP2 and x64 and Windows Server 2008 RTM/SP2 (MS09-022).

Critical to Moderate remote code execution vulnerabilities in IE5.01, IE6, IE 6SP1, IE7, and IE8. Note that IE8 in Windows 7 RC is not included (MS09-019).

Critical to Important remote code execution vulnerabilities in Microsoft Office Word 2000, 2002 (XP), 2003, and 2007 for Windows; 2004 and 2008 for Mac, Open XML converter for Mac; Microsoft Office Word Viewers and Compatibility Packs for 2007 file formats SP1 and SP2 (MS09-027).

Critical to Important remote code execution vulnerabilities in Microsoft Office Excel 2000, 2002 (XP), 2003, and 2007 for Windows; 2004 and 2008 for Mac, Open XML converter for Mac; Microsoft Office Excel Viewers and Compatibility Packs for 2007 file formats SP1 and SP2 (MS09-021).

Critical to important remote code execution vulnerabilities for Microsoft Works 8.5, 9 and Office 2000 SP3, Office XP SP3, Office 2003 SP3, and Office 2007 SP1 (MS09-024).

Important elevation of privilege vulnerabilities in the RPC function in Windows 2000 SP4, Windows XP SP2/SP3 and x64, Windows Server 2003 SP2 and x64 SP2, Windows Vista RTM/SP1/SP2 and x64 and Windows Server 2008 RTM/SP2 (MS09-026).

Important elevation of privilege vulnerabilities in Windows Kernel in Windows 2000 SP4, Windows XP SP2/SP3, Windows Server 2003 SP2 and x64 SP2, Windows Vista RTM/SP1/SP2 and x64 and Windows Server 2008 RTM/SP2 (MS09-025).

Important elevation of privilege vulnerabilities in IIS 5.0, 5.1, and 6.0 when running on Windows 2000 SP4, Windows XP SP2/SP3 and x64 SP2, and Windows Server 2003 SP2 and x64 SP2 (MS09-020).

Moderate information disclosure vulnerabilities in Windows Search 4.0 when running on Windows XP SP2, SP3, x64 SP2; Windows Server 2003 SP2 and x64 SP2 only (MS09-023).

For details about the exploitability rating for each vulnerability (1-3, 1 being the most severe), see the security bulletin summary. To find out about Windows Media Center and other updates, and where to get the Adobe updates, join us on page 2.

Microsoft also rolled out these updates in June:

The June 2009 version of the Windows Malicious Software Removal Tool (KB890830)
The June 2009 update for the Windows Mail Junk email filter (KB905866)
Cumulative updates for Windows Media Center for Windows Vista (KB967632) and Windows Media Center TV Pack for Windows Vista (KB966315)
An update to the ActiveX kill bits security pack (KB969898).

Adobe was also busy sticking its fingers in the security dike this month, rolling out critical security update APSB09-07 with updates for Adobe Reader and Acrobat 9.x, 8.x, and 7.x. Vulnerabilities patched by the updates include stack overflow, integer overflow, memory corruption and heap overflow, all of which could be used to trigger arbitrary code execution.

Stay safe out there!

March 2009's Patch Tuesday's a Light, But Important One for Windows Users

Mark Edward Soper — Tue, 10 Mar 2009 19:08:39 -0500

Today, Microsoft released a trio of security bulletins covering all currently-supported Windows versions. Users of Windows 2000 SP4 through Windows Vista SP1 (as well as Windows Server 2003 and 2008) need to install the update for the critical Windows kernel vulnerability noted in Security Bulletin MS-09-006. The other two bulletins (MS09-007 and MS09-008) solve important vulnerabilities in SChannel (007) and DNS/WINS Server (008); these bulletins apply to Windows 2000 SP4 through Windows XP and Server 2003 only.

Other updates to look for include the usual updates to the Malicious Software Removal Tool and the Windows Mail junk email filter. If you're on Automatic Updates, follow instructions to reboot if needed after installation. If you prefer to be in charge, don't forget to download and install these as soon as possible.

February's Patch Tuesday Has Something for Everyone

Mark Edward Soper — Mon, 09 Feb 2009 10:48:26 -0600

Whether you're using Windows and IE, managing Microsoft Exchange or SQL Server at work, or using Microsoft Office, this month's Patch Tuesday has a security update for you. All four security bulletins address Remote Code Execution vulnerabilities in recent and current service packs for each product listed:

IE 7: Windows XP, Windows Vista, Windows Server 2003
Microsoft Office: Visio 2002, 2003, 2007
SQL: SQL Server 2000 Desktop Engine on Windows 2000 and Windows Server 2003; Windows Internal Database (WYukon) on Windows Server 2003 and Windows Server 2008; SQL Server 2000 and SQL Server 2005
Exchange Server: Exchange 2000 Server, Exchange Server 2003, Exchange Server 2007

But Wait, There's More!

Other updates to be released tomorrow include:

Cumulative Update for Windows Vista Media Center (KB960544)
Cumulative Update for Windows Vista Media Center TVPack (KB958653)
Upgrade Rollup for ActiveX Killbits for Windows (KB960715)
February 2009 updates for Windows Mail Junk Email Filter (KB905866) and Windows Malicious Software Removal Tool (KB890830)

For details, look up the KB article numbers starting Tuesday.

Patch Tuesday Followed Immediately By New Exploit Wednesday

Andy Salisbury — Thu, 11 Dec 2008 14:10:00 -0600

Not even a moment after Microsoft fixed 28 vulnerabilities in their software this past Patch Tuesday, a brand new exploit popped up in Internet Explorer 7.

The new exploit allows attackers the ability to execute arbitrary code whenever someone visits a malicious website. Currently only users running Windows XP and Server 2003 are being targeted, so you Vista users haven’t a thing to worry about. Microsoft said they’re currently working on a patch to fix the issue, but they were unable to set a date.

“Internet Explorer remote code execution vulnerabilities have very high impacts since the source of the malicious payload can be across any site on the Internet,” said eEye's director of Research and Preview Services, Andre Protas. “An even more critical problem is generated when clients are administrators on their local hosts, which would run the malicious payload with Administrator credentials.”

Until this issue is taken care of, those of you that are using IE7 can go and snag eEye’s Blink Software for protection from this threat. Or, you could go snag one of the other browsers, such as Mozilla’s Firefox or Google’s Chrome. I hear they’re not too shabby!

Image Credit: Microsoft

Eight Security Bulletins Released for Patch Tuesday

Andy Salisbury — Fri, 05 Dec 2008 16:09:25 -0600

Microsoft’s last Patch Tuesday of 2008 is on its way, and it’s bringing a heavy amount of updates that you’ll want to be ready for.

Yesterday Microsoft announced a whopping eight security bulletins that will be going public on December 9th. The announcement was meant to allow IT departments some prep time before the post-Monday patch fiasco. Six of the bulletins have been listed as “critical” with two posted up as “important.”

Of the patches, two of them are meant directly for Windows itself. The others are for the separate applications of Microsoft’s Office suite.

Image Credit: Microsoft

A Quiet Patch Tuesday for November 2008

Mark Edward Soper — Tue, 11 Nov 2008 13:17:52 -0600

This month's Patch Tuesday, unlike October's, is a quiet one, with just two security bulletins:

MS08-069 solves a remote code execution vulnerability in Microsoft's XML Core Service that is rated as Critical for version 3.0 and Important for later versions. All 32-bit and 64-bit desktop versions of Windows from Windows 2000 SP4 through Windows Vista SP1 are affected, as well as Microsoft Office 2003 and 2007. The Exploitability Index is 1 (Consistent Exploit Code Likely - the most serious ranking) or 2 (Inconsistent Exploit Code Likely), depending upon the version of XML Core Services installed. Windows Server 2003 and some installations of Windows Server 2008 are also affected.
MS08-068 patches a remote code execution vulnerability in the SMB protocol. MS08-068 is rated as Important for Windows 2000 SP4 and Windows XP, and Moderate for Windows Vista. Windows Server 2003 and all Windows Server 2008 installations are also affected. Despite Microsoft's rating this vulnerability as only Important rather than Critical, MS08-068's Exploitability Index is 1 because exploit code targeting Windows XP is already public.

That's it for Patch Tuesday security bulletins, both of which will be arriving soon via Windows Update (or can be downloaded manually if you prefer). What else has Microsoft served up?

The only non-security content this time is the usual monthly update for the Malicious Software Removal Tool (KB890830; ~~not yet updated as this article was posted~~ now updated) and the usual monthly update for the Windows Mail junk mail filter (KB905866), available in 32-bit and 64-bit versions.

Microsoft Patches Critical Vulnerability for XP, Vista, Windows 7, and Others

Mark Edward Soper — Fri, 24 Oct 2008 10:53:38 -0500

Redmond usually releases security patches once a month, on Patch Tuesday, but Microsoft's security experts are worried enough about a newly reported vulnerability in the Server service to post an "out-of-band" security update, MS08-067, yesterday for all versions of Windows from Windows 2000 SP4 through Windows Server 2008 and Windows 7 pre-beta. Microsoft hasn't issued a security update between Patch Tuesday releases since April 2007, so this is a significant security issue.

Although all supported versions of Windows are vulnerable, Windows 2000 SP4, Windows XP, and Windows Server 2003 versions are especially vulnerable to this flaw, which can permit remote code execution via a specially crafted RFC request.

According to the Security Bulletin summary for October, the vulnerability described in MS08-067 receives the highest Exploitability Index Assessment: 1 - Consistent exploit code likely. From the notes for MS08-067:

Consistent exploit code has been discovered in limited, targeted attacks, affecting Windows XP and Windows Server 2003. While this service is enabled by default on all affected platforms, exploitation is most likely on Microsoft Windows 2000, Windows XP, and Windows Server 2003....

If you're running Windows Update, install the update labeled KB958644. If you need to download and install the update manually, open the Windows Operating System and Components section of the October security bulletin and click the link for your operating system. The Windows 7 pre-beta updates for 32-bit and 64-bit versions are not listed in the October security bulletin, but can be obtained by clicking the links provided here.