In association with heise online

14 October 2009, 11:37

Microsoft Patch Tuesday - 34 security vulnerabilities addressed

Barely a single Microsoft system has been left out in this October's patch day. The company has released 13 update packages which fix a total of 34 security vulnerabilities. There's something for every supported version of Windows, from Windows 2000 to Windows 7 including server versions, Internet Explorer 5.01 to 8, Media Player and its runtime components, Office XP, 2003 and 2007, the .NET runtime environment 1.0 to 2.0, SQL Server 2000 and 2005, Visual Studio 2003, 2005 and 2008, Visual FoxPro, Report Viewer 2005 and 2008, Forefront and Silverlight 2 (including Macs). The majority of the updates are classified as critical and fix security problems which allow remote injection of malicious code, thereby enabling attackers to gain control of vulnerable systems.

Microsoft has also, for the first time, released updates for Windows 7, which in many places is already in production use. Compared with the advance notices for the October patch day, there are no surprises. In particular, the hotly awaited patch for the critical vulnerability in the SMB2 implementation of the Windows network protocol is now finally available. Functioning exploits for this vulnerability have been circulating online for several weeks. The long-known FTP vulnerabilities are also now consigned to the dustbin of history.

The cumulative update for all versions of Internet Explorer fixes three security vulnerabilities which allow remote injection of malicious code. Microsoft has also now set the kill bit for the vulnerable ATL-COM ActiveX control.

There are two "important" patches for the CryptoAPI for all Windows versions. By using null characters or crafted ASN.1 strings, attackers have been able to feed fake SSL certificates to the encryption library - also used in many Windows programs - allowing them to view or modify secure network data. A spoof certificate for paypal.com relating to this problem has recently been published.
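The null-character problem described above is a general bug class: ASN.1 strings carry an explicit length and may contain 0x00 bytes, while C string functions stop at the first one. The following is an added illustration, not code from Microsoft or from the original article; the `cert_name` struct, the function names and the sample bytes are constructed for the example, and real host name matching additionally needs case-insensitive and wildcard handling.

```c
#include <stdio.h>
#include <string.h>

/* A name as stored in a certificate: bytes plus explicit length (hypothetical type). */
struct cert_name {
    const unsigned char *data;
    size_t len;
};

/* Constructed sample: a NUL byte hides the real suffix of the name. */
static const unsigned char NUL_BYTES[] = "www.example.test\0.untrusted.invalid";
static const struct cert_name NUL_NAME = { NUL_BYTES, sizeof NUL_BYTES - 1 };

/* Constructed sample: an ordinary name with no embedded NUL. */
static const unsigned char PLAIN_BYTES[] = "www.example.test";
static const struct cert_name PLAIN_NAME = { PLAIN_BYTES, sizeof PLAIN_BYTES - 1 };

/* Weak pattern: treats the name as a C string, so the comparison
   ends at the first NUL and ignores everything after it. */
int match_cstring(const struct cert_name *cn, const char *host)
{
    return strcmp((const char *)cn->data, host) == 0;
}

/* Hardened pattern: reject any name containing a NUL byte, then
   compare over the full encoded length. */
int match_length_aware(const struct cert_name *cn, const char *host)
{
    size_t hlen = strlen(host);

    if (memchr(cn->data, '\0', cn->len) != NULL)
        return 0;               /* embedded NUL: never a valid host name */
    return cn->len == hlen && memcmp(cn->data, host, hlen) == 0;
}

int main(void)
{
    const char *host = "www.example.test";

    printf("NUL name,   C-string compare:     %d\n", match_cstring(&NUL_NAME, host));
    printf("NUL name,   length-aware compare: %d\n", match_length_aware(&NUL_NAME, host));
    printf("plain name, length-aware compare: %d\n", match_length_aware(&PLAIN_NAME, host));
    return 0;
}
```
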

The Malicious Software Removal Tool has also undergone its monthly update and now detects additional malware. In view of the sheer number of patches and of components affected, the advice must be to install the patches as soon as possible using Microsoft or Windows Update. A detailed list of individual vulnerabilities and the components affected can be found in Microsoft's patch day summary and individual bulletins.

(crve)

Permalink: http://h-online.com/-828128