Across IE, Windows and Office

Oct 14, 2009 16:11 GMT  ·  By

On October 13th, 2009, Microsoft began serving Windows users patches for no fewer than 34 vulnerabilities, the largest number of security bulletins released in the company’s history. The 13 security bulletins deliver fixes for security issues affecting Windows, Internet Explorer, Silverlight, Microsoft Office, Developer Tools, Forefront and SQL Server. Microsoft stressed that, despite the large number of patches, every security update had been thoroughly tested and was cleared for broad release only once it met the company’s quality standards.

Of the 13 security bulletins released, eight carry Microsoft’s maximum severity rating, Critical, meaning they patch severe vulnerabilities that could allow remote code execution in the event of a successful attack. The remaining six have been rated Important, a less severe rating. Customers should nonetheless apply all of the patches offered by the Redmond company without delay. The simplest way to obtain the security updates is through Windows Update; users with Automatic Updates enabled will have all patches downloaded to their machines automatically.

Microsoft revealed that no fewer than seven of the eight Critical security bulletins also carry an Exploitability Index rating of 1. An index of 1, the highest possible rating, indicates that Microsoft considers it extremely likely that exploit code for these flaws will become available in the wild, perhaps even within the first 30 days after the patches are released. That alone should be all the incentive needed to deploy the security updates.

Not even Windows 7 emerged untouched from the October 2009 Microsoft patch release. Below is a summary of the Microsoft October Security Bulletin Release, courtesy of Christopher Budd, security response communications lead, Microsoft:

MS09-050 (Maximum severity rating of Critical) This update resolves one publicly disclosed and two privately reported vulnerabilities in Server Message Block Version 2 (SMBv2). The more severe of the vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB packet to a computer running the Server service. This update received a 1 rating from Microsoft’s Exploitability Index.

MS09-051 (Maximum severity rating of Critical) This security update resolves two privately reported vulnerabilities in Windows Media Runtime. The vulnerabilities could allow remote code execution if a user opened a specially crafted media file or received specially crafted streaming content from a website or any application that delivers web content. This update received a 1 rating from Microsoft’s Exploitability Index.

MS09-052 (Maximum severity rating of Critical) This security update resolves one privately reported vulnerability in Windows Media Player. The vulnerability could allow remote code execution if a specially crafted Advanced Systems Format (ASF) file is played using Windows Media Player 6.4. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. This update received a 1 rating from Microsoft’s Exploitability Index.

MS09-053 (Maximum severity rating of Important) This security update resolves two publicly disclosed vulnerabilities in the File Transfer Protocol (FTP) Service in Microsoft Internet Information Services (IIS) 5.0, IIS 5.1, IIS 6.0, and IIS 7.0. On IIS 7.0, only FTP Service 6.0 is affected. The vulnerabilities could allow remote code execution on systems running FTP Service on IIS 5.0, or denial of service on systems running FTP Service on IIS 5.0, IIS 5.1, IIS 6.0 or IIS 7.0. This update received a 1 rating from Microsoft’s Exploitability Index.

MS09-054 (Maximum severity rating of Critical) This security update resolves three privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. This update received a 1 rating from Microsoft’s Exploitability Index.

MS09-055 (Maximum severity rating of Critical) This security update addresses one privately reported vulnerability in ActiveX controls that were compiled using the vulnerable version of the Microsoft Active Template Library (ATL) and could allow remote code execution if a user views a specially crafted webpage with Internet Explorer, instantiating the ActiveX control. This update received a 3 rating from Microsoft’s Exploitability Index.

MS09-056 (Maximum severity rating of Important) This security update resolves two publicly disclosed vulnerabilities in Microsoft Windows. The vulnerabilities could allow spoofing if the attacker gains access to the certificate used by the end user for authentication. This update received a 3 rating from Microsoft’s Exploitability Index.

MS09-057 (Maximum severity rating of Important) This security update resolves one privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker set up a malicious webpage which invokes the Indexing Service through a call to its ActiveX component. This call could include a malicious URL and exploit the vulnerability, granting the attacker access to the client system under the privileges of the user browsing the webpage. This update received a 2 rating from Microsoft’s Exploitability Index.

MS09-058 (Maximum severity rating of Important) This security update resolves three privately reported vulnerabilities in the Windows kernel. The most severe of the vulnerabilities could allow elevation of privilege if an attacker logged on to the system and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. This update received a 2 rating from Microsoft’s Exploitability Index.

MS09-059 (Maximum severity rating of Important) This security update resolves one privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker sent a maliciously crafted packet during the NTLM authentication process. This update received a 3 rating from Microsoft’s Exploitability Index.

MS09-060 (Maximum severity rating of Critical) This security update resolves three privately reported vulnerabilities in Microsoft Active Template Library (ATL) ActiveX Controls for Microsoft Office. The vulnerabilities could allow remote code execution if a user loaded a specially crafted component or control hosted on a malicious website. This update received a 3 rating from Microsoft’s Exploitability Index.

MS09-061 (Maximum severity rating of Critical) This security update resolves three privately reported vulnerabilities in Microsoft .NET Framework and Microsoft Silverlight. The vulnerabilities could allow remote code execution on a client system if a user views a specially crafted webpage using a web browser that can run XAML Browser Applications (XBAPs) or Silverlight Applications, or if an attacker succeeds in persuading a user to run a specially crafted .NET application. This update received a 1 rating from Microsoft’s Exploitability Index.

MS09-062 (Maximum severity rating of Critical) This security update resolves eight privately reported vulnerabilities in Microsoft Windows Graphics Device Interface (GDI)+. These vulnerabilities could allow remote code execution if a user viewed a specially crafted image file using affected software or browsed a website that contains specially crafted content. This update received a 1 rating from Microsoft’s Exploitability Index.
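For anyone turning a bulletin summary like the one above into a deployment order, the following added example (my own code, not part of the article or Microsoft’s tooling) parses the summary sentences with a regular expression, extracts each bulletin’s severity, Exploitability Index rating and impact type, and sorts the bulletins so that Critical updates with an index of 1 come first. The input text is a constructed, abbreviated excerpt of the summary lines; the regular expression assumes the exact phrasing "Maximum severity rating of …" and "received a N rating from Microsoft’s Exploitability Index" used in the summary, and the severity ranking beyond Critical and Important is an assumption added here.

```python
"""Parse and triage Microsoft security-bulletin summaries (added example)."""
import re
from dataclasses import dataclass

# Constructed excerpts of the article's bulletin summary lines, abbreviated to
# the fields the parser needs (the "..." stands for the omitted text).
BULLETIN_TEXT = """\
MS09-050 (Maximum severity rating of Critical) ... could allow remote code execution if an attacker sent a specially crafted SMB packet ... This update received a 1 rating from Microsoft's Exploitability Index.
MS09-051 (Maximum severity rating of Critical) ... could allow remote code execution if a user opened a specially crafted media file ... This update received a 1 rating from Microsoft's Exploitability Index.
MS09-052 (Maximum severity rating of Critical) ... could allow remote code execution if a specially crafted ASF file is played ... This update received a 1 rating from Microsoft's Exploitability Index.
MS09-053 (Maximum severity rating of Important) ... could allow remote code execution on systems running FTP Service on IIS 5.0, or denial of service ... This update received a 1 rating from Microsoft's Exploitability Index.
MS09-054 (Maximum severity rating of Critical) ... could allow remote code execution if a user views a specially crafted Web page ... This update received a 1 rating from Microsoft's Exploitability Index.
MS09-055 (Maximum severity rating of Critical) ... could allow remote code execution if a user views a specially crafted webpage ... This update received a 3 rating from Microsoft's Exploitability Index.
MS09-056 (Maximum severity rating of Important) ... could allow spoofing if the attacker gains access to the certificate ... This update received a 3 rating from Microsoft's Exploitability Index.
MS09-057 (Maximum severity rating of Important) ... could allow remote code execution if an attacker set up a malicious webpage ... This update received a 2 rating from Microsoft's Exploitability Index.
MS09-058 (Maximum severity rating of Important) ... could allow elevation of privilege if an attacker logged on ... This update received a 2 rating from Microsoft's Exploitability Index.
MS09-059 (Maximum severity rating of Important) ... could allow denial of service if an attacker sent a maliciously crafted packet ... This update received a 3 rating from Microsoft's Exploitability Index.
MS09-060 (Maximum severity rating of Critical) ... could allow remote code execution if a user loaded a specially crafted component ... This update received a 3 rating from Microsoft's Exploitability Index.
MS09-061 (Maximum severity rating of Critical) ... could allow remote code execution on a client system ... This update received a 1 rating from Microsoft's Exploitability Index.
MS09-062 (Maximum severity rating of Critical) ... could allow remote code execution if a user viewed a specially crafted image file ... This update received a 1 rating from Microsoft's Exploitability Index.
"""

# One summary sentence per line: bulletin id, severity clause, then the index
# clause. "Microsoft.s" tolerates either a straight or a curly apostrophe.
LINE_RE = re.compile(
    r"^(?P<id>MS\d{2}-\d{3}) \(Maximum severity rating of (?P<severity>\w+)\)"
    r".*?received a (?P<ei>[1-3]) rating from Microsoft.s Exploitability Index",
    re.MULTILINE,
)

# Impact phrases as they appear in the summary text.
IMPACTS = ("remote code execution", "elevation of privilege",
           "denial of service", "spoofing")

# Assumed ranking: Critical and Important are on the page; Moderate and Low are
# Microsoft's remaining severity levels, added here for completeness.
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str
    severity: str
    exploitability: int
    impacts: tuple


def parse_bulletins(text):
    """Extract one Bulletin per summary line that matches LINE_RE."""
    bulletins = []
    for match in LINE_RE.finditer(text):
        sentence = match.group(0)
        impacts = tuple(phrase for phrase in IMPACTS if phrase in sentence)
        bulletins.append(Bulletin(match["id"], match["severity"],
                                  int(match["ei"]), impacts))
    return bulletins


def triage(bulletins):
    """Deployment order: severity first, then Exploitability Index, then id."""
    return sorted(bulletins, key=lambda b: (SEVERITY_RANK.get(b.severity, 99),
                                            b.exploitability, b.bulletin_id))


def likely_exploited_soon(bulletins):
    """Ids of bulletins rated 1, i.e. exploit code expected within 30 days."""
    return [b.bulletin_id for b in bulletins if b.exploitability == 1]


if __name__ == "__main__":
    parsed = parse_bulletins(BULLETIN_TEXT)
    for b in triage(parsed):
        print(f"{b.bulletin_id}  {b.severity:<9} EI={b.exploitability}  "
              f"{', '.join(b.impacts)}")
    print("deploy first:", likely_exploited_soon(parsed))
```

Running the script lists the six Critical bulletins rated 1 (MS09-050, 051, 052, 054, 061 and 062) at the top, followed by the two Critical bulletins rated 3, then MS09-053, the one Important bulletin rated 1. The impact keywords are a simple substring match, so a bulletin such as MS09-053 that mentions both remote code execution and denial of service is tagged with both.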

Microsoft re-released Security Bulletin MS08-069 to add detection for MSXML on Windows 7 and Windows Server 2008 R2.