Qualys Blog

www.qualys.com
wkandek

Patch Tuesday Bottomline – July 2009

Microsoft’s July Security Bulletin does not have any surprises, due to the intense pre-release activity around the 3 zero-day advisories that came out in the last 6 weeks. Microsoft had already announced that they would address 2 of the advisories with patches MS09-028 and MS09-032, for DirectShow and Microsoft Video respectively. Yesterday’s zero-day is left for later, and users should apply the work-around published in KB973472. The 3rd critical vulnerability addressed is MS09-029, in the OpenType Font Engine, which applies to all versions of Windows, Vista and 2008 included. These 3 advisories should be addressed immediately as they allow the attacker to fully control the victim’s computer.

Microsoft’s proxy server ISA 2006 has a vulnerability rated as "important" that allows remote unauthenticated users to access the server. However, paired with knowledge of the administrator’s user name, attackers can take full control of the server. As administrator usernames are often easy to guess, this vulnerability deserves special attention if IT organizations are using ISA with the RADIUS configuration. This vulnerability is covered in MS09-031. The ISA blog has some more in-depth information.

MS09-030, an advisory for the Publisher component in the MS Office 2007 suite, is rated as "important" as well, but can be used to take full control of the system if the victim is logged in as administrator. If an organization uses Publisher or has it installed as part of Office 2007, this should be treated as "critical" as well.

Microsoft also provided patches for their virtualization products VPC and Virtual Server on all versions (MS09-033), preventing an elevation of privilege in the guest operating system. This is classified as "important" because local access to the guest OS is required. This bulletin is interesting because the vulnerability is introduced by the fact that the OS is running in a virtual environment, and it allows the user to access privileged kernel mode.

In addition, we are working on the Oracle CPU patch release and are monitoring the Firefox 3.5 zero-day.
