Inside Patch Tuesday: MS patches IIS WebDav, PWN2OWN flaws

Author: Eric Schultze
minute read

By Eric Schultze
Microsoft released 10 security bulletins today.  Six of the bulletins impact the Windows operating system, while one applies to the Internet Explorer browser and three affects Microsoft Office (Word, Excel, Works).
Some interesting notes for today:

Microsoft released 10 security bulletins today.  Six of the bulletins impact the Windows operating system, while one applies to the Internet Explorer browser and three affects Microsoft Office (Word, Excel, Works).

Some interesting notes for today:

1. Microsoft has patched the IIS WebDav 0-day.  This flaw enables information disclosure but does not directly allow code execution.  Some of the information that could be obtained via information disclosure could lead to code execution via other applications on the system (SQL usernames and passwords, etc), depending upon how the system was configured.  Users should patch their IIS webservers soon with this patch.

2. Microsoft has patched the IE8 0-day that was identified at the CanSecWest conference.  This flaw enables code execution against Windows XP systems running IE8.  Get XP IE8 systems patched right away.

3. Microsoft has NOT released a patch for the DirectShow QuickTime parsing 0-day vulnerability.  We expect we’ll see a patch for this next month.  In the meantime, Microsoft has published a one-click workaround for this issue.  Go to this KB article and click the “Fix It” button.  The workaround cures the vulnerability and still enables QuickTime and DirectShow applications to function.  Customers who have tested the workaround say that they’ve suffered no negative consequences from applying the workaround.  The above referenced KB article also includes information on how enterprises can push out this fix using Group Policy.

4. Microsoft has released a Mac patch for PowerPoint for the MS09-017 vulnerability.  This issue was patched in May for Windows systems – Microsoft didn’t have the Mac patch available at that time.  It’s now available and should be installed on PowerPoint for the Mac systems.

5. Microsoft has released a non-security update (KB971888) to more fully address wpad configuration concerns.  This update limits devolution to 2 levels and should mitigate concerns that some customers voiced about the previously released wpad security patch.

We recommend installing  the following patches first:

  • IIS patch (for webdav 0-day)
  • IE8 patch (for IE8 0-day)
  • Active Directory patch for Windows 2000

* Eric Schultze is chief technology officer at Shavlik Technologies, a vulnerability management company.

Suggested articles

Cybersecurity for your growing business
Cybersecurity for your growing business

Topics

Show all

Authors

Threatpost

InfoSec Insider

Infosec Insider Post

Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Content

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.