Microsoft Ships Largest Batch of Security Patches

Microsoft today released its largest ever batch of Patch Tuesday updates to fix a whopping 34 security holes in a wide range of widely deployed software products.
The latest patch batch covers critical vulnerabilities in software products that are bundled with Microsoft’s dominant Windows operating system (Internet Explorer and Windows Media Player) — and several known security problems (SMB v2 and FTP in IIS) for which functioning exploit code has already been publicly released.

Microsoft today released its largest ever batch of Patch Tuesday updates to fix a whopping 34 security holes in a wide range of widely deployed software products.

The latest patch batch covers critical vulnerabilities in software products that are bundled with Microsoft’s dominant Windows operating system (Internet Explorer and Windows Media Player) — and several known security problems (SMB v2 and FTP in IIS) for which functioning exploit code has already been publicly released.

The SMB v2 issue, which has been in the news over the last month, has been addressed with MS09-050, a critical bulletin that actually address three separate documented vulnerabilities.

The most severe of the vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB packet to a computer running the Server service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate from outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.

[ SEE: Microsoft FTP in IIS vulnerability now under attack ]

The second known issue, which has been exploited in the wild, is patched with MS09-053:

Two publicly disclosed vulnerabilities in the FTP Service in Microsoft Internet Information Services (IIS) 5.0, Microsoft Internet Information Services (IIS) 5.1, Microsoft Internet Information Services (IIS) 6.0, and Microsoft Internet Information Services (IIS) 7.0. On IIS 7.0, only FTP Service 6.0 is affected. The vulnerabilities could allow remote code execution (RCE) on systems running FTP Service on IIS 5.0, or denial of service (DoS) on systems running FTP Service on IIS 5.0, IIS 5.1, IIS 6.0 or IIS 7.0.

Microsoft also released a cumulative IE security update to fix four documented vulnerabilities that expose users to drive-by download attacks if an IE user is lured to a booby-trapped Web page.  These types of attacks are commonly used by cyber-criminals to load data-stealing Trojans on Windows machines.

A separate bulletin was also released to fix an ActiveX control vulnerability that is currently being exploited.   This issue is related to the security problems that have haunted programs compiled with the Microsoft Active Template Library (ATL).

The 13 bulletins released for October 2009 also fixes multiple ATL-releated vulnerabilities and a trio of holes in Microsoft .NET Framework and Microsoft Silverlight.

The vulnerabilities could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs) or Silverlight applications, or if an attacker succeeds in persuading a user to run a specially crafted Microsoft .NET application.

…The vulnerabilities could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and executing it, as could be the case in a Web hosting scenario.

See this page for more details on this month’s updates, including information on Microsoft’s exploitability index for each vulnerability.

This chart from Microsoft’s security response team provides a visual representation of the severity of each vulnerability.

Suggested articles