The most critical patch involves all versions of Microsoft Internet Explorer. Bulletin MS09-072 addresses multiple security flaws that could allow an attacker to take control of a computer if its user happens to visit a malicious website.
As with most Internet Explorer vulnerabilities, the attacker's code would run in the context of the currently logged-on user. If a user is logged on with nonadministrative-level credentials, the attacker would only be able to perform tasks that can be performed under that account -- it would be unable to perform any administrative functions like adding new users or modifying the security settings on your machine.
Microsoft said that exploit code for the vulnerabilities addressed in this patch will likely be released within the next 30 days. This is the sixth cumulative IE patch Microsoft released in 2009.
Expert's take: These types of IE flaws are announced every other month. To protect yourself, don't visit malicious websites, and don't log on to your computer as an administrator. If you insist on browsing inappropriate or unsavory websites, use a different browser.
MS09-071 is a critical patch affecting all Microsoft operating systems. It is rated "critical" for Windows Server 2008 and "important" or "moderate" for all other OSes. Microsoft stated that attackers could exploit a flaw in Microsoft Internet Authentication Server via a wireless LAN connection, allowing them to access internal resources without needing to know any specific password.
Microsoft IAS Servers running on Windows Server 2008 should be patched as soon as possible. All other OSes should be patched as time permits -- Microsoft said that these other systems are not vulnerable unless a third-party application has been installed that uses a very specific (and not very likely) set of requirements for authentication.
Expert's take: Not really a big security concern here for most customers. Install the patch and be done with it.
The third critical patch this month is MS09-074 for Microsoft Project. An attacker could run code on a system by convincing a user to open an evil Project file. Simply visiting a malicious webpage could allow this attack to occur on systems running Project 2000 because this version of the software doesn't require any user interaction before opening files. Computers running Project 2002 or 2003 are at less risk from this vulnerability, since the user will be prompted before any unknown, drive-by Project files are opened.
Expert's take: I don't open Project files whether known or unknown.
The three remaining noncritical patches include those for OSes, Internet Information Services (IIS) Web server, Active Directory Federation Services and Microsoft Word.
MS09-069 discusses a flaw that could enable an attacker to initiate a denial-of-service attack on a remote Windows 2000, Windows XP or Windows Server 2003 session. The attacker must be connected and authenticated to one of these systems via an IPsec connection. Once connected, the attacker can send special packets to the remote system that will cause that system to stop functioning until it is rebooted.
Expert's take: Disgruntled users who connect to your servers via IPsec could take out these servers with a handful of malicious packets. Because they must first authenticate to the system before they can crash it, you'll most likely know who did it. However, I'd still recommend patching all systems that use IPsec connections before one of your users decides to give you a bad day.
MS09-070 involves Active Directory Federation Services (ADFS) on IIS and potentially the clients that connect to it. This patch corrects two flaws. One flaw enables a hacker to recall and access websites even after a user has logged off (think public kiosk), and the other allows an authenticated user to run code on the ADFS Web server that will execute with more permissions than are typically granted to end users.
Expert's take: If you're running ADFS anywhere, you should patch this right away. This has danger written all over it for applications accessed via public kiosks or sensitive information protected by ADFS, such as payroll or human resources applications.
MS09-073 includes a patch for Windows 2000, Windows XP and Windows Server 2003 systems as well as those running Office XP and Office 2003. Opening a malicious Word file could allow an attacker to execute code on the local system. The exploit code would run with the privileges of the locally logged-on user.
Expert's take: Even if you don't have Word installed, you should still install this patch because the built-in WordPad application can open the malicious file and cause the code to execute. Of course, this assumes that you have the audacity to open unknown documents. Also, watch for the enticing trapdoor "2009bonuses.doc" that resides on your internal public file share, because this file is more likely to be harmful than contain any juicy information.
Overall recommendation: Install the Internet Explorer patch MS09-072 first, then follow up with all the remaining December patches as time (or the holidays) permits.
ABOUT THE AUTHOR:
Eric Schultze is an independent security consultant who most recently designed Microsoft patch management solutions at Shavlik Technologies. Prior to Shavlik, Schultze worked at Microsoft, where he helped manage the security bulletin and patch-release process. Schultze likes to forget that he used to work as an internal auditor on Wall Street.