Microsoft Corp. released nine security updates on patch Tuesday that touch almost every Microsoft product in the enterprise, from servers to client systems, giving IT administrators plenty to worry about.
"This is one of the most widespread patch months Microsoft has ever done. The patches run the gamut and touch everything in the enterprise except for Internet Explorer," said Eric Schultze, CTO of St. Paul, Minn.-based patch management and security software company Shavlik Technologies LLC.
Schultze laid out the patches that IT administrators should put on the top of their priority list and said one of the most critical is the Internet Information Services (IIS7) Web server patch (MS09-036). It addresses a flaw that lets attackers send packets to your Web server that cause it to stop functioning (denial of service). IIS7 websites are safe if they are running in "classic" mode, but those running in integrated (non-classic) mode are vulnerable. The patch for this IIS7 issue is really a patch for .Net Framework versions 2 and 3, Schultze said.
"If you're running IIS7 [classic or otherwise], I'd recommend patching this one soon, unless you want your .asp and .aspx pages to stop functioning," he said.
Another critical patch that should be installed immediately is MS09-039, affecting WINS Servers. "Almost every Microsoft customer has a WINS server, so this is probably the most critical patch," Schultze said.
He said MS09-039 is a critical issue for WINS server part of the network infrastructure because without it, "attackers can point to the server with no permissions whatsoever and do whatever they want," he said. "They could create their own admin account without any permissions and execute code."
Microsoft also patched five different ActiveX controls, following one ActiveX fix last month and an out of band patchout-of-band patch the company issued a couple of weeks ago. This month's patches fix a related but different issue, where "evil websites could run code on your computer," Schultze said.
"If you think your users might visit any websites when they are bored, it's a good idea to issue the patch right away," he said.
And some other patches that should be high on IT administrators' priority list this month are MS09-040 and -041 addressing privilege escalation attacks. These flaws let anyone with user-level access to systems like print servers, file servers and domain controllers point packets to those systems and execute code, or read files with sensitive information, like payroll, Schultze said.
"This one really bothers me because it breaks down internal security controls," he said. "Patch this one while patching your WINS servers to keep idle internal miscreants from owning your machines."
Information on the other patches can be found on Microsoft's Security Bulletin website.
Let us know what you think about the story; email Bridget Botelho, News Writer
Dig Deeper on Enterprise desktop management
Microsoft has issued six security bulletins for December, bringing the total for 2009 to 74, compared with 77 in 2008, 69 in 2007 and 78 in 2006.