It’s been a while since I shared my monthly Windows patches write-up that I typically do for work, and I probably should just post them, even though they have a heavy slant towards the server side of things, since that’s what I manage. OK, so this isn’t verbatim, since I scrub some particulars that apply to my company; specifically, I normally note our risk for each patch as well as list the actual specific updates that I release because they apply, or may some day apply, to us. Also, I should add that the target audience for this is somewhat technical, but not really other server administrators; more like other IT staff and managers. They’re also largely written for my own notes so I know what is being changed in our environment. I pull all actual updates straight from WSUS syncs.
And for the record, the new look of the Microsoft bulletin pages looks lame. Also, one of the very few months we don’t have any IE patches. Strange.
Further information on patches can be found at isc.sans.org or even eeye.
SEPTEMBER SECURITY UPDATES
MS11-070 Vulnerability in WINS Could Allow Elevation of Privilege (2571621)
An attacker with a valid login could send a specially-crafted WINS packet to a listening WINS server (loopback interface only) and exploit a local escalation of privilege vulnerability. This update fixes that vulnerability, and should be considered critical to install on any servers with WINS listening.
MS11-071 Vulnerability in Windows Components Could Allow Remote Code Execution (2570947)
This update fixes the way Windows may load nearby malicious DLL files (DLL linking vulnerability) when opening .txt, .rtf, or .doc files over a network share or WebDAV connection. This isn’t a big deal from an external attacker perspective since we block SMB and WebDAV traffic from exiting our network, but this type of vulnerability is still very important if not critical to get patched on systems, partly because of the ubiquitous nature of .txt and .doc files in a typical enterprise network, but also the commonly-held assumption that .txt files are “safe.” The details of this vulnerability were made public this past month. It is interesting that this patches core Windows components and not software that typically reads these files, like Microsoft Office, Wordpad, or Notepad.
MS11-072 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2587505)
This update fixes 5 issues with how Microsoft Excel opens specially crafted files. This update should only apply to a handful of servers that have Microsoft Excel or Office components installed.
MS11-073 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2587634)
This update fixes 2 issues in Microsoft Office, one that loads nearby DLL files when opening other files (DLL linking vulnerability), and another that deals with how Office opens specially crafted Word files.
MS11-074 Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (2451858)
This update fixes 5 issues found in Microsoft SharePoint, all generally affecting the web interface and behavior of a SharePoint installation (XSS, script injection, and file disclosure).
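As an added example (my own, not part of the bulletin text above), here is a quick PowerShell audit a server admin can run on a host after the WSUS sync to confirm the two operating-system updates from this month are present, and to flag whether the WINS service is actually running, since MS11-070 only really matters where WINS is listening. The KB numbers are the ones in the bulletin titles; the store of installed updates is read with the standard Get-HotFix cmdlet.

```powershell
# Added example (not from the original write-up): audit a server for this
# month's OS-level bulletins. KB numbers are taken from the bulletin titles.
$bulletins = @{
    'MS11-070' = 'KB2571621'   # WINS elevation of privilege
    'MS11-071' = 'KB2570947'   # Windows components DLL loading
}

# Get-HotFix lists updates installed against the operating system itself.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

foreach ($b in $bulletins.GetEnumerator() | Sort-Object Key) {
    $state = if ($installed -contains $b.Value) { 'installed' } else { 'MISSING' }
    '{0} ({1}): {2}' -f $b.Key, $b.Value, $state
}

# MS11-070 is only exploitable where WINS is listening, so report the service.
$wins = Get-Service -Name WINS -ErrorAction SilentlyContinue
if ($wins) {
    'WINS service present, status {0}: MS11-070 is critical on this host' -f $wins.Status
} else {
    'WINS service not installed: MS11-070 is low priority on this host'
}
```

Note that Get-HotFix only surfaces updates applied to Windows itself; the Excel, Office and SharePoint updates (MS11-072 through MS11-074) are installed as Windows Installer patches and will not show up here, so for those rely on the WSUS compliance reports instead.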
MISCELLANEOUS SECURITY UPDATES
DigiNotar fraudulent root certificate revocations
In the past few weeks, a security incident has been discovered at a Dutch Certificate Authority company, DigiNotar, in which malicious hackers were able to get fraudulent SSL certificates issued. These certificates were issued using widely-trusted DigiNotar root certificates. These updates revoke the trust that Windows (and Internet Explorer) had in place for the affected DigiNotar root certificates. Not trusting these certs should have no impact on us, as we have no relationship with DigiNotar or any of their customers. This is largely a client/workstation sort of update, rather than a server one, but it does still apply.
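As an added check (again my own example, not part of the Microsoft update), the revocation update works by placing the DigiNotar roots in the machine’s Untrusted Certificates store, so after it has been applied you can confirm the result from PowerShell: the DigiNotar entries should appear under the Disallowed store, and nothing named DigiNotar should remain in the trusted root stores. The store paths are the standard certificate-provider paths; the DigiNotar name match is a simple substring search on Subject and Issuer.

```powershell
# Added example (not from the original write-up): verify the DigiNotar
# revocation landed. Expect hits under Disallowed and none under Root/AuthRoot.
$stores = @{
    'Disallowed (Untrusted Certificates)'  = 'Cert:\LocalMachine\Disallowed'
    'Root (Trusted Root CAs)'              = 'Cert:\LocalMachine\Root'
    'AuthRoot (Third-Party Root CAs)'      = 'Cert:\LocalMachine\AuthRoot'
}

foreach ($s in $stores.GetEnumerator() | Sort-Object Key) {
    # Match on either Subject or Issuer so cross-signed roots are caught too.
    $hits = @(Get-ChildItem -Path $s.Value |
        Where-Object { $_.Subject -match 'DigiNotar' -or $_.Issuer -match 'DigiNotar' })

    if ($hits.Count -gt 0) {
        '{0}: {1} DigiNotar certificate(s)' -f $s.Key, $hits.Count
        $hits | ForEach-Object { '    {0}  thumbprint {1}' -f $_.Subject, $_.Thumbprint }
    } else {
        '{0}: none' -f $s.Key
    }
}
```

If a DigiNotar certificate still shows up under Root or AuthRoot, the update has not been applied on that machine (or a local policy re-added the root), and it is worth checking before assuming the workstation is covered.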