Patch Tuesday: MS plugs critical IE, Windows Media Player holes

Summary: Microsoft today released its largest ever batch of Patch Tuesday updates to fix a whopping 34 security holes in a wide range of widely deployed software products.


The latest patch batch covers critical vulnerabilities in software products that are bundled with Microsoft's dominant Windows operating system (Internet Explorer and Windows Media Player) -- and several known security problems (SMB v2 and FTP in IIS) for which functioning exploit code has already been publicly released.

The SMB v2 issue, which has been in the news over the last month, has been addressed with MS09-050, a critical bulletin that actually addresses three separate documented vulnerabilities.

The most severe of the vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB packet to a computer running the Server service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate from outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.

The second known issue, which has been exploited in the wild, is patched with MS09-053:

Two publicly disclosed vulnerabilities in the FTP Service in Microsoft Internet Information Services (IIS) 5.0, Microsoft Internet Information Services (IIS) 5.1, Microsoft Internet Information Services (IIS) 6.0, and Microsoft Internet Information Services (IIS) 7.0. On IIS 7.0, only FTP Service 6.0 is affected. The vulnerabilities could allow remote code execution (RCE) on systems running FTP Service on IIS 5.0, or denial of service (DoS) on systems running FTP Service on IIS 5.0, IIS 5.1, IIS 6.0 or IIS 7.0.

Microsoft also released a cumulative IE security update to fix four documented vulnerabilities that expose users to drive-by download attacks if an IE user is lured to a booby-trapped Web page. These types of attacks are commonly used by cyber-criminals to load data-stealing Trojans on Windows machines.

A separate bulletin was also released to fix an ActiveX control vulnerability that is currently being exploited. This issue is related to the security problems that have haunted programs compiled with the Microsoft Active Template Library (ATL).

The 13 bulletins released for October 2009 also fix multiple ATL-related vulnerabilities and a trio of holes in Microsoft .NET Framework and Microsoft Silverlight.

The vulnerabilities could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs) or Silverlight applications, or if an attacker succeeds in persuading a user to run a specially crafted Microsoft .NET application.

...The vulnerabilities could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and executing it, as could be the case in a Web hosting scenario.

See this page for more details on this month's updates, including information on Microsoft's exploitability index for each vulnerability.

[Chart from Microsoft's security response team giving a visual representation of the severity of each vulnerability; image not included.]

  • Is MS going to pay for my Gb/month overage?

    With ISPs grasping for profits I see the day when the "download cost" of these mega-patches become an issue!
    • Master Joe Says...

      I've read a lot of stupid comments in my day, but this is near the top of the list. Granted, it's not THE top of the list by any means, but close enough. If anyone should be complaining about the size of patches, it's Apple users. I bought a MacBook Pro, back when I was a senior in college. At the end of August, I had it fully patched. I was running Boot Camp Assistant, so Windows was my primary OS. I decided, in the middle of November, to patch the Mac OS partition of the drive. The patches required were approximately 350 MB in size, and there were no patches anywhere near equivalent to what a service pack is in Windows. All of these patches being deployed today, aside from this being the largest patch EVER meaning it is one of the biggest, don't add up to 350 MB. In fact, as the past two or so years have unfolded, Microsoft has done an excellent job in REDUCING the size of patches. Apple, on the other hand, has yet to do so, and still refuses to address that issue, even now when there are more and more security patches being issued for the Mac OS. So, while it is unlikely that your scenario of pay-per-gig will ever pan out, it would be more consequential to the Mac user than to any Windows user. Not to suggest that this is overly relevant. I just think you're kind of an idiot. No offense. =)

      --Master Joe
      • No offense? "Your an Idiot"?

        WOW! Take a look in a mirror some time! This poster's comment was purely a sarcastic jab! This was VERY obvious and served to make a point!

        Did it escape you bright guy? Is your first name really "MASTER"? Master Debater?

        Just kidding, I don't mean any of this... No offense? :)
      • No offense taken.

        We are ALL idiots in our own "savant" way.
        Some of us about our computers, and some of us about our cars ....
        • Master Joe Says...

          Well, it is that kind of response that makes me take back what I said. The fact that you ADMIT shortcomings, something we ALL have, despite that most people won't admit them, and would rather die than admit they are flawed, is a very admirable trait. Too bad the person who commented directly to my comment, other than you, is lacking that trait. Thanks for the refreshing change of normalcy.

          --Master Joe
    • On this Vista SP2 system the total size...

      ...of these security updates is 35MB. That's 1/3 the size of the last iTunes update I had to download to fix one vulnerability in iTunes. The 2009-005 security update for Tiger came in at a whopping 169.75MB:

      For Snow Leopard it was 71.47MB:

      And for Leopard it was 93.14MB:

      So please, stop trying to pretend that Microsoft is worse than anyone else.

    • And for Win7, it was 8.1MB

      ISPs have bigger fish to fry than people downloading security updates. Torrent much? All rightie then ;)
    • WSUS

      that's why you should run WSUS, download it once and install to your lan.
  • RE: Patch Tuesday: MS plugs critical IE, Windows Media Player holes

    Wow, my Microsoft software is sure to be secure now.

    If only other manufacturers of most other goods could keep up with the changing needs, problems, etc. with a simple automatically-supplied self-installing fix! I for one am glad that MS keeps up with the threats as they emerge! BRAVO!
  • 34 patches and how many patch fixes?

    By the time the fix for the patches that were to fix buggy software gets re-fixed in order to fix bad patches, the bad guys will have had plenty of time to work around the patches and their fixed re-patches!

    I'm not sure which is worse, the bad guys and their vandalism or Microsoft with their crappy patches that create the same end; A broken OS that constantly needs surgery.

    I'm just now getting around to updating to last May's patches. MS and everyone else has had plenty of time to ferret out these "IEP's" (Improvised Explosive Patches):) I won't play that game.

    I'm stating the obvious, not criticizing!
    • Examples?

      Where I come from, the sky is blue, water is liquid at room temperature, and Microsoft's security patches very seldom cause a need for a follow-up patch ;) Did you have a particular example in mind?
      • MS patch

        Don't you find it ridiculous to have a "patch Tuesday" day? This OS has more holes than Swiss cheese... Now they came up with Win 7, which is supposed to fix all these security holes. I doubt it very much. The least they should do is give away Win 7 for free. But no. I read it cost MS 10 billion dollars to write Vista, so they want to recoup some of that (how the hell can you blow 10 billion and come up with Vista... those Apple commercials have a ring of truth). They must have some serious issues.

        Investors are well aware of MS problems, hence the stock price that has been stuck in neutral for 5 years. Good time to short MS stock...
        • This OS

          Windows has fewer holes than both OS X and Linux.
          Year after year.
          • Do you

            have any relevant data to back that up or is the above statement a biased conjecture on your part? If you have verifiable and reliable data by all means please post it here.
          • Guess you didn't get the memo...
            That's Ok - Not everyone has used NON-MS software. I find it to be a welcomed change from the mediocrity that's been traditionally foisted on me.
        • Good point, what was I thinking?

          Thanks for helping me see the light on this. Even though Windows Vista and 7 have relatively few vulnerabilities, I guess it's still just too much to bear. I'm going back to paper, pencil and a pocket calculator. No wait, a slide rule!

          ...dang, HalfLife 2 just doesn't play as well with paper & pencil, though. [i]Ok, Gordon takes three steps forward, rolls a 14 and fires the shotgun at the headcrab...[/i]
        • First the stock price has been stagnant for a lot longer...

          ..than five years.

          That said, when you compare all the operating systems, Microsoft is the only vendor that provides scheduled patching so that IT folks can do due diligence.

          Apple just tosses them out whenever they feel like it and for Linux they pretty much trickle out every few days (or so I've been told).

          But ALL of them get patches, so seriously, what's your point? You just want to bash Microsoft?

          That's what it looks like from your very obviously biased statement about the Apple commercials.
          • MS patches...

            I'm speaking from experience. I'm a .Net developer and that is what I do during the day. At home I have a MacBook Pro. The user experience and quality is much better than any PC I have ever used. I think Apple can write better software than MS. I had maybe 5 patches this year from Apple and of course, zero viruses. The OS is solid as a rock, no slowdowns, no unexplained behavior...

            In their OS division Apple has about 500 people vs 10,000 for MS. So go figure... Maybe MS has too many cooks in the kitchen...
          • solid as a rock

            unless ya use a guest account, in which case you lose all your data from all accounts.

            Oops, that's explained behavior, so no foul, right?