Time once again for this month's summary of the latest Microsoft Security updates …
6 updates, with 15 vulnerabilities covered. Here's the breakdown:
MS09-063: Rated Critical. Potential Remote Code Execution via Memory Corruption in Web Services on Devices API, covering 1 vulnerability: CVE-2009-2512. Important to note that this one only affects Windows Vista and Server 2008. Also important to note that attackers must be on the local subnet to exploit this vulnerability, so it would either be an Insider attack or would need to be chained with one or more additional vulnerabilities for an outside attacker to compromise a host.
MS09-064: Rated Critical. Potential Remote Code Execution via Heap Overflow in License Logging Server, covering 1 vulnerability: CVE-2009-2523. Important to note that this one only affects Windows 2000, however no authentication is required to exploit this vulnerability.
MS09-065: Rated Critical. Potential Remote Code Execution in Windows 2000, XP, and Server 2003; Elevation of Privilege in Vista and Server 2008, covering 3 vulnerabilities: CVE-2009-1127 (Win32k NULL Pointer Dereferencing), CVE-2009-2513 (Win32k Insufficient Data Validation), and CVE-2009-2513 (Win32k EOT Parsing). As predicted in our analysis of the Advanced Notification, this is the one on top of everyone's priority list this month. Important to note that the most severe of the 3 vulnerabilities requires a user to view content rendered in a specially crafted Embedded OpenType font. This makes the threat much more severe for client workstations than servers, assuming users follow best practices by not viewing this kind of content from servers.
MS09-066: Rated Important. Potential Denial of Service in Windows 2000, XP, Server 2003 and Server 2008, covering 1 vulnerability: CVE-2009-1928 (LSASS Recursive Stack Overflow). Vista is not affected. Important to note that this vulnerability affects Active Directory, so Domain Controllers are in scope. Although researchers are often dismissive of DoS vulnerabilities, an exhaustion of resources on Domain Controllers would have a significant impact on enterprise operations.
MS09-067: Rated Important. Potential Remote Code Execution in Excel and Excel Viewer as well as Office and supporting components for Mac, covering 8 (yes, eight) vulnerabilities: CVE-2009-3127 (Cache Memory Corruption), CVE-2009-3128 (SxView Memory Corruption), CVE-2009-3129 (Featheader Record Memory Corruption), CVE-2009-3130 (Document Parsing Heap Overflow), CVE-2009-3131 (Formula Parsing Memory Corruption), CVE-2009-3132 (Index Parsing), CVE-2009-3133 (Document Parsing Memory Corruption), and CVE-2009-3134 (Field Sanitization). Important to note that customers running Office 2007 must install the security updates for Microsoft Office Compatibility Pack File Format in addition to this update. While Office updates generally get less attention at this time of the month, the sheer number of vulnerabilities and Microsoft's exploitability rating should put this in the top 2-3 updates in customers' prioritized patching efforts.
MS09-068: Rated Important. Potential Remote Code Execution via File Information Memory Corruption in Word, Word Viewer, as well as Office and supporting components for Mac, covering 1 vulnerability: CVE-2009-3135. Important to note that a user would need to open a specially crafted Word file for an attacker to exploit this vulnerability.
Overall this is a much lighter month than October's monster update, although it's a busy one by November standards. The Windows updates require a restart; Office updates may require a restart if the updated components are in use when the updates are installed. Our recommendation for customers who run a full test cycle before distributing updates is to focus on MS09-065 first, particularly on client workstations. This one has the broadest impact, including Domain Controllers, Member Servers, and workstations. We also recommend that customers focus on the Excel updates in MS09-067 and the Active Directory Denial of Service addressed by MS09-066.
For customers with PCI Compliance requirements who address their compliance needs first, step one is to inventory your Cardholder Data Environments to see which versions of Windows you're running. If the only Windows versions in your Cardholder Data Environments are XP and Server 2003 (arguably the most common combination in Retail and Financial Services production environments), you can focus your first stage compliance efforts on MS09-065 in preparation for your Quarterly ASV scans. All 5 of the other updates are not applicable to PCI ASV scanning if you are only running XP and Server 2003.
- MS09-063 only affects Vista and Server 2008 (does not affect XP or Server 2003)
- MS09-064 only affects Windows 2000 (does not affect XP or Server 2003)
- MS09-066 is a Denial of Service (DoS does not affect PCI Compliance)
- MS09-067 only affects Office and PCI Approved Scanning Vendors do not assess local vulnerabilities (i.e. require credentials for detection)
- MS09-068 only affects Office and PCI Approved Scanning Vendors do not assess local vulnerabilities (i.e. require credentials for detection)
Certainly these other issues should be addressed as quickly as possible, as compliance with standards such as PCI DSS is a subset of your overall Security and Compliance programs. Nevertheless, we hope this guidance helps you to prioritize your PCI Compliance efforts within your overall Security Program.