Woody Leonhard’s no-bull news, tips and help for Windows and Office
  • MS-DEFCON 2: August Black Tuesday unleashed

    Posted on August 12th, 2009 at 07:23 woody 14 comments

    It’s going to be a bloody month.

    Microsoft just released nine security bulletins, covering 19 separate security holes.

    Five of the bulletins have an exploitability rating of “1”, which means Microsoft “expect[s] there to be consistent, reliable code in the wild seeking to exploit one or more of these vulnerabilities within the first 30 days from release.”

    Sorry, I don’t buy it.

    This month we get two ActiveX security bulletins, with a total of nine separately identified security holes. That’s just for ActiveX – the evil spawn of Internet Explorer.

    MS09-037 is the patch for the Active Template Library that I talked about two weeks ago. If you recall, there was an out-of-band patch that was supposed to fix the problem. Again. Security Advisory 973882 goes into the details of how MS09-032, MS09-034, MS09-035 and MS09-037 are inter-related. Man, what a mess. Keystone Kops time.

    The other ActiveX security bulletin, MS09-043, fixes ActiveX holes in the Office Web Components.

    Those are the two bulletins I’ll be watching most closely. I may advise you to apply the patches earlier this month than usual. Let’s see what happens.

    As usual, the most thorough analysis is at the SANS Internet Storm Center – although I don’t recommend that you follow their “damn the torpedoes, patch it now” advice.

    We’re at MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.

    UPDATE: In response to a request from Vaughn, here are the KB numbers for the August Black Tuesday patches:

    MS09-036
    Vulnerability in ASP.NET in Microsoft Windows Could Allow Denial of Service (970957)

    MS09-037
    Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution (973908)

    MS09-038
    Vulnerabilities in Windows Media File Processing Could Allow Remote Code Execution (971557)

    MS09-039
    Vulnerabilities in WINS Could Allow Remote Code Execution (969883)

    MS09-040
    Vulnerability in Message Queuing Could Allow Elevation of Privilege (971032)

    MS09-041
    Vulnerability in Workstation Service Could Allow Elevation of Privilege (971657)

    MS09-042
    Vulnerability in Telnet Could Allow Remote Code Execution (960859)

    MS09-043
    Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (957638)

    MS09-044
    Vulnerabilities in Remote Desktop Connection Could Allow Remote Code Execution (970927)


    14 responses to “MS-DEFCON 2: August Black Tuesday unleashed”

    1. “…although I don’t recommend that you follow their “damn the torpedoes, patch it now” advice.”

      ISC haven’t marked any of this month’s bulletins as “Patch Now”. The worst are marked “Critical” – “Best approach is to test and deploy ASAP. Workarounds can give more time to test.” – which seems broadly in line with what you’re saying?

    2. Martin -

      ISC has a tendency to recommend installation much more aggressively than I do. In part, that’s because ISC is working with a different set of users – they’re geared to system admins and people in large companies who handle thousands of PCs used by people who don’t have a lot of control over their machines. (So, for example, ISC can’t make a blanket recommendation like, “Install and update IE but don’t use it.”) They also have to be concerned about targeted threats that are directed at specific companies.

      My readership tends to be quite different – people who have full control over their own PCs, who care about protecting their systems, but don’t want to be editing Registry entries every week. That’s why ISC frequently has a “patch it now” slant that I feel is overkill for individual users.

      And you’re right – this month they haven’t (yet) applied a “Patch Now” warning. That’s in direct contrast with Microsoft, which has placed Exploitability Index ratings very high.

    3. “MS09-037 is the patch for the Active Template Library that I talked about two weeks ago. If you recall, there was an out-of-band patch that was supposed to fix the problem. Again. Security Advisory 973882 goes into the details of how MS09-032, MS09-034, MS09-035 and MS09-037 are inter-related. Man, what a mess. Keystone Kops time.”
      Part of the problem here is that properly patching the ATL hole requires changes to the programs linking with ATL. These changes were documented for developers here:
      http://msdn.microsoft.com/en-us/visualc/ee309358.aspx

    4. These patches slipped past me earlier on today. Normally I stop them and take a look, but they seem to have autorun and installed.

      Now, when I come to open an Office XP application, it says it needs to run something from the install disk – which I don’t have, because Office was pre-loaded on the machine when I bought it from the manufacturer. Wtf? Well done MS.

    5. Further to the previous comment, it’s just Excel that’s affected, not every Office app. I got carried away.

    6. Woody: All my updates are submitted with KB #’s and you don’t include these with your monthly summaries any more. Can you once again start referencing the KB #’s, too? Appreciate it. Thanks

    7. Vaughn -

      Here are the KB numbers for the August Black Tuesday patches:

      MS09-036
      Vulnerability in ASP.NET in Microsoft Windows Could Allow Denial of Service (970957)

      MS09-037
      Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution (973908)

      MS09-038
      Vulnerabilities in Windows Media File Processing Could Allow Remote Code Execution (971557)

      MS09-039
      Vulnerabilities in WINS Could Allow Remote Code Execution (969883)

      MS09-040
      Vulnerability in Message Queuing Could Allow Elevation of Privilege (971032)

      MS09-041
      Vulnerability in Workstation Service Could Allow Elevation of Privilege (971657)

      MS09-042
      Vulnerability in Telnet Could Allow Remote Code Execution (960859)

      MS09-043
      Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (957638)

      MS09-044
      Vulnerabilities in Remote Desktop Connection Could Allow Remote Code Execution (970927)

    8. I read the news today Wood Dog
      Four thousand holes In-ternet Explorer
      And ‘cos the holes were ActiveX
      They’ve had to patch them all
      Now they know how many holes
      it takes to start a browser war.
      I’d love to turn UAC off.

      Nice One Wood Dog

    9. Hello,
      I have also been offered Security updates for Windows KB956744, KB973507, KB973540 and update for Windows Vista KB968389 which I don’t see on your list. Are they part of the Black Tuesday crop of patches as well?
      Thanks
      :)

    10. Woody,

      Why do I always have additional updates sent to my laptop that are not on your list. While I received 971557 and 971657 I got none of the others. However, I did get 956744, 973507, 973540 and 968389. Can you help me out here?

    11. I wonder how many holes are in Albert Hall?

    12. Sometimes the KB numbers don’t match up exactly, and it’s confusing. Your best bet is to do a Google search on, for example,

      KB 956744

      that will usually pinpoint the patch and you can take it from there.

    13. I am so confused about all of this patch business. Can anyone offer some help as to which ones I should patch? I have not installed any updates dated 8/11/09. Should I still avoid those?
      Thanks

    14. I also sometimes get offered different KB numbers on some patches. But the MS numbers (e.g., MS09-037) are still the same. MS Numbers are more constant, so I usually reference patches by this system. It is confusing, but not unmanageable.
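    The KB-versus-bulletin confusion in comments 10, 12 and 14 comes down to two numbering schemes for the same patch. The Python below is an added example, not code from the post or its commenters: it parses the UPDATE list above in the post's own two-line format into a KB-to-bulletin map, then checks a constructed set of offered KB numbers (the ones named in comment 10) against it, so a reader can see which offered updates this month's bulletins account for and which ones have to be looked up separately.

```python
import re

# Copy of the bulletin/KB list from the post's UPDATE, in the post's own two-line format.
AUGUST_2009_BULLETINS = """
MS09-036
Vulnerability in ASP.NET in Microsoft Windows Could Allow Denial of Service (970957)
MS09-037
Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution (973908)
MS09-038
Vulnerabilities in Windows Media File Processing Could Allow Remote Code Execution (971557)
MS09-039
Vulnerabilities in WINS Could Allow Remote Code Execution (969883)
MS09-040
Vulnerability in Message Queuing Could Allow Elevation of Privilege (971032)
MS09-041
Vulnerability in Workstation Service Could Allow Elevation of Privilege (971657)
MS09-042
Vulnerability in Telnet Could Allow Remote Code Execution (960859)
MS09-043
Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (957638)
MS09-044
Vulnerabilities in Remote Desktop Connection Could Allow Remote Code Execution (970927)
"""

MS_ID = re.compile(r"^MS\d{2}-\d{3}$")          # bulletin id line, e.g. MS09-037
TITLE = re.compile(r"^(.+?)\s*\((\d{6,7})\)$")   # title line ending in "(KB number)"

def parse_bulletins(text):
    """Map KB number -> (bulletin id, title) from 'MSyy-nnn' / 'Title (KB)' line pairs."""
    by_kb, ms_id = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if MS_ID.match(line):
            ms_id = line                         # the title line follows this one
        elif ms_id and (m := TITLE.match(line)):
            by_kb[m.group(2)] = (ms_id, m.group(1))
            ms_id = None                         # one title per bulletin id
    return by_kb

def reconcile(offered, by_kb):
    """Split KB numbers offered by Windows Update into {kb: bulletin id} and
    the set of numbers that no bulletin in the list accounts for."""
    matched, unmatched = {}, set()
    for item in offered:
        kb = re.sub(r"\D", "", item)             # 'KB973540', 'KB 973540', '973540' -> '973540'
        if kb in by_kb:
            matched[kb] = by_kb[kb][0]
        else:
            unmatched.add(kb)
    return matched, unmatched
```

Anything in the unmatched set is exactly what comment 12 suggests searching on by KB number, since it is not one of the nine bulletins in this month's list.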
