Patch Tuesday: Six expected patches, two surprise revised ones

Microsoft's November Patch Tuesday consists of six updates, three critical, that fix 15 holes.

As expected, Microsoft's November Patch Tuesday consists of six updates, three critical, that fix 15 holes. The company also re-released two more patches, both critical

Here is the low-down, provided by Microsoft, of each new patch issued today:

• MS09-063 (Maximum severity rating of Critical): This update resolves one privately reported vulnerability in Windows, which could allow remote code execution if an affected Windows system receives a specially crafted packet. An attacker who successfully exploited this vulnerability could take complete control of an affected system. This update received a 2 rating from Microsoft’s Exploitability Index.
• MS09-064 (Maximum severity rating of Critical): This update resolves one privately reported vulnerability in Windows, which could allow remote code execution if an attacker sent a specially crafted network message to a computer running the License Logging Server. An attacker who successfully exploited this vulnerability could take complete control of the system .This update received a 2 rating from Microsoft’s Exploitability Index.
• MS09-065 (Maximum severity rating of Critical): This update resolves three privately reported vulnerabilities in Windows, which could allow remote code execution if a user viewed content rendered in a specially crafted Embedded OpenType (EOT) font. In a Web-based attack scenario, an attacker would have to host a Web site that contains specially crafted embedded fonts that are used to attempt to exploit this vulnerability. This update received a 1 rating from Microsoft’s Exploitability Index.
• MS09-066 (Maximum severity rating of Important): This update resolves one privately reported vulnerability in Windows, which could allow denial of service if stack space was exhausted during execution of certain types of LDAP or LDAPS requests. This update received a 3 rating from Microsoft’s Exploitability Index.
• MS09-067 (Maximum severity rating of Important): This update resolves eight privately reported vulnerabilities in Office, which could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. This update received a 1 rating from Microsoft’s Exploitability Index.
• MS09-068 (Maximum severity rating of Important): This update resolves one privately reported vulnerability in Office, which could allow remote code execution if a user opens a specially crafted Word file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. This update received a 1 rating from Microsoft’s Exploitability Index.

The two revised patches are MS09-045 and MS09-051 , both rated critical:

• MS09-045 Microsoft re-released Security Bulletinto add the detection for JScript 5.7 on Microsoft Windows 2000 Service Pack 4 (KB975542) to Affected Software and Security Update Deployment sections.
• MS09-051 Microsoft re-released Security Bulletinto address the update for Audio Compression Manager on Microsoft Windows 2000 Service Pack 4 to fix a detection issue. This is a detection change only; there were no changes to the binaries. Customers who have successfully updated their systems do not need to reinstall this update.

According to Jason Miller, Data and Security Team Leader, Shavlik Technologies, St. Paul, Minn., the place to start is with MS09-065, as exploit code is likely to be coming soon. He says, "This bulletin affects the Windows Kernel and can lead to remote execution on a target system.  This bulletin addresses three vulnerabilities. One of the vulnerabilities was disclosed to Microsoft, but it was also disclosed publicly. This vulnerability affects the way the Windows Kernel parses Embedded OpenType fonts.  These are typical on websites.  If a user visits a specially crafted website, an attacker can take control of the system."

MS09-066 should be looked at quickly, too, as it fixes a problem with Active Directory, but the risks are relatively lower, as it could be difficult to pull off and the result is a denial of service attack, not a PWN'd machine.

Note that MS09-063 affects Windows Vista and 2008 only. It fixes a critical hole in the WSDAPI service that "allows users to easily find devices such as printers and cameras on their network," Miller describes.  The upside is that this vulnerability is reported to not be widely known. MS09-064 affects only Windows 2000 but any most computers that are still running 2000 are doing so as servers and that makes this patch especially important.

Like this post? Check out these others.

• Windows Server 2008 R2: Security Changes and Additions Part III
• AppLocker in Server 2008 R2
• Microsoft Linux: Why one free software advocate wants it
• Are you ready for Windows 7 and Windows Server 2008 R2?
• Torvalds offers a thumbs-up to Windows 7
• Exchange 2010 Prerequisites Made Easy
• Microsoft, Dell, Spectrum Bridge launch first public white spaces network
• 7 tools for Windows 7 rollouts

Plus, visit the Microsoft Subnet web site for more news, blogs, podcasts. Subscribe to all Microsoft Subnet bloggers. Sign up for the bi-weekly Microsoft newsletter. (Click on News/Microsoft News Alert.)
Follow All Microsoft Subnet bloggers on Twitter
Follow Julie Bort on Twitter

• Microsoft
• Security
• Microsoft security
• Microsoft Security alert
• Patch Tuesday