DOE-CIRC TECHNICAL BULLETIN

T-184: Microsoft Monthly Updates

July 15, 2009 15:00 GMT

PROBLEM: Microsoft has released updates that address vulnerabilities in Microsoft Windows, Windows Server, DirectShow, Virtual PC and Server, Office Publisher, and ISA Server.
PLATFORM: Microsoft Windows and Windows Server; Microsoft DirectShow; Microsoft Virtual PC and Server; Microsoft Office Publisher; Microsoft Internet Security and Acceleration (ISA) Server
ABSTRACT: As part of the Microsoft Security Bulletin Summary for July 2009, Microsoft has released updates that address several vulnerabilities in Microsoft Windows, Windows Server, DirectShow, Windows Virtual PC and Server, Office Publisher, and ISA Server. Microsoft indicates that two of these vulnerabilities, CVE-2009-1537 and CVE-2008-0015, are being actively exploited.

LINKS:
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-184.shtml
  OTHER LINKS:
    Microsoft Summary Bulletin: http://www.microsoft.com/technet/security/bulletin/ms09-jul.mspx
    Internet Storm Center: http://isc.sans.org/diary.html?storyid=6790


IMPACT ASSESSMENT: This risk is high. Results of a successful exploit include privilege escalation, denial of service (crashing) and running of arbitrary code (complete compromise). Some of these vulnerabilities are being actively exploited now.

Solutions: 
Microsoft has released patches for the vulnerabilities listed in this bulletin. Administrators are encouraged to test and apply these patches as soon as possible, especially those rated as critical or currently being exploited. Individual security bulletins for each vulnerability are listed below.

Important Note: The ActiveX vulnerability (CVE-2009-1135), patches and workaround released in Tuesday's bulletin are NOT the same as the Spreadsheet ActiveX control vulnerability and workaround released a few days ago (CVE-2009-1136). That vulnerability is also being actively exploited. Even if all of Tuesday's patches are applied, separate measures must be taken to protect against the Spreadsheet ActiveX control vulnerability. See bulletin T183.

Security Bulletins:

DirectShow:
http://www.microsoft.com/technet/security/Bulletin/MS09-028.mspx

Embedded OpenType:
http://www.microsoft.com/technet/security/Bulletin/MS09-029.mspx

Publisher:
http://www.microsoft.com/technet/security/Bulletin/MS09-030.mspx

ISA Server 2006:
http://www.microsoft.com/technet/security/Bulletin/MS09-031.mspx

ActiveX:
http://www.microsoft.com/technet/security/advisory/972890.mspx

Virtual PC, Virtual Server:
http://www.microsoft.com/technet/security/Bulletin/MS09-033.mspx

DOE-CIRC wishes to acknowledge the contributions of Microsoft for the information contained in this bulletin.
DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788