Privacy and Legal Notice
DOE-CIRC TECHNICAL BULLETIN

T-207: Microsoft Patch Tuesday Reminder

August 12, 2009 00:00 GMT

PROBLEM:

Multiple vulnerabilities in Microsoft products. Exploit of some of these allows complete compromise of the host.

PLATFORM:

Windows XP SP3 Windows 2000 Windows Vista SP2 Windows Server 2003 SP2 Windows Server 2008 SP2 ASP.NET ATL (Active Template Library) WMF WINS MSMQ (Message Queing Service) Workstation service Telnet Office Web Components Remote Desktop

ABSTRACT:

Microsoft has released patches for critical vulnerabilities in all current versions of Windows and Windows Server, MS Office XP, Office 2003. The bulletin contains links to the individual Microsoft Knowledge Base articles.

LINKS:

 

  DOE-CIRC BULLETIN:

http://www.doecirc.energy.gov/bulletins/t-207.shtml

  OTHER LINKS:

ISC:
http://isc.sans.org/diary.html?storyid=6937
Microsoft Patch Summary:

https://www.microsoft.com/technet/security/bulletin/ms09-aug.mspx

  CVE:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1536 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2493 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2494 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1545 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1546 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1923 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1924 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1922 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1544 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1930 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1534 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2496 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1929

IMPACT ASSESSMENT:

This risk is HIGH. Some of the vulnerabilities are being actively exploited now. These allow the attacker to run arbitrary code (completely own) the attacked host.

 
Discussion:
This is a reminder that the monthly Microsoft patch cycle has been released.

Impact:
At least one of the vulnerabilities allows remote code execution, is being actively exploited now, and affects all current versions of Windows desktop and Server OS's. Prompt testing and deployment of the patches is highly recommended.


Affected Software:
Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, Office XP, Office 2003, Office Web Components, Visual Studio.NET, ISA Server and Biztalk Server.

Links to patches, KB articles and CVE's:
MS09-036
http://www.microsoft.com/technet/security/Bulletin/MS09-036.mspx
http://support.microsoft.com/kb/970957
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1536

MS09-037
http://www.microsoft.com/technet/security/Bulletin/MS09-037.mspx
http://support.microsoft.com/kb/973908
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2494
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2493

MS09-038
http://www.microsoft.com/technet/security/Bulletin/MS09-038.mspx
http://support.microsoft.com/kb/971557
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1545
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1546

MS09-039
http://www.microsoft.com/technet/security/Bulletin/MS09-039.mspx
http://support.microsoft.com/kb/969883
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1923
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1924

MS09-040
http://www.microsoft.com/technet/security/Bulletin/MS09-040.mspx
http://support.microsoft.com/kb/971032
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1922

MS09-041
http://www.microsoft.com/technet/security/Bulletin/MS09-041.mspx
http://support.microsoft.com/kb/971657
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1544

MS09-042
http://www.microsoft.com/technet/security/Bulletin/MS09-042.mspx
http://support.microsoft.com/kb/960859
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1930

MS09-043
http://www.microsoft.com/technet/security/Bulletin/MS09-043.mspx
http://support.microsoft.com/kb/957638
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2496

MS09-044
http://www.microsoft.com/technet/security/Bulletin/MS09-044.mspx
http://support.microsoft.com/kb/970927
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1929

DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at: 

 Voice: 866-941-2472
E-mail: doecirc@doecirc.energy.gov
World Wide Web: http://www.doecirc.energy.gov

UCRL-MI-119788