Upcoming Patch Tuesday for February 10, 2009

Microsoft Today has released the list of patches for February. Here’s the List of things they will patch:

[ad#ad2-right]

The list of affected operating configurations includes Windows 2000, Windows XP (x86 and x64), Windows Server 2003 (x86 and x64), Windows Vista (x86 and x64), and Windows Server 2008 (x86 and x64). Microsoft Exchange Server 2000, 2003, and 2007, Microsoft SQL Server 2000 and 2005, as well as Visio 2002, 2003, and 2007 are also affected.
[Via Arstechnica]

We got several Non-critical updates.  Here’s the List of them, some of these are monthly updates and some are just interesting to look at:

  • Update for Windows Mail Junk E-mail Filter [February 2009] (KB905866)
  • Windows Malicious Software Removal Tool – February 2009 (KB890830)/Windows Malicious Software Removal Tool – February 2009 (KB890830) – Internet Explorer Version
  • Cumulative Update for Media Center for Windows Vista (KB960544)
  • Cumulative Update for Media Center TVPack for Windows Vista (KB958653)
  • Update Rollup for ActiveX Killbits for Windows (KB960715)

We got an Update to Media Center and TVPack for Windows Vista to resolve issues with software.   The ActiveX Killbits issues have been identified in ActiveX controls that could allow an attacker to compromise a system that is running Microsoft Internet Explorer and gain control over it.  So we don’t exactly know what what issues they are talking about.   I hope this helps your system administrators get ready for this update.  If I were you, I’d having Clone of Autopatcher ready for these updates.  Remember to patch as soon as your company will allow, because waiting to long could make you have even more of an headache.   I’ll update the others as soon as I find out the updates.

Microsoft Knows about the SQL Bug — KB961040

Microsoft confirmed some information about the this little SQl bug and issued a Statement in an Security Advisory 961040 and in it Microsoft said:

Microsoft is investigating new public reports of a vulnerability that could allow remote code execution on systems with supported editions of Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE), and Windows Internal Database (WYukon). Systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are not affected by this issue.

[via Microsoft Technet]

[ad#ad2-left-1]One researcher, a Bernhard Mueller, is claiming that Microsoft has the patch available and ready to patch this bug.  According to him Microsoft this patch is done and isn’t scheduled to be release yet.  I don’t know when they will patch this but if Techworld is right it will be an out of cycle patch.   I am sure that if Microsoft does release it in cycle then it will be this coming patch cycle.  January 13, 2009 is the next cycle of patches for Microsoft and should be available at 10pm PST time. If Microsoft doesn’t release the patch soon they will undoubtedly wait till Patch Tuesday.  In my previous article I talked about this to a point the workaround so if you are using an SQL server you need to do this work around.

New Vulnebility in the SQL Server

Microsoft as Issued a warning on a new Vulnerability for:

Microsoft Security Advisory (KB961040)

[ad#ad2-right]Vulnerability in SQL Server Could Allow Remote Code Execution

Microsoft is investigating new public reports of a vulnerability that could allow remote code execution on systems with supported editions of Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE), and Windows Internal Database (WYukon). Systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are not affected by this issue.

[Via Technet]

[ad#ad2-left]The workaround for the people who use the servers are to deny access to  sp_replwritetovarbin and only should be done by system admins.   Microsoft will probably issue a patch on the next coming next Patch Tuesday unless they hear of anything in the wild.  This does not look to affect anyone who uses Windows XP Home edition or Vista Home  edition just people who has a Microsoft server and use SQL.  It also seem to be CVE-2008-4270 in the Common Vulnerabilities and Exposure database.  If I find out more I’ll let you know.