Overview
On December 8, 2009, Microsoft released its final Patch Tuesday updates for the year: six security bulletins addressing a total of 12 vulnerabilities across Windows, Internet Explorer, and Microsoft Office. Three bulletins were rated "Critical" and three "Important." Note that the rating reflects Microsoft's severity criteria (for example, whether code execution is possible without user interaction or prior authentication) rather than the impact class alone: two of the three Important bulletins in this release also addressed remote code execution, but only under conditions such as a valid logon or the user opening a crafted file.
Detailed Breakdown of the Security Bulletins
MS09-072: Cumulative Security Update for Internet Explorer
Severity: Critical
Affected Products: Internet Explorer 5.01, 6, 7, and 8
Impact: Remote Code Execution
Description: This update addressed five vulnerabilities in Internet Explorer, including a publicly disclosed zero-day flaw affecting IE6 and IE7. Exploitation could allow an attacker to execute arbitrary code in the context of the logged-on user if the user viewed a specially crafted web page. This bulletin was the priority of the release because the zero-day had been publicly disclosed ahead of the fix and was reported to be under active exploitation. (learn.microsoft.com)

MS09-071: Vulnerabilities in Internet Authentication Service
Severity: Critical
Affected Products: Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008
Impact: Remote Code Execution
Description: This bulletin addressed two vulnerabilities in the Internet Authentication Service (IAS), the RADIUS server component that Windows Server 2008 renamed Network Policy Server (NPS). The more severe could allow remote code execution if messages received by the IAS server were copied incorrectly into memory while handling PEAP authentication attempts; the second was an authentication bypass affecting MS-CHAP v2. Only servers running IAS or NPS with PEAP and MS-CHAP v2 enabled were exposed, and neither role is installed by default. (learn.microsoft.com)

MS09-074: Vulnerability in Microsoft Office Project
Severity: Critical
Affected Products: Microsoft Office Project 2000, 2002, and 2003
Impact: Remote Code Execution
Description: This update resolved a vulnerability in Microsoft Office Project that could allow remote code execution if a user opened a specially crafted Project file. An attacker who successfully exploited it could take complete control of the affected system with the privileges of the user who opened the file. (learn.microsoft.com)

MS09-069: Vulnerability in Local Security Authority Subsystem Service
Severity: Important
Affected Products: Windows 2000, Windows XP, Windows Server 2003
Impact: Denial of Service
Description: This update addressed a vulnerability in the Local Security Authority Subsystem Service (LSASS) that could allow a denial of service if a remote, authenticated attacker communicating over IPsec sent a specially crafted ISAKMP message to LSASS on an affected system. (learn.microsoft.com)

MS09-070: Vulnerabilities in Active Directory Federation Services
Severity: Important
Affected Products: Windows Server 2003, Windows Server 2008
Impact: Remote Code Execution
Description: This bulletin addressed two vulnerabilities in Active Directory Federation Services (ADFS). The more severe could allow remote code execution if an attacker sent a specially crafted HTTP request to an ADFS-enabled web server. Exploitation required the attacker to hold valid logon credentials, which is why the bulletin was rated Important rather than Critical despite the code-execution impact. (learn.microsoft.com)

MS09-073: Vulnerability in WordPad and Office Text Converters
Severity: Important
Affected Products: Windows 2000, Windows XP, Windows Server 2003, Microsoft Office Word 2002, Microsoft Office Word 2003
Impact: Remote Code Execution
Description: This update resolved a vulnerability in the WordPad and Microsoft Office text converters that could allow remote code execution if a specially crafted Word 97 format file was opened. An attacker who successfully exploited it would gain the same privileges as the logged-on user, so accounts running without administrative rights were less exposed than those running as administrator. (learn.microsoft.com)

Implications and Impact
The December 2009 Patch Tuesday updates were significant because of the severity of the vulnerabilities addressed, particularly the zero-day flaw in Internet Explorer. Because that flaw was public before the patch shipped, the gap between disclosure and deployment was the window of exposure, and organizations and individual users were urged to apply the updates promptly, starting with MS09-072 on any host running IE6 or IE7.
Technical Details
- Internet Explorer Vulnerabilities: The vulnerabilities addressed in MS09-072 were memory corruption issues caused by improper handling of objects in memory; a crafted web page could trigger them to execute arbitrary code in the context of the current user. (learn.microsoft.com)
- Internet Authentication Service Vulnerabilities: The more severe MS09-071 vulnerability was caused by received messages being copied incorrectly into memory while handling PEAP authentication attempts, which could lead to remote code execution on the RADIUS server. (learn.microsoft.com)
- Microsoft Office Project Vulnerability: The vulnerability addressed in MS09-074 was caused by insufficient validation of memory allocation when parsing a Project file, and could be exploited by persuading a user to open a malicious file. (learn.microsoft.com)
Conclusion
Microsoft's December 2009 Patch Tuesday release closed out the year with six bulletins covering a publicly disclosed browser zero-day, a server-side RADIUS flaw, and several file-format parsing bugs. Prompt application of these patches, prioritized by exposure (internet-facing browsers and authentication servers first), was essential to maintain system security and integrity, highlighting the ongoing need for disciplined patch management.
Reference Links
- Microsoft Security Bulletin Summary for December 2009
- December 2009 Security Bulletin Release | MSRC Blog
- Microsoft Fixes Critical IE Security Vulnerabilities on Final Patch Tuesday for 2009
- Microsoft Fixes Critical IE Bug In Final 2009 Patch Tuesday Update
- December Microsoft Patch Tuesday Roundup | Rapid7 Blog