This month there were 3 security bulletins released and 1 re-released:
First, let's tackle the bulletin which was re-released. MS08-052, which was issued for a remote code execution vulnerabilities in GDI+ (graphics rendering). The bulletin was re-released to cover situations where Windows XP SP2 had been applied, then the security patch, and then Windows XP SP3, or Windows Server 2003 SP1, then the security patch, and the Windows Server 2003 SP2. In these cases the new service pack would have overwritten the files, rendering the system vulnerable once again. The new patch release covers those situations. So if you had Windows XP SP2 or Windows Server 2003 SP1 on a system and patched when the security patch came out but then upgraded the service pack, you will need to re-patch the system.
Next, let's look at the three new security bulletins for the month of March. The first two (MS09-006 and MS09-007) affect the Windows operating system. MS09-006 deals with three kernel vulnerabilities and is rated critical. Of these vulnerabilities, the most serious one can allow remote code execution on the system through a specially crafted graphics file. MS09-007 corrects a spoofing vulnerability which would allow an attacker to gain access to an end user certificate and therefore the attacker could then use the certificate to authenticate as the user when certificate-based authentication is used. The last one, MS09-008, affects DNS and WINS Servers. The security patch corrects 3 DNS Server and 1 WINS Server vulnerabilities. Two of the DNS Server vulnerabilities would allow for DNS cache poisoning to be more likely to succeed. The remaining DNS and the WINS vulnerabilities deal with Web Proxy Auto-Discovery (WPAD) records and the lack of proper validation on the submitter. This would allow an attacker to submit a system as a valid web proxy for any computers doing autodiscovery to locate a proxy server to use. As a result, the attacker could then redirect traffic accordingly. While none of the three vulnerabilities affect SQL Server directly, all three require a system reboot, thereby rendering a potential outage of the SQL Server during the reboot process.
If you're an IT pro but not really a security pro, there is a new resource to help you understand the security bulletins as they are released. It is a podcase entitled:
I've listened to the first one and it is easy to understand, covers the new vulnerabilities, and is over in less than 15 minutes. You can download the podcast directly or subscribe with your Zune or iPod.
