Security Alerts - December 2009

Recently, Microsoft released the December security bulletin, and one of the patches relates to IIS. I meant to blog about this earlier, but Nazim from the IIS team beat me to it :) I have been seeing a lot of discussion online and on patch-management mailing lists. In short, if you are seeing issues on W2k3 IIS 6 after applying the fix via KB973919, you need to repatch SP2 as described in KB2009746.

Update 17th Dec 2009
More details about the fix @ iis.net
http://forums.iis.net/t/1163341.aspx
It has also been confirmed that MS has repackaged the fix; read more here.

More updates 22nd Dec 2009
The MS Support team released a simple VBS script to check whether you have a 'broken' SP2 IIS box; get it here.
Also, if you are getting the fix via Windows Update, the detection logic now doesn't install the patch if you have a broken SP2 machine.

Published Fri, Dec 11 2009 11:36 by qbernard

Comments

# Rovastar said on 13 December, 2009 05:52 PM

Is this critical or not?!?!? Will it be automatically installed?!! I thought it was not a crit.......

forums.iis.net/.../1163341.aspx

# qbernard said on 13 December, 2009 07:49 PM

It is critical for certain OSes, say w2k8.

See the vulnerability information section on the bulletin.

www.microsoft.com/.../MS09-071.mspx

And more info on IWA with Extended Protection.

msdn.microsoft.com/.../dd639324.aspx.

There are a lot more details about the patch, though it is still showing as important on my w2k8 box. I got 4 at least -

Security Update for Windows Server 2008 (KB974318)

-> MS09-071: Vulnerabilities in the Internet Authentication service could allow remote code execution

support.microsoft.com/.../974318

Update for Windows Server 2008 (KB970430)

-> Description of the update that implements Extended Protection for Authentication in the HTTP Protocol Stack (http.sys)

support.microsoft.com/.../970430

Update for Windows Server 2008 (KB971373)

-> Description of the update that implements Extended Protection for Authentication in Microsoft Windows HTTP Services (WinHTTP)

support.microsoft.com/.../971737

Update for Windows Server 2008 (KB973917)

-> Description of the update that implements Extended Protection for Authentication in Internet Information Services (IIS)

support.microsoft.com/.../973917

# qbernard said on 14 December, 2009 08:21 PM

More updates - read it here

forums.iis.net/.../1163341.aspx

It seems like if you are getting the patch yesterday or today, you SHOULD not be getting the 503 error. In my case I can't repro and all files are updated, so I don't think repatching SP2 is required.