Product Support Notice © 2009 Avaya Inc. All Rights Reserved. PSN # PSN002704u Original publication date: 30-Nov-09. This is Issue #01, published date: Severity/risk level Medium Urgency Immediately 30-Nov-09. Name of problem Modular Messaging 5.2 Microsoft Patch List Products affected Modular Messaging (MM) 5.2 Problem description Avaya applies a set of Microsoft patches as part of the base installation of MM installed in the factory. The majority of these patches are security updates.
Resolution The following are included in the base software for MM 5.2. This list applies to systems with Exchange and Domino backends and MSS backends with MAS software on a S3500 and S8800. The list for systems with MSS backends with MAS software on a S8730 follows this list.
Common KB Article Type Description Name Number MS07‐021 KB930178 Security Vulnerability in Windows CSRSS could allow remote code execution MS07‐020 KB932168 Security Vulnerability in Microsoft Agent could allow remote code execution KB927891 Update You receive an access violation error and the system may appear to become unresponsive when you try to install an update from Windows Update or from Microsoft Update MS07‐012 KB924667 Security Vulnerability in Microsoft Foundation Classes could allow for remote code execution MS07‐034 KB929123 Security Cumulative security update for Outlook Express and for Windows Mail MS06‐078 KB925398 Security Vulnerability in Windows Media Format could allow remote code execution MS07‐039 KB926122 Security Vulnerability in Windows Active Directory could allow remote code execution MS07‐047 KB936782 Security Vulnerability in Windows Media Player could allow remote code execution MS07‐050 KB938127 Security Vulnerability in Vector Markup Language could allow remote code execution MS07‐040 KB933854 Security Vulnerabilities in the .NET Framework could allow remote code execution MS07‐058 KB933729 Security Vulnerabilities in RPC could allow denial of service KB936357 Update A microcode reliability update is available that improves the reliability of systems that use Intel processors
MS07‐061 KB943460 Security Vulnerability in Windows URI Handling could allow remote code execution MS07‐061 KB944653 Security Vulnerability in Windows URI Handling could allow remote code execution MS07‐068 KB941569 Security Vulnerability in Windows Media file format could allow remote code execution
MS08‐006 KB942830 Security Vulnerability in Internet Information Services could allow remote code execution MS08‐005 KB942831 Security Vulnerability in Internet Information Services could allow elevation of privileges MS08‐007 KB946026 Security Vulnerability in WebDAV Mini‐Redirector could allow remote code execution MS08‐008 KB943055 Security Description of the security update for Windows 2000, for Windows XP, for Windows Server 2003, and for Windows Vista: February 12, 2008 KB948496 Update An update to turn off default SNP features is available for Windows Server 2003‐based and Small Business Server 2003‐based computers MS08‐020 KB945553 Security Vulnerability in DNS client could allow spoofing MS08‐032 KB950760 Security Critical security update of ActiveX kill bits MS08‐036 KB950762 Security Vulnerabilities in Pragmatic General Multicast (PGM) could allow denial of service MS08‐037 KB951748 Security Description of the security update for DNS in Windows Server 2003, in Windows XP, and in Windows 2000 Server (client side): July 8, 2008 MS08‐048 KB951066 Security Security update for Outlook Express and Windows Mail MS08‐046 KB952954 Security Vulnerabilities in Microsoft Windows Image Color Management could allow remote code execution MS08‐049 KB950974 Security Vulnerability in Event System could allow remote code execution MS08‐067 KB958644 Security Vulnerability in Server service could allow remote code execution MS08‐069 KB955069 Security Description of the security update for XML Core Services 3.0: November 11, 2008 MS08‐068 KB957097 Security Vulnerability in SMB could allow remote code execution
MS08‐076 KB952069 Security Description of the security update for Windows Media Format Runtime 7.1, 9.0, 9.5, and 11 and Media Foundation: December 9, 2008 MS08‐076 KB954600 Security Description of the security update for Windows Media Player 6.4: December 9, 2008 MS08‐071 KB956802 Security Vulnerabilities in GDI could allow remote code execution KB955839 Update December 2008 cumulative time zone update for Microsoft Windows operating systems MS07‐017 KB925902 Security Vulnerability in GDI could allow remote code execution MS08‐066 KB956803 Security Vulnerability in the Microsoft Ancillary Function driver could allow elevation of privilege MS09‐001 KB958687 Security Vulnerabilities in SMB could allow remote code execution KB960715 Update Microsoft Security Advisory: Update Rollup for ActiveX Kill Bits MS09‐007 KB960225 Security Vulnerability in SChannel could allow spoofing MS08‐052 KB938464 Security Description of the security update for GDI+ for all editions of Windows XP, of Windows Vista, of Windows Server 2003, and of Windows Server 2008 and for Windows Server 2000 with Internet Explorer 6 SP1
© 2009 Avaya Inc. All Rights Reserved. Page 2 MS09‐006 KB958690 Security Vulnerabilities in Windows Kernel could allow remote code execution KB967715 update How to disable the Autorun functionality in Windows MS09‐011 KB961373 Security Vulnerability in Microsoft DirectShow could allow remote code execution MS09‐012 KB956572 Security Description of the security update for Windows Service Isolation: April 2009 MS09‐012 KB952004 Security Description of the security update for MSDTC Transaction Facility: April 2009 MS09‐013 KB960803 Security Vulnerabilities in Windows HTTP services could allow remote code execution MS09‐015 KB959426 Security Blended threat vulnerability in SearchPath could allow elevation of privilege MS09‐014 KB963027 Security Cumulative security update for Internet Explorer MS09‐010 KB923561 Security Description of the update for Windows WordPad Converter: April 14, 2009 MS09‐008 KB961063 Security Description of the security update for DNS server: March 10, 2009 MS09‐022 KB961501 Security Vulnerabilities in the Windows Print Spooler could allow remote code execution MS09‐025 KB968537 Security Vulnerabilities in Windows Kernel could allow elevation of privilege MS09‐026 KB970238 Security Vulnerability in RPC could allow elevation of privilege MS09‐020 KB970483 Security Vulnerabilities in Internet Information Services (IIS) could allow elevation of privilege KB951847 SP List of changes and fixed issues in the .NET Framework 3.5 Service Pack 1 MS09‐028 KB971633 Security Vulnerabilities in Microsoft DirectShow could allow remote code execution MS09‐029 KB961371 Security Vulnerabilities in the Embedded OpenType Font Engine could allow remote code execution KB890830 Tool The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows Vista, Windows Server 2003, Windows Server 2008, Windows XP, or Windows 2000 MS09‐032 KB973346 Security Cumulative Security Update of ActiveX Kill Bits MS09‐034 KB972260 Update Cumulative security update for Internet Explorer KB973825 Update Error message when you try to install a large Windows Installer package or a large Windows Installer patch package in Windows Server 2003 Service Pack 2: "Error 1718 File was rejected by digital signature policy" MS08‐069 KB954459 Security Description of the security update for XML Core Services 6.0: November 11, 2008 KB961118 Update All the PCL inbox printer drivers become unsigned after you install the Microsoft .NET Framework 3.5 Service Pack 1 MS09‐010 KB923561 Security Description of the update for Windows WordPad Converter: April 14, 2009 KB963707 Update How to remove the .NET Framework Assistant for Firefox KB890830 Tool The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious
© 2009 Avaya Inc. All Rights Reserved. Page 3 software from computers that are running Windows 7, Windows Vista, Windows Server 2003, Windows Server 2008, Windows XP, or Windows 2000 ‐ August 2009 MS09‐029 KB961371 Security Vulnerabilities in the Embedded OpenType Font Engine could allow remote code execution KB968389 Update Extended Protection for Authentication MS09‐040 KB971032 Security Vulnerability in Message Queuing could allow elevation of privilege MS09‐038 KB971557 Security Vulnerabilities in Windows Media file processing could allow remote code execution MS09‐037 KB973540 Security Description of the security update for Windows Media Player: August 11, 2009 MS09‐037 KB973869 Security Description of the security update for the DHTML editing component ActiveX control: August 11, 2009 MS09‐044 KB956744 Security Description of the security update for Remote Desktop Client version 6.0 and 6.1: August 11, 2009 MS09‐054 KB974455 Security Cumulative security update for Internet Explorer MS09‐047 KB968816 Security Description of the security update for Windows Media Format Runtime, Windows Media Services, and Media Foundation: September 8, 2009 MS09‐045 KB971961 Security Vulnerability in JScript Scripting Engines could allow remote code execution KB925876 Update Update Remote Desktop Connection (Terminal Services Client 6.0) KB954550 Update Some Microsoft XPS features are not available in Windows Server 2003 and in Windows XP MS09‐046 KB954550 Security Vulnerability in the DHTML Editing Component ActiveX control could allow remote code execution MS09‐007 KB960225 Security Vulnerability in SChannel could allow spoofing MS09‐048 KB 967723 Security Vulnerabilities in Windows TCP/IP could allow remote code execution MS09‐037 KB973354 Security Description of the security update for Outlook Express
KB973507 Security Description of the security update for the Active Template Library MS09‐042 KB960859 Security Vulnerability in Telnet could allow remote code execution MS09‐037 KB973815 Security Description of the security update for Microsoft MSWebDVD ActiveX Control in Windows XP and Windows Server 2003 MS09‐041 KB971657 Security Vulnerability in the Workstation Service could allow elevation of privilege KB970653 Update August 2009 cumulative time zone update for Microsoft Windows operating systems MS08‐006 KB942830 Security Vulnerability in Internet Information Services could allow remote code execution MS08‐005 KB942831 Security Vulnerability in Internet Information Services could allow elevation of privileges KB954459 Security Description of the security update for XML Core MS08‐069 Services 6.0 KB961118 Update All the PCL inbox printer drivers become unsigned after you install the Microsoft .NET Framework 3.5 Service Pack 1 © 2009 Avaya Inc. All Rights Reserved. Page 4 MS09‐008 KB961063 Security Description of the security update for DNS server MS09‐020 KB970483 Security Vulnerabilities in Internet Information Services (IIS) could allow elevation of privilege KB963707 Update Update to .NET Framework 3.5 SP1 for the .NET Framework Assistant 1.0 for Firefox MS09‐061 KB974417 Security Description of the security update for the Microsoft .NET Framework 2.0 Service Pack 2 and the Microsoft .NET Framework 3.5 Service MS09‐054 KB974455 Security Cumulative security update for Internet Explorer MS09‐055 KB973525 Security Cumulative Security Update of ActiveX Kill Bits MS09‐059 KB975467 Security Vulnerability in the Local Security Authority Subsystem Service could allow denial of service MS09‐051 KB954155 Security Description of the security update for Windows Media Audio Voice Decoder MS09‐051 KB975025 Security Description of the security update for Audio Compression Manager MS09‐056 KB974571 Security Vulnerabilities in CryptoAPI could allow spoofing MS09‐052 KB974112 Security Vulnerability in Windows Media Player could allow remote code execution MS09‐058 KB971486 Security Vulnerabilities in Windows kernel could allow elevation of privilege MS09‐062 KB958869 Security Addresses a vulnerability in Microsoft .NET MS09‐057 KB969059 Security Vulnerability in Indexing Service could allow remote code execution MS09‐061 KB953298 Security Description of the security update for the Microsoft .NET Framework 1.1 Service Pack 1 on Windows Server 2003 (32‐bit)
This list applies to systems with MSS backends with MAS software on a S8730. Common KB Article Type Description Name Number MS07‐021 KB930178 Security Vulnerability in Windows CSRSS could allow remote code execution MS07‐020 KB932168 Security Vulnerability in Microsoft Agent could allow remote code execution KB927891 Update You receive an access violation error and the system may appear to become unresponsive when you try to install an update from Windows Update or from Microsoft Update MS07‐012 KB924667 Security Vulnerability in Microsoft Foundation Classes could allow for remote code execution MS07‐034 KB929123 Security Cumulative security update for Outlook Express and for Windows Mail MS06‐078 KB925398 Security Vulnerability in Windows Media Format could allow remote code execution MS07‐039 KB926122 Security Vulnerability in Windows Active Directory could allow remote code execution MS07‐047 KB936782 Security Vulnerability in Windows Media Player could allow remote code execution MS07‐050 KB938127 Security Vulnerability in Vector Markup Language could allow remote code execution
© 2009 Avaya Inc. All Rights Reserved. Page 5 MS07‐040 KB933854 Security Vulnerabilities in the .NET Framework could allow remote code execution MS07‐058 KB933729 Security Vulnerabilities in RPC could allow denial of service
KB936357 Update A microcode reliability update is available that improves the reliability of systems that use Intel processors MS07‐061 KB943460 Security Vulnerability in Windows URI Handling could allow remote code execution MS07‐061 KB944653 Security Vulnerability in Windows URI Handling could allow remote code execution MS07‐068 KB941569 Security Vulnerability in Windows Media file format could allow remote code execution MS08‐007 KB946026 Security Vulnerability in WebDAV Mini‐Redirector could allow remote code execution MS08‐008 KB943055 Security Description of the security update for Windows 2000, for Windows XP, for Windows Server 2003, and for Windows Vista: February 12, 2008 KB948496 Update An update to turn off default SNP features is available for Windows Server 2003‐based and Small Business Server 2003‐based computers MS08‐020 KB945553 Security Vulnerability in DNS client could allow spoofing MS08‐032 KB950760 Security Critical security update of ActiveX kill bits MS08‐036 KB950762 Security Vulnerabilities in Pragmatic General Multicast (PGM) could allow denial of service MS08‐037 KB951748 Security Description of the security update for DNS in Windows Server 2003, in Windows XP, and in Windows 2000 Server (client side): July 8, 2008 MS08‐048 KB951066 Security Security update for Outlook Express and Windows Mail MS08‐046 KB952954 Security Vulnerabilities in Microsoft Windows Image Color Management could allow remote code execution MS08‐049 KB950974 Security Vulnerability in Event System could allow remote code execution MS08‐069 KB955069 Security Description of the security update for XML Core Services 3.0: November 11, 2008 MS08‐068 KB957097 Security Vulnerability in SMB could allow remote code execution MS08‐076 KB952069 Security Description of the security update for Windows Media Format Runtime 7.1, 9.0, 9.5, and 11 and Media Foundation: December 9, 2008 MS08‐076 KB954600 Security Description of the security update for Windows Media Player 6.4: December 9, 2008 MS08‐071 KB956802 Security Vulnerabilities in GDI could allow remote code execution KB955839 Update December 2008 cumulative time zone update for Microsoft Windows operating systems MS07‐017 KB925902 Security Vulnerability in GDI could allow remote code execution MS08‐066 KB956803 Security Vulnerability in the Microsoft Ancillary Function driver could allow elevation of privilege MS09‐001 KB958687 Security Vulnerabilities in SMB could allow remote code execution
© 2009 Avaya Inc. All Rights Reserved. Page 6 KB960715 Update Microsoft Security Advisory: Update Rollup for ActiveX Kill Bits MS09‐007 KB960225 Security Vulnerability in SChannel could allow spoofing MS08‐052 KB938464 Security Description of the security update for GDI+ for all editions of Windows XP, of Windows Vista, of Windows Server 2003, and of Windows Server 2008 and for Windows Server 2000 with Internet Explorer 6 SP1 MS09‐006 KB958690 Security Vulnerabilities in Windows Kernel could allow remote code execution KB967715 update How to disable the Autorun functionality in Windows MS09‐011 KB961373 Security Vulnerability in Microsoft DirectShow could allow remote code execution MS09‐012 KB956572 Security Description of the security update for Windows Service Isolation: April 2009 MS09‐012 KB952004 Security Description of the security update for MSDTC Transaction Facility: April 2009 MS09‐013 KB960803 Security Vulnerabilities in Windows HTTP services could allow remote code execution MS09‐015 KB959426 Security Blended threat vulnerability in SearchPath could allow elevation of privilege MS09‐014 KB963027 Security Cumulative security update for Internet Explorer MS09‐010 KB923561 Security Description of the update for Windows WordPad Converter: April 14, 2009 MS09‐022 KB961501 Security Vulnerabilities in the Windows Print Spooler could allow remote code execution MS09‐025 KB968537 Security Vulnerabilities in Windows Kernel could allow elevation of privilege MS09‐026 KB970238 Security Vulnerability in RPC could allow elevation of privilege KB951847 SP List of changes and fixed issues in the .NET Framework 3.5 Service Pack 1 MS09‐028 KB971633 Security Vulnerabilities in Microsoft DirectShow could allow remote code execution MS09‐032 KB973346 Security Cumulative Security Update of ActiveX Kill Bits MS09‐034 KB972260 Update Cumulative security update for Internet Explorer MS09‐010 KB923561 Security Description of the update for Windows WordPad Converter: April 14, 2009 KB890830 Tool The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows 7, Windows Vista, Windows Server 2003, Windows Server 2008, Windows XP, or Windows 2000 ‐ August 2009 MS09‐029 KB961371 Security Vulnerabilities in the Embedded OpenType Font Engine could allow remote code execution MS09‐054 KB974455 Security Cumulative security update for Internet Explorer KB925876 Update Update Remote Desktop Connection (Terminal Services Client 6.0) KB954550 Update Some Microsoft XPS features are not available in Windows Server 2003 and in Windows XP
© 2009 Avaya Inc. All Rights Reserved. Page 7 MS09‐046 KB954550 Security Vulnerability in the DHTML Editing Component ActiveX control could allow remote code execution MS09‐007 KB960225 Security Vulnerability in SChannel could allow spoofing MS08‐006 KB942830 Security Vulnerability in Internet Information Services could allow remote code execution MS08‐005 KB942831 Security Vulnerability in Internet Information Services could allow elevation of privileges KB954459 Security Description of the security update for XML Core MS08‐069 Services 6.0 KB961118 Update All the PCL inbox printer drivers become unsigned after you install the Microsoft .NET Framework 3.5 Service Pack 1 MS09‐008 KB961063 Security Description of the security update for DNS server MS09‐020 KB970483 Security Vulnerabilities in Internet Information Services (IIS) could allow elevation of privilege KB963707 Update Update to .NET Framework 3.5 SP1 for the .NET Framework Assistant 1.0 for Firefox MS09‐059 KB975467 Security Vulnerability in the Local Security Authority Subsystem Service could allow denial of service
Workaround or alternative remediation n/a Remarks n/a Patch Notes The information in this section concerns the patch, if any, recommended in the Resolution above. Backup before applying the patch n/a Download n/a Patch install instructions Service-interrupting? n/a No Verification n/a Failure n/a Patch uninstall instructions n/a Security Notes The information in this section concerns the security risk, if any, represented by the topic of this PSN. Security risks n/a Avaya Security Vulnerability Classification Not Susceptible Mitigation n/a
© 2009 Avaya Inc. All Rights Reserved. Page 8 For additional support, contact your Authorized Service Provider. Depending on your coverage entitlements, additional support may incur charges. Support is provided per your warranty or service contract terms unless otherwise specified. Avaya Support Contact Telephone U.S. Remote Technical Services – Enterprise 800-242-2121 U.S. Remote Technical Services – Small Medium Enterprise 800-628-2888 U.S. Remote Technical Services – BusinessPartners for Enterprise Product 877-295-0099 BusinessPartners for Small Medium Product Please contact your distributor. Canada 800-387-4268 Caribbean and Latin America 786-331-0860 Europe, Middle East, and Africa 36-1238-8334 Asia Pacific 65-6872-8686 Disclaimer: ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION AND IS PROVIDED “AS IS”. AVAYA INC., ON BEHALF OF ITSELF AND ITS SUBSIDIARIES AND AFFILIATES (HEREINAFTER COLLECTIVELY REFERRED TO AS “AVAYA”), DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND FURTHERMORE, AVAYA MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE STEPS RECOMMENDED WILL ELIMINATE SECURITY OR VIRUS THREATS TO CUSTOMERS’ SYSTEMS. IN NO EVENT SHALL AVAYA BE LIABLE FOR ANY DAMAGES WHATSOEVER ARISING OUT OF OR IN CONNECTION WITH THE INFORMATION OR RECOMMENDED ACTIONS PROVIDED HEREIN, INCLUDING DIRECT, INDIRECT, CONSEQUENTIAL DAMAGES, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF AVAYA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE INFORMATION PROVIDED HERE DOES NOT AFFECT THE SUPPORT AGREEMENTS IN PLACE FOR AVAYA PRODUCTS. SUPPORT FOR AVAYA PRODUCTS CONTINUES TO BE EXECUTED AS PER EXISTING AGREEMENTS WITH AVAYA. All trademarks identified by ® or TM are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners.
© 2009 Avaya Inc. All Rights Reserved. Page 9