Patch Tuesday: Critical flaws haunt Microsoft Office, IE browser
The Internet Explorer bulletin (MS10-071) fixes a total of 12 vulnerabilities and because of the risk of zero-click drive-by download attacks, Microsoft is urging Windows users to apply this patch immediately.
Windows users should also pay special attention to MS10-076, which covers a serious flaw in the way the operating system handles embedded OpenType (EOT) fonts. This update is rated "critical" for all versions of Windows (including Windows 7 and Windows Server 2008) and can be exploited to launch remote code execution attacks if a computer user simply surfs to a booby trapped Web site.
Microsoft also urged system administrators to treat these bulletins with the highest priority:
- MS10-077: Addresses a vulnerability in .NET Framework that could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs). This bug only affects 64-bit systems on all supported versions of Windows.
- MS10-075: Fixes a vulnerability in Windows Media Player that could be exploited via malicious RTSP network packets to Windows Vista and Windows 7 client on the same network. This only affects Windows users who has opted-in to Windows Media Network Sharing service. However, keep in mind that Windows 7 Home Edition opts-in by default.
The Microsoft Office productivity suite also underwent a major security makeover in this month's patch batch. Two of the 16 bulletins address a whopping 26 vulnerabilities in Microsoft Office.
According to Microsoft, some of these Office flaws can be exploited via rigged .doc or .xls (Word or Excel files).
According to Jason Miller, data and security team leader at Shavlik Technologies, Microsoft has released a total of 86 new security bulletins in 2010.
Compared to previous years, you can see this number has far exceeded any previous total:
- 2009 - Total 74 security bulletins
- 2008 - Total 78 security bulletins
- 2007 - Total 69 security bulletins
Miller notes that there are three bulletins this month that affect 3rd party (non-Microsoft) software.
"With these bulletins, vulnerabilities exist in the Microsoft operating system. However, Microsoft software is not affected and cannot be exploited. An attacker must try to exploit the third party product on unpatched systems. MS10-081 and MS10-082 affect non-Microsoft web browsers. MS10-074 affects third party zip programs. Patching the operating system will close these vulnerabilities," Miller said.
Here's a handy cheat sheet from Microsoft's security research and defense team to help you assist the risks involved with each bulletin.
| Bulletin | Most likely attack vector | Max Bulletin Severity | Max exploit-ability | Likely first 30 days impact | Platform mitigations and key notes |
| MS10-071 (IE) | Victim browses to a malicious webpage. | Critical | 1 | Likely to see a code execution exploit developed for memory corruption vulnerabilities. | Neither IE7 nor IE8 vulnerable to CVE-2010-3326, one of the two Critical issues addressed by this security bulletin. |
| MS10-076 (EOT) | Victim browses to a malicious webpage. | Critical | 1 | Likely to see an exploit released for older platforms | ASLR on Windows Vista and later operating systems makes building a successful exploit for code execution much more difficult. |
| MS10-077 (.Net Framework) | Victim running 64-bit Windows browses to a malicious webpage. Also could be used by malicious attacker allowed to run ASP.Net code on 64-bit IIS server to run arbitrary code. | Critical | 1 | Likely to see an ASP.Net exploit released capable of running arbitrary code. | 32-bit platforms not affected. |
| MS10-075 (WMP) | Attacker sends malicious RTSP network packet to Windows Vista and Windows 7 client on the same network who has opted-in to Windows Media Network Sharing service. Only Windows 7 Home Edition opts-in by default. | Critical | 1 | Likely to see a code execution exploit developed. Unlikely to see wide-spread exploitation due to feature being accessible only on local subnet and being off-by-default on most versions of Windows. | Service is reachable only by machines on local subnet. |
Domain-joined machines are not vulnerable by default.
Feature is on-by-default only for Windows 7 Home Edition. MS10-073 (Win32k.sys) Attacker running code on a machine already elevates from low-privileged account to SYSTEM. Important 1 Stuxnet malware currently leverages this vulnerability for local elevation of privilege if run on Windows XP. The local elevation of privilege vulnerability used by Stuxnet (CVE-2010-2743) reachable only on Windows XP, not later platforms. MS10-082 (WMP) No remote attack vectors using Microsoft software.
Victim using a 3rd party browser could be vulnerable when browsing to a malicious webpage. Important 1 Likely to see a code execution exploit developed. Internet Explorer users are not vulnerable. MS10-081 (Comctl32) No known attack vectors using Microsoft software.
Victim using a 3rd party image viewer could be vulnerable when browsing to a malicious webpage. Important 1 Likely to see a code execution exploit developed. No attack vectors if using only Microsoft software.
See this SRD blog post for more information. MS10-079 (Word) Victim opens a malicious .DOC file Important 1 Likely to see a code execution exploit developed. Nine of the eleven issues affect only Office 2002 and Office for Mac platforms. MS10-080 (Excel) Victim opens a malicious .XLS file Important 1 Likely to see a code execution exploit developed. Excel 2010 not vulnerable.
Ten of the thirteen issues affect only Office 2002 and Office for Mac platforms. MS10-084 (LPC) Attacker running code on a machine elevates from low-privileged account to SYSTEM. Important 1 Proof-of-concept publicly released already. MS10-078 (OTF font) Attacker running code on a machine elevates from low-privileged account to SYSTEM. Important 1 Likely to see a code execution exploit developed. MS10-083 (COM) Victim opens a malicious Wordpad document or malicious shortcut file, instantiating a COM object that would otherwise not run. Important 1 May see proof-of-concept code developed. MS10-072 (SafeHTML) Attacker submits malicious HTML to a server, bypassing SafeHTML’s sanitization code. The malicious HTML is subsequently displayed to a victim, resulting in potential information disclosure. Important 3 No chance for direct code execution. MS10-085 (SChannel) Attacker sends a malicious client-side certificate to an IIS server, causing it to restart. Important 3 No chance for code execution. Affects only IIS servers that enabled SSL support. MS10-074 (MFC) Victim uses an application built using MFC to open untrusted content. No Microsoft attack vectors. Moderate n/a No known Microsoft attack vectors.
See this SRD blog post for more information. MS10-086 (Cluster Disk Setup) Attacker tampers with files to which they would otherwise not have access due to incorrect ACL’s assigned during the setup of shared cluster disks. Moderate n/a See this SRD blog post for more information about this vulnerability.