Microsoft drops record 14 bulletins in largest-ever Patch Tuesday

It's a very busy Patch Tuesday for Windows users:  14 bulletins covering 34 serious security vulnerabilities in Internet Explorer, Microsoft Windows, Microsoft Office, Silverlight, Microsoft XML Core Services and Server Message Block.

As previously reported, eight of the bulletins are rated "critical" because of the risk of remote code execution attacks.  The other six are rated "important."

The company also released a security advisory to warn of a new elevation of privilege issue in the Windows Service Isolation feature.

Follow Ryan Naraine on Twitter.

Windows users are urged to pay special attention to these four bulletins:

  • MS10-052 resolves a privately reported vulnerability in Microsoft’s MPEG Layer-3 audio codecs. The vulnerability could allow remote code execution if a user opens a specially crafted media file or receives specially crafted streaming content from a Web site. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user.
  • MS10-055 resolves a privately reported vulnerability in the Cinepak codec that could allow remote code execution if a user opens a specially crafted media file or receives specially crafted streaming content from a Web site. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user.
  • MS10-056 resolves four privately reported vulnerabilities in Microsoft Office. The most severe vulnerabilities could allow remote code execution if a user opens or previews a specially crafted RTF e-mail message. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Windows Vista and Windows 7 are less exploitable due to additional heap mitigation mechanisms in those operating systems.
  • MS10-060 resolves two privately reported vulnerabilities, both of which could allow remote code execution, in Microsoft .NET Framework and Microsoft Silverlight.

As Computerworld's Gregg Keizer points out, the August update was the biggest ever by number of security bulletins, and its 34 individual patches equaled the single-month record.

Jonathan Ness from the MSRC Engineering team provides a useful chart that assesses the risk factors with each bulletin:

Each entry below gives the most likely attack vector, the maximum bulletin severity, the maximum Exploitability Index (1 means a consistent exploit is likely, 2 means an exploit would be inconsistent or hard to build), the likely impact in the first 30 days, and platform mitigations and key notes:

  • MS10-055 (Cinepak). Attack vector: victim browses to a malicious webpage or opens a malicious AVI movie with Media Player. Severity: Critical. Exploitability Index: 1. First 30 days: likely to see an exploit released able to exploit the vulnerability in the Cinepak codec. Notes: the vulnerable DLL does not exist on Windows Server 2003 or Windows Server 2008.
  • MS10-052 (MPEG Layer-3). Attack vector: victim browses to a malicious webpage or opens a malicious ASX file with Media Player. Severity: Critical. Exploitability Index: 1. First 30 days: likely to see an exploit released able to exploit the vulnerability in the MPEG Layer-3 codec. Notes: only Windows XP and Windows Server 2003 are vulnerable.
  • MS10-056 (Word, RTF). Attack vector: victim opens a malicious RTF file using Microsoft Word or views RTF email using Outlook 2007. Severity: Critical. Exploitability Index: 1. First 30 days: RTF exploit likely to be developed. Notes: Office 2010 is not affected. Versions of Outlook prior to 2007 did not use Word as the RTF parser, so they are not susceptible to the Outlook attack vector.
  • MS10-060 (Silverlight, .NET Framework). Attack vector: victim browses to a malicious webpage. Severity: Critical. Exploitability Index: 1. First 30 days: likely to see an exploit released able to exploit the vulnerability in Silverlight.
  • MS10-054 (SMB). Attack vector: Windows XP system compromised via an over-the-network SMB packet. Severity: Critical. Exploitability Index: 2. First 30 days: exploiting this vulnerability for code execution will be difficult. Notes: for risk by platform, see the SRD blog post on this bulletin.
  • MS10-053 (Internet Explorer). Attack vector: victim browses to a malicious website. Severity: Critical. Exploitability Index: 1 (IE6 only). First 30 days: a consistent, reliable exploit affecting IE7 or IE8 will be difficult to develop. Notes: the vulnerabilities are significantly more difficult to exploit on IE7 and IE8 due to platform mitigations.
  • MS10-051 (MSXML ActiveX). Attack vector: victim browses to a malicious website. Severity: Critical. Exploitability Index: 2. First 30 days: difficult to build a reliable exploit.
  • MS10-049 (Schannel). Attack vector: victim browses to a malicious HTTPS website. Severity: Critical. Exploitability Index: 2. First 30 days: exploiting CVE-2010-2566 for code execution will be difficult; successful attacks would result in code execution as SYSTEM, making this an attractive target despite its difficulty. Notes: Windows Vista and newer platforms are rated Important. See the two SRD blog posts on this bulletin for more information.
  • MS10-050 (Windows Movie Maker). Attack vector: victim opens a malicious MSWMM file sent via email or downloaded from a website. Severity: Important. Exploitability Index: 1. First 30 days: MSWMM exploit likely to be developed. Notes: does not affect Windows Live Movie Maker, shipped by default with Windows 7.
  • MS10-057 (Excel 2002, Excel 2003). Attack vector: victim opens a malicious XLS file sent via email or downloaded from a website. Severity: Important. Exploitability Index: 1. First 30 days: XLS exploit likely to be developed. Notes: does not affect Office 2007 or Office 2010.
  • MS10-048 (Win32k). Attack vector: attacker logged in to a machine locally exploits the vulnerability to elevate to a higher privilege level. Severity: Important. Exploitability Index: 1. First 30 days: likely to see an exploit developed for CVE-2010-1897 and potentially others.
  • MS10-058 (TCP/IP). Attack vector: a remote attacker causes the victim machine to bugcheck; an attacker logged in to the machine locally exploits the vulnerability to elevate to a higher privilege level. Severity: Important. Exploitability Index: 1. First 30 days: likely to see an exploit developed for one or both vulnerabilities. Notes: 64-bit Windows is not affected by the vulnerability allowing local elevation of privilege.
  • MS10-059 (Tracing service). Attack vector: attacker logged in to a machine locally exploits the vulnerability to elevate to a higher privilege level. Severity: Important. Exploitability Index: 1. First 30 days: likely to see proof-of-concept code released.
  • MS10-047 (Kernel). Attack vector: attacker logged in to a machine locally exploits the vulnerability to elevate to a higher privilege level. Severity: Important. Exploitability Index: 1. First 30 days: likely to see proof-of-concept code released. Notes: the security impact on Windows Server 2008 R2 and Windows 7 is limited to denial of service.
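
The chart's fields lend themselves to a mechanical deployment order, which is what a patch team actually needs on a 14-bulletin month. The Python script below is an added example, not from the article or from Microsoft: it transcribes the chart rows (severity, Exploitability Index, attack vector, platform notes) and ranks the bulletins for a given platform, dropping the ones the chart says do not apply there. The platform tokens, the three attack-vector classes and the ranking rule (severity, then Exploitability Index, then network-reachable before user-opened content before local elevation) are this example's own assumptions, as is treating the Windows Live Movie Maker note as excluding Windows 7 from MS10-050.

```python
"""Per-platform deployment order for the August 2010 bulletins (added example).

The Bulletin rows transcribe the MSRC chart; the platform tokens, vector
classes and sort rule are assumptions made for this example, not MSRC guidance.
"""
from dataclasses import dataclass, field

PLATFORMS = {"XP", "2003", "Vista", "2008", "7", "2008R2"}   # assumed tokens
SEV_RANK = {"Critical": 0, "Important": 1}
# Assumed ordering: unauthenticated network vector first, then content a user
# opens or browses to, then local elevation of privilege.
VEC_RANK = {"network": 0, "client": 1, "local": 2}
NEWER = frozenset({"Vista", "2008", "7", "2008R2"})


@dataclass
class Bulletin:
    id: str
    component: str
    severity: str                  # max bulletin severity from the chart
    xi: int                        # max Exploitability Index (1 = consistent exploit likely)
    vector: str                    # "network", "client" or "local" (assumed classes)
    only: frozenset = frozenset()          # chart: only these platforms are vulnerable
    not_affected: frozenset = frozenset()  # chart: these platforms are not affected
    severity_by_platform: dict = field(default_factory=dict)  # chart: per-platform rating
    note: str = ""


BULLETINS = [
    Bulletin("MS10-055", "Cinepak", "Critical", 1, "client",
             not_affected=frozenset({"2003", "2008"}), note="vulnerable DLL absent on 2003/2008"),
    Bulletin("MS10-052", "MPEG Layer-3", "Critical", 1, "client", only=frozenset({"XP", "2003"})),
    Bulletin("MS10-056", "Word RTF", "Critical", 1, "client", note="Office 2010 not affected"),
    Bulletin("MS10-060", "Silverlight/.NET", "Critical", 1, "client"),
    Bulletin("MS10-054", "SMB", "Critical", 2, "network", note="code execution difficult"),
    Bulletin("MS10-053", "Internet Explorer", "Critical", 1, "client", note="XI 1 is IE6 only"),
    Bulletin("MS10-051", "MSXML ActiveX", "Critical", 2, "client"),
    Bulletin("MS10-049", "Schannel", "Critical", 2, "client",
             severity_by_platform={p: "Important" for p in NEWER}, note="SYSTEM on success"),
    Bulletin("MS10-050", "Movie Maker", "Important", 1, "client",
             not_affected=frozenset({"7"}), note="Win7 ships Live Movie Maker (assumed unaffected)"),
    Bulletin("MS10-057", "Excel 2002/2003", "Important", 1, "client", note="Office 2007/2010 unaffected"),
    Bulletin("MS10-048", "Win32k", "Important", 1, "local"),
    Bulletin("MS10-058", "TCP/IP", "Important", 1, "network", note="remote bugcheck; local EoP not on x64"),
    Bulletin("MS10-059", "Tracing service", "Important", 1, "local"),
    Bulletin("MS10-047", "Kernel", "Important", 1, "local", note="DoS only on Windows 7 / 2008 R2"),
]
BY_ID = {b.id: b for b in BULLETINS}


def applies(b: Bulletin, platform: str) -> bool:
    """True unless the chart's platform notes rule this bulletin out."""
    if b.only and platform not in b.only:
        return False
    return platform not in b.not_affected


def severity_on(b: Bulletin, platform: str) -> str:
    """Severity after the chart's per-platform downgrade (e.g. MS10-049 on Vista+)."""
    return b.severity_by_platform.get(platform, b.severity)


def prioritize(platform: str) -> list[str]:
    """Bulletin IDs in deployment order for one platform.

    Sort key: severity, then Exploitability Index, then vector class, then ID
    so that the result is stable and reviewable.
    """
    if platform not in PLATFORMS:
        raise ValueError(f"unknown platform {platform!r}; expected one of {sorted(PLATFORMS)}")
    rows = [b for b in BULLETINS if applies(b, platform)]
    rows.sort(key=lambda b: (SEV_RANK[severity_on(b, platform)], b.xi, VEC_RANK[b.vector], b.id))
    return [b.id for b in rows]


def report(platform: str) -> str:
    """One line per bulletin in deployment order, for a change ticket."""
    out = [f"== {platform} =="]
    for i, bid in enumerate(prioritize(platform), 1):
        b = BY_ID[bid]
        out.append(f"{i:2d}. {bid} {b.component:<18} {severity_on(b, platform):<9} "
                   f"XI={b.xi} {b.vector:<7} {b.note}")
    return "\n".join(out)


if __name__ == "__main__":
    for p in ("XP", "2008", "7"):
        print(report(p))
```

On XP the script puts the five Critical, Exploitability-Index-1 client-side bulletins first and MS10-054 immediately after them; on Server 2008 the two codec bulletins fall out entirely and MS10-049 drops to the bottom because the chart rates it Important there. Swap the vector weighting if your servers are reachable on 445 from untrusted networks but never browse the web.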
It's interesting to note that Google researcher Tavis Ormandy is credited by Microsoft with reporting several kernel vulnerabilities that could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application.

Ormandy drew the ire of Microsoft recently over his decision to publicly disclose a code execution flaw before Microsoft could get a fix out the door.

Talkback

30 comments
  • Microsoft security is a big problem for corporate America!

    One of my good friends who manages thousands of Windows servers for a Fortune 50 corporation called me this morning. I had never heard him sound so excited in my life! He let me know that in light of this record security update, his company was planning to replace every single Dell blade in their datacenter with Xserves running Mac OS X.

    When the suits at the company ran the numbers, they found that patching the Windows servers for massive numbers of security vulnerabilities each month was costing the company millions of dollars. By switching to Xserves, they would no longer have to pay millions of dollars for a support infrastructure just to patch security vulnerabilities. As everyone knows, such issues do not, and have never existed on the Mac platform.

    The best part is this: the cost of upgrading all the ugly Dell 1U servers to new sleek, brushed aluminum Xserves was cheaper than the monthly cost of updating all the Windows servers in the datacenter!
    Trolleur
    • very nicely done!

      @Trolleur

      You're really coming along!
      SonofaSailor
    • RE: Microsoft drops record 14 bulletins in largest-ever Patch Tuesday

      @Trolleur
      Great news! I wonder why they did not decide to replace all servers with iPads. That would be way way way cooler!
      paul2011
      • RE: Microsoft drops record 14 bulletins in largest-ever Patch Tuesday

        @pauliusp
        iPad would be too big.
        They would be able to fit more iPhones in a 1U rack.
        live.tiles
    • RE: Microsoft drops record 14 bulletins in largest-ever Patch Tuesday

      @Trolleur

      So how many are going to get laid off?
      MoeFugger
    • RE: Microsoft drops record 14 bulletins in largest-ever Patch Tuesday

      @Trolleur 6/10

      Didn't go far enough into the rdf.
      rtk
    • RE: Microsoft drops record 14 bulletins in largest-ever Patch Tuesday

      @Trolleur - I'd recommend the following for you:

      Rx Stelazine 5mg tid

      Edit : Are you over 18 ? - If not, Stelazine is contraindicated.
      dev/null
    • RE: Microsoft drops record 14 bulletins in largest-ever Patch Tuesday

      @Trolleur

      I almost believed this until the part about you having friends.
      Turd Furgeson
    • RE: Microsoft drops record 14 bulletins in largest-ever Patch Tuesday

      @Trolleur
      Good luck with that.... As a systems analyst I would have to say you are mistaken to believe that the cost of replacing an entire platform within an entire IT infrastructure is less costly than patching the existing systems. If true I am sure there are more convincing business reasons behind this than simple security patches.
      ryanstrassburg
      • RE: Microsoft drops record 14 bulletins in largest-ever Patch Tuesday

        @ryanstrassburg - WSUS makes it simple :

        http://technet.microsoft.com/en-us/wsus/default.aspx
        dev/null
    • Must be Mike Cox 2.0

      @Trolleur... nt.
      Snooki_smoosh_smoosh
    • Do you realize how retarded your post sounds?

      @Trolleur
      Seriously...

      Didn't OSX have one massive patch following the CanSecWest outing this year consisting of a whopping 88 bulletins/patches?

      Since when is 34 larger than 88...?

      And how would this have saved a dime? IF your alleged friend's company has "thousands" of blade servers, wouldn't it be prudent on their part to download the patches first to ONE machine, test it to make sure they won't blow something up before deploying it on their "thousands" of systems? If so, you STILL need to pay someone to do the testing, and then pay the guy to log into each machine in order to deploy them manually. That would mean it would take longer to get those patches out to each machine.

      With Windows, you still need to do the testing, but once it's done, you've got a LOT of tools that make it easy to deploy patches to ALL of their systems automatically. It's quite painless.

      And then there's the matter of your contradiction. Do they have blade servers? Or are they 1u servers? A blade makes more sense if you've got thousands of servers. Each 10u blade enclosure can host up to 16 individual blade servers. You can therefore cram 6 additional Dell Blades into the space occupied by 10 Xserves.

      And then there's the issue of power. I would assume the bean counters would have included that in the figures. XServe systems are traditional 1u servers. Blade servers are more power efficient. Sucking up more electricity isn't very politically correct. Nor is it cheaper.

      And then there's the cost of rejiggering all the apps and services that run on those blade servers...

      And lastly... It's a data center. Who the heck gives a flying fig about what they look like? It's not like data centers are places people visit very often. Aesthetics are irrelevant.

      So please... If you're gonna troll, do a bit more homework and come up with something better.
      Wolfie2K3
      • RE: Microsoft drops record 14 bulletins in largest-ever Patch Tuesday

        @Wolfie2K3
        Oh, you fell for it.

        Do you take Mike Cox seriously too?

        For all we know, this IS Mike.
        Jkirk3279
      • Er.. Did you not read the last paragraph...?

        @Jkirk3279
        For what it's worth - I don't take Mike Cox seriously. The thing is with Mike Cox's posts - the way he puts things - it's a bit more believable. Outrageous to the nth degree, yes, but there's at least a semblance of "well, it could happen". This guy's posts are weak at best.

        And besides... If this were Mike, he would include something about his Apple rep, some fine dining and possibly a cigar.
        Wolfie2K3
    • RE: Microsoft drops record 14 bulletins in largest-ever Patch Tuesday

      @Trolleur
      You and your friend are mistaken. Purchasing new equipment is a capital expense, and software maintenance (including patching) is an operating expense. The two are treated differently. And... if the existing Dell servers have depreciation left, they would likely be sold for less than current value, meaning the company would lose money.

      What about the cost of re-training the staff that supports the servers on a completely new platform? If your friend's company is a primarily Windows environment, I seriously doubt that all their internal, critical business applications could easily be ported to OSx, nor could they be without additional high costs.

      I could go on and on, but ultimately, I'm not buying what you're selling.
      smtp4me@...
    • RE: Microsoft drops record 14 bulletins in largest-ever Patch Tuesday

      @Trolleur

      I'll give it a 9. Only because you didn't work in a mention of your Microsoft Rep going on a drinking binge from despair...

      The irony is that incorporating Xserves into your fictional server farm could create a firewall effect.

      Mac OS X Server isn't vulnerable to the SAME exploits. I think you could design a system that would prevent your network from going down in the event of an exploit.
      Jkirk3279
  • RE: Microsoft drops record 14 bulletins in largest-ever Patch Tuesday

    Big deal. Only 14? That is a pretty small number. Since they all get downloaded at once it's really just like only installing 1 patch, which is quite impressive for any operating system, and since Microsoft achieved this difficult feat they should be given big props.
    Loverock Davidson
    • RE: Microsoft drops record 14 bulletins in largest-ever Patch Tuesday

      @Loverock Davidson : I agree. 14 bulletins but under 50 MB [if you exclude the standard updates]. Seen last month's updates from Oracle? Massive! Even worse. Download the latest update for OS X? 607 MB! [That depends on what; it can go over 800 MB.] Do that 6-8 times a year.
      Gis Bun
      • Other crappy software...

        used to justify crappy software. Some of us would like to see a software company actually interested in setting the bar, not squeezing under a bar set by someone else and claiming victory. There's nothing worse than a market that accepts "yeah, we know it's crap, but it's better than the crap over there". At the end of the day, there aren't degrees of crap...crap is crap.
        jasonp@...
      • The reality is there is no perfect software.

        @jasonp@...: "There's nothing worse than a market that accepts 'yeah, we know it's crap, but it's better than the crap over there'."

        Holding software vendors to an unrealistic standard is foolish.
        ye