MS Patch Tuesday heads-up: 13 bulletins, 26 vulnerabilities

Summary: According to an advance notice from Microsoft, five of the 13 bulletins will be rated "critical" because of the risk of remote code execution attacks.

Microsoft's February batch of security patches will be a biggie -- 13 bulletins with fixes for a whopping 26 vulnerabilities.

According to an advance notice from the Redmond, Wash. software vendor, five of the 13 bulletins will be rated "critical" because of the risk of remote code execution attacks.

[ SEE: Microsoft confirms 17-year-old Windows vulnerability ]

The majority of the vulnerabilities affect the company's flagship Windows operating system while the others will deal with security holes in the Microsoft Office productivity suite.

This chart details the affected OS versions and severity ratings for the bulletins, which will be released next Tuesday (February 9, 2010).

While the details of the vulnerabilities will be kept a secret until Patch Tuesday, Microsoft says one of the bulletins will address a known privilege escalation flaw (see advisory) in the Windows kernel.

That vulnerability was publicly disclosed by a Google security researcher who released code to demonstrate the risk of privilege escalation attacks that affect every release of the Windows NT kernel -- from Windows NT 3.1 (1993) up to and including Windows 7 (2009).

[ SEE: Microsoft warns of new IE data-leakage vulnerability ]

Microsoft has already warned that a malicious hacker could exploit this vulnerability to run arbitrary code in kernel mode.  For an attack to be successful, the attacker must have valid logon credentials. The flaw does not affect Windows operating systems for x64-based and Itanium-based computers.

There are at least two open, publicly known vulnerabilities that will NOT be patched this month. They are the most recent Internet Explorer data leakage bug (see advisory) detailed at Black Hat DC and a denial-of-service vulnerability in the Server Message Block (SMB) protocol.

[ SEE: Microsoft confirms 'detailed' Windows 7 exploit ]

Exploit code for the SMB flaw was released by researcherFollowing the publication of stop responding until manually restarted.

Talkback

123 comments
  • "Sun rises; ZD Net experts predict "likely to set".

    Is this even news anymore?
    jpdemers@...
    • Nothing new, only more windows stinkage

      We're used to it.

      Windows: Stink, stank, stunk.
      The Mentalist
    • Amen

      It's gotten old and boring.
      maskman01
      • These constant failures in an OS backed by a multi billion dollar company..

        ..have gotten old and boring, even longer ago.
        AzuMao
        • Here is some cheap entertainment then

          http://www.ubuntu.com/usn

          Oh, and I missed this part in the shiny new kernel patch that has just been released:

          ATTENTION: Due to an unavoidable ABI change (except for Ubuntu 6.06) the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed.

          Can this be done without rebooting the system?
          Earthling2
          • Entertaining indeed..

            ..watching Windows users squirm and wish their
            vulnerabilities got fixed nearly as fast.

            And to your question; yes (http://www.linux-mag.com/cache/7403/1.html).

            Can the same be said for Windows?
            I bet that even if you had the technical prowess to
            reverse engineer the Windows kernel and all of the
            patches to it, you still wouldn't be able to,
            for legal reasons, so good luck with that.
            AzuMao
          • RE: Ubuntu USN

            Yeah, I guess some people prefer that MSFT doesn't patch their system... or will only be happy if MSFT dries up and blows away...

            Every OS needs patching. A static OS is a static target.
            bb_apptix
          • No, but they would prefer that MSFT patched their system..

            ..when they were made aware of vulnerabilities,
            and working exploit code was published to use
            them, and actively in use for over two weeks.
            AzuMao
        • Computing enjoyment for the whole family.

          I think as people move on in computing, it becomes more of a hobby than just a tool. At this point the individuals start buying multiple computers and begin setting up family and friends with systems. Another aspect of this stage is the value concept of computing.

          The people involved may be of an income level to easily afford thousands of dollars for hardware and software, but there may be no justifiable reason to do so. After all, the hardware will eventually become obsolete or wear out.

          This ability to value shop works well in a business environment as well. Essentially, thousands of dollars can be saved per workstation with no loss of functionality.

          For example, last week I bought the following computer from Geeks.com to work as a family computer.

          New HP de-branded desktop with no OS
          320GB Hard Drive
          2 GB DDR2
          5.1 integrated sound card

          AMD X2 7550 dual core processor 2.6 GHz (64-bit)
          (the CPU has 450 million transistors)

          CD DVD DL rewritable drive
          Keyboard and mouse

          Cost: $239.00 + $1.99 S+H (Fed Ex Ground shipping)

          I had previously purchased a 19" Acer Wide screen monitor from Tiger Direct for $139.00 with free s+h

          I installed Linux Mint 8 in 15 minutes and had full functionality in a few more minutes. I generally install the following from the Linux Mint Software Portal:

          Opera, Google Earth, K3b (CD Burner), Xgine media player, VCI media player, and a few others.

          Also, Google Chrome and LimeWire have specific downloads for Linux Mint. (.deb extension for the installation file).

          It turned out to be a very fast system.

          To show how simple it is to get features, look at the following commands typed into the terminal window (like the command prompt in Windows).

          This program allows you to download the .flv flash videos from Youtube.com on your hard drive and play them independently on your computer. The ability to isolate videos is very important. If you have kids or send YouTube links to friends, you will notice that an astonishing number of videos have very vulgar comments (that Youtube does NOT remove). These comments can be extremely offensive and placed in the most innocuous videos.

          To install the program:

          sudo apt-get install youtube-dl

          To download the YouTube videos:

          youtube-dl -b -o fxxx.flv yxxx

          Where "fxxx.flv" is the filename you want with a .flv extension.

          "Yxxx" is the Youtube URL for that particular video. (copy and paste in)

          Mint will play the .flv videos natively, but if you want to share the files with Windows users, you need to download a free player from the net.
          Joe.Smetona
          • Most people are immensely turned off by the idea of any form of CLI, though

            , and might get the wrong impression from your
            post.

            There are GUIs available by default in most
            distros nowadays, such as the Synaptic Package
            Manager in Mint and Ubuntu (and many others), that
            can be used instead if desired.
            AzuMao
          • RE: Computing enjoyment for the whole family

            Sure, tell this to your Aunt Rosie and watch her eyes glaze over. She'll be longing for Windows.

            "To install the program:
            sudo apt-get install youtube-dl
            To download the YouTube videos:
            youtube-dl -b -o fxxx.flv yxxx
            Where "fxxx.flv" is the filename you want with a .flv extension.

            "Yxxx" is the Youtube URL for that particular video. (copy and paste in)

            Mint will play the .flv videos natively, but if you want to share the files with Windows users, you need to download a free player from the net. "
            bb_apptix
          • It's just an example.

            It's actually very convenient. My daughter does
            it all the time. Kids today are computer
            literate, so they pick up very quickly.

            It's the same as using the command prompt. I'm
            sure most Windows users have never heard of the
            command prompt either.

            It depends on what circles you are in, but there
            are plenty of menu driven applications,
            naturally. Mint is so close to Windows, a lot
            of people would not know the difference.
            Joe.Smetona
          • Did you miss my post, or just willfully ignorant?
            AzuMao
          • He's just posting stale, old (false) propaganda.

            99 percent of the anti-Linux posters at ZDNet
            have never even used it. They are not players,
            but act like they have some valuable inside
            information.

            It's similar to Rush L., who flunked out of
            college in his first semester while also
            flunking ballroom dancing, but he has a lot of
            loyal followers. He has to act like he has some
            valuable information that no one else thought of
            to gain credibility. He doesn't know the
            difference between the Constitution and the
            Declaration of Independence (Limbaugh Misquotes
            Constitution During CPAC Speech). I'm constantly
            amazed how people can blindly follow outright
            propaganda with no actual basis in truth.

            In Windows, I have (all) my programs executed
            from batch files that give either high or
            realtime priority and run in separate memory
            space. So I write my own batch files to do this.
            My computer has 8 separate pack downs/defrag
            operations scheduled during the night and it
            runs "ProcessIdle Tasks API" concurrently with
            the pack downs. Just before I come in, it sets
            up a chkdsk and automatically reboots to start
            the process. All I have to do is log on.

            Typing in the above Linux command is easier than
            using any GUI.
            Joe.Smetona
    • What kind of fool goes to a blog expecting news???

      A complete moron....

      No jpdemers, it's not news anymore.. But some of us who have to admin winblows servers appreciate it when Ryan suffers the eye strain of reading and summarizing those lame MS bulletins on our behalf...

      Granted I don't Patch mine until after "WTF Wednesday"... But I still appreciate the cliff notes version of the bulletins.

      And now for my second question...

      What kind of fool reads and responds to a blog he claims to care nothing about???

      Is this blog cramping your non-existent style??? Is it hurting you in some obsessive compulsive way that makes you feel insecure? Millions of Americans have given their lives for our freedom... Appreciate it, embrace it, and exercise your freedom not to read, and then go the F away... Go tell your mother she needs you... Because this blog was not written for you... It was written for me and thousands of others like me, who appreciate the cliff notes version of a MS bulletin.
      i8thecat
  • RE: MS Patch Tuesday heads-up: 13 bulletins, 26 vulnerabilities

    Microsoft does it again, right on schedule and there is this many fewer vulnerabilities to worry about. Administrators can plan accordingly if they haven't already done so. Go Microsoft!
    Loverock Davidson
    • well after a 17 year wait...

      ... I don't know how you define "on time"!
      ismoore
      • Before you get too smug, the *N*X DNS bug ...

        Has been around for a VERY long time too. And as so many of the ABM crowd like to point out, since *N*X runs the entire internet, this issue was FAR more impactful and more dangerous to EVERYONE running ANY OS and ANY browser on ANY machine ANYWHERE in the world. Right?

        http://www.linuxjournal.com/content/understanding-kaminskys-dns-bug
        de-void-21165590650301806002836337787023
        • DNS is not Unix / Linux; it's everybody

          I read the Linux Journal article you so kindly
          referenced. The DNS exploit is not associated
          with any OS, although most DNS servers are in
          fact hosted on Linux systems. But the exploit
          is (was?) effective on ALL DNS servers, be they
          Win, Linux, Unix, Mac, or even VIC-20.

          ...

          (OK, there aren't any VIC-20 DNS servers.)
          parl
          • But the fact that it's existed in *N*X for many decades ...

            ... since the dawn of the internet while still at ARPA in fact was the meta-point.

            Yes, this issue was actually a flaw in the DNS protocol, but the fact that the implementation of the flaw was present in *N*X for many decades highlights just how hard to find and fix some issues actually are.
            de-void-21165590650301806002836337787023