Patch Tuesday: Critical flaws haunt Microsoft Office, IE browser

Summary: Microsoft dropped its largest ever batch of security patches today to cover a record 49 security vulnerabilities, including several browser flaws that could expose Internet Explorer users to drive-by malware downloads.

The Internet Explorer bulletin (MS10-071) fixes a total of 12 vulnerabilities and because of the risk of zero-click drive-by download attacks, Microsoft is urging Windows users to apply this patch immediately.

Windows users should also pay special attention to MS10-076, which covers a serious flaw in the way the operating system handles embedded OpenType (EOT) fonts.  This update is rated "critical" for all versions of Windows (including Windows 7 and Windows Server 2008) and can be exploited to launch remote code execution attacks if a computer user simply surfs to a booby trapped Web site.

Microsoft also urged system administrators to treat these bulletins with the highest priority:

  • MS10-077: Addresses a vulnerability in .NET Framework that could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs).  This bug only affects 64-bit systems on all supported versions of Windows.
  • MS10-075: Fixes a vulnerability in Windows Media Player that could be exploited via malicious RTSP network packets sent to Windows Vista and Windows 7 clients on the same network.  This only affects Windows users who have opted in to the Windows Media Network Sharing service.  However, keep in mind that Windows 7 Home Edition opts in by default.

The Microsoft Office productivity suite also underwent a major security makeover in this month's patch batch.  Two of the 16 bulletins address a whopping 26 vulnerabilities in Microsoft Office.

According to Microsoft, some of these Office flaws can be exploited via rigged .doc or .xls files (Word or Excel).

According to Jason Miller, data and security team leader at Shavlik Technologies, Microsoft has released a total of 86 new security bulletins in 2010.

Compared to previous years, you can see this number has far exceeded any previous total:

  • 2009 - Total 74 security bulletins
  • 2008 - Total 78 security bulletins
  • 2007 - Total 69 security bulletins

Miller notes that there are three bulletins this month that affect 3rd party (non-Microsoft) software.

"With these bulletins, vulnerabilities exist in the Microsoft operating system. However, Microsoft software is not affected and cannot be exploited. An attacker must try to exploit the third party product on unpatched systems. MS10-081 and MS10-082 affect non-Microsoft web browsers. MS10-074 affects third party zip programs. Patching the operating system will close these vulnerabilities," Miller said.

Here's a handy cheat sheet from Microsoft's security research and defense team to help you assess the risks involved with each bulletin.

| Bulletin | Most likely attack vector | Max Bulletin Severity | Max exploitability | Likely first 30 days impact | Platform mitigations and key notes |
|---|---|---|---|---|---|
| MS10-071 (IE) | Victim browses to a malicious webpage. | Critical | 1 | Likely to see a code execution exploit developed for memory corruption vulnerabilities. | Neither IE7 nor IE8 vulnerable to CVE-2010-3326, one of the two Critical issues addressed by this security bulletin. |
| MS10-076 (EOT) | Victim browses to a malicious webpage. | Critical | 1 | Likely to see an exploit released for older platforms | ASLR on Windows Vista and later operating systems makes building a successful exploit for code execution much more difficult. |
| MS10-077 (.Net Framework) | Victim running 64-bit Windows browses to a malicious webpage. Also could be used by malicious attacker allowed to run ASP.Net code on 64-bit IIS server to run arbitrary code. | Critical | 1 | Likely to see an ASP.Net exploit released capable of running arbitrary code. | 32-bit platforms not affected. |
| MS10-075 (WMP) | Attacker sends malicious RTSP network packet to Windows Vista and Windows 7 client on the same network who has opted-in to Windows Media Network Sharing service. Only Windows 7 Home Edition opts-in by default. | Critical | 1 | Likely to see a code execution exploit developed. Unlikely to see wide-spread exploitation due to feature being accessible only on local subnet and being off-by-default on most versions of Windows. | Service is reachable only by machines on local subnet. Domain-joined machines are not vulnerable by default. Feature is on-by-default only for Windows 7 Home Edition. |
| MS10-073 (Win32k.sys) | Attacker running code on a machine already elevates from low-privileged account to SYSTEM. | Important | 1 | Stuxnet malware currently leverages this vulnerability for local elevation of privilege if run on Windows XP. | The local elevation of privilege vulnerability used by Stuxnet (CVE-2010-2743) reachable only on Windows XP, not later platforms. |
| MS10-082 (WMP) | No remote attack vectors using Microsoft software. Victim using a 3rd party browser could be vulnerable when browsing to a malicious webpage. | Important | 1 | Likely to see a code execution exploit developed. | Internet Explorer users are not vulnerable. |
| MS10-081 (Comctl32) | No known attack vectors using Microsoft software. Victim using a 3rd party image viewer could be vulnerable when browsing to a malicious webpage. | Important | 1 | Likely to see a code execution exploit developed. | No attack vectors if using only Microsoft software. See this SRD blog post for more information. |
| MS10-079 (Word) | Victim opens a malicious .DOC file | Important | 1 | Likely to see a code execution exploit developed. | Nine of the eleven issues affect only Office 2002 and Office for Mac platforms. |
| MS10-080 (Excel) | Victim opens a malicious .XLS file | Important | 1 | Likely to see a code execution exploit developed. | Excel 2010 not vulnerable. Ten of the thirteen issues affect only Office 2002 and Office for Mac platforms. |
| MS10-084 (LPC) | Attacker running code on a machine elevates from low-privileged account to SYSTEM. | Important | 1 | Proof-of-concept publicly released already. | |
| MS10-078 (OTF font) | Attacker running code on a machine elevates from low-privileged account to SYSTEM. | Important | 1 | Likely to see a code execution exploit developed. | |
| MS10-083 (COM) | Victim opens a malicious Wordpad document or malicious shortcut file, instantiating a COM object that would otherwise not run. | Important | 1 | May see proof-of-concept code developed. | |
| MS10-072 (SafeHTML) | Attacker submits malicious HTML to a server, bypassing SafeHTML’s sanitization code. The malicious HTML is subsequently displayed to a victim, resulting in potential information disclosure. | Important | 3 | No chance for direct code execution. | |
| MS10-085 (SChannel) | Attacker sends a malicious client-side certificate to an IIS server, causing it to restart. | Important | 3 | No chance for code execution. | Affects only IIS servers that enabled SSL support. |
| MS10-074 (MFC) | Victim uses an application built using MFC to open untrusted content. No Microsoft attack vectors. | Moderate | n/a | No known Microsoft attack vectors. | See this SRD blog post for more information. |
| MS10-086 (Cluster Disk Setup) | Attacker tampers with files to which they would otherwise not have access due to incorrect ACL’s assigned during the setup of shared cluster disks. | Moderate | n/a | | See this SRD blog post for more information about this vulnerability. |


Talkback

  • Well... Well... Well...

    All of these security holes target Windows 7, and as Microsoft keeps developing Windows OS's. You'll have to upgrade to Windows 8 in a couple months. The rest of us using Windows XP and Linux Distros will be completely at ease knowing we're safe since mal-ware usually attacks the latest OS's. :) Long live Micro$oft and all its fanboxes.
    Toque_3D
    • RE: Patch Tuesday: Critical flaws haunt Microsoft Office, IE browser

      @Toque_3D I've been seriously considering Linux for my next machine. Not only for security reasons, but also because Windows has become such a posterior pain.
      neverhome
      • RE: Patch Tuesday: Critical flaws haunt Microsoft Office, IE browser

        @neverhome

        Welcome to the `Windows free` club. You will appreciate the additional CPU capacity freed up by not having to run real time A/V scans in order to protect your machine. The time wasted in keeping AA/V signatures updated will be an added benefit. You may actually find using a Linux box more enjoyable.
        fatman65535
      • You mean just like Windows.

        @fatman65535: [i]You will appreciate the additional CPU capacity freed up by not having to run real time A/V scans in order to protect your machine. The time wasted in keeping AA/V signatures updated will be an added benefit. You may actually find using a Linux box more enjoyable.[/i]

        I'm not seeing a benefit from Linux in this regard.
        ye
      • RE: Patch Tuesday: Critical flaws haunt Microsoft Office, IE browser

        [i]I'm not seeing a benefit from Linux in this regard.[/i]

        And you never will, ye. Not with those kinds of blinkers.
        ahh so
      • What "blinkers" are you referring to?

        @ahh so: [i]And you never will, ye. Not with those kinds of blinkers.[/i]
        ye
      • RE: Patch Tuesday: Critical flaws haunt Microsoft Office, IE browser

        [i]What "blinkers" are you referring to?[/i]

        LOL... See? There ya go. 'Nuff said.

        more LOL.... :D
        ahh so
    • RE: Patch Tuesday: Critical flaws haunt Microsoft Office, IE browser

      @Toque_3D
      You are so right. Windows XP goes on and on. While Windows 7 will soon be forgotten when #8 comes out. Out with the old and in with the new is Gates' motto. So the people who paid for Windows 7 will have to pay for Windows 8 too. XP users get to save their cash.
      jackie33
      • RE: Patch Tuesday: Critical flaws haunt Microsoft Office, IE browser

        @jms29@... : "Xp users get to save their cash." For now anyway. If MS is ever successful at finding something the masses will accept, we'll find them quickly forcing XP into obsolescence exactly as they did with China about a year ago and also the dev-ware that made it so easy for them to obsolete it. A lot of people with legit subscriptions had to buy two more in a row at non-competitive pricing in order to stay in the game over the course of two years, myself included, but ... I knew/know how to get the legit packages through other routes.
        There are STILL also a lot of vendors who, if asked, will pre-install XP for you and give you both win7 and XP disks. Haven't checked in a long time but I bet even Dell would still do it. As of December they were forced to stop advertising same, but you could still ask for it and get it. I have one right here in front of me; a T3400 3 GHz 8 Gig RAM (yeah, xp only used the ~3.7 Gig) workstation. So if I do get pushed out of XP I'll at least still have the legal win7 available; unless they obsolete it, too<g>. Backup, backup, backup, and then backup again, and again, and ... .
        twaynesdomain-22354355019875063839220739305988
    • RE: Patch Tuesday: Critical flaws haunt Microsoft Office, IE browser

      @Toque_3D Congratulations, you've just repeated the same B.S. that all Linux fanbois have been repeating for the last 10 years. And yet still nobody is listening. Funny part is you guys still have no clue as to why.

      Hint: Linux is NOT safe.
      Narg
      • RE: Patch Tuesday: Critical flaws haunt Microsoft Office, IE browser

        @Narg - yes and no.

        Linux is not perfectly bullet proof. But it's just as safe as any current OS on the market ("free" or at a cost).

        The justification for that statement: All current operating systems get patches, so yes, all the Linux and Mac fanbois who say their OS is safe from any nasty issues need to stop drinking the "company" koolaid. Oh, and go to their update manager and run it and get all the latest patches installed on their systems. :)

        Note: I put "free" in quotes (regarding Linux) because while it may not cost you any money to get to the download link, there is a learning curve and also there's hunting down the apps to replace your Windows apps, and then there's another learning curve. And if you want REAL tech support, you have to pay for it. The internet is a great place to find help, but when I first installed Linux, it was a pain in the backside.

        And yes, I use all three of the current OS's in my household, Windows, Linux and OS X Snow Leopard.
        PollyProteus
      • RE: Patch Tuesday: Critical flaws haunt Microsoft Office, IE browser

        @Narg : Agreed, it is not. And it comes pre-loaded with a lot of jump-hoops to jump thru to get it to anything but what the flavor had installed by default; Gimp, OOo and a couple games along with Kompozer or whatever it is. Don't you just have to love the 'nix naming system? Quote from a 'nix developer: "Intuitive interface/naming? What's that?"
        Yes, I dabble in Linux and have installed the latest security updates. Have YOU if you use Linux? Once you've tried to extend 'nix in any way, you'll quickly long for the days of windows. I sort of like Linux, but until they come up with the right drivers for some things and get programs ported to Linux, it'll never make it to the limelight here. Linux is specialized and for the man on the street, only a newbie who doesn't know better would think it was good, at least until they tried to change something. But I'd switch to it in a second if they only had an answer to the above issues. Hopefully at least the Open Documentation group will take care of a few of the shortcomings but that won't help with drivers that don't exist for some specialized and significantly high priced applications. It's a real catch-22 IMO.
        twaynesdomain-22354355019875063839220739305988
      • RE: Patch Tuesday: Critical flaws haunt Microsoft Office, IE browser

        @Narg says:
        [i]Hint: Linux is NOT safe.[/i]

        Hint: Please cite.
        ahh so
      • RE: Patch Tuesday: Critical flaws haunt Microsoft Office, IE browser

        @Narg Ok Fanboy give me reasons Linux is not safe? You And LD YE must be a happy family!! LOL You are Great! Linux use 4 years (no problems) Windows use 15 year LOTS of problems! Hmm You are LD!! Nice :)
        mintalaska
    • RE: Patch Tuesday: Critical flaws haunt Microsoft Office, IE browser

      @Toque_3D - Put down the koolaid and run your update manager, it's obvious that you've been neglecting your Linux boxes since there ARE security updates fairly often. I run it about every two weeks and it never fails to find updates for Linux.
      PollyProteus
    • Master Joe Says...Where To Begin

      @Toque_3D Let's consider the following:

      Linux either has no regular upgrade cycle, many of which go YEARS AND YEARS without an upgrade. Or, they have a somewhat regular upgrade cycle, such as Ubuntu, where you have to upgrade every 6 months, if you want to stay on the most current OS. One extreme or the other, it's still bad.

      Second, to claim that you are "safe" on Linux cracks me up. Windows holds over 90% of the market share. Therefore, a person creating malicious code is going to target Windows because that is the OS that will get them the most infected PCs or data back if it is an attack to retrieve personal information. But, there are a lot more eyes on Windows to help secure it as well. If Linux were to ever hold that kind of market share (it won't happen in my lifetime), I would be willing to bet that there would be a lot more security vulnerabilities haunting Linux. Remember what happened when Apple claimed they had a "secure" OS? Does Month of Bugs ring a bell? If not, it was a blog posting, where one bug was published every single day for a month in the Mac OS. By the way, I recall an Apple patch released not six months ago which patched 79 vulnerabilities in their software. So, to claim that this is all about the insecurity of Windows is almost as dumb as to claim that Linux is so much better. If it were, it would have caught on. It has had 20 years to do so, and has barely managed to claw a 1% market share. Linux can't even take the 2nd place position away from Apple's Mac OS, and yet they continue to talk about how much better than Windows they are. The majority of PC users apparently disagree, and they have for the past 2 decades, and they likely will for decades to come. But, keep beating your head against that wall. It's entertaining, at least.

      --Master Joe
      SteelCityPC
      • RE: Patch Tuesday: Critical flaws haunt Microsoft Office, IE browser

        @MasterJoe I call BS on all points.

        http://voices.washingtonpost.com/securityfix/2009/10/avoid_windows_malware_bank_on.html
        SpikeyMike
      • RE: Patch Tuesday: Critical flaws haunt Microsoft Office, IE browser

        That's the thing about these windoze fanbuis. They know more about Linux than the Linux users themselves. Go figure.
        ahh so
    • RE: Patch Tuesday: Critical flaws haunt Microsoft Office, IE browser

      @Toque_3D : Exactly my own thoughts. I'm surprised it's happening so "early", but ... dummies are buying the hogwash hype about win7 and how great it is, considering it's nothing much more than a re-defaulted Vista and an appearance change, probably with a few bug fixes. I'm happy to see it though, just as I was with 98 when XP came out. Saved a lot of headaches by waiting for the first onslaught of fixes for it before using it. I still have the articles from ZDNet about the Vista-7 likenesses. Everything ends up in the archives; mine, I mean. A new, learning curved OS is exactly what the spoilers love to come across though.

      Cheers,
      twaynesdomain-22354355019875063839220739305988
      • RE: Patch Tuesday: Critical flaws haunt Microsoft Office, IE browser

        @twaynesdomain

        You can't both be something and not be something... Windows 7 has pulled a lot from Vista, but it is still its own structure. Furthermore, Vista, although it had a horrid beginning--because of the drastic difference between it and XP (as it should be since XP wasn't made for the internet threats that occurred after its inception), much hardware--and many users for that matter--weren't ready for it. From other people who have stuck with Vista, SP2 fixed many issues and provided a much stabler experience.

        There are a lot of likenesses. If you have Vista, stay with it...although I still find 7 to be much faster and able to provide more production. I may not be as ready to jump on Win8, but if I have the money--and hardware to take advantage of it--I just might.

        To me, it makes no sense to have a state of the art machine, with a clearly inferior OS such as XP...

        As a matter of fact I see your embrace of Toque's comment, but the end of your comment isn't as clear.

        Thus:

        If you're staying on the XP bandwagon or considering Linux...sounds good (I run Win 7 HP-64, Ubuntu 10.10, OSX, and XP), but don't avoid Windows 7 as if you're saving yourself any security headaches, being that Windows XP will probably go down in history as one of the most attacked OSes ever...primarily because it wasn't built for network security, it was built for usability...(usability correlates to vulnerability, simply because many things are automated and dependent on one another...if [this], then [this, this, this, this, and this] to provide you a particular function... that you would've had to type four or five lines of code to otherwise do...

        This is one of the reasons that Linux folks are safer, but by no means are they impervious... That's ridiculous. If you're on a network that leads to the web, you're vulnerable...

        The best advice is to take advantage of the latest software that has modern approaches to security and safety. When IE9 is RC-status, and it starts being attacked, are you somehow going to revert back to IE5 to be safe?

        I don't think so...
        GSystems