Patch Tuesday: Microsoft plugs critical Windows worm holes

Patch Tuesday: Microsoft plugs critical Windows worm holes

Summary: The company urged customers to prioritize and deploy four updates because of the "critical" severity rating and the fact that "consistent exploit code" is likely within the next 30 days.


Microsoft today released 13 security bulletins with fixes for 26 vulnerabilities affecting Windows and Office users and warned customers to pay special attention to a slew of flaws that can be trivially exploited by malware miscreants.

The company urged customers to prioritize and deploy four updates because of the "critical" severity rating and the fact that "consistent exploit code" is likely within the next 30 days.

Here's the skinny on the three updates that should be applied immediately:

  • MS10-013: Addresses a Critical vulnerability in DirectShow, should be at the top of your list for testing and deployment. This issue is Critical on all supported versions of Windows except Itanium based server products and has an Exploitability Index rating of 1. To exploit the vulnerability, an attacker could host a malicious AVI file on a website and convince a user to visit the site, or send the file via email and convince the a user to open it.
  • MS10-006: This is also rated Critical on all versions of Windows, except Windows Vista and Windows Server 2008, and addresses 2 vulnerabilities in SMB Client. One of the vulnerabilities has an Exploitability Index rating of 1. In the simplest scenario, a system connecting to a network file share is an SMB Client. The issue occurs during the client/server negotiation phase of the connection. In order to exploit this issue, an attacker would need to host a malicious server and convince a client system to connect to it. An attacker could also try to perform a man-in-the-middle attack by responding to SMB requests from clients. From our analysis of this issue, we expect attempts to exploit it would be more likely to result in a Denial of Service than in Remote Code Execution.
  • MS10-007: Fixes a Critical vulnerability in Windows Shell Handler that affects Windows 2000, Windows XP, and Windows Server 2003. The attack vector is through a specially crafted link that appears to the ShellExecute API to be a valid link. This issue has not been publicly exposed but we give it an Exploitability Index rating of 1, so we urge customers on affected platforms to install it as soon as possible.

A fourth bulletin -- MS10-008 -- includes ActiveX Kill Bits for Internet Explorer and should also be treated with the utmost priority because it exposes surfers to malicious code execution attacks.

Eleven of 13 bulletins affect the Windows operating system while two affect older versions of Microsoft Office.

This chart from Microsoft's Security Research & Defense Blog provides useful information to help assess the risks associated with these vulnerabilities:


Most likely attack vector

Max Bulletin Severity

Max Exploit- ability Index

Likely first 30 days impact

Platform mitigations



Victim opens malicious AVI or WAV file.



Likely to see working exploit in next 30 days.



Attacker hosts a malicious webpage, lures victim to it.



Likely to see exploit code released resulting in binary on WebDAV share being executed.

For more detail, see this SRD blog post.


(SMB Client)

Locally logged-in attacker with low privilege runs a malicious executable to elevate to high privilege.



Likely to see working exploit code for local attacker escalation.

For more detail, see this SRD blog post.


(ActiveX kill-bits)

Attackers host a malicious webpage, lures victim to it



Likely to see working exploit for vulnerabilities in third party ActiveX controls.


(SMB Server)

Attacker sends network-based malicious connection to remote Windows machine via SMB.



Likely to see working proof-of-concept in next 30 days for CVE-2010-0231 resulting in attacker luring remote victim user to open file on attacker server and initiating a connection back to machine where remote victim is logged on.

Less likely to see working exploit code for the authenticated code execution vulnerability (CVE-2010-0020) or unauthenticated denial-of-service vulnerabilities (CVE-2010-0021 and 0022)

For more detail, see this SRD blog post.



Attacker already able to execute code as low-privileged user escalates privileges.



Proof of concept code already widely available. No active attacks.



Attacker who logs onto console of system where victim later logs onto console of same system can potentially run code with victim’s identity.



Likely to see proof-of-concept code published for this vulnerability.  However, unlikely to see wide-spread exploitation due to extensive user interaction required.



Attacker sends network-based attack against system on local subnet.



May see denial-of-service proof-of-concept code published leveraging CVE-2010-0239 or CVE-2010-0241.  Attackers are less likely to discover real-world attack surface in next 30 days for CVE-2010-0240.

/GS effective mitigation for CVE’s:




CVE-2010-0242 is denial of service only.



Attack sends malicious .xls file to victim who opens it with Office XP or lower.  (Office 2003, 2007 not affected.)



Likely to see working exploit file effective on Office XP in first 30 days.

Office 2003 and Office 2007 not affected.



Attacks malicious .ppt file to victim who opens it with Powerpoint Viewer 2003.



Likely to see working exploit file effective on PowerPoint Viewer 2003.  However, PowerPoint Viewer 2003 was replaced online by PowerPoint Viewer 2007.  Only victims who use

PowerPoint Viewer 2003 from Office 2003 install disk would be vulnerable to the PowerPoint Viewer vulnerabilities.

Less likely to see working exploit for other PowerPoint vulnerabilities.



Attacker running code on virtual machine crashes host OS.



Unlikely to see working exploit code in next 30 days.



Attacker potentially able to cause denial of service via Kerberos traffic if victim server configured with trust relationship to MIT Kerberos realm.



Unlikely to see public exploit code in next 30 days.



Attacker sends malicious JPEG to victim.   Victim saves JPG, launches mspaint, and then file->opens the malicious JPEG



Likely to see exploit code developed.  Unlikely to have broad impact as mspaint is not registered file association for JPEG.

Microsoft also updated the malicious software removal tool to add detections for the Win32/Pushbot malware family.

Topics: Collaboration, Microsoft, Operating Systems, Security, Software, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Secure Development Lifecycle paying off

    2 critical, 2 important, 1 low vulnerabilities
    for Windows 7.

    A few more for Vista, but OS vulns are mainly
    found in XP.

    None for Office 2007 (a few for Office 2003 and
    some for Office XP)

    It appears that if you stay current on software
    and keep your system up-to-date you are quite

    It also appears that Microsoft SDL (Security
    Development Lifecycle) is paying off. They are
    seriously reducing number of vulns in their
    latest software.
    • How many RPMs are you doing there, Honey?

      Too much spin can make you dizzy ... ;-)
      • Well...

        Since both Stallman Cultists and Jobs Cultists also spin in different directions, it breaks the RPM meter therefore, he has currently a RPM reaching 0...
        • Nah, he just spins on a different axis.

          RPM over 9000.
      • Yes, there's good news out there badware land.

        Help the dizzymonster out, will ya?
      • i agree with you

        i agree with you
    • huh?

      Is your nose brown?
    • Two responses which lacked any form of counter...

      ...argument. Just juvenile name calling.
      • Yes, that is why I don't respond.

        That is why I do not respond. Don't feed the

        Do not dignify personal attacks by responding. Let
        their vicious comments stand by themselves for
        everyone to see.
        • Then quit spinning

          You're not convincing any of us on Windoze security, or lack thereof...
          • Try again Wintel boy. He's completely convinced me of Windows'

            lack of security, by claiming it having vulnerabilities left in it
            until after working exploit code had been widely distributed was
            somehow a huge improvement and something to celebrate.
          • AzuDude

            I was trying to be magnanimous with the old boy. Apparently it didn't work.

          • I was just responding to the "or lack thereof" part. :p

            [b] [/b]
      • What kind of "argument" were you expecting?

        The article is an announcement of bug-fixes, nothing more. And I found Honey's spin on it amusing.

        If you're looking for an argument, then might I suggest you go here instead?
    • Agreed.

      It's wonderful to know that Microsoft SDL (Security Development
      Lifecycle) is paying off, by not fixing vulnerabilities in the
      Windows kernel that allow any code to elevate itself to the
      equivalent of root, quietly and without user interaction, even if it
      was running under restricted privileges, until the exploit code has
      been "already widely available" (direct quote from MS).

      +1 for Microsoft's amazing pro-activeness!
    • RE: Patch Tuesday: Microsoft plugs critical Windows worm holes

      Thanks for your share. Your site is really good, and it is very worthy to visit again. Welcome to our cheap wedding dresses online store
  • KB979099 for XP

    On fully updated XP Pro SP3, got failed update for KB979099. Downloaded it manually, install error was "The older version of Windows Rights Management Client with Service Pack 2 cannot be removed." Researched, found needed to rollback WMP, but in small print found warning it might fail. Don't want WMP not working (MS would charge me for a WMP fix!), so that update is the only one on the Windows Update ignore list. All else went ok both for XP and Vista32 Ultimate.
    Tech Maven
    • Just wonderful

      An obsolete, non-removable DRM blob prevents you from applying a security update. Thank you so much Microsoft. Sounds like you really tested this fix well.


      A cheap solution that doesn't work is neither,
      Say What?
    • Don't worry.

      According to Loverock and honey, this kind of
      thing happens with Linux all the time.

      Nevermind the fact that that's complete hogwash.
      • So you never had Lilo crashed?

        I have, and when Lilo crashed it not only crashed Linux Partition but the Windows Partition.

        To be fair the has only happened to me twice, once on a home computer, and once on a company computer that was supposed to had everything preinstalled and configured for a site I was installing.

        The solution, delete old partition, make new partition, format and reinstall.

        Also Linux is still plagued by lack of drivers for newer hardware and some older hardware.

        Just look at the forums sites.

        Which OS is more secure? Depends, who is running the computer? I can gaurentee my Brother in-Law sister can have it crashed with in a day of using, because they have no clue what they are doing no matter how much I help them.