Microsoft drops record 14 bulletins in largest-ever Patch Tuesday

It's a very busy Patch Tuesday for Windows users:  14 bulletins covering 34 serious security vulnerabilities in Internet Explorer, Microsoft Windows, Microsoft Office, Silverlight, Microsoft XML Core Services and Server Message Block.

As previously reported, eight of the bulletins are rated "critical" because of the risk of remote code execution attacks.  The other six are rated "important."

The company also released a security advisory to warn of a new elevation of privilege issue in the Windows Service Isolation feature.

Windows users are urged to pay special attention to these four bulletins:

• MS10-052resolves a privately reported vulnerability in Microsoft’s MPEG Layer-3 audio codecs. The vulnerability could allow remote code execution if a user opens a specially crafted media file or receives specially crafted streaming content from a Web site. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user.
• MS10-055resolves a privately reported vulnerability in the Cinepak codec that could allow remote code execution if a user opens a specially crafted media file, or receives specially crafted streaming content from a Web. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user.
• MS10-056resolves four privately reported vulnerabilities in Microsoft Office. The most severe vulnerabilities could allow remote code execution if a user opens or previews a specially crafted RTF e-mail message. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Windows Vista and Windows 7 are less exploitable due to additional heap mitigation mechanisms in those operating systems.
• MS10-060resolves two privately reported vulnerabilities, both of which could allow remote code execution, in Microsoft .NET Framework and Microsoft Silverlight.

As Computerworld's Gregg Keizer points out, the August update was the biggest ever by number of security bulletins, and equaled the single-month record for individual patches,

Jonathan Ness from the MSRC Engineering team provides a useful chart that assesses the risk factors with each bulletin:

Bulletin	Most likely attack vector	Max Bulletin Severity	Max Exploit-ability Index	Likely first 30 days impact	Platform mitigations and key notes
MS10-055 (Cinepak)	Victim browses to a malicious webpage or opens a malicious AVI movie with Media Player.	Critical	1	Likely to see an exploit released able to exploit the vulnerability in the Cinepak codec.	Vulnerable DLL does not exist on Windows Server 2003 or Windows Server 2008.
MS10-052 (MPEG-3)	Victim browses to a malicious webpage or opens a malicious ASX file with Media Player.	Critical	1	Likely to see an exploit released able to exploit the vulnerability in MPEG-3 codec.	Only Windows XP and Windows Server 2003 are vulnerable.
MS10-056 (Word, RTF)	Victim opens malicious RTF file using Microsoft Word or views RTF email using Outlook 2007.	Critical	1	RTF exploit likely to be developed.	Office 2010 not affected. Versions of Outlook prior to 2007 did not use Word as RTF parser so are not susceptible to Outlook attack vector.
MS10-060 (Silverlight, .NET framework)	Victim browses to a malicious webpage.	Critical	1	Likely to see an exploit released able to exploit the vulnerability in Silverlight.
MS10-054 (SMB)	Windows XP system compromised via over-the-network SMB packet.	Critical	2	Exploiting this vulnerability for code execution will be difficult.	For more information on risk by platform, please see this SRD blog post.
MS10-053 (Internet Explorer)	Victim browses to a malicious website.	Critical	1 (IE6 only)	Consistent, reliable exploit affecting IE7 or IE8 will be difficult to develop.	Vulnerabilities significantly more difficult to exploit on IE7 and IE8 due to platform mitigations.
MS10-051 (MSXML ActiveX)	Victim browses to a malicious website.	Critical	2	Difficult to build reliable exploit.
MS10-049 (schannel)	Victim browses to a malicious https website.	Critical	2	Exploiting CVE-2010-2566 for code execution will be difficult. Successful attacks would result in code execution as SYSTEM, making this an attractive target, despite its difficulty.	Windows Vista and newer platforms are Important Severity. For more information please see this SRD blog post and this SRD blog post.
MS10-050 (Windows Movie Maker)	Victim opens malicious MSWMM file sent via email or downloaded via website.	Important	1	MSWMM exploit likely to be developed.	Does not affect Windows Live Movie Maker shipped by default with Windows 7.
MS10-057 (Excel 2002, Excel 2003)	Victims opens malicious XLS file sent via email or downloaded via website.	Important	1	XLS exploit likely to be developed.	Does not affect Office 2007 or Office 2010.
MS10-048 (Win32k)	Attacker logged-in to a machine locally exploits vulnerability to elevate to a higher privilege level.	Important	1	Likely to see an exploit developed for CVE-2010-1897 and potentially others.
MS10-058 (TCP/IP)	Remote attacker causes victim machine to bugcheck. Attacker logged-in to machine locally exploits vulnerability to elevate to a higher privilege level.	Important	1	Likely to see an exploit developed for one or both vulnerabilities.	64-bit Windows not affected by vulnerability allowing local elevation of privilege.
MS10-059 (Tracing service)	Attacker logged-in to a machine locally exploits vulnerability to elevate to a higher privilege level.	Important	1	Likely to see proof-of-concept code released
MS10-047 (Kernel)	Attacker logged-in to a machine locally exploits vulnerability to elevate to a higher privilege level.	Important	1	Likely to see proof-of-concept code released.	The security impact on Windows Server 2008 R2 and Windows 7 is limited to denial of service.

It's interesting to note that Google researcher Tavis Ormandy is credited by Microsoft with reporting several kernel vulnerabilities that could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application.

Ormandy drew the ire of Microsoft recently over his decision to publicly disclose a code execution flaw before Microsoft could get a fix out the door.