Patch Tuesday Analysis for December 2010
17 patches in all: 12 primarily affecting workstations and the remaining 5 affecting RRAS, domain controllers, SharePoint, Exchange and Hyper-V. After the analysis you will find the Fast Facts chart to help you triage your patching efforts. Remember to focus on the vulnerabilities currently being exploited or whose exploit details are public.
We busted straight through the 100th security bulletin this month. That’s over 100 for Microsoft this year. But that number pales in comparison to the number of vulnerabilities we had to patch this year in other popular applications such as Acrobat, Flash, Java, QuickTime and Firefox.
Workstation/Terminal Server Vulnerabilities
MS10-090 is a cumulative update for IE addressing multiple vulnerabilities. If you previously applied the “Web site CSS workaround” from Microsoft, undo it before applying the patch. We recommend an accelerated roll out for workstations and Terminal Servers, since at least one of the vulnerabilities is presently being exploited and two others are publicly disclosed. A restart is required to make the update effective. The update introduces a further issue of its own, so after you install this security update you must also install update 2467659.
MS10-091 fixes a vulnerability in the OpenType Font (OTF) driver that is triggered when IE navigates to a network share containing the malicious code.
MS10-092 fixes a vulnerability in Task Scheduler; as a workaround the service can be disabled. Because a user must be logged on locally, it is rated only “important”, yet it is being exploited in attacks.
MS10-093 is for Windows Vista with Movie Maker 2.6. Windows 7 could also have Movie Maker installed, but that is not supported by Microsoft. Admins would therefore be wise to check for installations of Movie Maker on Windows 7 machines and remove it if found.
MS10-094 fixes Windows Media Encoder and MS10-096 fixes Address Book. Both are arbitrary code execution vulnerabilities.
More and more vulnerabilities are being found in the way DLLs are loaded. This is the case with MS10-097, this time in a library used by the Internet Connection Signup Wizard in XP and Server 2003. The most likely vector is workstations.
The vulnerability addressed by MS10-095 involves the new BranchCache technology found in Windows 7 and Server 2008 R2. If the BranchCache DLL does not exist in its default location the system is vulnerable, so the editions that do NOT support BranchCache (Windows 7 Home, for example) are the most exposed.
MS10-098 addresses multiple vulnerabilities in kernel mode drivers; only some of them have a workaround. Several years ago Microsoft was on a campaign to eliminate unsafe drivers, but these are drivers that come with Windows itself.
The Consent User Interface was designed to let administrators follow the least privilege principle, elevating their own privileges only when needed. Ironically it has a vulnerability that can allow elevation of privilege to users who are not admins. MS10-100 indicates that to exploit the vulnerability a user must hold the “Impersonate a client after authentication” privilege, which end users should never have in the first place.
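Since MS10-100 turns on who holds “Impersonate a client after authentication” (SeImpersonatePrivilege), the practical check is to list the holders and compare them with the default set. The script below is an added example, not part of the newsletter or of any Microsoft tooling: it parses the [Privilege Rights] section of a local policy export as produced by `secedit /export /cfg secpol.inf /areas USER_RIGHTS` and reports any principal outside the well-known defaults. The export text embedded here is constructed for the example, and the two extra holders it flags (a domain account with RID 1107 and BUILTIN\Users) are planted; the allow list and its IIS_IUSRS entry are assumptions a site should adjust to its own baseline.

```python
"""Audit holders of SeImpersonatePrivilege from a secedit policy export.

Added example, not from the newsletter.  Input is the text produced by
    secedit /export /cfg secpol.inf /areas USER_RIGHTS
(secedit writes the file as UTF-16; open a real export with encoding="utf-16").
"""

# Principals holding SeImpersonatePrivilege on a default install:
# Administrators, LOCAL SERVICE, NETWORK SERVICE and SERVICE.  IIS_IUSRS is
# added by IIS and treated as expected here (assumption; tune to your baseline).
DEFAULT_HOLDERS = frozenset({
    "S-1-5-32-544",  # BUILTIN\Administrators
    "S-1-5-19",      # NT AUTHORITY\LOCAL SERVICE
    "S-1-5-20",      # NT AUTHORITY\NETWORK SERVICE
    "S-1-5-6",       # NT AUTHORITY\SERVICE
    "S-1-5-32-568",  # BUILTIN\IIS_IUSRS
})

# Constructed sample export.  The last two holders on the SeImpersonatePrivilege
# line (an invented domain RID 1107 and BUILTIN\Users) are the planted problems.
SAMPLE_EXPORT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-19,*S-1-5-20,*S-1-5-6,*S-1-5-21-1111111111-2222222222-3333333333-1107,*S-1-5-32-545
SeDenyNetworkLogonRight =
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text):
    """Return {privilege_name: set_of_principals} from the [Privilege Rights] section.

    secedit writes SIDs with a leading '*'; hand-edited templates may use
    account names instead, so both forms are accepted and the '*' is dropped.
    An empty right (no holders) yields an empty set.
    """
    rights = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        holders = {h.strip().lstrip("*") for h in value.split(",") if h.strip()}
        rights[name.strip()] = holders
    return rights


def holders_of(inf_text, privilege):
    """All principals granted `privilege` in the export."""
    return parse_privilege_rights(inf_text).get(privilege, set())


def unexpected_impersonators(inf_text, allowed=DEFAULT_HOLDERS):
    """Principals holding SeImpersonatePrivilege that are not on the allow list."""
    return holders_of(inf_text, "SeImpersonatePrivilege") - allowed


if __name__ == "__main__":
    for sid in sorted(unexpected_impersonators(SAMPLE_EXPORT)):
        print("unexpected holder of SeImpersonatePrivilege:", sid)
```

Anything the script reports is a principal that could satisfy the precondition MS10-100 describes; on a workstation the expected answer is an empty list, and a domain or service account showing up is worth tracing back to the GPO or installer that granted it.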
MS10-103 addresses 5 vulnerabilities in Office Publisher. There are workarounds, but we don’t consider them comprehensive; for example, experience has shown that simply telling users not to open files from untrusted sources is just not effective.
MS10-105 addresses 7 vulnerabilities in various Office image converters. In some cases Office already blocks the affected converters and filters, and for some of the products the update also introduces the ability to override the blocking of converters and filters.
Server Vulnerabilities
RRAS is also at the core of the OS; it provides Remote Access and can even let your computer act as a router. Thankfully the vulnerability addressed in MS10-099 cannot be exploited remotely.
The vulnerability addressed in MS10-101 could cause a denial of service by forcing a domain controller to restart. At least one restart will be required to apply the patch.
As MS10-102 indicates, a Hyper-V host can be attacked from one of its guest virtual machines, causing a denial of service.
Converting documents within a SharePoint Server can also be a problem, as indicated in MS10-104. However, the vulnerable services are not enabled by default, so in this case the workaround would be effective.
Finally there is a vulnerability in Exchange Server 2007 that can cause a denial of service. According to MS10-106 only Exchange Server 2007 SP 2 for x64 Itanium systems are affected. This particular vulnerability is in the Exchange Mailbox role; even if that role is not enabled, however, the patch will still be offered.
Fast Facts on This Month’s Microsoft Security Bulletins
| Bulletin | Exploit Types / Technologies Affected | System Types Affected | Exploit details public? / Being exploited? | Comprehensive, practical workaround available? | MS severity rating | Products Affected | Notes | Randy's recommendation |
|---|---|---|---|---|---|---|---|---|
| MS10-101 (2207559) | Denial of service / NetLogon | Domain Controllers | No / No | No | Important | Server 2003, Server 2008, Server 2008 R2 | Restart Req'd | Patch after testing |
| MS10-103 (2292970) | Arbitrary code / Publisher | Workstations, Terminal Servers | No / No | No | Important | Office XP, Office 2003, Office 2007, Office 2010 | Restart may be req'd | Patch after testing |
| MS10-091 (2296199) | Arbitrary code / OTF Driver | Workstations, Terminal Servers | No / No | No | Critical | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Restart Req'd | Patch after testing |
| MS10-092 (2305420) | Privilege elevation / Task Scheduler | Workstations, Terminal Servers | Yes / Yes | Yes | Important | Vista, Server 2003, Server 2008, Windows 7 | Restart Req'd | Patch after testing |
| MS10-102 (2345316) | Denial of service / Hyper-V | Virtual Servers | No / No | No | Important | Win2008, Win2008 R2 | Restart Req'd | Patch after testing |
| MS10-095 (2385678) | Arbitrary code / Windows | Workstations | No / No | Yes | Important | Server 2008 R2, Windows 7 | Restart Req'd | Patch after testing |
| MS10-106 (2407132) | Denial of service / Exchange | Exchange Servers | No / No | No | Moderate | Exchange 2007 | Restart may be req'd | Patch after testing |
| MS10-090 (2416400) | Arbitrary code / Internet Explorer | Workstations, Terminal Servers | Yes / Yes | No | Critical | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Cumulative Update; Restart Req'd | Patch after minimal testing |
| MS10-096 (2423089) | Arbitrary code / Address Book | Workstations | Yes / No | Yes | Important | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Restart may be req'd | Patch after testing |
| MS10-093 (2424434) | Arbitrary code / Movie Maker | Workstations | Yes / No | Yes | Important | Vista | Restart may be req'd | Patch after testing |
| MS10-098 (2436673) | Privilege elevation / Windows kernel mode drivers | Workstations, Terminal Servers | Yes / No | No | Important | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Restart may be req'd | Patch after testing |
| MS10-099 (2440591) | Privilege elevation / RRAS | Workstations, Terminal Servers | No / No | No | Important | XP, Server 2003 | Restart Req'd | Patch after testing |
| MS10-100 (2442962) | Privilege elevation / Windows | Workstations, Terminal Servers | No / No | No | Important | Vista, Server 2008, Server 2008 R2, Windows 7 | Restart may be req'd | Patch after testing |
| MS10-097 (2443105) | Arbitrary code / Internet Connection Signup Wizard | Workstations | Yes / No | Yes | Important | XP, Server 2003 | Restart may be req'd | Patch after testing |
| MS10-094 (2447961) | Arbitrary code / Media encoder | Workstations, Terminal Servers | Yes / No | Yes | Important | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Restart may be req'd | Patch after testing |
| MS10-104 (2455005) | Arbitrary code / SharePoint | SharePoint Servers | No / No | Yes | Important | SharePoint Server 2007 | Restart may be req'd | Patch after testing |
| MS10-105 (968095) | Arbitrary code / Office | Workstations, Terminal Servers | No / No | No | Important | Office XP, Office 2003, Office 2007, Office Converter Pack, Office 2010 | Restart may be req'd | Patch after testing |
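The chart is meant to be triaged by the rule stated at the top of the analysis: deal first with what is being exploited or publicly detailed. The script below is an added example, not part of the newsletter, that encodes the chart's columns as data and applies that rule, then filters the result against the products a given estate actually runs. The four tier labels, the tie-break on MS severity and the `applicable` filter are this example's own choices, not the author's; product names are normalised so that "Win2008" becomes "Server 2008", and the technology column is abbreviated.

```python
"""Triage the December 2010 bulletins from the Fast Facts chart.

Added example, not part of the newsletter.  Flags per bulletin are copied from
the chart: exploit details public?, being exploited?, comprehensive workaround
available?, MS severity, products affected.  The tiers are this example's own.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Bulletin:
    bid: str          # bulletin number
    kb: str           # knowledge base article
    kind: str         # exploit type / technology affected (abbreviated)
    public: bool      # exploit details public?
    exploited: bool   # being exploited?
    workaround: bool  # comprehensive, practical workaround available?
    severity: str     # MS severity rating
    products: frozenset


def _b(bid, kb, kind, public, exploited, workaround, severity, *products):
    return Bulletin(bid, kb, kind, public, exploited, workaround, severity, frozenset(products))


# The six Windows versions that appear together on several rows of the chart.
WIN_ALL = ("XP", "Vista", "Server 2003", "Server 2008", "Server 2008 R2", "Windows 7")

FAST_FACTS = [
    _b("MS10-101", "2207559", "DoS / NetLogon", False, False, False, "Important", "Server 2003", "Server 2008", "Server 2008 R2"),
    _b("MS10-103", "2292970", "Code / Publisher", False, False, False, "Important", "Office XP", "Office 2003", "Office 2007", "Office 2010"),
    _b("MS10-091", "2296199", "Code / OTF driver", False, False, False, "Critical", *WIN_ALL),
    _b("MS10-092", "2305420", "EoP / Task Scheduler", True, True, True, "Important", "Vista", "Server 2003", "Server 2008", "Windows 7"),
    _b("MS10-102", "2345316", "DoS / Hyper-V", False, False, False, "Important", "Server 2008", "Server 2008 R2"),
    _b("MS10-095", "2385678", "Code / Windows (BranchCache)", False, False, True, "Important", "Server 2008 R2", "Windows 7"),
    _b("MS10-106", "2407132", "DoS / Exchange", False, False, False, "Moderate", "Exchange 2007"),
    _b("MS10-090", "2416400", "Code / Internet Explorer", True, True, False, "Critical", *WIN_ALL),
    _b("MS10-096", "2423089", "Code / Address Book", True, False, True, "Important", *WIN_ALL),
    _b("MS10-093", "2424434", "Code / Movie Maker", True, False, True, "Important", "Vista"),
    _b("MS10-098", "2436673", "EoP / kernel mode drivers", True, False, False, "Important", *WIN_ALL),
    _b("MS10-099", "2440591", "EoP / RRAS", False, False, False, "Important", "XP", "Server 2003"),
    _b("MS10-100", "2442962", "EoP / Windows (Consent UI)", False, False, False, "Important", "Vista", "Server 2008", "Server 2008 R2", "Windows 7"),
    _b("MS10-097", "2443105", "Code / Internet Connection Signup Wizard", True, False, True, "Important", "XP", "Server 2003"),
    _b("MS10-094", "2447961", "Code / Media encoder", True, False, True, "Important", *WIN_ALL),
    _b("MS10-104", "2455005", "Code / SharePoint", False, False, True, "Important", "SharePoint Server 2007"),
    _b("MS10-105", "968095", "Code / Office", False, False, False, "Important", "Office XP", "Office 2003", "Office 2007", "Office Converter Pack", "Office 2010"),
]

SEVERITY_RANK = {"Critical": 3, "Important": 2, "Moderate": 1, "Low": 0}


def triage_tier(b):
    """Map the public/exploited/workaround flags to a deployment tier (0 = most urgent)."""
    if b.exploited:
        return 0, "accelerated roll-out: exploited in the wild"
    if b.public and not b.workaround:
        return 1, "next in line: exploit details public, no comprehensive workaround"
    if b.public:
        return 2, "apply the workaround now, patch on the normal schedule"
    return 3, "normal cycle: patch after testing"


def ranked(bulletins):
    """Bulletin ids ordered by tier, then MS severity (highest first), then id."""
    key = lambda b: (triage_tier(b)[0], -SEVERITY_RANK[b.severity], b.bid)
    return [b.bid for b in sorted(bulletins, key=key)]


def applicable(bulletins, estate):
    """Bulletins touching at least one product name in `estate`."""
    return [b for b in bulletins if b.products & set(estate)]


if __name__ == "__main__":
    # Constructed estate: an XP / Server 2003 shop still on Office 2003.
    estate = {"XP", "Server 2003", "Office 2003"}
    order = {bid: i for i, bid in enumerate(ranked(FAST_FACTS))}
    for b in sorted(applicable(FAST_FACTS, estate), key=lambda b: order[b.bid]):
        print(f"{b.bid} (KB{b.kb}) {b.severity:9} {b.kind:40} -> {triage_tier(b)[1]}")
```

Swap the constructed `estate` for your own product list and the output is the month's patch queue in the order the analysis argues for: MS10-090 and MS10-092 at the top because they are exploited, MS10-098 next because its details are public with no real workaround, and the rest on the normal test-then-deploy cycle.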