Patch Tuesday Analysis for December 2010

17 patches in all, 12 primarily affecting workstations and the remaining 5 affecting RRAS, domain controllers, SharePoint, Exchange and Hyper-V. After the analysis you will find the Fast Facts chart to help you triage your patching efforts. Remember to focus first on the vulnerabilities currently being exploited or whose exploit details are public.
 
We busted straight through the 100th security bulletin this month. That’s over 100 bulletins from Microsoft this year. But that number pales in comparison to the number of vulnerabilities that we had to patch in other popular applications this year like Acrobat, Flash, Java, QuickTime and Firefox.
 
And this isn’t a new trend – check out the little chart, “Most Exploited Vulnerabilities of 2009: It’s Not Just Microsoft Anymore”, at Lumension, who makes my coverage of Patch Tuesday possible. With so many non-Microsoft products needing to be patched, WSUS doesn’t cut it anymore, and these other vendors aren’t providing business-targeted patching tools for their products. Therefore I encourage you to learn about enterprise patch management solutions like Lumension’s, which can deploy patches from multiple vendors (and, in the case of Lumension, to multiple platforms) from one centralized console. Please click here to learn more about Lumension’s Automated Patch Management.
 
Workstation/Terminal Server Vulnerabilities
 
MS10-090 is a cumulative update for IE addressing multiple vulnerabilities. If you previously applied the “Web site CSS workaround” from Microsoft, it should be undone before applying the patch. We recommend an accelerated rollout for workstations and Terminal Servers since at least one of the vulnerabilities is presently being exploited and two others are publicly disclosed. A restart is required to make the update effective. The update also introduces a known issue with its own fix, so after you install this security update you must also install update 2467659.
 
MS10-091 - The vulnerability is in the OpenType Font (OTF) driver and is triggered when IE navigates to a network share that hosts the malicious content.
 
MS10-092 - Task Scheduler is vulnerable; as a workaround it can be disabled. Since a user must be logged on locally it is only rated “important”, but it is being exploited in attacks.
 
MS10-093 is for Windows Vista with Movie Maker 2.6. Windows 7 could also have Movie Maker installed, but it is not supported by Microsoft there. Therefore admins would be wise to check for installations of Movie Maker on those machines and remove it if found.
 
MS10-094 fixes Windows Media Encoder. MS10-096 fixes Address Book. Both are arbitrary code execution vulnerabilities.
 
More and more vulnerabilities are being found in how DLLs are loaded. MS10-097 is another one, this time in the library used by the Internet Connection Signup Wizard in XP and Server 2003. Workstations are the most likely vector.
 
The vulnerability addressed by MS10-095 involves the new BranchCache technology found in Windows 7 and Server 2008 R2. If the BranchCache DLL does not exist in its default location the system is vulnerable, so the editions that do NOT support BranchCache (Windows 7 Home edition, for example) would be the most exposed.
 
MS10-098 addresses multiple vulnerabilities in kernel mode drivers; only some of them have a workaround. Several years ago Microsoft was on a campaign to eliminate unsafe drivers, but these are drivers that ship with Windows itself.
 
The Consent User Interface was designed to let administrators follow the least-privilege principle, only elevating their own privileges when needed. Ironically it has a vulnerability that can allow elevation of privilege for users who are not admins. MS10-100 indicates that to exploit the vulnerability a user must hold the “Impersonate a client after authentication” privilege, which end users should never have in the first place.
 
MS10-103 addresses 5 vulnerabilities in Office Publisher. There are workarounds, but we don’t consider them comprehensive. For example, experience has shown that simply telling users not to open files from untrusted sources is just not effective.
 
MS10-105 addresses 7 vulnerabilities in various Office image converters. In some cases the affected image converters and filters are already blocked by Office. In addition, some of the products introduce the ability to override converters and filters that were blocked.
 
Server Vulnerabilities
 
RRAS is also part of the core OS; it allows remote access and can even let your computer act as a router. Thankfully the vulnerability addressed in MS10-099 cannot be exploited remotely.
 
The vulnerability addressed in MS10-101 could be used for denial of service by forcing a domain controller to restart. At least one restart will be required to apply the patch.
 
As indicated in MS10-102, a Hyper-V host can be attacked by one of its guest virtual machines, causing a denial of service.
 
Converting documents within a SharePoint Server can also be a problem, as indicated in MS10-104. However, the vulnerable services are not enabled by default, so in this case the workaround would be effective.
 
Finally, there is a vulnerability in Exchange Server 2007 that can cause a denial of service. According to MS10-106 only Exchange Server 2007 SP 2 for x64 Itanium systems is affected. This particular vulnerability is in the Exchange Mailbox role; even if that role is not enabled, the patch will still be offered.
 
Fast Facts on This Month’s Microsoft Security Bulletins
Bulletin | KB | Exploit type / Technology affected | System types affected | Exploit details public? / Being exploited? | Comprehensive, practical workaround available? | MS severity rating | Products affected | Notes | Randy's recommendation
---------|----|------------------------------------|-----------------------|--------------------------------------------|------------------------------------------------|--------------------|-------------------|-------|-----------------------
MS10-101 | 2207559 | Denial of service / NetLogon | Domain Controllers | No / No | No | Important | Server 2003, Server 2008, Server 2008 R2 | Restart req'd | Patch after testing
MS10-103 | 2292970 | Arbitrary code / Publisher | Workstations, Terminal Servers | No / No | No | Important | Office XP, Office 2003, Office 2007, Office 2010 | Restart may be req'd | Patch after testing
MS10-091 | 2296199 | Arbitrary code / OTF driver | Workstations, Terminal Servers | No / No | No | Critical | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Restart req'd | Patch after testing
MS10-092 | 2305420 | Privilege elevation / Task Scheduler | Workstations, Terminal Servers | Yes / Yes | Yes | Important | Vista, Server 2003, Server 2008, Windows 7 | Restart req'd | Patch after testing
MS10-102 | 2345316 | Denial of service / Hyper-V | Virtual Servers | No / No | No | Important | Win2008, Win2008 R2 | Restart req'd | Patch after testing
MS10-095 | 2385678 | Arbitrary code / Windows | Workstations | No / No | Yes | Important | Server 2008 R2, Windows 7 | Restart req'd | Patch after testing
MS10-106 | 2407132 | Denial of service / Exchange | Exchange Servers | No / No | No | Moderate | Exchange 2007 | Restart may be req'd | Patch after testing
MS10-090 | 2416400 | Arbitrary code / Internet Explorer | Workstations, Terminal Servers | Yes / Yes | No | Critical | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Cumulative update; restart req'd | Patch after minimal testing
MS10-096 | 2423089 | Arbitrary code / Address Book | Workstations | Yes / No | Yes | Important | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Restart may be req'd | Patch after testing
MS10-093 | 2424434 | Arbitrary code / Movie Maker | Workstations | Yes / No | Yes | Important | Vista | Restart may be req'd | Patch after testing
MS10-098 | 2436673 | Privilege elevation / Windows kernel mode drivers | Workstations, Terminal Servers | Yes / No | No | Important | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Restart may be req'd | Patch after testing
MS10-099 | 2440591 | Privilege elevation / RRAS | Workstations, Terminal Servers | No / No | No | Important | XP, Server 2003 | Restart req'd | Patch after testing
MS10-100 | 2442962 | Privilege elevation / Windows | Workstations, Terminal Servers | No / No | No | Important | Vista, Server 2008, Server 2008 R2, Windows 7 | Restart may be req'd | Patch after testing
MS10-097 | 2443105 | Arbitrary code / Internet Connection Signup Wizard | Workstations | Yes / No | Yes | Important | XP, Server 2003 | Restart may be req'd | Patch after testing
MS10-094 | 2447961 | Arbitrary code / Media encoder | Workstations, Terminal Servers | Yes / No | Yes | Important | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Restart may be req'd | Patch after testing
MS10-104 | 2455005 | Arbitrary code / SharePoint | SharePoint Servers | No / No | Yes | Important | SharePoint Server 2007 | Restart may be req'd | Patch after testing
MS10-105 | 968095 | Arbitrary code / Office | Workstations, Terminal Servers | No / No | No | Important | Office XP, Office 2003, Office 2007, Office Converter Pack, Office 2010 | Restart may be req'd | Patch after testing
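To act on the chart, the following PowerShell audit is an added example (not part of the original post, and not Lumension's or Microsoft's tooling): it takes the KB numbers and the exploited/public/severity columns from the chart, checks a machine with Get-HotFix, and lists what is missing in the triage order the post recommends. The scoring weights and the InBox flag (whether an update is a Windows component that Get-HotFix can see) are this example's own assumptions.

```powershell
# Added example, not from the original post: audit this machine against the
# December 2010 Fast Facts chart and report missing updates in triage order.
# KB numbers, exploited/public flags and severities come from the chart; the
# scoring weights and the InBox flag are assumptions made for this example.
$bulletins = @(
    @{ Id='MS10-090'; KB='2416400'; Tech='Internet Explorer';        Exploited=$true;  Public=$true;  Severity='Critical';  InBox=$true  },
    @{ Id='MS10-092'; KB='2305420'; Tech='Task Scheduler';           Exploited=$true;  Public=$true;  Severity='Important'; InBox=$true  },
    @{ Id='MS10-091'; KB='2296199'; Tech='OTF driver';               Exploited=$false; Public=$false; Severity='Critical';  InBox=$true  },
    @{ Id='MS10-093'; KB='2424434'; Tech='Movie Maker';              Exploited=$false; Public=$true;  Severity='Important'; InBox=$false },
    @{ Id='MS10-094'; KB='2447961'; Tech='Media Encoder';            Exploited=$false; Public=$true;  Severity='Important'; InBox=$false },
    @{ Id='MS10-095'; KB='2385678'; Tech='BranchCache';              Exploited=$false; Public=$false; Severity='Important'; InBox=$true  },
    @{ Id='MS10-096'; KB='2423089'; Tech='Address Book';             Exploited=$false; Public=$true;  Severity='Important'; InBox=$true  },
    @{ Id='MS10-097'; KB='2443105'; Tech='Connection Signup Wizard'; Exploited=$false; Public=$true;  Severity='Important'; InBox=$true  },
    @{ Id='MS10-098'; KB='2436673'; Tech='Kernel mode drivers';      Exploited=$false; Public=$true;  Severity='Important'; InBox=$true  },
    @{ Id='MS10-099'; KB='2440591'; Tech='RRAS';                     Exploited=$false; Public=$false; Severity='Important'; InBox=$true  },
    @{ Id='MS10-100'; KB='2442962'; Tech='Consent UI';               Exploited=$false; Public=$false; Severity='Important'; InBox=$true  },
    @{ Id='MS10-101'; KB='2207559'; Tech='NetLogon';                 Exploited=$false; Public=$false; Severity='Important'; InBox=$true  },
    @{ Id='MS10-102'; KB='2345316'; Tech='Hyper-V';                  Exploited=$false; Public=$false; Severity='Important'; InBox=$true  },
    @{ Id='MS10-103'; KB='2292970'; Tech='Publisher';                Exploited=$false; Public=$false; Severity='Important'; InBox=$false },
    @{ Id='MS10-104'; KB='2455005'; Tech='SharePoint';               Exploited=$false; Public=$false; Severity='Important'; InBox=$false },
    @{ Id='MS10-105'; KB='968095';  Tech='Office converters';        Exploited=$false; Public=$false; Severity='Important'; InBox=$false },
    @{ Id='MS10-106'; KB='2407132'; Tech='Exchange';                 Exploited=$false; Public=$false; Severity='Moderate';  InBox=$false }
)

# Get-HotFix wraps Win32_QuickFixEngineering, which only records updates applied to Windows
# components; Office, Exchange, SharePoint and separately installed products need their own tooling.
$installed = Get-HotFix | ForEach-Object { $_.HotFixID -replace '^KB', '' }

function Get-TriageScore($b) {
    # Encodes the post's advice: exploited first, then public exploit details, then MS severity.
    $score = 0
    if ($b.Exploited)               { $score += 100 }
    if ($b.Public)                  { $score += 10 }
    if ($b.Severity -eq 'Critical') { $score += 1 }
    return $score
}

$report = foreach ($b in $bulletins) {
    if (-not $b.InBox)                  { $status = 'Not visible to Get-HotFix; verify with product update tooling' }
    elseif ($installed -contains $b.KB) { $status = 'Installed' }
    else                                { $status = 'MISSING' }
    New-Object PSObject -Property @{
        Bulletin = $b.Id; KB = "KB$($b.KB)"; Technology = $b.Tech
        Score = Get-TriageScore $b; Status = $status
    }
}

$report | Sort-Object Score -Descending | Format-Table Bulletin, KB, Technology, Score, Status -AutoSize
```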
