Patch Tuesday Analysis for February 2010
Microsoft reports that it is not aware of any exploits as of the patch release date, at least for the vulnerabilities it has a patch for. We cannot rest, though, since the exploitability index gives 12 of the vulnerabilities a rating of 1 (consistent exploit code likely). The 13 bulletins released still don’t address everything, such as security advisory 980088 about a publicly disclosed vulnerability, which we got last week. So we may get another out-of-band patch for Windows Explorer.
MS10-003 offers a workaround that simply says “do not open files from an untrusted source”. It’s just common sense, but it cannot be relied upon in practice, especially if someone you trust gets infected with malware that sends you a file…
MS10-004: digging around a little indicates that PowerPoint Viewer may also be affected. However, Microsoft indicates the patch is not being offered for a standalone installation of PowerPoint Viewer 2003, for example, since they no longer support it.
MS10-005 addresses a vulnerability in the way JPEG files are rendered by Microsoft Paint. Guidance is offered on how to disable or remove Paint. Doing so would reduce the attack surface if the program is not needed or wanted.
MS10-006 covers multiple vulnerabilities with attack vectors from an SMB server or a man-in-the-middle attack on an internal network. An attack could run code remotely or cause a denial of service. The workaround of using a firewall cannot address all vectors.
MS10-008 is a cumulative update for ActiveX controls.
MS10-010 is for those who use Hyper-V on Server 2008, especially those who allow untrusted users on guest machines. An exploit on the guest machine can bring the host system down.
One of the vulnerabilities in MS10-012 is publicly disclosed. Any machine that uses the SMB Server service is at risk. Risk is limited if network shares are not open.
MS10-013 illustrates how multimedia can make a server vulnerable, although best practice would preclude playing games or looking at videos on a server. I better stop playing pinball on that client’s huge DB server…
Domain Controllers that trust a non-Microsoft Windows domain are the ones vulnerable as mentioned in MS10-014.
In MS10-015, the workaround (preventing 16-bit applications from running) only addresses one of the two vulnerabilities.
| Bulletin | Exploit Types / Technologies Affected | System Types Affected | Exploit details public? / Being exploited? | Comprehensive, practical workaround available? | MS severity rating | Products Affected | Notes | Randy's recommendation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| MS10-012 971468 | Arbitrary code / SMB Server | Servers | Yes/No | No | Important | Win2000, XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Restart Req'd | Patch after testing |
| MS10-009 974145 | Arbitrary code, Denial of service / Windows | Workstations, Servers | No/No | No | Critical | Vista, Server 2008 | Restart Req'd | Patch after testing |
| MS10-004 975416 | Arbitrary code / Office PowerPoint | Workstations, Terminal Servers | No/No | No | Important | Office XP, Office 2003, Office 2004 for Mac | Multiple vulnerabilities | Patch after testing; update PowerPoint Viewer |
| MS10-007 975713 | Arbitrary code / Windows | Workstations, Terminal Servers | No/No | No | Critical | Win2000, XP, Server 2003 | Restart Req'd | Patch after testing |
| MS10-015 977165 | Privilege elevation / Windows | Workstations, Terminal Servers | Yes/No | No | Important | Win2000, XP, Vista, Server 2003, Server 2008, Windows 7 | Restart Req'd | Patch after testing |
| MS10-014 977290 | Denial of service / Kerberos | Domain Controllers | No/No | No | Important | Server 2003, Server 2000, Server 2008 | Restart Req'd | Patch after testing |
| MS10-010 977894 | Denial of service / Hyper-V | Servers | No/No | No | Important | Server 2008, Server 2008 R2 | Restart Req'd | Patch after testing |
| MS10-013 977935 | Arbitrary code / DirectShow | Workstations, Terminal Servers | No/No | No | Critical | Win2000, XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Restart Req'd | Patch after testing |
| MS10-011 978037 | Privilege elevation / Windows | Workstations, Terminal Servers | No/No | No | Important | Win2000, XP, Server 2003 | Restart may be req'd | Patch after testing |
| MS10-003 978214 | Arbitrary code / Office | Workstations, Terminal Servers | No/No | No | Important | Office XP, Office 2004 for Mac | | Patch after testing |
| MS10-006 978251 | Arbitrary code, Privilege elevation, Denial of service / SMB Client | Workstations, Servers | No/No | No | Critical | Win2000, XP, Win2003, Vista, Win2008, Windows 7, Win2008 R2 | Restart Req'd | Patch after testing |
| MS10-008 978262 | Arbitrary code / ActiveX | Workstations, Terminal Servers | No/No | Yes | Critical | Win2000, XP, Win2003, Vista, Win2008, Windows 7, Win2008 R2 | Cumulative Update | Set kill bits; patch after testing |
| MS10-005 978706 | Arbitrary code / Microsoft Paint | Workstations, Terminal Servers | No/No | Yes | Moderate | Win2000, XP, Server 2003 | Restart Req'd | Patch after testing |