Patch Tuesday Analysis for February 2010

Microsoft reports that it is not aware of any exploits as of the patch release date, at least for the vulnerabilities it has a patch for. We cannot rest, though, since the Exploitability Index rates 12 of the vulnerabilities a 1 (consistent exploit code likely). The 13 bulletins released still don't address everything, such as Security Advisory 980088 about the publicly disclosed Internet Explorer vulnerability we got last week, so we may yet get another out-of-band patch for Internet Explorer.

MS10-003 offers a workaround that simply says "do not open files from an untrusted source". It's common sense, but it cannot be relied upon in practice, especially when someone you trust gets infected with malware that sends you a file...

MS10-004: digging around a little indicates that PowerPoint Viewer may also be affected. However, Microsoft indicates the patch is not being offered for a standalone installation of PowerPoint Viewer 2003, for example, since that product is no longer supported.

MS10-005 addresses a vulnerability in the way JPEG files are rendered by Microsoft Paint. Guidance is offered on how to disable or remove Paint; doing so reduces the attack surface on machines where the program is not needed or wanted.

MS10-006 covers multiple vulnerabilities in the SMB client, with attack vectors from a malicious SMB server or a man-in-the-middle attack on an internal network. An attack could cause remote code to run or cause a denial of service. The workaround of using a firewall to block SMB at the perimeter cannot address all vectors, since it does nothing against an attacker who is already on the internal network.

MS10-008 is the cumulative security update of ActiveX kill bits, which stops the affected controls from being instantiated in Internet Explorer.
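A kill bit is only a registry flag, so it can be set ahead of the patch on machines that cannot take the update immediately. The following PowerShell is an added example, not code from the original post or from Microsoft; the CLSID it uses is a hypothetical placeholder, and the CLSIDs listed in the MS10-008 bulletin would be substituted for it.

```powershell
# Added example (not from the original post): set and verify an ActiveX kill bit.
# The CLSID below is a hypothetical placeholder; use the CLSIDs listed in MS10-008.
# A kill bit is the 0x400 bit of the DWORD "Compatibility Flags" under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.

$KillBit = 0x400

function Test-Is64BitOS {
    # A 32-bit PowerShell on x64 reports x86, so check the WOW64 variable as well.
    return ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') -or ($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64')
}

function Get-KillBitPath {
    param([string]$Clsid, [switch]$Wow64)
    $base = 'HKLM:\SOFTWARE'
    if ($Wow64) { $base = 'HKLM:\SOFTWARE\Wow6432Node' }
    return "$base\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Set-KillBit {
    param([Parameter(Mandatory=$true)][string]$Clsid)
    # On 64-bit Windows both the native hive and the 32-bit (Wow6432Node) hive matter,
    # because the 32-bit Internet Explorer is the one most users actually run.
    $paths = @(Get-KillBitPath $Clsid)
    if (Test-Is64BitOS) { $paths += Get-KillBitPath $Clsid -Wow64 }
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        $current = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $current) { $current = 0 }
        # OR the bit in so that any other compatibility flags already set are preserved.
        Set-ItemProperty -Path $p -Name 'Compatibility Flags' -Value ($current -bor $KillBit) -Type DWord
    }
}

function Test-KillBit {
    param([Parameter(Mandatory=$true)][string]$Clsid, [switch]$Wow64)
    $p = Get-KillBitPath $Clsid -Wow64:$Wow64
    $flags = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
}

# Hypothetical placeholder CLSID, for demonstration only.
$clsid = '{00000000-0000-0000-0000-000000000000}'
Set-KillBit -Clsid $clsid
"Kill bit set for $clsid (native hive): $(Test-KillBit -Clsid $clsid)"
if (Test-Is64BitOS) { "Kill bit set for $clsid (Wow6432Node): $(Test-KillBit -Clsid $clsid -Wow64)" }
```

Writing HKLM requires an elevated prompt, and on 64-bit Windows the script should be run from the 64-bit PowerShell, since a 32-bit PowerShell has its HKLM\SOFTWARE writes redirected to Wow6432Node and the native 64-bit browser would not get the bit. The bulletin itself sets the same bits, so the script is a stop-gap for the test window, not a replacement for the update.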

MS10-010 is for those that run Hyper-V on Server 2008, especially those that allow untrusted users on guest machines. An exploit run inside a guest machine can bring the host system down.

One of the vulnerabilities in MS10-012 is publicly disclosed. Any machine that runs the SMB Server service is at risk; the risk is limited if no network shares are exposed.
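Before deciding how urgently a given host needs MS10-012, it helps to know whether it actually exposes SMB. The following PowerShell is an added example, not code from the original post, that inventories the Server service state, the non-administrative shares offered, and whether anything is listening on the SMB ports.

```powershell
# Added example (not from the original post): inventory this host's exposure to the
# SMB Server vulnerabilities in MS10-012.

function Get-SmbServerState {
    # LanmanServer is the "Server" service that implements SMB file and print sharing.
    $svc = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
    if ($svc) { return $svc.Status.ToString() } else { return 'NotInstalled' }
}

function Get-UserShares {
    # Win32_Share.Type has the high bit (0x80000000) set for administrative shares such
    # as ADMIN$, C$ and IPC$; filter those out to see what was deliberately shared.
    Get-WmiObject -Class Win32_Share |
        Where-Object { ($_.Type -band 0x80000000) -eq 0 } |
        Select-Object Name, Path, Description
}

function Get-SmbListeners {
    # Parse netstat for listeners on the NetBIOS session (139) and direct-hosted SMB (445) ports.
    netstat -an | Where-Object { $_ -match '^\s*TCP\s+\S+:(139|445)\s+\S+\s+LISTENING' }
}

"Server service: $(Get-SmbServerState)"
$shares = @(Get-UserShares)
"Non-administrative shares: $($shares.Count)"
$shares | Format-Table -AutoSize
"SMB listeners:"
Get-SmbListeners
```

A host with the Server service running and port 445 listening is reachable by the publicly disclosed issue even if it has no user shares, because the administrative shares and IPC$ are still there; the share list only tells you how much of the file system is exposed once a connection is made. Treat "no user shares" as a reason to schedule rather than to skip.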

MS10-013 illustrates how multimedia can make a server vulnerable, although best practice would preclude playing games or watching videos on a server. I'd better stop playing pinball on that client's huge DB server...

Only Domain Controllers that have a trust relationship with a non-Windows Kerberos realm are vulnerable, as mentioned in MS10-014.

In MS10-015 the workaround (prevent access to 16-bit applications) only addresses one of the two vulnerabilities.
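The "prevent access to 16-bit applications" workaround is a Group Policy setting that writes a single registry value, so it can be applied and checked from a script while the patch is in testing. The following PowerShell is an added example, not code from the original post or from Microsoft; the registry path is the documented location of that policy, and the check for ntvdm.exe is the way this example decides whether the 16-bit subsystem exists at all.

```powershell
# Added example (not from the original post): apply and verify the MS10-015 workaround
# "Prevent access to 16-bit applications". The policy writes VDMDisallowed = 1 under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat so that ntvdm.exe cannot be started.

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'

function Test-NtvdmPresent {
    # 64-bit Windows ships no NTVDM, so the policy is moot there; ntvdm.exe exists only on 32-bit.
    return (Test-Path (Join-Path $env:windir 'System32\ntvdm.exe'))
}

function Test-16BitBlocked {
    if (-not (Test-NtvdmPresent)) { return $true }
    $v = (Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue).VDMDisallowed
    return ($v -eq 1)
}

function Disable-16BitApplications {
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    Set-ItemProperty -Path $PolicyPath -Name VDMDisallowed -Value 1 -Type DWord
}

if (Test-16BitBlocked) {
    '16-bit applications already blocked, or NTVDM not present on this platform.'
} else {
    Disable-16BitApplications
    "VDMDisallowed set; policy now effective: $(Test-16BitBlocked)"
}
```

The write needs an elevated prompt. Remember that, as the bulletin notes, this blocks only one of the two vulnerabilities, and it will break any legitimate 16-bit tools (old installers, DOS utilities) still in use, which is exactly the kind of thing that surfaces during the "patch after testing" window.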

| Bulletin | KB | Exploit types / technology affected | System types affected | Exploit details public? / Being exploited? | Comprehensive, practical workaround available? | MS severity rating | Products affected | Notes | Randy's recommendation |
|---|---|---|---|---|---|---|---|---|---|
| MS10-012 | 971468 | Arbitrary code / SMB Server | Servers | Yes / No | No | Important | Win2000, XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Restart req'd | Patch after testing |
| MS10-009 | 974145 | Arbitrary code, denial of service / Windows | Workstations, Servers | No / No | No | Critical | Vista, Server 2008 | Restart req'd | Patch after testing |
| MS10-004 | 975416 | Arbitrary code / Office PowerPoint | Workstations, Terminal Servers | No / No | No | Important | Office XP, Office 2003, Office 2004 for Mac | Multiple vulnerabilities | Patch after testing; update PowerPoint Viewer |
| MS10-007 | 975713 | Arbitrary code / Windows | Workstations, Terminal Servers | No / No | No | Critical | Win2000, XP, Server 2003 | Restart req'd | Patch after testing |
| MS10-015 | 977165 | Privilege elevation / Windows | Workstations, Terminal Servers | Yes / No | No | Important | Win2000, XP, Vista, Server 2003, Server 2008, Windows 7 | Restart req'd | Patch after testing |
| MS10-014 | 977290 | Denial of service / Kerberos | Domain Controllers | No / No | No | Important | Win2000 Server, Server 2003, Server 2008 | Restart req'd | Patch after testing |
| MS10-010 | 977894 | Denial of service / Hyper-V | Servers | No / No | No | Important | Server 2008, Server 2008 R2 | Restart req'd | Patch after testing |
| MS10-013 | 977935 | Arbitrary code / DirectShow | Workstations, Terminal Servers | No / No | No | Critical | Win2000, XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Restart req'd | Patch after testing |
| MS10-011 | 978037 | Privilege elevation / Windows | Workstations, Terminal Servers | No / No | No | Important | Win2000, XP, Server 2003 | Restart may be req'd | Patch after testing |
| MS10-003 | 978214 | Arbitrary code / Office | Workstations, Terminal Servers | No / No | No | Important | Office XP, Office 2004 for Mac | | Patch after testing |
| MS10-006 | 978251 | Arbitrary code, privilege elevation, denial of service / SMB Client | Workstations, Servers | No / No | No | Critical | Win2000, XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Restart req'd | Patch after testing |
| MS10-008 | 978262 | Arbitrary code / ActiveX | Workstations, Terminal Servers | No / No | Yes | Critical | Win2000, XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Cumulative update | Set kill bits; patch after testing |
| MS10-005 | 978706 | Arbitrary code / Microsoft Paint | Workstations, Terminal Servers | No / No | Yes | Moderate | Win2000, XP, Server 2003 | Restart req'd | Patch after testing |
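Once the Windows bulletins have been approved, the KB numbers in the table are what to look for on each box. The following PowerShell is an added example, not code from the original post, that reports which of this month's Windows updates a machine has installed. The Office bulletins (MS10-003, MS10-004) are installed by Office Update and do not show up in the Quick Fix Engineering data that Get-HotFix reads, so they are left out.

```powershell
# Added example (not from the original post): report which of this month's Windows
# bulletins are installed on this host, keyed by the KB numbers from the table.

$Bulletins = @{
    'MS10-005' = 'KB978706'; 'MS10-006' = 'KB978251'; 'MS10-007' = 'KB975713'
    'MS10-008' = 'KB978262'; 'MS10-009' = 'KB974145'; 'MS10-010' = 'KB977894'
    'MS10-011' = 'KB978037'; 'MS10-012' = 'KB971468'; 'MS10-013' = 'KB977935'
    'MS10-014' = 'KB977290'; 'MS10-015' = 'KB977165'
}

function Get-BulletinStatus {
    param([hashtable]$Map = $Bulletins)
    # Get-HotFix wraps Win32_QuickFixEngineering; HotFixID values look like "KBnnnnnn".
    $installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })
    foreach ($b in ($Map.Keys | Sort-Object)) {
        $kb = $Map[$b]
        New-Object PSObject -Property @{
            Bulletin  = $b
            KB        = $kb
            Installed = ($installed -contains $kb)
        }
    }
}

$status = @(Get-BulletinStatus)
$status | Sort-Object Bulletin | Format-Table Bulletin, KB, Installed -AutoSize
$missing = @($status | Where-Object { -not $_.Installed })
"Not installed: $($missing.Count) of $($Bulletins.Count)"
```

"Not installed" is not the same as "missing": the Products affected column shows that several bulletins apply only to some versions (MS10-009 to Vista and Server 2008, MS10-005 and MS10-011 to 2000/XP/2003, MS10-010 to Hyper-V hosts), so compare the output against that column for the host's OS before raising a ticket. Run the same script against a sample of machines after each deployment wave to confirm the update actually landed rather than trusting the deployment tool's status alone.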


"Thank you. I am very glad I subscribed to this newsletter.  Relevant content clearly and concisely. Finally!!!"

- John K.

"I really like the Fast Facts on this Month's Microsoft Security Bulletins. Do you keep old copies? If yes, please let me know how I can access them?"

- Susan D.

"Thanks, Randy. Your regular updates have streamlined my monthly patching. Much appreciated,"

- Steve T.

"Really appreciate your patch observer. In the corporate IT world, anything we can get our hands on that speeds the process of analyzing threats and how they may or may not apply to our environments is a God-send. Thanks so much for your efforts."

- Tess G.

"Many thanks for this Randy"

- Roger G.

"The chart is a REAAALLY good idea :)"

- Phil J.

"I like the table. Your insight is very valuable. "

- Tom C.

"I liked your high level overview of patches in the table. There are so many sources of patch information which can be very specific or surrounded by other stuff that it’s refreshing to get everything summarised like this. The “Randy’s Recommendation” comment is useful starting point too. Please keep up the good work."

- David A.

"Your Patch Tuesday Observer is a very good tool in making the decision whether to patch or not to patch, and also whether to patch asap or to wait a while before patching. Also, I do think the use of the table is really improving the readability of the provided information."

- Gerard T.