Patch Tuesday packs in solutions to 34 serious Microsoft flaws

According to Microsoft, eight of the bulletins are rated critical owing to the risk of remote code execution.

Despite the complexity of the update, Infosecurity notes that security forum reports suggest that the vast majority of installs went smoothly.

Over on Computerworld, writer Greg Keizer said that this month's Patch Tuesday was the largest ever in terms of security bulletins, and was equal to the single-month record in terms of individual patches.

According to Wolfgang Kandek, Qualys' chief technology officer, the Patch Tuesday update from Microsoft comes in a busy week on the update front, as Adobe has just released a Flash update and will be releasing a patch for an Adobe Reader zero-day vulnerability published a few weeks ago at the Black Hat security conference.

IT admins, he says, should first tackle the updates that represent the biggest attack potential: end-users and internet browsing are the subject of six bulletins, all of them of critical severity and four of them with an exploitability rating of '1', indicating that working exploits are expected within 30 days.

"MS10-053 has six direct fixes for Internet Explorer, while the ZDI submitted MS10-055 and MS10-052 address issues in media-plugins: MS10-055 for the Cinepak codec and MS10-052 for the MP3 file format", he said.

"MS10-060 patches a critical .NET framework issue that can be exploited through web browsing/Silverlight and MS10-051 addresses a vulnerability in the Internet Explorer MSXML ActiveX component. MS10-049 deals with a client side vulnerability of the HTTPS protocol that can be triggered by a malicious HTTPS site", he added.

According to Kandek, this bulletin and the preceding MSXML ActiveX bulletin are the two in the group that are rated '2' on the exploitability scale (harder to exploit). All of these updates should be applied as soon as possible.

The Qualys CTO notes that a second group of updates has its focus on file format vulnerabilities. The most critical is MS10-056, a vulnerability in the RTF format in Microsoft Word 2007 and older. An attacker can craft a malicious file that triggers a remote code execution when opened by Word on the target computer.

Users of Outlook 2007 installations need to pay special attention, he says, since the preview pane in Outlook is configured by default to use Word to render the RTF format. This makes Outlook 2007 susceptible to an attack that does not even require the opening of the email.

According to Qualys, users should apply this update as quickly as possible. MS10-057 and MS10-050, meanwhile, provide fixes for file format vulnerabilities in Excel 2003 and earlier and in Windows Movie Maker (a default component in Windows XP). Both have an exploitability rating of "1" and should be addressed as soon as possible.

"The remainder of the August updates all address local flaws of the Windows operating system family and are rated important as the attacker needs to be present on the target system to make use of them. MS10-047 is a Windows Kernel flaw, MS10-048 a flaw in the win32k.sys driver and MS10-059 fixes a problem in the tracing component of Windows", he said.

Kandek went on to say that last week Microsoft released a bulletin for the 0-day flaw using the LNK file type.

"If you have not done so yet, apply MS10-046 together with the first group of patches as desktop systems are at the highest risk of attack using the LNK vulnerability", he said.

Qualys has posted a useful video about the updates on YouTube.


