The Microsoft Patch Tuesday train rolled into town today, dropping off a massive 10 security bulletins with fixes for at least 34 documented vulnerabilities.
Three of the bulletins are rated “critical” because of the risk of remote code execution attacks. Affected products include the Windows operating system, Microsoft Office, the Internet Explorer browser and Internet Information Services (IIS).
This month’s patch batch also provides cover for a known cross-site scripting flaw in the Microsoft SharePoint Server and a publicly discussed data leakage hole in Internet Explorer.
Microsoft is urging its users to pay special attention to MS10-033 (Windows), MS10-034 (ActiveX killbits) and MS10-035 (Internet Explorer) because these contain fixes for issues that may be exploited by malicious hackers very soon.
Here’s the skinny on these three bulletins:
- MS10-033 — This security update resolves two privately reported vulnerabilities in Microsoft Windows. These vulnerabilities could allow remote code execution if a user opens a specially crafted media file or receives specially crafted streaming content from a Web site or any application that delivers Web content. This is rated Critical for Quartz.dll (DirectShow) on Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008; Critical for Windows Media Format Runtime on Microsoft Windows 2000, Windows XP, and Windows Server 2003; Critical for Asycfilt.dll (COM component) on Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2; and Important for Windows Media Encoder 9 x86 and x64 on Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.
- MS10-034 — This security update addresses two privately reported vulnerabilities for Microsoft software. This security update is rated Critical for all supported editions of Microsoft Windows 2000, Windows XP, Windows Vista, and Windows 7, and Moderate for all supported editions of Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page that instantiates a specific ActiveX control with Internet Explorer. It also includes kill bits for four third-party ActiveX controls.
- MS10-035 — Fixes five privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This security update is rated Critical for Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4; Critical for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 on Windows clients; and Moderate for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 on Windows servers.
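MS10-034 ships kill bits for third-party ActiveX controls, and a kill bit is nothing more than the 0x400 flag in the "Compatibility Flags" DWORD under the per-CLSID "ActiveX Compatibility" registry key (the mechanism Microsoft documents in KB240797). The following PowerShell is an added example, not code from the post or from Microsoft: it verifies that a given CLSID is kill-bitted after patching and inventories every kill-bitted control on the machine. The all-zeros CLSID is a placeholder, since the post does not list the four CLSIDs; substitute the values from the bulletin.

```powershell
# Added example: verify IE ActiveX kill bits after applying MS10-034.
# A kill bit is the 0x400 flag in "Compatibility Flags" under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
# The CLSID used below is a placeholder; use the CLSIDs from the bulletin.

$KillBitFlag = 0x400
$CompatKey   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Test-ActiveXKillBit {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Clsid          # e.g. '{00000000-0000-0000-0000-000000000000}' (placeholder)
    )
    $keyPath = Join-Path $CompatKey $Clsid

    # No key at all means no compatibility flags, hence no kill bit.
    if (-not (Test-Path $keyPath)) {
        return [pscustomobject]@{ Clsid = $Clsid; KillBitSet = $false; Flags = $null }
    }

    $flags = (Get-ItemProperty -Path $keyPath -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    $set = ($null -ne $flags) -and (($flags -band $KillBitFlag) -eq $KillBitFlag)
    return [pscustomobject]@{ Clsid = $Clsid; KillBitSet = $set; Flags = $flags }
}

function Get-KillBittedControls {
    # Walk every CLSID subkey and keep those whose flags carry the 0x400 bit.
    Get-ChildItem -Path $CompatKey -ErrorAction SilentlyContinue | ForEach-Object {
        $flags = (Get-ItemProperty -Path $_.PSPath -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -ne $flags -and (($flags -band $KillBitFlag) -eq $KillBitFlag)) {
            [pscustomobject]@{ Clsid = $_.PSChildName; Flags = ('0x{0:X}' -f $flags) }
        }
    }
}

# Usage (placeholder CLSID; replace with the bulletin's CLSIDs):
Test-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}'
Get-KillBittedControls | Sort-Object Clsid | Format-Table -AutoSize
```

On 64-bit Windows the 32-bit browser reads the mirrored key under `HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility`, so a complete check runs the same test against both paths; this is also why a kill bit can appear set in one view and absent in the other.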
Qualys CTO Wolfgang Kandek noticed that four of the 10 bulletins address zero-day issues, the most significant being MS10-035, which fixes the zero-day published by Core Security for an information disclosure vulnerability originally published in February 2010. It also fixes the Pwn2Own vulnerability that security researcher Peter Vreugdenhil used to win ZDI’s competition at CanSecWest. During that contest, Vreugdenhil bypassed all built-in protections such as DEP and ASLR by combining multiple attack methods.
The MS10-040 bulletin is also interesting. It covers a remotely exploitable vulnerability in all versions of IIS, but it is present only if the administrator has downloaded and installed the Channel Binding Update and enabled Windows Authentication. It further requires an account on the system, reducing the number of vulnerable hosts to a small subset. Microsoft rates this an “important” update.