Qualys Blog

www.qualys.com
wkandek

Patch Tuesday Bottomline – December 2010

Microsoft delivered the largest number of bulletins ever in its December 2010 Patch Tuesday. How many of the 17 bulletins apply in your organization depends on the exact software you have installed, but collectively the updates cover all versions of Windows, Microsoft Office and the server products Microsoft Exchange 2007 and Microsoft SharePoint 2007.

Only two of the bulletins are rated critical, and both should be high on your priority list for immediate roll-out. MS10-090 is an update for all versions of Internet Explorer and includes a fix for the 0-day vulnerability described in Microsoft Security Advisory 2458511 (KB2458511). The underlying vulnerability is mitigated by DEP (Data Execution Prevention), which is enabled by default in IE8; DEP raises the cost of exploitation without fixing the bug itself, but it is a good example of why keeping up with the latest software versions improves the overall robustness of the system. Microsoft publishes attack-tracking statistics for KB2458511 on its MMPC blog, and while the attacks do not appear to be very widespread, we have heard that they have picked up recently.

The second critical bulletin is MS10-091, which fixes vulnerabilities in the OpenType Font (OTF) driver. The vulnerability can be triggered simply by browsing in Windows Explorer to a directory or network share that contains the malicious font file; no further user interaction is required. Windows XP and 2003 are not exposed to this browse-to-trigger path, because the "shell preview" functionality was added in the next generation of the Windows OS family. Users of Vista, Windows 7 and Windows 2008 need to apply this update and should do so immediately, as this is an easily exploitable flaw.

MS10-105 fixes a flaw in the graphics filters of Microsoft Office that can be used to take control of the targeted machine when a user opens a specially crafted input file. Delivering malicious files by e-mail and web download is a well-established attacker technique, so MS10-105 should be high on the priority list as well.

Other interesting vulnerabilities addressed include MS10-092 and MS10-102:

  • MS10-092 is the last fix for the Stuxnet family of vulnerabilities; the others were MS10-046, MS10-061 and MS10-073. MS10-092 addresses a flaw in the Task Scheduler that a local user can abuse to gain SYSTEM privileges, and it applies only to Windows Vista, Windows 7 and Windows 2008. By the way, ESET has an excellent analysis of all the Stuxnet vulnerabilities in their whitepaper "Stuxnet Under the Microscope".
  • MS10-102 fixes a vulnerability in Microsoft Hyper-V. While it is "only" a denial of service, it illustrates a coming class of vulnerabilities in which a user on a guest operating system can shut down the host operating system of the virtual machine, multiplying the impact across every other guest on that host.

MS10-093, 94, 95, 96 and 97 all address DLL preloading vulnerabilities in Microsoft software. DLL preloading problems came to light in August of this year, and Microsoft published advisory KB2269637 to deal with the issue from an operating-system perspective. While MS10-093 to MS10-097 fix specific Microsoft products (as MS10-083 did), we also recommend applying the update and workarounds described in that Knowledge Base article, which restrict loading of DLLs from the current working directory for the system as a whole. Secunia maintains a list of 3rd-party applications that have been shown vulnerable to DLL preloading attacks. The list has over 200 vulnerable applications at http://secunia.com/advisories/windows_insecure_library_loading/ and includes two of the five applications (Media Encoder, Address Book) that are being fixed this month.
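The operating-system-level workaround from advisory KB2269637 is a registry value, CWDIllegalInDllSearch, that Windows honours once the accompanying KB2264107 update is installed. The script below is an added example, not code from this post or from Microsoft: it audits the machine-wide setting and per-application overrides, reports which ones are still at the weak default, and contains (commented out) the calls that apply the stronger settings. It assumes an elevated PowerShell session, assumes KB2264107 is installed (without it the value is ignored), and the executable names used for the per-application checks (wab.exe, wmenc.exe) are assumed for illustration rather than taken from the bulletins.

```powershell
# Added example (not from the Qualys post): audit and apply the CWDIllegalInDllSearch
# workaround from Microsoft Security Advisory 2269637 / KB2264107.
# Assumptions: elevated session; KB2264107 installed (otherwise Windows ignores the value);
# the per-application executable names below are assumed, not taken from the advisory.

$SessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$IfeoRoot       = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$ValueName      = 'CWDIllegalInDllSearch'

# DWORD meanings documented in KB2264107:
#   not set / 0  -> the current working directory (CWD) is searched for DLLs (weak, default)
#   1            -> block DLL loads from the CWD when the CWD is a WebDAV share
#   2            -> block DLL loads from the CWD when the CWD is any remote share
#   0xFFFFFFFF   -> remove the CWD from the DLL search path entirely (strongest; may break old apps)

function Get-CwdDllSearchSetting {
    # Returns the value as an unsigned integer, or $null when the key or value is absent.
    param([string]$KeyPath)
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    # A DWORD of 0xFFFFFFFF reads back as the signed value -1; normalise it to 4294967295.
    return [uint32]([int64]$item.$ValueName -band 0xFFFFFFFF)
}

function Format-CwdDllSearchSetting {
    param($Value)
    if ($null -eq $Value) { return 'NOT SET: CWD is searched for DLLs (weak, pre-advisory behaviour)' }
    switch ($Value) {
        0          { 'WEAK: set to 0, CWD is searched for DLLs' }
        1          { 'blocks CWD DLL loads only when the CWD is a WebDAV share' }
        2          { 'blocks CWD DLL loads when the CWD is any remote share (SMB or WebDAV)' }
        4294967295 { 'CWD removed from the DLL search path (strongest setting)' }
        default    { "unrecognised value $Value" }
    }
}

function Test-CwdDllSearchHardened {
    # True when the setting blocks at least remote-share CWD loads (2 or 0xFFFFFFFF).
    param([string]$KeyPath = $SessionManager)
    $v = Get-CwdDllSearchSetting -KeyPath $KeyPath
    return ($null -ne $v) -and ($v -eq 2 -or $v -eq 4294967295)
}

function Set-CwdDllSearchSetting {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateScript({ @(1, 2, 4294967295) -contains $_ })]
        [uint64]$Value,
        [string]$Executable    # e.g. 'wab.exe' (assumed name); omit to set the machine-wide default
    )
    $target = if ($Executable) { Join-Path $IfeoRoot $Executable } else { $SessionManager }
    if (-not (Test-Path $target)) { New-Item -Path $target -Force | Out-Null }
    # Set-ItemProperty -Type DWord takes a signed Int32, so 0xFFFFFFFF has to be written as -1.
    $dword = if ($Value -eq 4294967295) { -1 } else { [int]$Value }
    Set-ItemProperty -Path $target -Name $ValueName -Value $dword -Type DWord
}

# --- audit -------------------------------------------------------------------
if (-not (Get-HotFix -Id KB2264107 -ErrorAction SilentlyContinue)) {
    Write-Warning 'KB2264107 is not installed: Windows will ignore CWDIllegalInDllSearch.'
}
Write-Host ('Machine-wide: ' + (Format-CwdDllSearchSetting (Get-CwdDllSearchSetting $SessionManager)))
Write-Host ('Machine-wide hardened: ' + (Test-CwdDllSearchHardened))

# Per-application overrides; these executable names are assumed for illustration.
foreach ($exe in 'wab.exe', 'wmenc.exe') {
    $v = Get-CwdDllSearchSetting (Join-Path $IfeoRoot $exe)
    Write-Host ('{0,-10} {1}' -f $exe, (Format-CwdDllSearchSetting $v))
}

# --- remediate (uncomment to apply) ------------------------------------------
# Machine-wide: block DLL loads from any remote CWD; keeps local installs working.
# Set-CwdDllSearchSetting -Value 2
# Per application: remove the CWD from the search path entirely for one executable.
# Set-CwdDllSearchSetting -Value 4294967295 -Executable 'wab.exe'
```

The per-application override lives under the Image File Execution Options key and takes precedence over the machine-wide value, which is the practical way to apply the strongest setting (0xFFFFFFFF) only to the programs you know are affected while leaving the rest of the system at 2. Whatever value you pick, test it on a representative set of applications first: older programs that deliberately load helper DLLs from their working directory will stop working under 0xFFFFFFFF.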
