Tuesday, February 9, 2010

Mega-patch Tuesday has 13 patches, many critical

At least SANS doesn't give any of them its worst "PATCH NOW" rating.  But many are rated "Critical".  I have patched all my systems and am waiting for a day or so of feedback on the blogs before patching business client systems. Home users should patch today or tomorrow; don't wait!

ZDNet has a good, user-friendly write-up on three or four it considers the most critical:
Patch Tuesday: Microsoft plugs critical Windows worm holes | Zero Day | ZDNet.com
Microsoft today released 13 security bulletins with fixes for 26 vulnerabilities affecting Windows and Office users and warned customers to pay special attention to a slew of flaws that can be trivially exploited by malware miscreants.

The company urged customers to prioritize and deploy four updates because of the “critical” severity rating and the fact that “consistent exploit code” is likely within the next 30 days.

Here’s the skinny on the three updates that should be applied immediately:

* MS10-013: Addresses a Critical vulnerability in DirectShow, should be at the top of your list for testing and deployment. This issue is Critical on all supported versions of Windows except Itanium based server products and has an Exploitability Index rating of 1. To exploit the vulnerability, an attacker could host a malicious AVI file on a website and convince a user to visit the site, or send the file via email and convince a user to open it.

* MS10-006: This is also rated Critical on all versions of Windows, except Windows Vista and Windows Server 2008, and addresses 2 vulnerabilities in SMB Client. One of the vulnerabilities has an Exploitability Index rating of 1. In the simplest scenario, a system connecting to a network file share is an SMB Client. The issue occurs during the client/server negotiation phase of the connection. In order to exploit this issue, an attacker would need to host a malicious server and convince a client system to connect to it. An attacker could also try to perform a man-in-the-middle attack by responding to SMB requests from clients. From our analysis of this issue, we expect attempts to exploit it would be more likely to result in a Denial of Service than in Remote Code Execution.

* MS10-007: Fixes a Critical vulnerability in Windows Shell Handler that affects Windows 2000, Windows XP, and Windows Server 2003. The attack vector is through a specially crafted link that appears to the ShellExecute API to be a valid link. This issue has not been publicly exposed but we give it an Exploitability Index rating of 1, so we urge customers on affected platforms to install it as soon as possible.

A fourth bulletin — MS10-008 — includes ActiveX Kill Bits for Internet Explorer and should also be treated with the utmost priority because it exposes surfers to malicious code execution attacks.

Eleven of 13 bulletins affect the Windows operating system while two affect older versions of Microsoft Office.

Microsoft's Official Bulletin: Microsoft Security Bulletin Summary for February 2010

SANS summary: February 2010 Black Tuesday Overview

Update: Brian Krebs also has a good user-friendly write-up on today's patches: 13 Ways to Protect Your Windows PC — Krebs on Security
Microsoft today released a baker’s dozen of software updates to fix twice as many vulnerabilities in its various Windows operating systems and other software. Translation: If you use any supported version of Windows, it’s time once again to update your PC.

Update 2 Thu 11 Feb 2010 11:51 AM MST: I'm seeing multiple reports of BSODs installing some of these patches on Windows XP systems. Reports are here:
Update 3 Thu 11 Feb 2010 20:25: Microsoft has withdrawn MS10-015 pending further testing. See here:
The Microsoft Security Response Center (MSRC) : Restart issues after installing MS10-015
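With one bulletin withdrawn and BSOD reports circulating, the first thing an administrator wants to know is which of this month's updates actually landed on a given machine. The PowerShell snippet below is an added example written for this post; it is not code from the original post, from SANS, ZDNet, Krebs or Microsoft. It uses the standard Get-HotFix cmdlet (PowerShell 2.0 and later) to list updates installed on or after the 9 February 2010 release date, then checks for one specific KB article. The KB number in the script is a placeholder, since the post only names bulletins (MS10-015), not KB numbers; substitute the KB listed on the bulletin page.

```powershell
# Added example, not from the original post or from Microsoft.
# Lists updates installed since the February 2010 Patch Tuesday and reports
# whether a particular KB (placeholder below) is present on this machine.

$releaseDate = Get-Date '2010-02-09'
$kbToCheck   = 'KB000000'   # PLACEHOLDER: replace with the KB number given in bulletin MS10-015

# Get-HotFix returns HotFixID, Description and InstalledOn for each installed update.
# InstalledOn can be empty for some entries, so filter those out before comparing dates.
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $releaseDate } |
    Sort-Object InstalledOn

"Updates installed on $env:COMPUTERNAME since $($releaseDate.ToShortDateString()):"
$recent | Format-Table HotFixID, Description, InstalledOn -AutoSize

# Look up the one update we care about by its KB id.
if (Get-HotFix -Id $kbToCheck -ErrorAction SilentlyContinue) {
    "$kbToCheck is installed on this machine."
} else {
    "$kbToCheck is NOT installed on this machine."
}
```

Run it in an elevated PowerShell prompt on the workstation being checked; for a fleet, the same Get-HotFix call accepts a -ComputerName parameter so the check can be run against remote systems from a management host.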
