I have applied the Windows Update patches and Flash updates to my systems and I haven't seen any issues, but I don't use Microsoft Office and there are critical patches to Office this month. According to Brian Krebs, the Office patch is very important: "... a patch that fixes at least four vulnerabilities in Microsoft Office, the most severe of which could lead to users infecting their PCs with malware simply by opening or viewing a specially-crafted e-mail. SANS rated many of the patches "Critical" but none are rated "PATCH NOW", so business users should probably hold off a day or two until the electronic dust settles. However, if you use a Microsoft email program (Outlook, Outlook Express, or Windows Mail), you should consider patching soon.
Note that if you use Firefox or Chrome or Safari on Windows, you need to patch Flash twice, once for Internet Explorer and once for your other browsers.
Critical Updates for Windows, Flash Player — Krebs on Security
SANS: August 2010 Microsoft Black Tuesday Summary
US-CERT Current Activity: Microsoft Releases August Security Bulletin
August 2010 Security Bulletin Release - The Microsoft Security Response Center (MSRC) - Site Home - TechNet Blogs
Note that if you use Firefox or Chrome or Safari on Windows, you need to patch Flash twice, once for Internet Explorer and once for your other browsers.
Critical Updates for Windows, Flash Player — Krebs on Security
Microsoft issued a record number of software updates today, releasing 14 update bundles to plug at least 34 security holes in its Windows operating system and other software. More than a third of flaws earned a “critical” severity rating, Microsoft’s most serious. Separately, Adobe released an update for its Flash Player that fixes a half-dozen security bugs.
... The software giant also urged customers to quickly deploy a patch that fixes at least four vulnerabilities in Microsoft Office, the most severe of which could lead to users infecting their PCs with malware simply by opening or viewing a specially-crafted e-mail.
More details on the rest of this month’s updates are available here. Just a quick note about this patch batch for consumers: It might not hurt to wait a day or two before applying the Microsoft updates. Given the sheer number of vulnerabilities addressed in this release, there is a good chance that one or more of them may turn out to cause problems for some customers. Also, there don’t appear to be any online threats actively exploiting any of these flaws at the moment.
In other news, Adobe released a patch for its ubiquitous Flash Player that fixes at least six flaws in Flash. The newest version brings Flash to v. 10.1.82.76. If you’d like to know what version of Flash you are currently using, browse to this link.
SANS: August 2010 Microsoft Black Tuesday Summary
Overview of the Aug 2010 Microsoft Patches and their status.
Update: Microsoft also released an advisory for an unpatched privilege escalation vulnerability
Update 2: Exploit code apparently exists for MS10-048, but it is not being seen in the wild at present.
US-CERT Current Activity: Microsoft Releases August Security Bulletin
added August 10, 2010 at 01:25 pm
Microsoft has released updates to address vulnerabilities in Microsoft Windows, Internet Explorer, Office, and Silverlight as part of the Microsoft Security Bulletin Summary for August 2010. These vulnerabilities may allow an attacker to execute arbitrary code or operate with elevated privileges.
US-CERT encourages users and administrators to review the bulletins and follow best-practice security policies to determine which updates should be applied.
August 2010 Security Bulletin Release - The Microsoft Security Response Center (MSRC) - Site Home - TechNet Blogs
Hello all. As part of our usual cycle of monthly updates, today Microsoft is releasing 14 security bulletins, addressing 34 vulnerabilities. Eight of those bulletins have a Critical severity rating, and we consider four of those to be high-priority deployments:
- MS10-052
This bulletin resolves a privately reported vulnerability in
Microsoft's MPEG Layer-3 audio codecs. The vulnerability could allow
remote code execution if a user opens a specially crafted media file or
receives specially crafted streaming content from a Web site. An
attacker who successfully exploited this vulnerability could gain the
same user rights as the logged-on user.
- MS10-055
This bulletin resolves a privately reported vulnerability in Cinepak
Codec, which is used by Windows Media Player to support the .avi
audiovisual format. The vulnerability could allow remote code execution
if a user opens a specially crafted media file, or receives specially
crafted streaming content from a Web site. An attacker who successfully
exploited this vulnerability could gain the same user rights as the
logged-on user.
- MS10-056
This bulletin resolves four privately reported vulnerabilities in
Microsoft Office. The most severe vulnerabilities could allow remote
code execution if a user opens or previews a specially crafted RTF
e-mail message. An attacker who successfully exploited any of these
vulnerabilities could gain the same user rights as the local user.
Windows Vista and Windows 7 are less exploitable due to additional heap
mitigation mechanisms in those operating systems.
- MS10-060
This bulletin resolves two privately reported vulnerabilities, both of
which could allow remote code execution, in Microsoft .NET Framework and
Microsoft Silverlight.
Currently none of the vulnerabilities addressed has been observed under exploit in the wild.
Posts
No comments:
Post a Comment