August 2010 Patch Tuesday Overview
Microsoft has released their planned 14 bulletins fixing 34 vulnerabilities today. There are 4 bulletins that administrators should look at patching as soon as possible.
MS10-052 and MS10-055 both affect media files and are rated as Critical. Opening a malicious media file can lead to remote code execution. Downloading and playing media files is becoming more prevalent today as social interaction is moving to video. This makes these vulnerabilities prime targets for attacks.
MS10-056 affects Microsoft Word and is rated as Critical. Opening a malicious document can lead to remote code execution. In addition to Microsoft Word, Microsoft Outlook 2007 can also play a part in exploitation. In Outlook 2007, simply opening an email with a malicious attachment can lead to remote code execution. This version of Outlook can be affected by viewing the document in the reading pane as Outlook 2007 uses Microsoft Word as the default email reader. RTF documents are extremely common and are typically not blocked by companies as attachments. We can expect malicious RTF documents in users email boxes in the coming weeks.
MS10-060 affects Silverlight. This patch fixes a vulnerability that can lead to remote code execution. Microsoft has patched Silverlight in the past, but this patch is more critical than past patches. An attacker only needs to entice a user to visit a malicious website in order to deliver a payload. The Silverlight install is amazingly easy, so you can assume that a lot of your computers currently have this program installed. I have not heard of any Silverlight exploits, but I expect to see more with the release of this patch.
There are a couple of other bulletins this month that also require extra attention.
MS10-054 affects the SMB service on Microsoft Windows. Normally, alarms would be going off for security researchers as typical SMB vulnerabilities can lead to worm based attacks. With this vulnerability though, there are some factors that will make it a lower risk. In newer versions of the Microsoft operating system (Windows 2003 and newer) require the attacker to be authenticated. This instantly lowers the risk of a worm as most attacks need to be unauthenticated. In older operating systems (Windows XP), the attack can be unauthenticated. The vulnerability itself would be very difficult to exploit as the attacker cannot control the outcome of the exploit on the machine. The most likely result will be a denial of service attack as the system will become unresponsive and reboot.
MS10-047 affects the Windows Kernel. Although this bulletin has a lower severity rating, it is imperative to test this patch before deploying to your computers. Patching the Windows Kernel can at times leave the system completely unusable. We’ve seen this with machines infected by rootkits in the past. Microsoft has taken steps since that time to ensure the Kernel will not be adversely affected by the patch, but you should still apply this patch to a set of test systems before deploying.
MS10-046 was released out-of-band on August 2nd. Some organizations were waiting to deploy this patch until the regularly scheduled patch day. This bulletin should be addressed right away as well as there are currently exploits for the vulnerability. If you have applied the workaround for the vulnerability, it is important to remember to unapply the workaround. Users will be happy to see their icons on their desktops and start menus return to normal.
This large patch month will affect all of your systems, workstations or desktops. This many patches can increase network bandwidth, increase the time for the system to run each patch and require reboots. Be sure to take the time and review the bulletin summaries and have a clear plan of a patch attack.
- Jason Miller