February Patch Tuesday Overview
Microsoft has released 13 new security bulletins for February’s patch Tuesday. The size of this release is not uncommon. Historically, Microsoft has had a light January followed by a large February. This month’s patches address 23 vulnerabilities. There have been no reports of active attacks against these vulnerabilities. One of these vulnerabilities has been publically disclosed.
The first three bulletins administrators should address right away:
MS10-006 affects the SMB client on all supported operating systems. This security bulletin addresses two vulnerabilities. Both of these vulnerabilities are not known at this time and not being exploited. Visiting a malicious site that makes a file sharing connection can result in remote code execution. In addition, a man-in-the-middle attack can happen with this vulnerability as they would be able to respond to legitimate SMB server/client requests with malformed packets. It is important to note that MS10-006 is not related to MS10-012. Both of these bulletins address issues for SMB but are not related.
MS10-007 affects the Windows Shell Handler in Windows 2000, XP and 2003 operating systems. This bulletin fixes one vulnerability that is not publically known or exploited at this time. Visiting a malicious website that contains a specially crafted webpage could lead to remote code execution. This vulnerability exists in both the operating system and Internet Explorer. For Internet Explorer, this vulnerability was addressed with the out of band security bulletin release in January (MS10-002). In some cases, you will need to apply:
- or -
Both MS10-002 and MS10-007
- or -
Either MS10-002 and MS10-007
MS10-007 has a table under the “Frequently Asked Questions (FAQ) Related to This Security Update” that will help guide you through what updates will apply to your systems.
MS10-013 affects Microsoft DirectShow on all supported operating systems. A vulnerability exists in DirectShow when opening AVI files. This bulletin fixes one vulnerability that is not publically known at this time. In an attack scenario, a user needs to be enticed into opening a malicious AVI file. This can lead to remote code execution. It is important to note that some operating systems may require multiple patches from this bulletin to fix the vulnerability. Media files are commonly sent and downloaded, so this vulnerability could affect many users.
MS10-003 affects Office XP. This bulletin addresses one vulnerability that is not publically known and not being exploited at this time. Opening a specially crafted Excel file on an unpatched system can lead to remote code execution.
MS10-004 affects PowerPoint in Office XP and Office 2003. This bulletin fixes six vulnerabilities. The vulnerabilities are not publically known at this time and not being exploited. Opening a specially crafted PowerPoint document can lead to remote code execution on an unpatched machine. With MS10-004, it is important to note that PowerPoint Viewer 2003 is affected by this vulnerability, but Microsoft is not releasing a patch for this version of the viewer. Microsoft is stating the product has reached the end of its lifecycle and will not supply any future security patches. You should identify all PowerPoint 2003 Viewers on your network and upgrade them to PowerPoint 2007. The newer version of the viewer is not affected by this vulnerability.
MS10-005 affects Microsoft Paint on Windows 2000, XP and 2003. This bulletin fixes one vulnerability that is not publically known at this time and not being exploited. In order to exploit this vulnerability, an attacker would have to convince a user to open a specially crafted JPEG file in Microsoft paint. If done on an unpatched system, this would lead to remote code execution.
MS10-008 is the cumulative update for ActiveX Kill Bits. This bulletin is commonly released every few months for additions to the Kill Bit list for ActiveX controls. This patch will prevent the following ActiveX controls from running on a system: Symantec WinFax Pro 10.3, Google Desktop Gadget v5.8, Facebook Photo Update 5.5.8 and PandaActiveScan Installer 2.0.
MS10-009 affects TCP/IP on Windows Vista and 2008. This bulletin addresses 4 vulnerabilities that are not publically known at this time or being exploited. The vulnerability specifically affects TCP/IPv6. If an attacker sends a specially crafted ICMPv6 packet to an unpatched system, an attacker would have remote code execution abilities. TCP/IPv6 is enabled by default on Windows Vista and Windows 2008 machines. Your computer can mitigate some of the vulnerability risk by turning on your firewall and blocking ICMPv6.
MS10-010 affects Hyper-V on Windows 2008. A vulnerability exists that is not publically known or being exploited at this time. In order to exploit this vulnerability, an attacker must have valid logon credentials to the target machine. A successful attack would cause a denial of service on the Windows 2008 system forcing a system restart.
MS10-011 affects the Windows Client/Server Run-time Subsystem on Windows 2000, XP and 2003. The one vulnerability addressed by this bulletin is not publically known or currently being exploited at this time. Like MS10-010, an attacker must have valid logon credentials to exploit this vulnerability. If successfully exploited, an attacker could gain elevated privileges on the target system.
MS10-012 affects SMB on all supported operating systems. This bulletin addresses four more vulnerabilities in SMB, one of which is publically known. Although, all four vulnerabilities are not being exploited at this time. The publically known vulnerability could result in a denial of service attack. In this scenario, an attacker could send a specially crafted SMB packet to a target system. Domain controllers are the most at risk for this type of an attack.
MS10-014 affects Kerberos on Windows 2000, 2003 and 2008. This bulletin addresses one vulnerability that is not publically known at this time. An attacker could send a specially crafted ticket request to a domain controller. In this scenario, the domain controller would not be able to assign out new tickets. This would create a denial of service attack. Clients who already have tickets would continue to operate normally.
MS10-015 affects the Windows Kernel on all operating systems except Windows 7 x64 and Windows 2008 R2. This bulletin addresses 2 vulnerabilities. One of these vulnerabilities is publically known, but not being exploited at this time. In order to carry out an attack using this vulnerability, an attacker must logon as an authenticated user. The attacker could run a specially crafted program that can result in elevation of privilege and install programs or take complete control of the system. This bulletin contains the fixes for Security Advisory 979682.
Microsoft has also released a new Security Advisory in 979682 977377. In the last couple of months, Microsoft has been releasing new security advisories on Patch Tuesday. With new Security Advisories, each should be reviews and workarounds should be applied if necessary.
It is important to watch for items other than security bulletins. We all can get in a cadence of immediately working on the known security bulletins starting at noon CST on patch Tuesday, but there may be other items that come up on patch Tuesday.
- Jason Miller