June 2010 Patch Tuesday Overview
Microsoft has released 10 new security bulletins for the June 2010 edition of patch Tuesday. These 10 bulletins address 34 vulnerabilities.
A large release by Microsoft this month was expected by us here at Shavlik. Microsoft has shown a pattern lately of a smaller month followed by a larger release month.
*Note: -OOB represents an out-of-band release by Microsoft.
Two security advisories have been closed by Microsoft as the vulnerabilities have been addressed in two new bulletins:
There are two bulletins that administrators should address first. MS10-033 addresses two vulnerabilities in Windows that could lead to remote code execution. This bulletin affects Windows media which is very common in the new age of social networking. Opening a specially crafted media file or connecting to a malicious server streaming media content can lead to remote code execution. The days of solely focusing on Internet Browsers for patching have changed. In the past year, Microsoft has focused on fixing vulnerabilities in their media formats and players. As we move to a media centric audience, attackers will focus more and more on media players to go along with browser attacks. I can guarantee that someone on your network, right now, is browsing the Internet looking for a video with Tom Cruise's Tropic Thunder character Less Grossman dance routine from the MTV Movie Awards.
MS10-035 is the bi-monthly release of the Cumulative Security Update for Internet Explorer. This bulletin fixes 6 vulnerabilities where a successful attack can lead to remote code execution. Internet Explorer is one of the most targeted applications for attackers, so this bulletin should be addressed immediately on your network.
There are a couple of bulletins that require special attention from administrators this month. Patching software has made patch management easy, but administrators need to research the bulletins each month for little pieces of information that could adversely affect your network security.
First, MS10-036 has a product that is vulnerable but does not have a patch supplied from Microsoft. Microsoft Office XP SP3 is vulnerable but there are actions you can take to mitigate this vulnerability. If possible, you can upgrade your Office installations to Office 2003 or 2007 as Microsoft is supplying patches for those products. If this is not possible, Microsoft is providing a workaround FixIt tool that will protect against the vulnerability (KB983235). In addition, Microsoft Office 2003 and 2007 must be upgraded to the latest service pack level as well as having the bulletin applied to fix the vulnerability. you must install the patch for the full Office installation for Office 2003 or 2007 if you are installing the patch for the stand alone product. For example, patching Visio 2003 will require you to patch Office 2003 as well.
Lastly, MS10-040 has a special case for Windows 2003, Vista and 2008 installations. These systems will only be vulnerable if Extended Protection For Authentication has been previously installed.
On the non-Microsoft patching front, Apple has released two new versions of their Safari browser. Safari 5.0 and 4.1 fix 47 vulnerabilities. Safari 4.1 is Mac OS only where Safari 5.0 with Mac and Windows OS. More information can be found here.
Adobe announced today they are planning on releasing new updates for Adobe Flash, Reader and Acrobat soon. Adobe Flash 10 is planned on being released June 10. For Adobe Reader and Acrobat, Adobe is planning on a June 29. More information can be found here.
- Jason Miller
**Updated: Sometimes the bulletin detail pages can be a bit confusing. Updated the post to reflect a chage for MS10-036 when patching a standalone product.