The October 2010 edition of Microsoft Patch Tuesday is a large one, with Microsoft releasing 16 bulletins that address 49 vulnerabilities.  Both of these numbers are new all-time highs for Microsoft.  The most alarming number for most administrators will be the 49 vulnerabilities being addressed.  But 26 of these vulnerabilities are addressed in 2 Microsoft Office updates, and 12 vulnerabilities are addressed in the Internet Explorer cumulative update.

With today’s Patch Tuesday Microsoft has released 86 new security bulletins year-to-date.  Compared to previous years, you can see this number has far exceeded any previous total:

  • 2009 - Total 74 security bulletins
  • 2008 - Total 78 security bulletins
  • 2007 - Total 69 security bulletins

A common question asked is "Why are there so many bulletins and vulnerabilities being released/updated by Microsoft?"

There are a couple of factors coming into play here.  First, Microsoft is the grandfather of patching and has spent years refining its process to develop the mature patching process we see today.  Second, Microsoft is working more closely than ever with security researchers through its Coordinated Vulnerability Disclosure (CVD) program.  By working with researchers, Microsoft is closing the gap between a vulnerability being found and a fix being released.  This is something a lot of people have been asking for, so we shouldn't be too surprised that we are seeing an uptick in security bulletins.

For the October 2010 Patch Tuesday, there are two bulletins that administrators should be looking to patch immediately.  MS10-071 is the bi-monthly cumulative update for Internet Explorer.  This bulletin fixes 12 vulnerabilities.  With the critical vulnerabilities in this bulletin, navigating to a malicious website can lead to remote code execution.  With any web browser vulnerability, it is critical to patch as soon as possible.  One of the most common attack vectors is a malicious website that exploits an unpatched browser.

MS10-076 affects Embedded OpenType (EOT) fonts and can lead to remote code execution.  Like MS10-071, navigating to a malicious website with an unpatched system can result in remote code execution.  The outcome of exploiting the vulnerability in this bulletin varies depending on which operating system you are running.  Newer versions of Microsoft Windows, Windows Vista and higher, have ASLR (address space layout randomization) built in, which makes this vulnerability more difficult to exploit.

Two bulletins rated important may be a higher priority depending on a corporation's network composition.  MS10-077 affects the .NET Framework and can lead to remote code execution by navigating to a malicious website on an unpatched system.  It is important to note that this vulnerability only affects 64-bit operating systems.  If your network contains mostly 64-bit operating systems, you will want to raise the criticality of this bulletin.  MS10-075 affects Windows Media Player and should be considered critical for home users.  A vulnerability exists in the Media Network Sharing service.  By sending a malicious Real Time Streaming Protocol (RTSP) network packet to an unpatched machine, an attacker can take control of the machine.  There are some key factors for this vulnerability that lower the risk for corporate machines.  The attack must be carried out from the local network.  Also, machines joined to a domain, as in most corporate networks, are not vulnerable.
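The prioritization above depends on facts about each host: whether it is 64-bit (MS10-077), whether it is domain-joined (MS10-075), and whether its OS generation has ASLR (MS10-076). The following PowerShell script is an added example, not part of the original post, that pulls those facts from WMI and ranks the four bulletins for one host; it assumes PowerShell 2.0 or later with WMI access, and the priority labels are this script's own triage convention rather than Microsoft's official ratings.

```powershell
# Added example (not from the original post): rank this month's bulletins for a
# host using the factors the post names. Priority labels are an assumed triage
# convention for illustration, not Microsoft's severity ratings.
function Get-October2010Priority {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
    $cs = Get-WmiObject -Class Win32_ComputerSystem  -ComputerName $ComputerName

    # Windows Vista is NT 6.0; XP and Server 2003 (5.x) predate built-in ASLR.
    $hasAslr      = ([int]$os.Version.Split('.')[0]) -ge 6
    # OSArchitecture is absent on XP RTM/SP1; those builds are 32-bit only,
    # so a missing value correctly evaluates as "not 64-bit".
    $is64Bit      = "$($os.OSArchitecture)" -like '64*'
    $domainJoined = [bool]$cs.PartOfDomain

    $rows = @()
    $rows += New-Object PSObject -Property @{ Bulletin = 'MS10-071'; Priority = 'Critical';
        Reason = 'IE cumulative update; a malicious web page can give RCE' }

    if ($hasAslr) { $why = 'EOT font RCE; ASLR raises the exploitation bar but the flaw remains' }
    else          { $why = 'EOT font RCE with no ASLR on this OS generation' }
    $rows += New-Object PSObject -Property @{ Bulletin = 'MS10-076'; Priority = 'Critical'; Reason = $why }

    if ($is64Bit) { $p = 'Critical'; $why = '.NET RCE via malicious web page; only 64-bit hosts are affected' }
    else          { $p = 'Low';      $why = 'Host is 32-bit; not affected per the bulletin' }
    $rows += New-Object PSObject -Property @{ Bulletin = 'MS10-077'; Priority = $p; Reason = $why }

    if ($domainJoined) { $p = 'Low';      $why = 'Domain-joined hosts are not vulnerable' }
    else               { $p = 'Critical'; $why = 'Standalone host; WMP Network Sharing reachable over RTSP from the local network' }
    $rows += New-Object PSObject -Property @{ Bulletin = 'MS10-075'; Priority = $p; Reason = $why }

    # Fix column order; hashtable-built objects do not preserve it on their own.
    $rows | Select-Object Bulletin, Priority, Reason
}

# Run against the local machine; pass -ComputerName to query another host via WMI.
Get-October2010Priority | Format-Table -AutoSize
```

Running it across an inventory and counting how many hosts rate MS10-077 as Critical gives the "mostly 64-bit" signal the post says should raise that bulletin's priority network-wide.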

A common theme in this month's Microsoft bulletin release is that older software bears the brunt of the vulnerabilities.  Older versions of Microsoft software have a number of vulnerabilities that do not affect newer software.  When looking at patch management, administrators should consider upgrading software whenever possible.  This can reduce attack vectors, as the most recent versions of software have additional lines of defense.

  • MS10-071 - Internet Explorer 7 and 8 are not affected by some of the vulnerabilities.
  • MS10-076 - Windows Vista and higher have ASLR built in, making the vulnerability harder to exploit.
  • MS10-079 - Office XP is affected by a majority of the vulnerabilities where newer versions are not affected.
  • MS10-080 - Office 2010 is not affected by the vulnerabilities, and most of the vulnerabilities only affect Office XP.

There are three bulletins this month that affect third-party (non-Microsoft) software.  In these bulletins, the vulnerable code lives in the Microsoft operating system.  However, Microsoft's own software does not expose it and cannot be exploited through it; an attacker must go through the third-party product on an unpatched system.  MS10-081 and MS10-082 affect non-Microsoft web browsers.  MS10-074 affects third-party zip programs.  Patching the operating system will close these vulnerabilities.

- Jason Miller