Yesterday Microsoft released ten security bulletins to cover a total of 34 vulnerabilities on its monthly Patch Tuesday.
This month's Patch Tuesday was the most active so far this year and matched the busiest Patch Tuesday release ever in terms of vulnerabilities addressed since October 2009. Of the 34 flaws fixed, 14 are in Microsoft Excel and eight relate to Windows and Internet Explorer. The majority of the vulnerabilities put Windows and Office users at risk of full system compromise.
Alan Bentley, VP international for Lumension, said: “The impact of this week's update will be felt enterprise-wide, as the bulletins cover a large portion of Microsoft's range of operating systems, infrastructure products and Office products – so it is strongly recommended that IT administrators investigate and prioritise this patch load as soon as possible.”
Tyler Reguly, senior security engineer at nCircle, said: “Another Microsoft Patch Tuesday, another list of the usual suspects: Internet Explorer, Media Player, Office. Sadly, you no longer have to be psychic to figure out what's coming. If I wasn't in security, I'd be starting to wonder if it was time to go back to pen, paper and encyclopaedias.
“It's great to see SharePoint patched this month, and I have to give Microsoft credit for getting the patch out as quickly as they did. While I didn't expect to see it last month, I would have been surprised to not see it this month.
“As a researcher, I find MS10-041 and MS10-040 very interesting, although they are probably the least dangerous for the end-user. Patches for MS10-035, which includes public vulnerabilities, and MS10-033 should probably be highest on most people's priority lists because they include at least one public vulnerability and are likely to see published exploits in the next couple of weeks.”
Looking specifically at MS10-035, Jason Miller, data and security team manager at Shavlik Technologies, said: “MS10-035 is the bi-monthly release of the cumulative security update for Internet Explorer. This bulletin fixes six vulnerabilities where a successful attack can lead to remote code execution. Internet Explorer is one of the most targeted applications for attackers, so Shavlik recommends that administrations address this bulletin immediately.”
Wolfgang Kandek, CTO at Qualys, commented that MS10-033 is a vulnerability in the M-JPEG codec and affects a large number of Microsoft products, but its main attack vector is going to be through media files delivered through the internet to Windows Media Player or IE.
MS10-033, according to Miller, is the other of the two most urgent bulletins that administrators should address first, as it addresses two vulnerabilities in Windows that could lead to remote code execution.
He said: “This bulletin affects Windows media which is very common with popular social media networking applications. Opening a specially crafted media file or connecting to a malicious server streaming media content can lead to remote code execution.
“The days of solely focusing on internet browsers for patching have changed and Microsoft is very focused on fixing vulnerabilities in their media formats and players. As we move towards a media centric audience, attackers are focusing more and more on media players to go along with browser attacks.”
Kandek commented that Excel has 14 vulnerabilities covered by MS10-038, with 11 in Office XP and only three in more recent versions (2003 and 2007). He said: “These vulnerabilities can be used to trigger code execution when a malicious file is opened by the user. The new Office 2010, which is scheduled to be released later this month, is not affected by any of the vulnerabilities.”
Joshua Talbot, security intelligence manager at Symantec Security Response, commented that the most serious issue is the Windows kernel TrueType font parsing vulnerability.
“Exploiting this - likely through a drive-by download attack - would give an attacker near system-level privileges. It's doubtful that attackers would compromise a legitimate site to exploit this vulnerability, so users should be extra cautious of social engineering tricks coaxing them to visit unfamiliar web pages, which could contain a malicious font,” he said.
Dave Marcus, director of security research and communications at McAfee Labs, said: “Today's Microsoft patches again underline the risk of using the internet unprotected. These vulnerabilities could be exploited to booby trap websites, Office and Windows Media files to gain control over vulnerable computers simply by tricking victims into opening a malicious file or clicking a malicious link.”