
It's Microsoft Patch Tuesday: August 2010

Justin James gathers the information you need to make the right decision on applying Microsoft's August 2010 patches in your organization.

I loved the out-of-band story this month. There were a few packages with updated information (in this case, localized text) instead of the usual flurry of pointless items. When a huge security problem was publicly disclosed and exploited, Microsoft responded quickly with a patch. Even the nonsecurity items released on Patch Tuesday were mild, just "the usual suspects."

Of course, there is a massive drop of security patches too, but as they say, "you win some, you lose some." Reading between the lines, my belief is that there is a code library for XML handling that is used by a large number of applications (Office, Silverlight, .NET, etc.), which is at the root of about half of these patches.

This blog post is also available in PDF format in a TechRepublic download. The previous month's Microsoft Patch Tuesday blog entries are also available.

Security Patches

  • MS10-046/KB2286198 - Critical (XP, Vista, 7, 2003, 2008, 2008 R2): In July, an exploit for Windows shortcut handling in Internet Explorer was found and was being exploited quickly to perform remote code execution attacks. This is a critical patch to fix these issues, and you should install it immediately if you have not done so already (this patch was released out-of-band on August 2). 3.0MB - 17.8MB

  • MS10-047/KB981852 - Important (XP, Vista, 2008)/Important (7, 2008 R2): This patch resolves a number of issues; the worst allows escalation of privileges (on XP, Vista, and 2008). For some odd reason, 2003 and XP 64-bit are unaffected. These issues require the attacker to be logged on locally with proper credentials, which mitigates most of the risk with these vulnerabilities. You should install this patch on your next scheduled patch cycle. 14KB - 6.6MB

  • MS10-048/KB2160329 - Important (XP, Vista, 7, 2003, 2008, 2008 R2): This patch is for another set of escalation of privileges issues, which also require the attacker to be locally logged on. Like MS10-047, it can wait until your usual patch time. 1.0MB - 5.6MB

  • MS10-049/KB980436 - Critical (XP, 2003)/Important (Vista, 7, 2008, 2008 R2): Malicious Web sites can take advantage of vulnerabilities in the Secure Channel portion of Windows (ironic, right?). On older versions of Windows, this can result in remote code execution exploits, while in more recent versions it is "merely" a spoofing vulnerability. I recommend that you install this patch immediately, even on more modern systems. 144KB - 1.1MB

  • MS10-050/KB981997 - Important (XP, Vista): Attackers can use malformed Movie Maker project files to perform remote code execution attacks. Because the attacks grant only the local user privileges and because Movie Maker is a less widely used application, this can wait until a normal patch cycle for installation. 1.7MB - 3.6MB

  • MS10-051/KB2079403 - Critical (XP, Vista, 7)/Moderate (2003, 2008, 2008 R2): Issues with Windows' built-in XML handling can allow an attacker to use a specially crafted Web site to execute a remote code execution exploit. Microsoft downgrades the issue level on server OSes because the assumption is that no one does much browsing on a server OS, I suppose. I would still patch all systems with this one as soon as you can, because many servers process XML and I would not be surprised if someone could exploit this outside a browser environment. 511KB - 2.7MB

  • MS10-052/KB2115168 - Critical (XP, 2003): Attackers can exploit a problem in MPEG codecs on XP and 2003 to perform remote code execution attacks; this patch fixes the problem. You will want to install it quickly. 550KB - 728KB

  • MS10-053/KB2183461 - Critical (IE6, IE7, IE8): This patch addresses a whopping six bugs in all versions of Internet Explorer. The worst one allows remote code execution attacks to happen, potentially limited to local user privileges. You will want to get this installed immediately. 3.3MB - 48.4MB

  • MS10-054/KB982214 - Critical (XP)/Important (Vista, 7, 2003, 2008, 2008 R2): Issues with the Windows SMB handling can allow a variety of attacks, which are fixed with this patch. On some systems it is a remote code execution attack at worst; on others the worst is escalation of privileges. Your network should not allow external SMB traffic, so this one can wait until your usual patch time. 328KB - 1.0MB

  • MS10-055/KB982665 - Critical (XP, Vista, 7): Another codec problem (this time for Cinepak) is allowing remote code execution exploits to give the attacker the same rights as the local user. Like MS10-052, get this installed as soon as you can. 121KB - 701KB

  • MS10-056/KB2269638 - Critical (Office 2007)/Important (Office XP, Office 2003, Office 2004 for Mac, Office 2008 for Mac, Open XML File Format Converter for Mac, Office Word Viewer, Office Compatibility Pack, Microsoft Works 9): Four security problems in Office are fixed with this patch. The worst will allow remote code execution by opening an RTF e-mail. I suggest you put this patch on as quickly as possible, even for systems where the threat is lowered, due to the prevalence of Office documents. 2.1MB - 45.1MB

  • MS10-057/KB2269707 - Important (Office XP, Office 2003, Office 2004 for Mac, Office 2008 for Mac, Open XML File Format Converter for Mac): This is another patch for Office to shut down remote code execution exploits, this time in Excel. Again, Microsoft rates this as a mere "important," but since Excel documents are so common, you will want to install it fast. 4.9MB - 45.1MB

  • MS10-058/KB978886 - Important (Vista, 7, 2008, 2008 R2): A locally logged-on user can abuse the TCP/IP stack for handling IPv6 to escalate privileges. This patch should be fine to wait until your usual patch time. 638KB - 2.7MB

  • MS10-059/KB982799 - Important (Vista, 7, 2008, 2008 R2): Locally logged-on attackers can take advantage of a pair of vulnerabilities in the Tracing for Services system to escalate privileges. Because it relies on the attacker having a local logon, this patch is not an emergency item. 45KB - 102KB

  • MS10-060/KB2265906 - Critical (.NET 2.0, .NET 3.5, Silverlight 2, Silverlight 3 for XP, Vista, 7, 2008, 2008 R2): Problems in how .NET processes XBAP files have led to a pair of vulnerabilities that can allow remote code execution attacks when viewing XBAPs or Silverlight applications and can attack a server if the attacker gets a malicious ASP.NET file uploaded to it. Needless to say, you will want to install this patch as soon as possible. A couple of the individual patches have some known issues, which you will want to look at here and here. 117KB - 16.9MB

Other updates

None.

"The Usual Suspects": Updates to the Malicious Software Removal Tool (11.4MB - 12.0MB), IE Compatibility View List (27KB - 500KB) and Junk Email filters (2.2MB).

Changed, but not significantly:

Updates since the last Patch Tuesday

  • There have been no minor items added or updated since the last Patch Tuesday.

Changed, but not significantly:

About

Justin James is the Lead Architect for Conigent.

22 comments
portable

This came out with the title: [TechRepublic] More patches then you'd like to see and Adobe Air apps to ponder PLEASE kill the proof-reader! It is THAN you would like to see! Then - adverb at that time, immediately or soon afterward, next in order of time, etc. TIME!!! Than - conjunction (used, as after comparative adjectives and adverbs, to introduce the second member of an unequal comparison): She's taller than I am. Or (used after some adverbs and adjectives expressing choice or diversity, such as other, otherwise, else, anywhere, or different, to introduce an alternative or denote a difference in kind, place, style, identity, etc.): I had no choice other than that. You won't find such freedom anywhere else than in this country. Or (used to introduce the rejected choice in expressions of preference): I'd rather walk than drive there. I'm a freakin' Engineer and I know the difference, you would think a writer would too. Please.

Mark W. Kaelin

I haven't had one of those or a copyeditor in about 5 years - and I really miss them. We do have someone check the blog posts after the fact, but by then the cat's out of the bag. Please understand that the Patch Tuesday pieces are published on a very quick deadline and typos do happen. No one hates making them more than I do.

dderitter

I am getting more lessons in English Composition and Grammar than I am in the actual content of the article. Fascinating stuff; I should join an English Composition newsboard to try to get the technical insight I came here for.

santeewelding

You should also know that it's, "copyreader", not, "proofreader", freakin' engineer.

steven.taylor

This update is showing in my systems as KB983583. Don't know why, but checking the MS technet site, it seems to be the same.

Justin James

Many patches, particularly those for Office, have a "master" KB for the problem itself (which is the one I will list), and then will often have a KB for each individual patch that affects a particular product. It makes it "interesting" and "fun" to look for things like known issues because you have to go wading through a pile of other KBs to get that data... J.Ja

olddognewtricks

How do TechRepublic editors get updates on their job performance? Could you send this on? The subject line in the email for this issue was "More patches then you'd like to see and Adobe Air apps to ponder". "Then" instead of "than"? You guys write for a living! Do Microsoft coders make these kinds of errors? Maybe that's why so many patches are needed.

Mark W. Kaelin

I take the blame for that - working with deadlines will sometimes lead to typos and small grammatical errors. However, that being said, I don't think such a thing really contributes to the downfall of civilization.

wflickinger

"Reading between the lines, my believe is that there is a code library for XML handling that is used by a large number of applications....." Should that be "my belief" instead of "my believe"? A fellow Kentuckian

Justin James

That particular typo came from myself. In Mark's defense, he turned this article around (and nearly every other "Patch Tuesday" piece) in UNDER AN HOUR. That's not just taking the document I sent him and editing it for grammar, that's getting it from Word and into WordPress, formatting it to fit the TR standards, doing things like replacing the "**" and "***" indicators in my document with the easy-to-see flags, putting notices on the site (like the "rotators"), getting the information about the article into the newsletter and sending that out so folks get it ASAP, and more. That is phenomenal turnaround time for a piece that he does not know exactly when it will arrive.

You see, Microsoft does not give us any kind of special treatment on this information. I prepare as much of the article in advance as I can, but the final details are the security patches. If the details come out at 1 PM EST, that leaves *very* little time to research each one in-depth, do the write-up, and get it out the door. If our East Coast friends want to get this early enough to read it before the day wraps up, that means we have about three hours from the time the security patches have public details to get it on the site in time for some folks (4 PM EST).

Given the circumstances, I think typos are not only understandable, but forgivable, and it is quite reasonable that not only will I make a mistake or two, but that Mark might miss some of those mistakes or perhaps make one of his own. J.Ja

misgateway

I hope you realize my comment was a little "tongue in cheek" - I was trying to make a sentence that incorporated both "then" and "than", as well as "affect" and "effect" - another common error that is a bit irksome

misgateway

That error jumped right out at me also. The incorrect use of "then" and "than" affect me in a negative way. If the writers can't do better than this, then there will continue to be a negative effect on the readers.

barrycs

ESET's NOD32 seems to have a major issue with the KB2286198 update. Client to server copies from VB6 code are slowing down to 1 second per file. ESET says that their latest virus signature would resolve, but I think they overcompensated.

levilan

None of these security holes, most are 20 years old, have been discovered by the "experts" in Microsoft. All of these were found by external private security teams.

bboyd

"requires the attacker to be locally logged on." "it can wait until your usual patch time" or executed by an ignorant user with bad computer habits who just happens to be logged on locally... These flaws are not used in a vacuum, they are usually part of a multi-spectral attack. Fixing these "Lesser" flaws may terminate an attack that otherwise would have full penetration using another unknown or unfixed flaw. Not to be rude but suggesting waiting seems like asking people to remain unprotected at the same time the attacker is told that they have a window open.

billa

When Justin recommends you apply these patches in your "next scheduled patch cycle" he's not telling you to wait, he's advising you that these patches are "business as usual". Test and apply using YOUR best practices. For some that means as soon as they get the patches, for others it means the next day after they have tested them, some won't install for a week. There are even some, gasp, who will NEVER install the non-critical patches.

Justin James

Thanks, that's a perfect summary of it. I agree with the original poster that just because it requires local execution does not mean that it is trivial. But it does require a lot of extra work on the user's behalf, like downloading an executable file AND actually executing it. I know, we try to tell users not to do that, and a certain percentage don't listen... But yeah, when I say "in your usual patch cycle" that means just that... whatever your organization feels is "best practice" for getting non-emergency patches to systems is how you should handle this. If you schedule patches for the evening of Patch Tuesday, cool. If you like to wait a few days to see if anyone has problems with the patches, that makes sense too. But... you should install the patch, and sooner will always be better than later. The "one flag" patches mean "totally optional" or only apply to a feature or package that is fairly uncommon for a business environment, like Media Center. Three flag items signal "it doesn't matter what your cycle is, you really want this installed tonight or tomorrow night, because exploits are available or will be soon, and it can be easily exploited despite firewalls, virus scanners, etc." J.Ja

rwparks.it

Don't always jump and install a patch because it's out there. Sometimes the patch can be more detrimental to the system than the attack. That's why I appreciate Justin's attention and expertise. Rather than thrashing my systems with every little patch, it's often good to wait and see how things play out from those who have the time and abilities to consider the results. Of course, there are certainly times that call for immediate action. Check trusted sources for smart determination. We all have different management styles and policies. Apply what's best for your domain. (Manage your systems; don't let them control you.)

Mark W. Kaelin

Are the patches described by Justin giving you trouble this month? Share your experience with your peers, maybe the TechRepublic Community can help?

Madsmaddad

It's an XP machine with SP3, Office 2000, and Viper antivirus. After installing the patches it wanted a reboot, and it seemed to hang before getting all the Desktop icons back up. A couple of reboots later and it has been about 3 hours and it has brought up a few of the status bar icons, but is unresponsive. This comes from the Linux box.

Next Morning: By about 11 PM, 8 hours of rebooting, waiting, killing, booting into safe mode, it came up properly and is not giving any more grief.

Lesson: Set a restore point before installing patches, only do two or three at a time so that you can uninstall if there are problems.

Timbo Zimbabwe

From the email about this article: "More patches then you'd like to see" C'mon, TR, don't be like AP....

Justin James

Most of my servers and desktops were done last night with no issues. One patch (I forget which one) failed on the first attempt but succeeded on the second attempt. J.Ja
