I loved the out-of-band story this month. There were a few packages with updated information (in this case, localized text) instead of the usual flurry of pointless items. When a huge security problem was publicly disclosed and exploited, Microsoft responded quickly with a patch. Even the nonsecurity items released on Patch Tuesday were mild, just "the usual suspects."
Of course, there is a massive drop of security patches too, but as they say, "you win some, you lose some." Reading between the lines, my belief is that there is a code library for XML handling that is used by a large number of applications (Office, Silverlight, .NET, etc.), which is at the root of about half of these patches.
Security PatchesMS10-046/KB2286198 - Critical (XP, Vista, 7, 2003, 2008, 2008 R2): In July, an exploit for Windows shortcut handling in Internet Explorer was found and was being exploited quickly to perform remote code execution attacks. This is a critical patch to fix these issues, and you should install it immediately if you have not done so already (this patch was released out-of-band on August 2). 3.0MB - 17.8MB MS10-047/KB981852 - Important (XP, Vista, 2008)/Important (7, 2008 R2): This patch resolves a number of issues; the worst allows escalation of privileges (on XP, Vista, and 2008). For some odd reason, 2003 and XP 64-bit are unaffected. These issues require the attacker to be logged on locally with proper credentials, which mitigates most of the risk with these vulnerabilities. You should install this patch on your next scheduled patch cycle. 14KB - 6.6MB MS10-048/KB2160329 - Important (XP, Vista, 7, 2003, 2008, 2008 R2): This patch is for another set of escalation of privileges attack issues, which also requires the attacker to be locally logged on. Like MS10-047, it can wait until your usual patch time. 1.0MB - 5.6MB MS10-049/KB980436 - Critical (XP, 2003)/Important (Vista, 7, 2008, 2008 R2): Malicious Web sites can take advantage of vulnerabilities in the Secure Channel portion of Windows (ironic, right?). On older versions of Windows, this can result in remote code execution exploits while in more recent versions it is "merely" a spoofing vulnerability. I recommend that you install this patch immediately, even on more modern systems. 144KB - 1.1MB MS10-050/KB981997 - Important (XP, Vista): Attackers can use malformed Movie Maker project files to perform remote code execution attacks. Because the attacks grant only the local user privileges and because Movie Maker is a less widely used application, this can wait until a normal patch cycle for installation. 1.7MB - 3.6MB MS10-051/KB2079403 - Critical (XP, Vista, 7)/Moderate (2003, 2008, 2008 R2): Issues with Windows' built-in XML handling can allow an attacker to use a specially crafted Web site to execute a remote code execution exploit. Microsoft downgrades the issue level on server OS's because the assumption is that no one does much browsing on a server OS, I suppose. I would still patch all systems with this one as soon as you can, because many servers process XML and I would not be surprised if someone could exploit this outside a browser environment. 511KB - 2.7MB MS10-052/KB2115168 - Critical (XP, 2003): Attackers can exploit a problem in MPEG codecs on XP and 2003 to perform remote code execution attacks; this patch fixes the problem. You will want to install it quickly. 550KB - 728KB MS10-053/KB2183461 - Critical (IE6, IE7, IE8): This patch addresses a whopping six bugs in all versions of Internet Explorer. The worst one allows remote code execution attacks to happen, potentially limited to local user privileges. You will want to get this installed immediately. 3.3MB - 48.4MB MS10-054/KB982214 - Critical (XP)/Important (Vista, 7, 2003, 2008, 2008 R2): Issues with the Windows SMB handling can allow a variety of attacks, which are fixed with this patch. On some systems it is a remote code execution attack at worst; on others the worst is escalation of privileges. Your network should not allow external SMB traffic, so this one can wait until your usual patch time. 328KB - 1.0MB MS10-055/KB982665 - Critical (XP, Vista, 7): Another codec problem (this time for Cinepak) is allowing remote code execution exploits to give the attacker the same rights as the local user. Like MS10-052, get this installed as soon as you can. 121KB - 701KB MS10-056/KB2269638 - Critical (Office 2007)/Important (Office XP, Office 2003, Office 2004 for Mac, Office 2008 for Mac, Open XML File Format Converter for Mac, Office Word Viewer, Office Compatibility Pack, Microsoft Works 9): Four security problems in Office are fixed with this patch. The worst will allow remote code execution by opening an RTF e-mail. I suggest you put this patch on as quickly as possible, even for systems where the threat is lowered, due to the prevalence of Office documents. 2.1MB - 45.1MB MS10-057/KB2269707 - Important (Office XP, Office 2003, Office 2004 for Mac, Office 2008 for Mac, Open XML File Format Converter for Mac): This is another patch for Office to shut down remote code execution exploits, this time in Excel. Again, Microsoft rates this as a mere "important," but since Excel documents are so common, you will want to install it fast. 4.9MB - 45.1MB MS10-058/KB978886 - Important (Vista, 7, 2008, 2008 R2): A locally logged-on user can abuse the TCP/IP stack for handling IPv6 to escalate privileges. This patch should be fine to wait until your usual patch time. 638KB - 2.7MB MS10-059/KB982799 - Important (Vista, 7, 2008, 2008 R2): Locally logged-on attackers can take advantage of a pair of vulnerabilities in the Tracing for Services system to escalate privileges. Because it relies on the attacker having a local log on, this patch is not an emergency item. 45KB - 102KB MS10-060/KB2265906 - Critical (.NET 2.0, .NET 3.5, Silverlight 2, Silverlight 3 for XP, Vista, 7, 2008, 2008 R2): Problems in how .NET processes XBAP files has led to a pair of vulnerabilities that can allow remote code execution attacks when viewing XBAPs or Silverlight applications and can attack a server if the attacker gets a malicious ASP.NET file uploaded to it. Needless to say, you will want to install this patch as soon as possible. A couple of the individual patches have some known issues, which you will want to look at here and here. 117KB - 16.9MB
Changed, but not significantly:
Updates since the last Patch Tuesday
- There have been no minor items added or updated since the last Patch Tuesday.
Changed, but not significantly:
Justin James is the Lead Architect for Conigent.