
It's Microsoft Patch Tuesday: December 2010

Justin James gathers the information you need to make the right decision on applying Microsoft's December 2010 patches in your organization.

Are seventeen security bulletins for forty vulnerabilities Microsoft's way of saying "Happy Holidays"? I think it just might be, because that's what we got this month! There is even a rare bug that affects Vista, 7, 2008, and 2008 R2 but not XP or 2003. This month's patches include four patches for the exact same issue in four different products. By way of comparison, 2009 had 74 total security bulletins and 2008 had 76, so this year's final number of 106 is awful.


Security Patches

MS10-090/KB2416400 - Critical (IE6, IE7, IE8): The patch closes seven vulnerabilities that can allow remote-code-execution attacks to be performed via malformed Web pages. Three of these vulnerabilities are publicly disclosed. You should apply this patch as soon as you can. Microsoft reports that you will need to install KB2467659 after you apply this patch. 3.9MB - 48.4MB

MS10-091/KB2296199 - Critical (Vista, W7, 2008, 2008 R2)/Important (XP, 2003): Issues with the way Windows handles fonts can cause remote-code-execution attacks on Vista, 7, 2008, and 2008 R2, and escalation-of-privileges attacks on XP and 2003. It looks like the attacks can be triggered by just opening a folder or network share that contains a malformed font file; I am not sure if browsing an FTP site in Explorer would do the trick. Better safe than sorry: install this patch quickly. 247KB - 1.3MB

MS10-092/KB2305420 - Important (Vista, 7, 2008, 2008 R2): A user who is already logged on and runs an attack file can exploit a hole in Task Scheduler to perform an escalation-of-privileges attack. Those conditions greatly mitigate the risk, and this patch can wait until your scheduled patch time. 725KB - 1.7MB

MS10-093/KB2424434 - Important (Vista): The Movie Maker application can be used for remote-code-execution attacks if the user opens a file in the same location as a malformed library file. Don't bother with this patch unless you have Movie Maker installed. 1.7MB

MS10-094/KB2447961 - Important (XP, Vista, 2008): This is the same kind of issue as the Movie Maker one, but in Windows Media Encoder instead. Again, this patch is really needed only if you use Windows Media Encoder. 1.4MB - 3.4MB

MS10-095/KB2385678 - Important (7, 2008 R2): This is a repetition of the previous problem, but with Windows Live Mail and Windows Live Writer files. Apply the patch if you use these products. 158KB - 415KB

MS10-096/KB2423089 - Important (XP, Vista, 7, 2003, 2008, 2008 R2): Again, the same issue, but with Windows Address Book. This is a low-priority patch as well. 307KB - 1.0MB

MS10-097/KB2443105 - Important (XP, 2003): Same problem, different app. This time it is the Internet Connection Signup Wizard. No need to hurry on this one either. 521KB - 1.0KB

MS10-098/KB2436673 - Important (XP, Vista, 7, 2003, 2008, 2008 R2): A user who runs a specially made attack file is vulnerable to an escalation-of-privileges attack, due to a hole in the kernel-mode drivers. You should patch this at your next scheduled patch time. 1.1MB - 5.6MB

MS10-099/KB2440591 - Important (XP, 2003): A user who is logged on locally can run special attack code to perform an escalation-of-privileges attack against the Routing and Remote Access component of XP and 2003. This patch can wait until your usual patch cycle. 512KB - 1.0MB

MS10-100/KB2442962 - Important (Vista, 7, 2008, 2008 R2): A flaw in the Consent User Interface (the prompt that stops code from doing things without the user's permission) can allow escalation-of-privileges attacks. Patch this one on your usual schedule. 79KB - 123KB

MS10-101/KB2207559 - Important (2003, 2008, 2008 R2): Attackers inside your network can perform denial-of-service attacks on your domain controllers; this patch eliminates the issue. Patch when it is convenient for you. 289KB - 1.6MB

MS10-102/KB2345316 - Important (2008, 2008 R2): A user inside a Hyper-V guest can send a malformed packet to the host machine, causing a denial of service on the host. This is a very specific set of circumstances, and you don't need to patch unless you are using Hyper-V. 468KB - 49.0MB

MS10-103/KB2292970 - Important (Publisher 2002, Publisher 2003, Publisher 2007, Publisher 2010): A remote-code-execution exploit in Publisher can be triggered by opening a malformed file. Install this patch if you have Publisher installed. 2.9MB - 11.9MB

MS10-104/KB2455005 - Important (SharePoint Server 2007): A malformed SOAP request to SharePoint can get it to perform remote code execution. This works only if the Document Conversions Load Balancer Service is on, and by default it isn't. Install this patch if you use SharePoint. 1.5MB

MS10-105/KB968095 - Important (Office XP, Office 2003, Office 2007, Office 2010, Office Converter Pack, Microsoft Works 9): This patch knocks out a whopping seven vulnerabilities, some of which allow remote-code-execution attacks when opening malformed files. Due to the widespread install base of Office and how commonly Office files are opened, install this patch immediately. 840KB - 2.1MB

MS10-106/KB2407132 - Moderate (Exchange 2007): Exchange servers have a vulnerability that allows denial-of-service attacks if malformed RPC traffic reaches them. Of course, RPC traffic should not be allowed in from the outside network. Install the patch on your normal schedule. 45.5MB - 49.7MB
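The following script is an added example and is not part of the original post or of any Microsoft tooling: it audits one Windows machine against the Windows bulletins in the list above, using the KB numbers, severities and "applies to" notes copied from that list. It assumes PowerShell 2.0 or later, where Get-HotFix reads the Windows update inventory (Win32_QuickFixEngineering). Because that inventory covers only Windows updates, the Office, SharePoint and Exchange bulletins (MS10-103 through MS10-106) are left out of the table; they need a product-specific check.

```powershell
# Added example (not from the original post): audit this machine against the
# December 2010 Windows security bulletins. Assumes PowerShell 2.0+ (Get-HotFix).
# Office/SharePoint/Exchange bulletins are not in the hotfix inventory and are
# deliberately omitted.

# KB numbers, severity and "applies to" text are copied from the bulletin list.
$bulletins = @(
    @{ Bulletin='MS10-090'; KB='KB2416400'; Severity='Critical';  AppliesTo='IE6, IE7, IE8';                      Urgency='as soon as you can' },
    @{ Bulletin='MS10-091'; KB='KB2296199'; Severity='Critical';  AppliesTo='XP, Vista, 7, 2003, 2008, 2008 R2';  Urgency='quickly' },
    @{ Bulletin='MS10-092'; KB='KB2305420'; Severity='Important'; AppliesTo='Vista, 7, 2008, 2008 R2';            Urgency='scheduled patch time' },
    @{ Bulletin='MS10-093'; KB='KB2424434'; Severity='Important'; AppliesTo='Vista (Movie Maker)';                Urgency='only if Movie Maker is installed' },
    @{ Bulletin='MS10-094'; KB='KB2447961'; Severity='Important'; AppliesTo='XP, Vista, 2008 (Media Encoder)';    Urgency='only if Media Encoder is installed' },
    @{ Bulletin='MS10-095'; KB='KB2385678'; Severity='Important'; AppliesTo='7, 2008 R2 (Live Mail/Writer)';      Urgency='only if used' },
    @{ Bulletin='MS10-096'; KB='KB2423089'; Severity='Important'; AppliesTo='XP, Vista, 7, 2003, 2008, 2008 R2';  Urgency='low priority' },
    @{ Bulletin='MS10-097'; KB='KB2443105'; Severity='Important'; AppliesTo='XP, 2003';                           Urgency='low priority' },
    @{ Bulletin='MS10-098'; KB='KB2436673'; Severity='Important'; AppliesTo='XP, Vista, 7, 2003, 2008, 2008 R2';  Urgency='scheduled patch time' },
    @{ Bulletin='MS10-099'; KB='KB2440591'; Severity='Important'; AppliesTo='XP, 2003';                           Urgency='usual patch cycle' },
    @{ Bulletin='MS10-100'; KB='KB2442962'; Severity='Important'; AppliesTo='Vista, 7, 2008, 2008 R2';            Urgency='usual schedule' },
    @{ Bulletin='MS10-101'; KB='KB2207559'; Severity='Important'; AppliesTo='2003, 2008, 2008 R2';                Urgency='when convenient' },
    @{ Bulletin='MS10-102'; KB='KB2345316'; Severity='Important'; AppliesTo='2008, 2008 R2 (Hyper-V)';            Urgency='only if Hyper-V is used' }
)

# Installed hotfix IDs come back as strings such as "KB2416400".
$installed = Get-HotFix | ForEach-Object { $_.HotFixID }

# One row per bulletin; New-Object PSObject keeps this PowerShell 2.0 compatible.
$report = foreach ($b in $bulletins) {
    New-Object PSObject -Property @{
        Bulletin  = $b.Bulletin
        KB        = $b.KB
        Severity  = $b.Severity
        AppliesTo = $b.AppliesTo
        Urgency   = $b.Urgency
        Installed = [bool]($installed -contains $b.KB)
    }
}

# Missing rows first, Critical before Important. A "missing" row for a KB that
# does not apply to this OS, or to software that is not installed, is expected;
# read it against the AppliesTo column.
$report |
    Sort-Object Installed, Severity |
    Select-Object Bulletin, KB, Severity, Installed, AppliesTo, Urgency |
    Format-Table -AutoSize

# Flag the bulletins the post says to apply immediately.
$missingCritical = @($report | Where-Object { -not $_.Installed -and $_.Severity -eq 'Critical' })
if ($missingCritical.Count -gt 0) {
    $names = ($missingCritical | ForEach-Object { $_.Bulletin }) -join ', '
    Write-Warning "Critical bulletins not found in the hotfix inventory: $names"
}
```

Run it in a normal PowerShell session on the machine being checked; Get-HotFix also accepts -ComputerName, so the same table can be produced for a remote server from a management workstation. Because the check is by KB number only, a machine that received one of the Windows bulletins through a later cumulative package (IE updates in particular) can show an older KB as missing; treat the table as a starting point for verification rather than as proof of exposure.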


Other Updates

KB2443685 - This is one of Microsoft's regular updates to handle changes in daylight saving time and time zones. 150KB - 1.0MB

KB2467659 - A nonsecurity patch to fix a variety of Internet Explorer issues. 28KB - 1.0MB

"The Usual Suspects": Updates to the Malicious Software Removal Tool (11.8MB - 12.2MB) and the Junk E-mail Filter (2.2MB).

Changed, but not significantly:

W7 update (KB982110)

.NET Framework 4 Client Profile (KB982670 and KB982671)

Updates since the last Patch Tuesday

No security updates were released out-of-band.

Minor items

There have been a number of minor items added and updated since the last Patch Tuesday:

Best Practices Analyzer update for Application Server on Windows 2008 R2 x64 (KB2386667) - 107KB

IE8 Compatibility View list update (KB2447568) - 26KB - 499KB

System Update Readiness Tool for Vista, W7, 2008, and 2008 R2 (KB947821) - 20.3MB - 134.1MB

Changed, but not significantly:

.NET 4 patch update for vulnerability MS10-077 (KB2160841)

Security update for Windows for MS10-072 (KB2345304)

About

Justin James is the Lead Architect for Conigent.

49 comments
qaisar2020

User profile on Windows 7 computer got corrupted

Spitfire_Sysop

After the patch I can no longer run WindowsLive mail. It crashes on the splash screen. I didn't have time to look in to it but I would like a fix if anyone else has heard of it.

bigpygme

had to do a system restore after installing all the recommended "important" patches because IE 8 wasn't functioning. after roll-back, possibly unrelated, i lost my internet connection and needed tech support to restore it. they said they'd had several similar calls after these patches, and that usually re-setting IE settings to Default fixed the problem, but it didn't work for me. now i'm doing a system image back up before i try these patches again - that was my worst patch experience ever.

Gis Bun

Well, at least Microsoft generally doesn't wait around and let critical bugs in its software stick around for months or longer. Yes. 106 bulletins has been the nastiest we've seen in a few years or so. And the last few months have been really dreadful. What Mr. James should remember is that it is not the amount of bulletins in a year but how many vulnerabilities were fixed in them. I'm sure a good chunk of the bulletins had only one vulnerability to fix. You also have IE which is a cumulative fix.

pjboyles

The patch for MS10-105 also implements filtering of graphic filters in addition to fixing issues. KB2479871 allows us to manage the list. I don't see the ability to disable the filtering which is going to make this very unattractive to install. Now we need to make a decision on how to implement MS10-105. *Sigh* Why does MS think that disabling functionality is a security fix? Oh, and make it a completely separate patch.

The tail chase:

MS10-105 - Vulnerabilities in Microsoft Office Graphics Filters Could Allow for Remote Code Execution (968095)

2289078 http://support.microsoft.com/kb/2289078/ MS10-105: Description of the security update for Microsoft Office 2010: December 14, 2010

2288931 http://support.microsoft.com/kb/2288931/ MS10-105: Description of the security update for the 2007 Microsoft Office system: December 14, 2010

2289163 http://support.microsoft.com/kb/2289163/ MS10-105: Description of the security update for Microsoft Office 2003: December 14, 2010

2423930 (http://support.microsoft.com/kb/2423930) For Office XP SP3 install the Microsoft Office update provided in MS10-087 (http://www.microsoft.com/technet/security/Bulletin/MS10-087.mspx)

KB968095 - MS10-105: Vulnerability in Microsoft Office Graphics Filters could allow remote code execution. Actually a discussion on issues from the patch for MS10-105 (see section: Known issues and additional information about this security update) http://support.microsoft.com/kb/968095

KB2479871 - Security settings for graphic filters for Microsoft Office 2010, the 2007 Microsoft Office system, Microsoft Office 2003, and Microsoft Office XP http://support.microsoft.com/kb/2479871/

This looks like a major mess about to happen.

jwalsh

Having the same issue with KB2207559. Where did this install from? It is not on the above list.

pamacher

There was another patch, not mentioned in article, KB2412171 for Outlook that removed the archive function.

toker

When KB2207559 is installed on a Server 2003 R2 SP2 x86 PDC running RRAS, workstations are unable to connect to the internet. (Tried disabling RRAS and resetting it.) If I uninstall KB2207559, everything works again. Reinstall it and same issue. Nothing in Event Viewer, Netdiag, etc.

Mark W. Kaelin

Are the patches described by Justin giving you trouble this month? Share your experience with your peers, maybe the TechRepublic Community can help?

kpdriver

I've been having problems logging into my banking site after these updates. Both IE8 and Firefox would not load cibibanking.com, even after I did a restore. I finally got Firefox fixed somehow, but the banking site is the only one I'm having troubles with.

Gis Bun

I think Microsoft also disabled various graphic filters that they deemed to be vulnerable. Example CorelDraw 5 [!!!] filter was one I can remember. This was when [I think] Office 2003 SP3 came out. If you look at http://support.microsoft.com/kb/2479871/, the "popular" filters are ***still*** enabled but can be disabled via reg file or group policy.

Justin James

It's the patch for MS10-101, it fixes an issue in NetLogon, which could definitely affect certain services. J.Ja

Justin James

The patch is for NetLogon, which will definitely affect RRAS. I'd look into NetLogon possible issues. J.Ja

jwalsh

I am having the same issue. Did you just uninstall it, or is there a workaround?

yagar

It appears MS has boned this one up pretty bad. Now that 10 days have passed the problems have grown even worse. If you check on the web the list is long for problems they have caused. Frankly for all the problems they have caused they should be made to pay the repair costs for every one that has had a problem. I now have two machines in my shop that will not boot. Both of them are running VISTA. They will not go to safe mode. They will not go to anything, even the Dell recovery partition. I can boot to an XP recovery CD. They hang on the crcdisk.sys. Before you jump in and say you have a hard disk problem, answer why before these updates they did not have a problem. I'm not biting on the hard disk problem. I'm biting on MS screwed up. I've run hard disk diagnostics from a boot CD with no errors. I've seen these MS screw ups before and they don't even give you the courtesy of a reach around. There is not even an admittance to the problems they have caused people because of their mistakes. While I'm on this rant. I happen to have a large number of older folks that I service. This transition from XP to Win7 is not going well for them. In later years of life changes don't come easy. I don't say MS should not have Win7, personally I think it's near the top for crap as far as what I'm looking for in an operating system. Why take XP away, are you afraid it would still show Win7 up. Deal with the egg on your face. Make life in the computing world a bit simpler for our older folks. I long for the day that some company puts out an alternative to Windows. Something in the line of W2K where you get a streamlined operating system without a ton of whistles and bells, it's secure and you load what you want on it. I don't happen to believe Linux is the answer.

njfreelancer

My laptop loaded six updates and then Windows would not run. The updates were:

KB2409055

Two for IE 8 for Vista (I have Vista)

KB890830

KB2431831

KB968930

Any ideas?

mchoffy

We use vWorkspace and KB2443685 broke the timezone redirection.

swyche

Apparent success, but certainly the slowest system since my 8086. Nothing wrong, just the constant hard file activity light trying to log onto gmail. I have Firefox 3.6+ as the only browser, but WTF, IE8 is running instead and soooooo slow that I had to sys restore after waiting about 15 minutes. XP PRO SP3, 2 gb ram, AMD SEMPRON circa 2005, Phoenix Bios.

readerlis

I am uncertain if this is connected to the patch. When I connect to my email Exchange hosted server I get a popup window which asks if it is ok to connect. It pops up every hour or so and I have had it happen about 5 times since 7 AM NY time today. It is happening to 2 other employees who are also running 07 Outlook. Part of this patch caused this to happen. MS pulled this patch in the Dec update KB 2412171... Here are answers from our hosted Exchange engineers:

Update: We researched the update from Microsoft and it is currently unavailable. We are currently recommending that you un-install this Office Outlook 2007 update as a permanent solution. If you un-install the patch and still have issue please contact Support to troubleshoot. Thank you.

Entered on 12/17/2010 at 11:09:37 by Craig C.: Update: Currently our System Administrators have determined that un-installing the Office Update seems to permanently resolve the issue of Autodiscover Pop-ups. We are currently investigating if a Microsoft revision allows you to install the update without the Autodiscover Pop-up issue. We will report our findings shortly.

PatSitel

When we pushed the patches out to our test systems on Tuesday, we have had almost all of the ones with IE7 installed fail on one patch with the error below - Cumulative Security Update for Internet Explorer 7 for Windows XP (KB950759):

Event reported at 12/14/2010 7:22 PM: Installation Failure: Windows failed to install the following update with error 0x8007f0f1: Cumulative Security Update for Internet Explorer 7 for Windows XP (KB950759).

These machines continue to try to install this patch, reboot and continue to fail. The patch itself is something that was pushed out back in 2008. At this point, we haven't figured out which of the December patches is causing this problem to occur. Anyone else having similar issues?

qhp310

Since the 3 Outlook 2007 corrections, changing panel in Outlook is very slow. So much that I did a Restore to before the corrections and changed my options for applying patches... until the time that Microsoft solves this bothersome slowness... Regards

ITOdeed

Yahoo mail would not load after updates. I got busy and didn't check back until later that afternoon, and then it was back to normal. Otherwise everything normal after updates on my machines, some running Vista, some Win 7.

bobdavis321

Windows Server 2008 and 2003 went down at 3:30 AM this morning. I think it was a Microsoft update? To get them working again you have to log in and then identify the type of network? That is usually something an anti-virus asks? Maybe it was a combination of MS updates and an anti-virus change?

isa

I am using Windows 7 Ultimate and IE8. After updating with the latest updates (December 15, 2010), favorites (bookmarks) in IE8 don't work. The list is there but there are no URLs so I can't open any link; also I can't add any new bookmark. The message I get is: Unable to create "the name of the site I want to add": Class not registered. I also cannot import Bookmark.htm from another browser. I would appreciate any help.

Update: Restoring the system to an earlier date corrected the problem. Something must be wrong with the updates of December 15 (a total of 15 updates).

bernardmorey

I believe so. After installing the patch Outlook 2010 failed to run. It started then stopped with a generic error message. It would run only in safe mode. I rolled back Win to the state prior to the patch - Outlook then ran OK. I have since installed only the Win 7 parts of the patch, leaving the Office parts for the time being. Outlook is OK although some add-ons have been disabled (not by me).

yagar

I've had several people call that IE would not open. I had to disable Yahoo Toolbar to get it to open. Not sure if it's from the MS update or if Yahoo updated.

Justin James

I got most of mine done and tested last night, looks good at this point. J.Ja

njfreelancer

I had to run a system restore to get my laptop working again, but the updates are still there waiting to be installed.

jcbronson

I spotted the cycle of repeated attempts to install KB2416400 on my servers and found the following entry on the WSUS team blog: http://blogs.technet.com/b/sus/archive/2010/12/16/update-on-a-couple-issues-we-are-seeing-related-to-detection-and-installation-of-ms10-090-kb2416400.aspx There are clear instructions provided. Basically, I had to decline EVERY Cumulative Security Update for IE and re-approve only the two that are needed. After this, a quick stop/restart of WAU and re-detect, and the issue was resolved for me. I hope this helps you.

ITOdeed

Update for Microsoft Silverlight (KB2477244)

Installation date: 12/16/2010 12:48 PM

Installation status: Failed

Error details: Code 80244019

Update type: Important

This update to Silverlight improves security, reliability, accessibility support, startup performance, enhances line-of-business support and includes several fixes to better support rich internet applications. This update is backward compatible with web applications built using previous versions of Silverlight.

IE8 reports problems after computer reboots.

jhawklyn

Yes. We have a number of systems reporting problem behaviours:

1. Reporting that the patch installed correctly, and the system needs to be rebooted. Then getting into re-runs, requiring additional reboots (Google "recursion" to get an idea): Cumulative Security Update for Internet Explorer 7 for Windows XP (KB2416400). This is the most common problem we're having.

2. Reporting that the patch failed, and the system needs to be rebooted. Then getting into re-runs, requiring additional reboots (Google "recursion" to get an idea):

Automatic Updates: Some updates could not be installed. The following updates were not installed:

Security Update for Microsoft Office Publisher 2003 (KB2284695)

Update for Microsoft Office Outlook 2003 Junk Email Filter (KB2466074)

Security Update for Microsoft Office 2003 (KB2289163)

Update for Microsoft Office Outlook 2003 (KB2449798)

Justin James

That message usually means that something about the NIC or the network connection changed just enough where Windows thought it was connected to the network for the first time. When it is in that state, the firewall is VERY conservative, just in case you plugged the device into a public network. J.Ja

bobdavis321

There is an MS update that has failed to install. That is according to the error log files. The other problem is that something changed on the network that caused the server to think it was on a new 'unsafe' network. I posted pictures of the error logs on my blog bobdavis321.blogspot.com

bobdavis321

Failed extract of third party root list from auto update.....A required certificate is not within its validity period when verifying....

mike.motes

After applying the patches, it is now taking my Win 7 machine about 15 seconds to switch between the various locations (inbox, sent items, etc.). Rolled back to before the patches and everything was snappy once again.

hvermain

Try the following trick to get it working again:

If you are on Windows XP, remove all the contents of the C:\Documents and Settings\All Users\Application Data\Yahoo! Companion\Data folder and restart IE.

If you are on Windows Vista or Windows 7, remove all contents from the %APPDATA%\Yahoo! Companion\Data folder and restart IE.

jwalsh

Removing the Yahoo Toolbar worked like a charm. IE8 is now up and running as usual.

rshmerl

I have had MSIE 6.0 and 8.0 fail on unpatched Win 98SE, W2K and XP PCs, and on patched Win XP PCs. Coincidentally, Yahoo reduced their workforce by 600 people the previous day. No reply as yet from Yahoo Customer Service about this problem. Either disable the add-on in XP or remove the toolbar in other op systems.

BobBurke

My helpdesk tech said associates had IE fail after Windows Updates on Windows XP workstations. Uninstalling the toolbar or running without add-ins fixed it.

Justin James

I've seen the "New Network" thing happen, even when something on the system itself doesn't change. DHCP settings in particular can do it. :( So can an updated NIC driver from time to time. J.Ja

bobdavis321

No new NIC card was installed or connected; the IPCop firewall might have been reloaded like 2 months ago? I just remembered that I changed the IP of the main switch a week ago because we installed a second switch and they had to have different IPs.

hvermain

You can do the following to fix this issue:

On Windows XP, remove all the contents of the C:\Documents and Settings\All Users\Application Data\Yahoo! Companion\Data folder and restart IE.

On Windows Vista and Windows 7, remove all contents from the %APPDATA%\Yahoo! Companion\Data folder and restart IE.

The above will resolve this issue for you.
