
It's Microsoft Patch Tuesday: February 2010

Justin James gathers the information you need to make the right decision on applying Microsoft's February 2010 patches in your organization.

As expected, the slow January Patch Tuesday has been made up for by an intense February, with a whopping thirteen security patches! For one thing, we saw a big release of out-of-band items near the end of January, including a critical security patch for Internet Explorer, and a pile of other things that could have and should have waited until the proper Patch Tuesday to be released.

This blog post is also available in PDF format in a free TechRepublic download.

Security Patches

  • MS10-003/KB978214 - Important (Office XP, Office 2004 for Mac): Specially crafted Office files can be used to perform remote code execution exploits in Office XP and Office 2004 for Mac; this patch fixes the issue. The attacker is limited to the current user's rights. I think that this patch is more critical than Microsoft's rating, and you should install it on any affected copies of Office quickly. 4.6MB - 9.4MB
  • MS10-004/KB975416 - Important (Office XP, Office 2003, Office 2004 for Mac): This is another remote code execution exploit targeting Office; this time PowerPoint is the victim. Again, the attacker gets the current user's rights. This patch should be installed immediately. 3.4MB - 9.4MB
  • MS10-005/KB978706 - Moderate (2000, XP, 2003): This is a new one. A bug in MS Paint allows remote code execution exploits to be delivered via specially crafted JPEG files. I don't think many people have MS Paint as their default image viewer, so this is not too much of an issue. Install the patch during your next patch cycle. 610KB - 1.4MB
  • MS10-006/KB978251 - Critical (2000, XP, W7, 2003, 2008 R2)/Important (Vista, 2008): This is another in the recent problems for Windows' SMB handling; this one is a remote code execution exploit. The only nice thing about this one is that it requires the attacker to get you to try to connect to their rigged SMB server, and that's pretty unlikely to go through many corporate firewalls. All the same, get this patch installed as soon as you can. 191KB - 1.2MB
  • MS10-007/KB975713 - Critical (2000, XP, 2003): There is a bug in the ShellExecute API call (which allows programs to ask the OS to perform commands) that allows a remote code execution attack to occur. This patch should be installed immediately. 606KB - 1.4MB
  • MS10-008/KB978262 - Critical (2000, XP)/Important (Vista, W7)/Moderate (2003)/Low (2008, 2008 R2): This is an important update to the ActiveX Kill Bits system that fixes a bug that could allow remote code execution exploits, and it adds some additional controls to the kill bits system. Install this as soon as you can. 27KB - 1.0MB
  • MS10-009/KB974145 - Critical (Vista, 2008): A problem in the TCP/IP stack of Vista and 2008 allows an attacker to perform a remote code execution exploit if IPv6 is turned on. You should install this patch immediately. 1.4MB - 2.7MB
  • MS10-010/KB977894 - Important (2008, 2008 R2): An attacker who is logged in to a guest machine running under Hyper-V could execute a denial-of-service attack on the host. This is a fairly low-level problem, and you shouldn't bother with the patch unless you are using Hyper-V. 117KB - 189KB
  • MS10-011/KB978037 - Important (2000, XP, 2003): An issue in the Client/Server Runtime Subsystem allows authenticated attackers to escalate their privileges, which makes this a fairly low importance patch. Install it during your next scheduled patch cycle. 506KB - 1.0MB
  • MS10-012/KB971468 - Important (2000, XP, Vista, W7, 2003, 2008, 2008 R2): This patch solves another problem in Windows' SMB handling, this time on the server side, which allows a remote code execution attack to occur. Since you should never have SMB exposed past your firewall, this should not be an emergency patch. All the same, you will want to install it on your next scheduled patch day. 224KB - 1.5MB
  • MS10-013/KB977935 - Critical (2000, XP, Vista, W7, 2003, 2008, 2008 R2)/Important (2003 IA-64, 2008 IA-64, 2008 R2 IA-64): DirectShow's AVI handling routines are open to a remote code execution attack if passed a rigged AVI file; the attacker gains the current user's rights. Install the patch immediately. 564KB - 3.0MB
  • MS10-014/KB977290 - Important (2000, 2003, 2008): The Kerberos system has a flaw that allows a denial-of-service attack on a domain controller with a specially crafted Kerberos ticket renewal request. You should install this patch during your next scheduled patch time. 189KB - 1.2MB
  • MS10-015/KB977165 - Important (2000, XP, Vista, W7 32 Bit, 2003, 2008): A Windows bug allows a local user to escalate their privileges. Windows 7 64-bit users are spared, as are 2008 R2 servers. This isn't a critical item, and the patch can wait until your next scheduled patching. 1.6MB - 7.8MB

Other Updates

  • KB979099: This patch fixes issues with the Rights Management Services Client on 2003, 2008 R2, XP, and W7. 1MB - 9.2MB
  • KB973917: This patch is a reissue to correct some problems with the original version and will need to be reinstalled. The patch adds Extended Protection for Authentication to IIS on 2003, 2008, and Vista. 867KB - 4.0MB
  • "The Usual Suspects": Updates to the Malicious Software Removal Tool (9.7MB - 10MB) and Junk Email filters (2.2MB).
  • Changed, but not significantly: None.

Updates since the last Patch Tuesday

  • MS10-002/KB978207 - Critical (2000, XP, Vista, W7, 2003, 2008, 2008 R2): This patch fixes a remote code execution exploit in Internet Explorer. You should get this patch installed immediately, if you have not already done so, because there are public exploits for it and have been for some time. 3.3MB - 48MB

There have been a number of minor items added and updated since the last Patch Tuesday:

Changed, but not significantly:

About

Justin James is the Lead Architect for Conigent.

24 comments
DHCDBD

Took a look at a friend's computer. Uninstalled all service patches due to laggy response. Then began eliminating hardware after reseating all cards and memory. One at a time and USB - external mouse, Verizon wireless, Magic Jack card, then plugged in a USB extender to plug in a USB powered cooler. As soon as the extender was plugged in, the problems began. Used my externally powered extender. Same problem. Reported it to MS, however it may be a machine specific problem. I installed this box two weeks ago, so I was familiar with its performance.

rod6047

I think a patch should be added to Windows that allows more than one external hard drive to be recognized. I tried to add a second USB drive and got this problem coming up. I spoke with Dell's tech support and was told that all Windows versions will not allow the second drive. Also got no help from Western Digital, the maker of the two drives.

Ocie3

When, if ever, might Microsoft get a clue that one reason for running Firefox is that it does not have their "ClickOnce technology"? The following "patch" installs a Firefox extension that introduces ClickOnce and adds a string to the User Agent, sent in HTTP headers, that discloses all of the .NET versions (and their associated Service Packs) that are installed on the Firefox user's computer: Update to .NET Framework 3.5 Service Pack 1 for the .NET Framework Assistant 1.0 x86 (KB963707). In my experience, Microsoft literally insists upon installing that "update" and complains every time that IE fetches the Microsoft Update page if I have "hidden" it. Whatever its merits, I don't plan to re-install .NET the next time that I restore Windows XP afresh. No doubt that .NET and all of its "features" are included in all Windows 7 installs, but what gives Microsoft any right to compromise Firefox by installing their extension without the user's prior knowledge and explicit consent?

farooqui66

There are some rumors floating around about a virus associated with one of the patches released this Tuesday. Any truth to this? Has anyone seen any blue screen occurrences after installing these patches? Not sure which OS these blue screens were supposedly seen on but I figure you might have heard something if this sort of thing was going on.

Justin James

Thanks to the blizzard in the DC area, I was able to patch all of my VMs mid-day today (no one is in the office). No problems at all. J.Ja

Mark W. Kaelin

Are the patches described by Justin giving you trouble this month? Share your experience with your peers, maybe we can help?

Justin James

I haven't heard that rumor at all. I patched 13 VMs and 2 physical servers today with zero problems, though. J.Ja

RShady

After restoring Win XP and Win7 from previous backups, I re-applied the updates with the exception of KB977165. Re-booted and applied KB077165 standalone. Rebooted-No problems arose. I seem to think that certain updates involving critical system components re: kernel should be updated separately. should not be included

RShady

I have a multi-boot; win xp, vista & win7. XP & Win7 got bit-BSODs. Vista made it through ok. Fortunately, I do daily backups.

plandok

After installing the Feb updates, my pc took inordinately long to shut down and to relaunch. Funny little window appeared saying custom security settings were being made. In any event, all windows, network, e-mails, add-ons and program customisations were wiped out including backup schedules. Some autostart programs disappeared. My screen looked just like a new Windows installation. My mouse worked erratically. This included Firefox and Thunderbird (which was reverted to a previous version). Must be a plot against competition to IE. Luckily Acronis Home Image could be coaxed into reinstalling Partition C: and I only lost a few days work. This is the first time updates have done this for me. And now I am leery. I've turned off auto updates on all the machines here. What Gives?

plandok

Sounds like MS. It's not us, it's your computer. Hah! Just like the old days. I scan my machine regularly with a variety of malware detectors and use physical and software firewalls, anti-virus, hosts protector, etc. so I doubt a piece of malware was the cause of the updates wiping my settings and programs clean rather than the BSOD thing. After the update, my machine resembled a new install of Windows with no settings at all. Even hardware was "lost". It also reverted Thunderbird to an earlier version and deleted all my add-ons. So...who to believe? It's sort of like your mechanic telling you there is no recall for your problem when it is supposed to be hidden. Or blaming you for the failure. Hah again.

trlumsden

Actually, the patch kb977165 does cause the computer to freeze-up upon restart. Several comments on cnet have pointed out this as being the faulty patch and once unchecked, the boot up continues with no problems. Awaiting an answer to know when the patch can be completed safely/successfully.

plandok

Thanks for the further explanation. Yes, it does sound rather severe especially without the BSOD. Perhaps being a Dell refurb made it that way, at least inferring from other messages above. I agree that the fact the OS actually runs on a majority of open-architecture machines is nothing short of a miracle. Apple has to severely control its hardware environment just so they can claim they are better than a PC. Agree about TB3. Prefer TB2.x but am trying to get used to it since I prefer to play it safe re security. Am hoping add-ons can restore my preferred "functionality". Still using Office XP 'cause I detest the Office 2003 look (even classic). Luckily I was able to restore the C: partition (thanks Acronis) and will go from there. Will install the "updates" minus the possible "faulty" one but after making sure I have an up-to-date, system image available. I'm a PC and proud of it.

Ocie3

are continuing to investigate the matter, just that malware has been discovered on at least some of the machines that had the BSOD. Maybe your computer is host to an undetectable rootkit. (Oh, they do exist, since they do things, usually bad things, but no anti-malware ever "finds" them -- not even GMER. But maybe a BSOD core memory dump could.) The outcome that you describe seems rather severe just from installing patches to the OS (especially reverting Thunderbird to an earlier version!). Are you sure that you installed exactly the same set of patches as "everyone else"? I put that in quotation marks because just about the only time and place that a significant number of computers might be said to be "identical" is in a large, usually corporate, LAN. So, ordinarily there is some variety among the patches and updates that are downloaded and installed by Microsoft Update (or Windows Update) among the various systems that are updated. Given the enormous variety of WinTel computer systems with regard to both hardware and software, it is a bit of a wonder that they run "the same operating system" at all. My own computer has an AMD Athlon XP 2400+ CPU (2.0 GHz), which was explicitly designed for use with Windows XP. So far, I have never had any problems with updating the OS. Many systems that have AMD CPUs had problems with Windows XP SP3, but mine did not. Quote: "It also reverted Thunderbird to an earlier version and deleted all my add-ons." Given my experience with Thunderbird 3.x, you are better off! ;-)

AstroCreep

Sorry, but we reached the thread-limit on replies otherwise I would have posted this in the logical reply spot. ;) In regards to you getting the "Couldn't find a hard disk" message, most of the newer Intel-based Dell systems are installed with the Intel Storage Matrix driver instead of a "standard" ATA controller, so you'll want to try the old "Press F2 to load a storage driver" method the next time you boot it from the CD. Before that you'll need to download the text-mode driver, of course, but you can get that from Intel or extract the appropriate files from the driver download on Dell.com. Good luck!

IT IN SUNNY FLA

no hard drive found. Setup must exit. Will try the next suggestion. Thanks for trying. I ran Dell diags and everything hardware wise checked out ok. The computer may just be screwed.

ITvet

Attempting to clarify what you mean by "once unchecked"? I am guessing you are suggesting unchecking this patch install before allowing it to install, correct? If you have installed it how otherwise would there be an option to uncheck it while seeing a BSOD?

KiloWatt1975

Remove all but 1 stick of ram and try to go to BIOS, then SafeMode, then uninstall the patch from Add/Remove Programs. GoToH.... DELL for M$ updates and patches. HTHelps.

CG IT

have to boot using the XP install disc and use the recovery console to delete the patches.

IT IN SUNNY FLA

Just picked up a Dell Vostro 1400. The owner last night clicked yes install those updates. Computer now boots to BSOD. Safe Mode hangs just after mup.sys tries to load. I would say MS has done it again.

steven.taylor

I just applied KB977165 to a Windows 2003 server and had no problems on restart.