Microsoft now has a three-month streak of having the out of band patches not being overwhelming. It's nice to see them getting things together on that front! The bad news? Ten security patches covering a massive number of vulnerabilities, including a single Office patch that takes out fourteen bugs. Ouch! Luckily, a much lower ratio of them are "must patch" items than we usually see.
For those who are fascinated with minutia, it looks like Microsoft is changing the numbering for theirKB articles as well, and adding a seventh digit. At the same time, some of the KB article links might not work; Microsoft has not posted all of the yet (as I wrote this, more of them became active). KB articles marked with a * were not active at publication.
Security PatchesMS10-032/KB979559 - Important (2000, XP, 2003, Vista, 7, 2008, 2008 R2): A trio of bugs in the Windows kernel can allow the use of malformed fonts to allow escalation of privileges attacks. It would be a bit hard to sneak a font onto the system without some sort of install privileges anyways, which is why this patch can wait until your next patch cycle. 1.0MB - 4.3MB MS10-033/KB979902 - Critical (2000, XP, Vista, 7, 2003, 2008, 2008 R2): This patch addresses a pair of vulnerabilities in Windows' media subsystem which allows specially crafted media files and streaming content to execute remote code execution exploits. One of the vulnerabilities is less serious that the other, but you should patch your systems immediately all the same. Depending on your system, you may need to install up to four separate patches to address of the issues. 105KB - 4.8MB MS10-034/KB980195 - Critical (2000, XP, Vista, 7)/Moderate (2003, 2008, 2008 R2): This patch updates the ActiveX kill bits and fixes two bugs in ActiveX that could allow remote code execution attacks. If you allow ActiveX on your desktops (which you shouldn't, other than for internal sites), install this immediately, otherwise, wait until your next patch cycle. 26KB - 1.0MB MS10-035/KB982381* - Critical (2000, XP, Vista, 7, 2003, 2008, 2008 R2): Five security holes in Internet Explorer 5, 6, 7, and 8 which can allow remote code execution attacks are fixed with this cumulative update. Some of them are rating as "Moderate" but I don't see any specific combination of IE version and OS that does not make it "critical." I would install this patch immediately. 3.3MB - 48.4MB MS10-036/KB983235 - Important (Office XP, Office 2003, Office 2007): COM validation in Office has a bug which can allow remote code execution attacks. Since you should not be allowing COM to be running in Office from outside sources, this is a less risky bug than it could be. Patch your systems on the next scheduled times. 2.9 - 15.5MB MS10-037/KB980218 - Important (2000, XP, Vista, 7, 2003, 2008, 2008 R2): Another font handling issue is allowing escalation of privileges attacks across all versions of Windows. Like MS10-032, this one can wait until your next regular patch period. 496KB - 1.3MB MS10-038/KB2027452* - Important (Office XP, Office 2003, Office 2007, Office 2004 for Mac, Office 2008 for Mac, Open XML File Format Converter for Mac, Excel Viewer, Office Compatibility Pack for Office 2007 File Formats): A whopping fourteen security bugs in the way Microsoft Office opens files are fixed with this patch. The worst can result in remote code execution attacks. Microsoft says this one is "Important" but I call it "Critical" due to the widespread use of Office, and I suggest that you patch immediately. 9.7MB - 332.8MB MS10-039/KB980218 - Important (InfoPath 2003, InfoPath 2007, Office SharePoint Server 2007, Windows SharePoint Services 2.0): Three problems with SharePoint are fixed with this patch. The issues allow an attacker to perform a variety of attacks, including an escalation of privileges attack if a SharePoint user clicks on a malformed link in SharePoint. This is not a burning issue and the patch can wait until your usual patch time. 2.9MB - 109.3MB Desktop / Server MS10-040/KB982666 - Important (Vista, 7, 2003, 2008, 2008 R2): Computers running IIS 6, 7, and 7.5 are vulnerable to a remote code execution attack that will run with full privileges when an attacker sends a malformed HTTP request. Microsoft calls this patch "Important" but I think that understates the issue for servers. I would patch servers immediately, and leave desktops for the regular path cycle. 43KB - 4.0MB MS10-041/KB981343* - Important (2000, XP, Vista, 7, 2003, 2008, 2008 R2): A problem affecting all versions of the .NET Framework's handling of signed XML content could allow the data to be altered without being detected. This is a fairly minor issue, so this patch can wait until you do your normal patching. 123KB - 2.2MB
- KB982167 for .NET Framework 2.0 SP2 for Windows Server 2003 and XP 116KB - 313KB
- KB982168 for .NET Framework 3.0 SP2 for Windows Server 2003 and XP 116KB - 159KB
- KB982532 for .NET Framework 2.0 SP2 for Windows Server 2008 and Vista 1.1MB
- KB982533 for .NET Framework 2.0 SP2 for Windows Server 2008 SP2 and Vista SP2 1.3MB - 2.0MB
- KB982535 for .NET Framework 3.0 SP2 for Windows Server 2008 and Vista 1.1MB
- KB982536 for .NET Framework 3.0 SP2 for Windows Server 2008 and Vista 1.1MB
Changed, but not significantly:
Updates since the last Patch Tuesday
There have been a number of minor items added and updated since the last Patch Tuesday:
- Root certificate updates (KB931125) 336KB
- Daylight Savings Time updates (KB981793) 150KB - 1.0MB
- IE 8 Compatibility View List (KB982632) 33KB - 681KB
Changed, but not significantly:
Justin James is the Lead Architect for Conigent.