
It's Microsoft Patch Tuesday: October 2010

Justin James gathers the information you need to make the right decision on applying Microsoft's October 2010 patches in your organization.

This month's patches represent a new record. Microsoft kept the out-of-band patches to a minimum and did respond very, very quickly to a top-tier .NET vulnerability mid-month by issuing manual fix information within a day or two and a patch a few days later. I give kudos for the right response on that issue.

Some of these patches are absolutely depressing, patching more than ten vulnerabilities. I almost ran out of adjectives to describe them (mega, jumbo, and giant). In all fairness, though, many of the vulnerabilities look like the same problem replicated in different applications or Windows components. One oddity was a patch that fixed a vulnerability that is only in Windows 2008 R2.

This blog post is also available in PDF format in a TechRepublic download. The previous months' Microsoft Patch Tuesday blog entries are also available.

Security Patches

MS10-071/KB2360131 - Critical (XP, Vista, 7)/Important (2003, 2008, 2008 R2): A whopping ten vulnerabilities are fixed with this one mega-patch for IE 6, 7, and 8. Some of these are remote code execution attacks. You should get this patch installed immediately. 3.7MB - 48.4MB

MS10-072/KB2412048 - Important (SharePoint Services 3, SharePoint Foundation 2010, Office Web Apps, Office SharePoint Server 2007, Groove Server 2010): Issues with "SafeHTML" can allow attackers to have access to information that they should not on a variety of Microsoft collaboration platforms. It's an important patch, but only if you use these tools. 12.0MB - 21.MB

MS10-073/KB981957 - Important (XP, Vista, 7, 2003, 2008, 2008 R2): Vulnerabilities in the Windows kernel-mode drivers allow a variety of attacks to occur, including escalations of privileges. Luckily, the attacker must be logged on locally, which reduces the area of attack dramatically. Install this patch during your next scheduled patch window. 1.0MB - 5.6MB

MS10-074/KB2387149 - Moderate (XP, Vista, 7, 2003, 2008, 2008 R2): Problems with the MFC library can allow remote code execution attacks if a user who is logged on as a local administrator runs an application that uses MFC. This patch can wait until your normal patch day. 560KB - 1.6MB

MS10-075/KB2281679 - Critical (7)/Important (Vista): An issue with the Windows Media Player Network Sharing Service allows malformed packets to carry out remote code execution attacks. This should be an issue only within your own network, unless you set up your network to allow access from the outside; this patch is not urgent. 342KB - 763KB

MS10-076/KB982132 - Critical (XP, Vista, 7, 2003, 2008, 2008 R2): The font system can be exploited with a malformed font embedded in a file to carry out a remote code execution attack. Since fonts can be embedded in all sorts of files, you should install this patch as quickly as possible. 81KB - 818KB

MS10-077/KB2160841 - Critical (XP, Vista, 7, 2003, 2008, 2008 R2): This is the second patch in a few months to handle problems with the XAML Browser Applications (XBAPs) that were introduced in .NET 4. You will want to install this patch immediately. 159KB - 314KB

MS10-078/KB2279986 - Important (XP, 2003): Another issue with font handling; this time it is an escalation of privileges attack that requires the attacker to be logged on locally. You can hold off until your normal patch time for this one. 642KB - 1.3MB

MS10-079/KB2293194 - Important (Office XP, Office 2003, Office 2007, Office 2010, Office 2004 for Mac, Office 2008 for Mac, Open XML File Format Converter for Mac, Office Compatibility Pack for Office 2007, Microsoft Word Viewer, Office Web Apps): This jumbo-sized patch handles eleven Office security vulnerabilities that are exposed when opening malformed Word files. The attacks are remote code execution attacks that grant the attacker the user's rights. I recommend that you apply this patch as soon as you can, due to the use of Word files as the attack vector. 3.3MB - 333MB

MS10-080/KB2293211 - Important (Office XP, Office 2003, Office 2007, Office 2004 for Mac, Office 2008 for Mac, Open XML File Format Converter for Mac, Excel Viewer, Office Compatibility Pack for Office 2007): Thirteen Excel problems are fixed with this giant patch; they involve remote code execution attacks with malformed Excel and Lotus 1-2-3 files. Like the previous patch, you should install this one ASAP. 5.0MB - 333MB

MS10-081/KB2296011 - Important (XP, Vista, 7, 2003, 2008, 2008 R2): A problem with the Windows Common Control Library allows a third-party SVG viewer to carry out remote code execution attacks with the logged-on user's rights. Microsoft thinks this is "important," but I think that you will want to consider it "critical." 1.0MB - 3.8MB

MS10-082/KB2378111 - Important (XP, Vista, 7, 2003)/Moderate (2008, 2008 R2): Windows Media Player can allow remote code execution exploits if it opens malformed media files that grant the same rights as the logged-on user. Again, the common nature of these files warrants more urgency than the problem would normally justify. 2.4MB - 19.1MB

MS10-083/KB979687 - Important (XP, Vista, 7, 2003, 2008, 2008 R2): This one fixes a remote code execution hole in WordPad and the Windows Shell, of all things, and can be triggered by opening a WordPad file or following (or even selecting!) a shortcut on a network or WebDAV share. Once again, this patch is much more critical than the technical details would indicate due to the attack vectors. 193KB - 5.2MB

MS10-084/KB2360937 - Important (XP, 2003): A local procedure call issue allows execution of escalation of privileges attacks by a locally logged-on user. You can wait until your usual patch time for this one. 793KB - 3.3MB

MS10-085/KB2207566 - Important (Vista, 7, 2008, 2008 R2): Issues with how IIS handles SSL traffic can allow denial-of-service attacks. Patch this during your usual time. 143KB - 488KB

MS10-086/KB2294255 - Moderate (2008 R2): There is an odd issue in Windows Server 2008 R2 that allows users to modify the administrative shares on failover cluster disks. You need this patch only if you use failover cluster disks. 1.7MB - 2.3MB

Other Updates

KB2345886: This patch brings the Extended Protection for Authentication to the Server service. 431KB - 1.7MB

"The Usual Suspects": Updates to the Malicious Software Removal Tool (12.0MB - 12.4MB).

Updates since the last Patch Tuesday

There has been one security update release out-of-band:

MS10-070/KB2418042 - Critical (XP, Vista, 7, 2003, 2008, 2008 R2): This is the patch for the super-critical .NET vulnerability that was announced in September. This vulnerability allows attackers to read data encrypted on the server, including view state, which can be used to exploit many .NET apps. If you have not installed this on your IIS servers, you need to do it immediately. 601KB - 14.3MB

There have been a number of minor items added and updated since the last Patch Tuesday:

Fix for crashes with external USB video devices (KB979538): 179KB - 264KB

IE Compatibility View update (KB2362765): 27KB

Daylight Savings Time update (KB2158563): 151KB - 1.0MB

Changed, but not significantly:


About

Justin James is the Lead Architect for Conigent.

19 comments
gawebster2010

Our Macs on the network no longer can recognize nor find the network since the patch was installed last Thursday. The Macs are running OS X 10.5.8. Any suggestions?

Who Am I Really

Received notification of 10 updates (XP Pro SP3) - applied individually = 7 reboots - no problems noted (yet!)

ederkley

Started to install the patches on a Windows 2008 R2 server and after the first 3 or so it stalled and I'm now getting TrustedInstaller application crashes regularly every 2 minutes and automatic updates no longer works. Still investigating... :(

info

10 patches? Well... on 2 computers I had to run 18(!) critical updates, and 1 computer needed 'just' 16 of them... Amazing numbers. Yet, I am happy with the updates since the .NET flaws were quickly taken care of, which now prevents my Secunia PSI from making "too much noise" about it :) So far no problems with Win after update.

Troy Ryder

After installing this update, one of our Windows XP notebooks will not boot anymore and comes up with an error: Windows could not start because the following file is missing or corrupt windows\system32\config\system

Mark W. Kaelin

Are the patches described by Justin giving you trouble this month? Share your experience with your peers, maybe the TechRepublic Community can help?

ederkley

Looks like the issue I reported happens to a few people each time there are some updates. Proposed solution is to run the Software Update Readiness (SUR) tool for your OS and it may find missing package files which you can then obtain from another server or install media. Unfortunately I wasn't even able to run SUR so was in a pickle. Eventually decided to copy the C:\Windows\Servicing folder from the array server (don't know how well this would go with a more different hardware/patch level etc but I figured it was pretty safe bet with an array server, not clustered or mirrored, but same hardware, software and patch level until this last batch). This got almost everything up and working again but will proceed with more caution in installing remaining updates...and crossing fingers...

Justin James

Some of the patches fix multiple *vulnerabilities*, and three fix over ten *vulnerabilities*. Hope that clears things up! J.Ja

fubus

I know your pain, Troy. You will need to boot from a CD into a command prompt / recovery mode to run "chkdsk /f". If this doesn't fix the problem, then boot to a command prompt again and go into the folder in question; here you can rename system. to system.old and then system.bak to system. Reboot and all should be fine! I hope this helps!

rpbert4

I have Win7 Pro and installed all the Oct updates. First thing I noticed was when I opened IE it was not my normal page. Some of the various bars were checked but not there. Next, while investigating, I saw a lot of MSN items, favorites, etc. had been added and MSN had been made my home page. I have deleted all of the unwanted items and got my home page (about blank) restored. So now all is well, I think.

Zenith545

What again is neglected is that many of these patches are also applicable to the new, still expensive, more secure (?), Windows 7 platform.

Iroc_n_roll

My laptop on my desk at work had no issues, my desktop at home had no issues, both running XP Pro SP3. My wife's desktop at home running XP Home SP3 had no issues. Am going to wait until the weekend to do the servers at work.

Justin James

Most of my servers installed 15 patches. A few were 13, 16, or 17. A couple of them needed a second round (with no reboot requirement) after the first round. My only hitch was that my MS CRM server needed an iisreset to be done to get it working; before that, CRM requests kept timing out. Overall, quite pleased that with this many patches, nothing bad went wrong. I have a few more systems to do tomorrow and the physical systems to do on Thursday (we are taking everything down for UPS maintenance anyways), but all is well. J.Ja

Randy.Wilkins

I tried to install these updates three times (twice from a shutdown-restart clean boot); invariably, all three times the system hung up for more than an hour. I had to start up in safe mode and do a system restore from the previous day. At this point, despite the little "nag," I am not installing these updates.

Troy Ryder

Thanks for the reply, fubus! I didn't see your message until after we had found a solution. The directions on this page (which are similar but longer than your suggestion) ended up fixing our system: http://support.microsoft.com/kb/307545

Who Am I Really

The /f switch is missing. Here's the MS page: http://support.microsoft.com/kb/314058

The only switches available from the recovery console are as follows:

/p Does an exhaustive check of the drive and corrects any errors.

/r Locates bad sectors and recovers readable information.

Justin James

On occasion, IE updates will make those changes and bring it back to the "just installed state" in an "add, don't delete" fashion. Like if you removed all of the favorites that come with IE, they'll reappear. It is truly obnoxious behavior. J.Ja

kpdriver

Every one of these updates installed on my computer without asking permission, even though I've got it set to "download but let me choose when to install updates".

Justin James

I'm not sure why you say it's neglected... every time a patch applies to Windows 7, it says so in the article in the list of Windows versions it applies to. It's listed as "7" to save space. J.Ja