It's Microsoft Patch Tuesday: December 2010

Justin James gathers the information you need to make the right decision on applying Microsoft's December 2010 patches in your organization.

Are seventeen security bulletins for forty vulnerabilities Microsoft's way of saying "Happy Holidays"? I think it just might be, because that's what we got this month! There is even a rare bug that affects Vista, 7, 2008, and 2008 R2 but not XP or 2003. This month's patches include four patches for the exact same issue in four different products. By way of comparison, 2009 had 74 total security bulletins and 2008 had 76, so this year's final number of 106 is awful.

This blog post is also available in PDF format in a TechRepublic download.

Security Patches

MS10-090/KB2416400 - Critical (IE6, IE7, IE8): The patch closes seven vulnerabilities that can allow remote-code-execution attacks to be performed via malformed Web pages. Three of these vulnerabilities are publicly disclosed. You should apply this patch as soon as you can. Microsoft reports that you will need to install KB2467659 after you apply this patch. 3.9MB - 48.4MB MS10-091/KB2296199 - Critical (Vista, W7, 2008, 2008 R2)/Important (XP, 2003): Issues with the way Windows handles fonts can cause remote-code-execution attacks on Vista, 7, 2008, and 2008 R2, and escalation-of-privileges attacks on XP and 2003. It looks like the attacks can be triggered by just opening a folder or network share that contains a malformed font file; I am not sure if browsing an FTP site in Explorer would do the trick. Better safe than sorry, install this patch quickly. 247KB - 1.3MB MS10-092/KB2305420 - Important (Vista, 7, 2008, 2008 R2): A user who is already logged on and runs an attack file can exploit a hole in Task Scheduler to execute escalation-of-privileges attacks. The conditions greatly mitigate the risks, and this patch can wait until your scheduled patch time. 725KB - 1.7MB MS10-093/KB2424434 - Important (Vista): The Movie Maker application can be used for remote-code-execution attacks if the user opens a file in the same location as a malformed library file. Don't bother with this patch unless you have Movie Maker installed. 1.7MB MS10-094/KB2447961 - Important (XP, Vista, 2008): This patch is similar to the Movie Maker issue, but with Windows Media Encoder instead. Again, this patch is really needed only if you use Windows Media Encoder. 1.4MB - 3.4MB MS10-095/KB2385678 - Important (7, 2008 R2): This is a repetition of the previous problem but with Windows Live Mail and Windows Live Writer files. Apply the patch if you use these products. 158KB - 415KB MS10-096/KB2423089 - Important (XP, Vista, 7, 2003, 2008, 2008 R2): Again, same issue but with Windows Address Book. This is a low-priority patch as well. 307KB - 1.0MB MS10-097/KB2443105 - Important (XP, 2003): Same problem, different app. This time, it is the Internet Connection Signup Wizard. No need to hurry on this one either. 521KB - 1.0KB MS10-098/KB2436673 - Important (XP, Vista, 7, 2003, 2008, 2008 R2): Users running a specially made attack file are vulnerable to an escalation-of-privileges attack, due to a hole in the kernel-mode drivers. You should patch this at your next scheduled patch time. 1.1MB - 5.6MB MS10-099/KB2440591 - Important (XP, 2003): A user who is logged on locally can run special attack code to perform an escalation-of-privileges attack against the Routing and Remote Access portion of XP and 2003. This patch can wait until your usual patch cycle. 512KB - 1.0MB MS10-100/KB2442962 - Important (Vista, 7, 2008, 2008 R2): A hole in the Consent User Interface (used to isolate code from doing things without the user's permission) has a flaw that can allow escalation-of-privileges attacks. Patch this one on your usual schedule. 79KB - 123KB MS10-101/KB2207559 - Important (2003, 2008, 2008 R2): Attackers inside your network can perform denial-of-service attacks on your domain controllers; this patch eliminates the issue. Patch when it is convenient to you. 289KB - 1.6MB MS10-102/KB2345316 - Important (2008, 2008 R2): A user within a Hyper-V can send a bad packet to the host machine, causing a denial-of-service attack on the host. This is a very specific set of circumstances, and you don't need to patch unless you are using Hyper-V. 468KB - 49.0MB MS10-103/KB2292970 - Important (Publisher 2002, Publisher 2003, Publisher 2007, Publisher 2010): A remote-code-execution exploit in Publisher can be triggered by opening a malformed file. Install this patch if you have Publisher installed. 2.9MB - 11.9MB MS10-104/KB2455005 - Important (SharePoint Server 2007): A user can use a bad SOAP request to SharePoint and get it to perform remote code execution. This works only if the Document Conversions Load Balancer Service is on, and by default it isn't. Install this patch if you use SharePoint. 1.5MB MS10-105/KB968095 - Important (Office XP, Office 2003, Office 2007, Office 2010, Office Converter Pack, Microsoft Works 9): This patch knocks out a whopping seven patches, some of which allow remote-code-execution attacks when opening malformed files. Due to the widespread install base of Office and the commonality of opening Office files, install this patch immediately. 840KB - 2.1MB MS10-106/KB2407132 - Moderate (Exchange 2007): Exchange servers have a vulnerability that allows denial-of-service attacks to be performed if traffic with malformed RPC traffic reaches them. Of course, RPC traffic should not be allowed from the outside network. Install the patch on your normal schedule. 45.5MB - 49.7MB

Stay on top of the latest Microsoft Windows tips and tricks with TechRepublic's Windows Desktop newsletter, delivered every Monday and Thursday. Automatically sign up today!

Other Updates

KB2443685 - This is one of Microsoft's regular updates to handle changes in daylight saving time and time zones. 150KB - 1.0MB KB2467659 - A nonsecurity patch to fix a variety of Internet Explorer issues. 28KB - 1.0MB

"The Usual Suspects": Updates to the Malicious Software Removal Tool (11.8MB - 12.2MB) and the Junk E-mail Filter (2.2MB).

Changed, but not significantly:

W7 update (KB982110)

.NET Framework 4 Client Profile (KB982670 and KB982671)

Updates since the last Patch Tuesday

No security updates were released out-of-band.

Minor items

There have been a number of minor items added and updated since the last Patch Tuesday:

Best Practices Analyzer update for Application Server on Windows 2008 R2 x64 (KB2386667) - 107KB

IE8 Compatibility View list update (KB2447568) - 26KB - 499KB

System Update Readiness Tool for Vista, W7, 2008, and 2008 R2 (KB947821) - 20.3MB - 134.1MB

Changed, but not significantly:

.NET 4 patch update for vulnerability MS10-077 (KB2160841)

Security update for Windows for MS10-072 (KB2345304)