It's Microsoft Patch Tuesday: October 2010

Justin James gathers the information you need to make the right decision on applying Microsoft's October 2010 patches in your organization.

This month's patches represent a new record. Microsoft kept the out-of-band patches to a minimum and did respond very, very quickly to a top-tier .NET vulnerability mid-month by issuing manual fix information within a day or two and a patch a few days later. I give kudos for the right response on that issue.

Some of these patches are absolutely depressing, patching more than ten vulnerabilities. I almost ran out of adjectives to describe them (mega, jumbo, and giant). In all fairness, though, many of the vulnerabilities look like the same problem replicated in different applications or Windows components. One oddity was a patch that fixed a vulnerability that is only in Windows 2008 R2.

This blog post is also available in PDF format in a TechRepublic download. The previous months' Microsoft Patch Tuesday blog entries are also available.

Security Patches

MS10-071/KB2360131 - Critical (XP, Vista, 7)/Important (2003, 2008, 2008 R2): A whopping ten vulnerabilities are fixed with this one mega-patch for IE 6, 7, and 8. Some of these are remote code execution attacks. You should get this patch installed immediately.  3.7MB - 48.4MB MS10-072/KB2412048 - Important (SharePoint Services 3, SharePoint Foundation 2010, Office Web Apps, Office SharePoint Server 2007, Groove Server 2010): Issues with "SafeHTML" can allow attackers to have access to information that they should not on a variety of Microsoft collaboration platforms. It's an important patch, but only if you use these tools. 12.0MB - 21.MB MS10-073/KB981957 - Important (XP, Vista, 7, 2003, 2008, 2008 R2): Vulnerabilities in the Windows kernel-mode drivers allow a variety of attacks to occur, including escalations of privileges. Luckily, the attacker must be logged on locally, which reduces the area of attack dramatically. Install this patch during your next scheduled patch window. 1.0MB - 5.6MB MS10-074/KB2387149 - Moderate (XP, Vista, 7, 2003, 2008, 2008 R2): Problems with the MFC library can allow remote code execution attacks if a user who is logged on as a local administrator runs an application that uses MFC. This patch can wait until your normal patch day. 560KB - 1.6MB MS10-075/KB2281679 - Critical (7)/Important (Vista): An issue with the Windows Media Player Network Sharing Service allows malformed packets to execute remote code execution attacks. This should be an issue only within your own network, unless you set up your network to allow access from the outside; this patch is not urgent. 342KB - 763KB MS10-076/KB982132 - Critical (XP, Vista, 7, 2003, 2008, 2008 R2): The font system can be exploited with a malformed font embedded in a file to execute a remote code execution attack. Since fonts can be embedded in all sorts of files, you should install this patch as quickly as possible. 81KB - 818KB MS10-077/KB2160841 - Critical (XP, Vista, 7, 2003, 2008, 2008 R2): This is the second patch in a few months to handle problems with the XAML Browser Applications (XBAPs) that were introduced in .NET 4. You will want to install this patch immediately. 159KB - 314KB MS10-078/KB2279986 - Important (XP, 2003): Another issue with font handling, this time it is an escalation of privileges attack that requires the attacker to be logged on locally. You can hold off until your normal patch time for this one. 642KB - 1.3MB MS-079/KB2293194 - Important (Office XP, Office 2003, Office 2007, Office 2010, Office 2004 for Mac, Office 2008 for Mac, Open XML File Format Converter for Mac, Office Compatibility Pack for Office 2007, Microsoft Word Viewer, Office Web Apps): This jumbo-sized patch handles eleven Office security vulnerabilities that are exposed when opening malformed Word files. The attacks are remote code execution attacks that grant the attacker the user's rights. I recommend that you apply this patch as soon as you can, due to the use of Word files as the attack vector. 3.3MB - 333MB MS10-080/KB2293211 - Important (Office XP, Office 2003, Office 2007, Office 2004 for Mac, Office 2008 for Mac, Open XML File Format Converter for Mac, Excel Viewer, Office Compatibility Pack for Office 2007): Thirteen Excel problems are fixed with this giant patch, which involve remote code execution attacks with malformed Excel and Lotus 1-2-3 files. Like the previous patch, you should install this one ASAP.  5.0MB - 333MB MS10-081/KB2296011 - Important (XP, Vista, 7, 2003, 2008, 2008 R2): A problem with the Windows Common Control Library allows a third-party SVG viewer to execute remote code execution attacks with the logged-on user's rights. Microsoft thinks this is "important," but I think that you will want to consider it "critical." 1.0MB - 3.8MB MS10-082/KB2378111 - Important (XP, Vista, 7, 2003)/Moderate (2008, 2008 R2): Windows Media Player can allow remote code execution exploits if it opens malformed media files that grant the same rights as the logged-on user. Again, the common nature of these files warrants more urgency than the problem would normally justify. 2.4MB - 19.1MB MS10-083/KB979687 - Important (XP, Vista, 7, 2003, 2008, 2008 R2): This one fixes a remote code execution hole in WordPad and the Windows Shell of all things and can be triggered by opening a WordPad file or following (or even selecting!) a shortcut on a network or WebDAV share. Once again, this patch is much more critical than the technical details would indicate due to the attack vectors. 193KB - 5.2MB MS10-084/KB2360937 - Important (XP, 2003): A local procedure call issue allows execution of escalation of privileges attacks by a locally logged-on user. You can wait until your usual patch time for this one. 793KB - 3.3MB MS10-085/KB2207566 - Important (Vista, 7, 2008, 2008 R2): Issues with how IIS handles SSL traffic can allow denial-of-services attacks. Patch this during your usual time. 143KB - 488KB MS10-086/KB2294255 - Moderate (2008 R2): There is an odd issue in Windows Server 2008 R2 that allows users to modify the administrative shares on failover cluster disks. You need this patch only if you use failover cluster disks. 1.7MB - 2.3MB

Other Updates

KB2345886: This patch brings the Extended Protection for Authentication to the Server service. 431KB - 1.7MB "The Usual Suspects": Updates to the Malicious Software Removal Tool (12.0MB - 12.4MB).

Updates since the last Patch Tuesday

There has been one security update release out-of-band:

MS10-070/KB2418042 - Critical (XP, Vista, 7, 2003, 2008, 2008 R2): This is the patch for the super-critical .NET vulnerability that was announced in September. This vulnerability allows attackers to read data encrypted on the server, including view state, which can be used to exploit many .NET apps. If you have not installed this on your IIS servers, you need to do it immediately. 601KB - 14.3MB

There have been a number of minor items added and updated since the last Patch Tuesday:

Fix for crashes with external USB video devices (KB979538): 179KB - 264KB

IE Compatibility View update (KB2362765): 27KB

Daylight Savings Time update (KB2158563): 151KB - 1.0MB

Changed, but not significantly:

Stay on top of the latest Microsoft Windows tips and tricks with TechRepublic's Windows Desktop newsletter, delivered every Monday and Thursday. Automatically sign up today!