Jerry Bryant, group manager of response communications at Microsoft, and Adrian Stone, senior security program manager, urged the quick installation of MS10-033, which addresses media decompression vulnerabilities: flaws that could allow remote code execution and could result in a drive-by download if a user, for example, receives corrupted media via email or visits a specially crafted website that streams a media file. The remote code execution vulnerability can be found in both Quartz.dll and Asycfilt.dll.
The days of solely focusing on Internet browser patches have changed, according to Jason Miller, data and security team manager at Minneapolis-based Shavlik Technologies LLC. Microsoft, he said, has been very focused over the past six to eight months on fixing vulnerabilities in their media formats and players.
"Attackers are focusing more and more on media players to go along with browser attacks. I can guarantee that someone on your network, right now, is browsing the Internet looking for a video with Tom Cruise's Tropic Thunder character Les Grossman's dance routine," a popular video from this week's MTV Movie Awards, "and there's a good chance one of those video files has been compromised," Miller said, adding that this bulletin should be a high priority.
MS10-034, another critical bulletin this month, is a cumulative security update for Active Kill Bits, which ensure that flawed ActiveX controls can no longer be exploited through Internet Explorer. "We strongly recommend our customers, even if updates have been made available for those controls, to set the Kill Bits as well," said Microsoft's Stone in an overview video posted on the MSRC website.
Microsoft will apply Kill Bits for two of its own controls: the Internet Explorer 8 Developer Tools control and the Data Analyzer ActiveX control. The Data Analyzer ActiveX control is not installed by default, but a user may have installed it through third-party applications. The bulletin also includes Kill Bits for four third-party controls.
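A Kill Bit is honoured by Internet Explorer when the "Compatibility Flags" DWORD under the control's ActiveX Compatibility registry key has bit 0x400 set. The following PowerShell audit, an added example rather than anything from the article or from Microsoft, verifies that the bit is present for a list of CLSIDs on both the native and the Wow6432Node views of the registry; the CLSIDs shown are placeholders, since the article does not list them.

```powershell
# Added example: audit whether the ActiveX kill bit (0x400 in "Compatibility Flags")
# is set for a list of CLSIDs. Run in an elevated PowerShell session.
# The CLSIDs below are placeholders; substitute the ones listed in the bulletin.

$KillBitFlag = 0x400

$ClsidsToCheck = @(
    '{00000000-0000-0000-0000-000000000001}',  # placeholder: IE8 Developer Tools control
    '{00000000-0000-0000-0000-000000000002}'   # placeholder: Data Analyzer control
)

# 64-bit Windows keeps a second view for 32-bit Internet Explorer under Wow6432Node.
$CompatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Test-KillBit {
    param([string]$Root, [string]$Clsid)
    $key = Join-Path $Root $Clsid
    if (-not (Test-Path $key)) { return $false }          # no compatibility entry at all
    $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }               # key exists but no flags value
    return (($flags -band $KillBitFlag) -eq $KillBitFlag) # true only when 0x400 is set
}

foreach ($clsid in $ClsidsToCheck) {
    foreach ($root in $CompatRoots) {
        if (-not (Test-Path $root)) { continue }          # Wow6432Node is absent on 32-bit Windows
        $state = if (Test-KillBit -Root $root -Clsid $clsid) { 'kill bit SET' } else { 'kill bit MISSING' }
        [PSCustomObject]@{ Clsid = $clsid; Hive = $root; State = $state }
    }
}
```

A control reported as MISSING in either view is still loadable by the corresponding Internet Explorer build, which is the case the article's advice to set the Kill Bits regardless of available updates is meant to close.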
Another critical priority, according to Microsoft, is MS10-035, a cumulative update for Internet Explorer. The update, deemed critical for users of Windows 2000 Professional, Windows XP, Windows Vista and Windows 7, addresses a total of six vulnerabilities, including the previously disclosed Security Advisory 980088, an Internet Explorer flaw that could allow information disclosure. Microsoft said it is unaware of any active attacks against this vulnerability.
This month's bulletins also put to rest Security Advisory 983438, which addressed an elevation-of-privilege vulnerability in Microsoft SharePoint.
Seven of the bulletins affect Windows, including one specific to IIS, another focused on Internet Explorer, two concerning Office-related products and one addressing the SharePoint server.
Other 'important' clarifications
On its blog, the Microsoft Security Response Center team noted a few clarifications to specific bulletins:
Aside from MS10-033, MS10-034 and MS10-035, the rest of this month's updates were rated important, including MS10-032, which addresses an elevation-of-privilege issue in Windows kernel-mode drivers. The bulletin also closes a potential remote vector that exists if non-Microsoft applications fail to properly request the length of the buffer when calling an affected API.
Another bulletin rated as important, MS10-036, addresses a possible attack through ActiveX in Office applications. For customers running Office XP on Windows XP or a newer operating system, a shim can be installed via a Microsoft FixIt workaround tool, which will protect against the COM validation vulnerability.
Miller, however, warned that Office XP is still vulnerable and still could be attacked, adding that the workaround does not remove the vulnerability but keeps the application from being affected by it. "A FixIt tool is technically not a patch. It's a mitigation method like hardening an OS…You're not going to push this down through Windows Update. It will require manual intervention on your network."
Although it may not be feasible due to upgrade licenses, Miller urged customers to upgrade to Office 2003 or 2007 if possible.
Users may have been able to avoid deploying updates during previous months with fewer bulletins and patches, but today's multiple patches will likely affect more of an organization's workstations and servers, Miller said, and will make the patch cycle longer as administrators deploy, run a patch and reboot machines.
Susan Bradley, a Microsoft MVP and IT administrator at Tamiyasu, Smith, Horn and Braun Accountancy Corp. in Fresno, Calif., will begin pushing out patches next week. Bradley has her sights on all of the vulnerabilities, including those related to Internet Explorer and SharePoint, but she noted particular challenges with bulletins like MS10-041, which addresses the .NET Framework. Employees may have multiple versions of the framework on one machine, and the .NET patch installation process can be a long one.
"Sometimes [.NET] patches get stuck and give you an error message. Then you'll have to tear them all out, reapply them and put them back on the box," requiring another tool to uninstall and reinstall the framework, Bradley said.
"[The updates] will all get installed on my system…It's about timing."