To determine which patches may be most important to your desktops, consider the following scenarios.
- If you think you might visit unknown or malicious websites and then press the F1 key ...
Attackers may be able to execute code on your system. Security Bulletin MS10-022 addresses a flaw in the VBScript scripting engine: a malicious web page can pop up a dialog that references an attacker-supplied Windows Help (.hlp) file, and if you press F1 in response, that Help file is opened and can execute code on your computer. The flaw itself affects Windows 2000, XP and Server 2003 systems only. However, Microsoft has released the update for all supported operating systems to keep the VBScript code base in sync across all machines, so expect to see it offered on Vista and later as well.
- If you tend to open unknown or evil Visio or Publisher files ...
You'll want to install MS10-023 (for Publisher) and MS10-028 (for Visio) as soon as possible. These patches correct flaws in the way Publisher and Visio parse malformed files, so that code embedded in a crafted file cannot be executed when the file is opened.
- If you connect to your corporate network from home via an Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) network connection ...
You should consider MS10-029, which corrects a spoofing flaw in the ISATAP component of Windows XP, Server 2003, Vista and Server 2008. The flaw might let an attacker impersonate your computer's address, bypassing security devices that trust that address and reaching systems on your internal network.
- If you visit unknown or malicious websites and view or listen to audio or video clips (intentionally or not) …
Then you should install MS10-026 and MS10-027. Both correct flaws that could let an attacker run code on your computer by way of a crafted media file. MS10-026 corrects a flaw in the Microsoft MPEG Layer-3 (MP3) audio codec and applies to every supported Windows version except Windows 7 and Windows Server 2008 R2. MS10-027 corrects a flaw in the Windows Media Player ActiveX control and applies to Windows 2000 and Windows XP systems running Windows Media Player 9.
- If you are running applications that rely on digital signature verification ...
Then install MS10-019 immediately. A flaw has been identified in the Authenticode digital signature verification process that could allow an attacker to modify a signed file without breaking its digital signature. By carefully modifying the signed file, an attacker could cause code of his choice to execute on your system. The flaw also affects signed cabinet (CAB) files. (Note: Many security and patch management applications download signed CAB files and rely on digital signature verification to validate the authenticity of the files they execute. This flaw lets an attacker tamper with those legitimate files and execute other code on your systems while the signature still appears valid. Install this patch right away on all systems in your enterprise.)
- If you are concerned about insider threats to your corporate network ...
Install MS10-020 right away. This patch corrects a flaw in the SMB client that could let disgruntled employees execute code on an organization's internal machines. In this scenario, if a Windows user visits a malicious website, the site can cause the user's computer to initiate an SMB connection (over TCP port 139 or 445) to a server of the attacker's choosing, which then responds with a malformed reply that executes code on the Windows system. In other words, visit an evil website, and that website could execute code on your computer. The attack requires that the victim can reach the attacker's server on the NetBIOS and SMB ports. Because most perimeter firewalls block those ports outbound, the realistic attacker is one whose server sits inside the corporate firewall, which is why this is primarily an insider concern.
- If you are worried about any of the above attacks being successful on even one of your computers ...
You should install MS10-021. This patch corrects elevation-of-privilege flaws in the Windows kernel. Let's assume that any one of the above flaws is exploited on one of your computers. In most instances, the exploit code runs in the context of the currently logged-on user. If people are logged on with user-level rights, the damage is somewhat contained. If users are logged on with administrative rights, the exploit code can do far more damage. A kernel elevation-of-privilege flaw removes that containment: it can let any of the above exploits immediately obtain administrative privileges, regardless of the rights of the currently logged-on user.
Recommendations for order of installation this month:
Right away:
And then consider:
MS10-024 and MS10-025 relate to servers and/or server applications and therefore aren't included in the above discussion.
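The following triage script is added here and is not part of the original article. It turns the scenarios above into a per-desktop check: which of the desktop-side bulletins apply to the machine's Windows version and media player, which of their KB updates Get-HotFix does not report as installed, and whether the two environmental exposures (ISATAP enabled, unrestricted outbound SMB) are present. The bulletin-to-KB mapping, the OS-version tests and the netsh command forms are my assumptions and should be confirmed against each bulletin page before you rely on them.

```powershell
# Added example, not from the original article. Per-desktop triage for the
# desktop-side April 2010 bulletins. ASSUMPTIONS to verify against the bulletins:
# the bulletin-to-KB mapping, the OS-version tests, and the netsh forms (the
# advfirewall/isatap syntax below is the Vista-and-later form; on XP/2003 use
# "netsh interface ipv6 isatap ..." and the classic "netsh firewall" context).
# Run from an elevated PowerShell 2.0 prompt on the desktop being assessed.

$os  = [Environment]::OSVersion.Version   # 5.0=2000 5.1=XP 5.2=2003 6.0=Vista/2008 6.1=7/2008 R2
$wmp = $null                              # Windows Media Player version, if installed
$wmpExe = Join-Path $env:ProgramFiles 'Windows Media Player\wmplayer.exe'
if (Test-Path $wmpExe) {
    try { $wmp = [version](Get-Item $wmpExe).VersionInfo.ProductVersion } catch { $wmp = $null }
}

# One entry per bulletin: KB IDs Get-HotFix should list once installed (assumed),
# and the condition under which the flaw applies to this desktop at all.
$bulletins = @(
    @{ Id='MS10-019'; Kb=@('KB978601','KB979309'); Why='Authenticode/CAB signature verification'
       Applies={ $true } }
    @{ Id='MS10-020'; Kb=@('KB980232'); Why='SMB client remote code execution'
       Applies={ $true } }
    @{ Id='MS10-021'; Kb=@('KB979683'); Why='kernel elevation of privilege'
       Applies={ $true } }
    @{ Id='MS10-022'; Kb=@('KB981349'); Why='VBScript / Help file via F1 (2000, XP, 2003 only)'
       Applies={ $os.Major -eq 5 } }
    @{ Id='MS10-026'; Kb=@('KB977816'); Why='MPEG Layer-3 codec (not Windows 7 / 2008 R2)'
       Applies={ $os -lt [version]'6.1' } }
    @{ Id='MS10-027'; Kb=@('KB979402'); Why='Windows Media Player 9 ActiveX control (2000, XP)'
       Applies={ ($os.Major -eq 5) -and ($os.Minor -le 1) -and $wmp -and ($wmp.Major -eq 9) } }
    @{ Id='MS10-029'; Kb=@('KB978338'); Why='ISATAP spoofing (XP, 2003, Vista, 2008)'
       Applies={ ($os -ge [version]'5.1') -and ($os -lt [version]'6.1') } }
)

# 1. Patch status: compare each bulletin's KB list with what Get-HotFix reports.
$installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })
foreach ($b in $bulletins) {
    if (-not (& $b.Applies)) {
        '{0,-8} {1}  ({2}; this OS/player not affected)' -f 'n/a', $b.Id, $b.Why
        continue
    }
    $missing = @($b.Kb | Where-Object { $installed -notcontains $_ })
    if ($missing.Count -gt 0) {
        '{0,-8} {1}  ({2}) -> install {3}' -f 'MISSING', $b.Id, $b.Why, ($missing -join ', ')
    } else {
        '{0,-8} {1}' -f 'present', $b.Id
    }
}

# 2. MS10-029 exposure: the flaw only matters while ISATAP is enabled, so an
#    unpatched desktop can be protected in the interim by disabling it.
$isatap = netsh interface isatap show state 2>$null
$state  = ($isatap | Where-Object { $_ -match 'State' }) -join ''
'ISATAP   ' + $(if ($state) { $state.Trim() } else { 'state not reported (IPv6/ISATAP not present?)' })
'         interim mitigation if unpatched: netsh interface isatap set state disabled'

# 3. MS10-020 exposure: the attack needs the SMB client to reach the attacker's
#    server on TCP 139/445. Blocking those ports outbound at the host firewall
#    removes the exposure. Printed rather than applied, because it will also
#    break legitimate file-share access; apply it only after you have checked that.
'SMB      outbound block for TCP 139/445 (Vista and later), apply deliberately:'
'         netsh advfirewall firewall add rule name="Block outbound SMB (MS10-020)" dir=out action=block protocol=TCP remoteport=139,445'
```

Read the "MISSING" lines against the author's ordering: MS10-019, MS10-020 and MS10-021 are the ones the article says to install right away, so a desktop that reports any of those three as missing should be at the front of the queue regardless of what the other lines say.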
About the author:
Eric Schultze is an independent security consultant who most recently designed Microsoft patch management solutions at Shavlik Technologies. Prior to Shavlik, Schultze worked at Microsoft, where he helped manage the security bulletin and patch-release process. Schultze likes to forget that he used to work as an internal auditor on Wall Street.