Microsoft released 14 security bulletins this Patch Tuesday -- eight "critical" and six "important" -- making it the largest release of the year so far. The patches address four elevation-of-privilege attacks -- in which users can become administrators on their local systems -- and 10 remote code executions -- when a user visits an evil website or launches a malicious document that allows an attacker's code to run on the victim's computer.
The following seven "critical" remote code execution flaws can affect a typical user's desktop, and they should be dealt with immediately.
- MS10-055 A flaw in the Cinepak coder/decoder (codec) that ships in Windows Media Player can affect all Windows XP, Windows Vista and Windows 7 systems. Viewing a malicious media file, webpage or media stream could allow an attacker to run code on your systems. To keep your computers safe, don't visit potentially malicious websites.
- MS10-052 This is another codec flaw in Windows Media Player -- this time, in the MPEG codec. Windows XP and Windows Server 2003 systems are affected, and it's the same deal as above: View media, get hacked. Again, avoid malicious websites.
- MS10-056 This flaw was found in Microsoft Word 2002, XP and 2007. If you read an evil Rich Text Format (RTF) document, the attacker can launch code on your system. This exploit can also be launched if you view a RTF-formatted email in Outlook 2007. Do not open the RTF document on the company shared drive titled "Bonuses.RTF."
- MS10-060 A flaw in the .NET platform is also present in Silverlight. Silverlight Versions 2 and 3 for both Windows and Mac systems are vulnerable to code-execution attacks when a user visits an evil website. Silverlight has its own update mechanism to patch itself. The patch can also be approved for distribution via a Windows Server Update Services server. Until then, don't visit malicious websites.
- MS10-053 You were probably wondering where this month's Internet Explorer patch was. Well, here it is -- and it's a big one. Internet Explorer Versions 6, 7 and 8 are all at risk, with IE6 is the most likely to be targeted. How do you prevent the attack? Don't visit malicious websites.
- MS10-051 A flaw in the Microsoft XML code can let arbitrary code run on your system. This can happen if you visit an evil website, and it affects Windows XP, Vista, and Windows 7 operating systems. Stay safe by not visiting malicious websites.
- MS10-049 A flaw in Secure Channel can let attackers run code on your desktop when you visit a malicious website via HTTPS. Windows XP systems are at the most risk. Vista and Windows 7 desktops are safer because of mechanisms built into those OSes. Don't visit evil Secure Sockets Layer websites.
The number of patches may be overwhelming, but remember this month's theme: To stay safe, don't visit evil websites.
ABOUT THE AUTHOR
Eric Schultze is a principal product manager at Amazon Web Services. Prior to Amazon, Schultze worked at Microsoft, where he helped manage the security bulletin and patch-release process. Schultze likes to forget that he used to work as an internal auditor on Wall Street.