Microsoft released nine security bulletins this month, and at least one is being actively exploited on the Internet. Four of these flaws are rated "critical" -- more, depending on whom you trust to set the severity scores. Eight of the bulletins are discussed below; the ninth only affects computers with Korean, Chinese or Japanese localization and isn't listed below.
Print your way to Admin
Security Bulletin MS10-061 addresses a flaw in the ever-present print spooler service that could allow a co-worker or anonymous user to take control of your Windows XP system if you're sharing a printer connection from your computer. Alternatively, this flaw can be used to gain administrative access on your own computer if you're running Windows Server 2003, Windows Vista, Windows 7 or Windows Server 2007. The print-spooler vulnerability was publicly announced prior to the release of the patch, and Microsoft has seen instances of malware that exploit this flaw to run code on victims' machines.
Bring back my green screen
A flaw in the MPEG-4 video codec can allow attackers to execute code on your computer, according to MS10-062. Similar in nature to August's patches MS10-052 and 10-055 that involved Cinepak and MPEG-layer 3 coder/decoders (codecs), this flaw can be exploited when a user visits a website containing malicious videos or advertisements. This bulletin affects more operating systems than last month's flaw, including Windows XP, Windows Server 2003, Vista and Windows Server 2008.
Evil OpenType fonts
MS10-063 discusses a security flaw in the newly released Uniscribe feature. Uniscribe and its related scripting functions allow for enhanced display of certain fonts (for languages, left-to-right display, carets, etc.). They also allow attackers to run code on unprotected systems. UniScript can be used in fonts and Microsoft Office applications as well as websites. Viewing one of these documents in Office XP, 2003 or 2007, or viewing a webpage with the malicious font may allow an attacker to consider your computer theirs. (Windows 7 and Server 2008 R2 are not at risk from the webpage-viewing attack)
Read email, get hacked
Viewing a specially crafted email message in Outlook XP, 2003 or 2007 might lead to system compromise, as per bulletin MS10-064. This flaw is only present if Outlook is obtaining mail from your Exchange Server in "online" mode. (Cached-mode users are safe.) Reading the malformed email could allow an attacker's code to run on your system. If you're reading email while logged on as an administrator, it's game over.
IIS Web servers may get jammed up
Bulletin MS10-065 says all versions of Microsoft IIS Web server hosting .asp pages are vulnerable to denial-of-service attacks. Furthermore, Internet Information Services (IIS) servers running the FastCGI feature on Windows 7 and Windows Server 2008 R2 are vulnerable to remote code execution if an attacker sends a specially formatted URL to the Web service. Fortunately, FastCGI is not enabled by default on IIS servers.
Your internal network (RPC) belong to us
MS10-066 says that Windows XP and Windows Server 2003 systems suffer from a flaw in the remote procedure call (RPC) client. (Tell me something we don't already know.) An evil RPC service, most likely on your internal network, can provide responses to RPC requests that in turn can take over the computer that initiated the RPC request. The malware can operate under the guise of the RPC application -- which may run as an admin. If that's the case, turn off the network, and go home.
Evil Word documents ... again
Do not open Word 97 documents. A vulnerability discussed in MS10-067 could allow an attacker to (run code on your computer when it tries to parse and open an evil Word 97 document.
Your domain controller is up for grabs
Microsoft calls the vulnerability discussed in MS10-068 "important." I'd call it "critical." Any disgruntled user on your network can send packets to an Active Directory server and execute commands of their choice on that server. That could include creating user accounts, changing passwords or formatting the hard drive. The flaw resides in the parsing of certain Lightweight Directory Access Protocol (LDAP) requests by the Local Security Authority Subsystem Service. To exploit the flaw, the attacker must be able to authenticate to the AD server (as can all domain users) and must be able to send LDAP packets to the AD server (as can all member workstations). Microsoft downgraded the severity of this issue because it can presumably be executed only by trusted users in your domain. Question is, do you trust all your users?
What to do now?
It's pretty nasty this month. Install MA10-061 and MS10-068 immediately. Install the others right after that.
ABOUT THE AUTHOR
Eric Schultze is a principal product manager at Amazon Web Services. Prior to Amazon, Schultze worked at Microsoft, where he helped manage the security bulletin and patch-release process. Schultze likes to forget that he used to work as an internal auditor on Wall Street.