Halloween came early for Microsoft users: The company released 16 security bulletins this week -- its largest release ever. Four security bulletins are rated "critical," 10 "important," and two "moderate." Five of the most interesting desktop-related bulletins are discussed in more detail below.
MS10-071 is a critical cumulative update for all supported versions of Internet Explorer (IE). It fixes a set of flaws ranging from information disclosure to remote code execution: if a user visits a malicious URL, the site can read information from the user's computer or from other IE windows, or run code on the machine. In every case the attacker's code is limited to the permissions of the user viewing the site. Several of the flaws were publicly known before the patch shipped.
One of the more noteworthy flaws addressed by this bulletin lets a malicious website read data that users have stored in IE's AutoComplete feature, such as addresses, phone numbers and credit card numbers. If AutoComplete is turned on, the site can request the stored data and send it off without the user's knowledge. Roll this patch out to all your end-user systems right away; since the flaw only exposes data AutoComplete has saved, turning the feature off for forms is the interim mitigation on machines you cannot patch immediately.
MS10-076 is another critical bulletin, this one affecting all supported versions of Windows. It is the second patch released in 2010 (and the third in the past 13 months) for flaws in the Embedded OpenType (EOT) font engine. Visiting a malicious website or opening a malformed Office document that carries an EOT font could let the attacker run code on the local computer. As with the IE flaws, that code runs in the security context of the locally logged-on user, which is a good reason not to log on and browse the Web with an administrator account.
MS10-073 covers privilege-escalation vulnerabilities and is rated "important." It affects all supported versions of Windows and is especially important to apply on Windows XP, where the Stuxnet malware, now spreading widely, is already exploiting one of the flaws. Code that is already running on the machine, whether a local user or a piece of malware, can use it to move from a standard user account to administrator. Combine this privilege-escalation flaw with any of the malicious-website flaws described above and an attacker gets administrative control of the system even when the victim is logged on with a plain user account.
MS10-079 and MS10-080 address flaws in Microsoft Word and Microsoft Excel, respectively. Opening a malicious Word or Excel file could let an attacker run code of their choice on the desktop. If the user is running as an administrator, that code can take any action on the computer; if the user has a standard account, the code can download and run an exploit for the privilege-escalation flaw described above. These bulletins cover all supported versions of Word and Excel except Excel 2010.
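The three conditions the bulletins above turn on are whether the user is browsing with administrative rights, whether IE AutoComplete is holding form data, and whether the patches have actually landed. The PowerShell script below is an added example for checking all three on a workstation; it is not from the original column or from Microsoft. It reads the real IE setting `Use FormSuggest` under `HKCU\Software\Microsoft\Internet Explorer\Main` and uses the built-in `Get-HotFix` cmdlet. It does not hardcode any KB article numbers: the `-RequiredKB` list is an input you copy from each bulletin's Knowledge Base Article field.

```powershell
# Added example, not part of the original column: a quick posture check for the
# conditions the October 2010 bulletins depend on.
#   1. Is this logon running with Administrators rights?
#   2. Is Internet Explorer's form AutoComplete turned on?
#   3. Which of the supplied KB updates are not installed yet?
# The KB IDs are supplied by the caller (copied from the bulletins); none are
# assumed here.
param(
    [string[]] $RequiredKB = @()   # e.g. the 'KBnnnnnnn' value from each bulletin
)

# 1. Administrator membership of the current token. Under UAC, a member of the
#    Administrators group running non-elevated has the group marked deny-only,
#    so IsInRole returns $false until the process is elevated. A $true result
#    therefore means code started from this session really does run as admin.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# 2. IE form AutoComplete. 'Use FormSuggest' is 'yes' or 'no'; when the value is
#    absent the browser falls back to its default, so report that explicitly
#    rather than guessing.
$ieMain      = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$formSuggest = (Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue).'Use FormSuggest'
$autoComplete = if ($formSuggest) { $formSuggest } else { '(not set, browser default)' }

# 3. Installed hotfixes vs. the list the caller supplied. Get-HotFix returns
#    HotFixID values of the form 'KBnnnnnnn', so compare case-insensitively.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$missing   = @($RequiredKB | Where-Object { $installed -notcontains $_ })

# Emit one object per machine so the results can be collected across a fleet
# (for example with Invoke-Command or by exporting to CSV).
New-Object PSObject -Property @{
    ComputerName       = $env:COMPUTERNAME
    UserName           = $identity.Name
    RunningAsAdmin     = $isAdmin
    IEFormAutoComplete = $autoComplete
    MissingUpdates     = ($missing -join ', ')
    MissingCount       = $missing.Count
}
```

Run it in the interactive user's own session (not an elevated console) so the administrator check reflects what a drive-by exploit would actually inherit, and pass the KB IDs for MS10-071, MS10-073, MS10-076, MS10-079 and MS10-080 as the `-RequiredKB` argument. A row with `RunningAsAdmin` true and `IEFormAutoComplete` set to `yes` is a machine where every flaw described above fires at full strength, so patch those first.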
The other 11 security bulletins released this month deserve the same review and rollout across all of your systems. They fix vulnerabilities in the .NET Framework, Windows Media Player, third-party image viewers, OpenType fonts, WordPad, shortcut files, shared cluster disks and the operating system itself.
ABOUT THE AUTHOR
Eric Schultze is a principal product manager at Amazon Web Services. Prior to Amazon, Schultze worked at Microsoft, where he helped manage the security bulletin and patch-release process. Schultze likes to forget that he used to work as an internal auditor on Wall Street.