'Tis the season for giving, and this Patch Tuesday, Microsoft was especially generous to administrators, with 17 security bulletins. This is the largest number of patches in one month during the 12-year history of the Security Response Center. With 106 bulletins total in 2010, the company also surpassed its record for the highest number of bulletins in one year. The prior record was 100 in 2000.
So where do you start?
MS10-090 is a cumulative update for all versions of Internet Explorer. The bulletin addresses seven security vulnerabilities, including three that were publicly reported and one that is being exploited on the Internet. Visiting a malicious website can enable attackers to run code of their choice on a user's computer. An attacker will gain the same rights as the logged-on user, and if the user is logged on with full administrator rights, his computer won't be his own for long.
MS10-091 deals with a flaw in the OpenType font driver. The attacker must entice the user to visit a specially crafted network share using Windows Explorer. Viewing the share exploits the vulnerable OpenType driver and lets the attacker execute code at the system level. Unlike the Internet Explorer problem, this attack can take complete control of the user's system regardless of the permissions of the currently logged-on user. This is the third OpenType font vulnerability this year.
After patching these two critical vulnerabilities, consider installing MS10-092 and MS10-101 next, which address flaws in the task scheduler and domain controller, respectively. They are frequent targets of hackers and employees with too much time on their hands.
MS10-092 addresses an elevation-of-privilege attack, in which a flaw allows lesser-privileged users to run code on local computers and access high-level information. This patch affects the task scheduler on Vista, Windows 7 and Windows Server 2008 systems that can allow a user to launch tasks as an administrator by scheduling jobs using triggers. Microsoft said the vulnerability is publicly known and that it has received reports of known attacks.
The domain controller bulletin, MS10-101, warns of a denial-of-service attack on Windows Server 2003 and 2008 systems. Disgruntled employees with administrative access can send malicious packets to the domain controllers on their networks and cause the domain controller to reboot. Rebooting domain controllers affects user logins and access to domain resources. Given the number of users who may have administrative access to their own domain-joined workstations (or those who gain such access through privilege-escalation attacks), this patch should be applied as soon as possible.
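Because the exposure described above scales with how many accounts hold local administrator rights, a quick inventory of the local Administrators group on workstations is a useful companion to the patch itself. The following PowerShell script is an added example, not part of the original column or of any Microsoft tooling; it assumes PowerShell 5.1 or later (for Get-LocalGroupMember) and the allow-list entries, including the DOMAIN placeholder, are constructed values to replace with your own.

```powershell
# Added example (not from the article): list members of the local Administrators
# group that are not on an expected allow-list, so unexpected admin accounts on
# domain-joined workstations can be reviewed while the patch is rolled out.
# Assumes PowerShell 5.1+ (Get-LocalGroupMember). 'DOMAIN' is a placeholder for
# your domain's NetBIOS name; the allow-list below is constructed, not real data.

$ExpectedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local administrator account
    'DOMAIN\Domain Admins'               # placeholder: replace with your domain's group
)

function Get-UnexpectedLocalAdmins {
    param(
        # Principals that are allowed to be in the local Administrators group.
        [string[]]$Allowed = $ExpectedAdmins
    )
    # Get-LocalGroupMember returns Name as COMPUTER\account or DOMAIN\account,
    # plus ObjectClass (User/Group) and PrincipalSource (Local/ActiveDirectory).
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Allowed -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

$Unexpected = @(Get-UnexpectedLocalAdmins)
if ($Unexpected.Count -gt 0) {
    Write-Warning ("{0}: {1} unexpected member(s) in local Administrators" -f $env:COMPUTERNAME, $Unexpected.Count)
    $Unexpected | Format-Table -AutoSize
} else {
    Write-Output "$env:COMPUTERNAME: local Administrators group matches the allow-list."
}
```

Run it locally on a workstation, or wrap the function in Invoke-Command to sweep a list of domain-joined machines; any principal it reports is a candidate for removal or for the same patch-first priority the column gives the domain controllers.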
Of the remaining security bulletins, the following additional major patches may affect desktops in your enterprise:
- MS10-098 is another elevation-of-privilege flaw and affects the kernel in all Windows operating systems.
- MS10-099 is a privilege-escalation vulnerability in Windows XP and Windows Server 2003 systems running Routing and Remote Access Services (RRAS).
- MS10-100 addresses a privilege-escalation vulnerability in Windows Vista, Windows 7 and Windows Server 2008. Users who have been granted special (nondefault) permissions on the OS can execute malicious code that exploits a flaw in the User Account Control process to execute code as LocalSystem.
- MS10-002 addresses a flaw that allows users running Hyper-V guest systems to send evil packets to their Windows Server 2003/2008 Hyper-V servers and cause them to become unresponsive until they've been restarted.
- MS10-106 tackles a denial-of-service attack in which domain users can send malicious packets to all versions of Exchange Server and cause the servers to become unresponsive.
Review the remaining security bulletins and prioritize them according to the systems on your network and how critical each of those systems is.
ABOUT THE AUTHOR
Eric Schultze is a principal product manager at Amazon Web Services. Prior to Amazon, Schultze worked at Microsoft, where he helped manage the security bulletin and patch-release process. Schultze likes to forget that he used to work as an internal auditor on Wall Street.