Microsoft Monthly Patch Sets Record

“The SMB pool overflow vulnerability should be a real concern for enterprises,” notes Joshua Talbot, security intelligence manager at Symantec Security Response, in a release. “Not only does it give an attacker system-level access to a compromised SMB server, but the vulnerability occurs before authentication is required from computers contacting the server. This means any system allowing remote access and not protected by a firewall is at risk.

“Best practices dictate that file or print sharing services, such as SMB servers, should not be open to the Internet,” according to Talbot, “but such services are often unprotected from neighboring systems on local networks." He notes that a multi-staged attack could be launched that would "likely start by compromising an employee’s machine via a drive-by download or socially engineered e-mail, and would end by using that compromised computer to attack neighboring machines on the same local network that have the SMB service running.

“This issue affects more than just file servers using the SMB service.” Talbot warns that “Workstations that have enabled file and print sharing are also at risk. Laptops with this configuration that connect to untrusted networks, such as public Wi-Fi, or that allow ad hoc connections could be attacked by neighboring computers. The user could then unwittingly carry their infected system back to the enterprise, opening the door to an organization’s entire network.”

According to Jason Miller, data and security team manager at Minneapolis, MN-based Shavlik Technologies, four of the bulletins should grab an administrator's attention right away.

Two bulletins (MS10-052 and MS10-055) target media files and are rated as Critical. Miller points out that "Opening a malicious media file can lead to remote code execution. Downloading and playing media files is becoming more prevalent today as social interaction is moving to video. This makes these vulnerabilities prime targets for attacks."

Bulletin MS10-056 corrects a remote execution problem in Microsoft Word. According to Miller, "Microsoft Outlook 2007 can also play a part in exploitation. In Outlook 2007, simply opening an e-mail with a malicious attachment can lead to remote code execution. This version of Outlook can be affected by viewing the document in the reading pane as Outlook 2007 uses Microsoft Word as the default email reader. RTF documents are extremely common and are typically not blocked by companies as attachments. We can expect malicious RTF documents in users e-mail boxes in the coming weeks."

Another remote code execution vulnerability -- this time in Silverlight -- is part of the most important fixes, Miller says. "Microsoft has patched Silverlight in the past, but this patch is more critical than past patches. An attacker only needs to entice a user to visit a malicious [Web site] in order to deliver a payload. The Silverlight install is amazingly easy, so you can assume that a lot of your computers currently have this program installed. I have not heard of any Silverlight exploits, but I expect to see more with the release of this patch."

Miller advises that, due to the size and scope of the fixes, "This large patch month will affect all of your systems, workstations, or desktops. This many patches can increase network bandwidth, increase the time for the system to run each patch, and require reboots. Be sure to take the time and review the bulletin summaries and have a clear plan of a patch attack."

-- James E. Powell
Editorial Director, ESJ

Posted by Jim Powell on 08/10/2010