08 February 2012
Patch Tuesday August 2010

This month, Microsoft have released what is believed to be the largest Patch Tuesday on record with fifteen new updates.

Nine of these bulletins are rated as Critical, with a further six rated as Important.

Although we normally concentrate on Microsoft updates, some other companies are releasing security updates shortly. Apple is preparing to roll out a patch for a serious issue that can affect an iPhone, iTouch or iPad device. The exploit can be triggered by a malware site or by tricking the user into opening a specially crafted PDF. Adobe is also creating a patch to resolve a number of security issues in Adobe Reader 9.3.3 for Windows, Mac OS X and UNIX, and in Adobe Acrobat for Windows and Mac, as well as in Reader and Acrobat version 8.2.3 for the same platforms.

The patches in the table below relate to Microsoft Operating Systems and Office software. All of the patches either need or may need a system reboot.

As usual, these patches address fundamental issues relating to vulnerabilities in the operating system or software which could be used by attackers to compromise your systems.

Microsoft Support Lifecycle News Reminder

As mentioned last month, there is an important consideration for Vista and for the Server and Workstation versions of Windows 2000:

The original release of Vista (pre-service pack 1&2) is no longer supported by Microsoft and updates will no longer be offered. The same is true for all flavours of Windows Server 2000 and Windows 2000 for workstations. If you are not currently running SP1 or SP2 for Vista then we strongly advise you consider upgrading, with the usual precautions on updating operating systems. This will ensure Vista can receive updates and be supported. If you are running Windows 2000 server/workstation it may be time to do a bundled upgrade of your hardware and software as these operating systems are now obsolete.

A number of viruses and other malware could exploit these vulnerabilities. Left unpatched, they are a real threat because they give attackers the ability to compromise your systems.

Our usual advice is…

  • Ensure that the critical patches are deployed to all Windows desktop and server operating systems and software, where appropriate, immediately.
  • Ensure that all anti-virus and malware blocking software packages are fully up to date, and properly configured firewalls are in place within your environment.
  • Update your operating systems with the latest round of Critical patches as soon as possible (MS10-046, MS10-049, MS10-051, MS10-052, MS10-053, MS10-054, MS10-055, MS10-056).
  • Contact us if you require any further advice or guidance on 01206 235000.
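
To confirm that the Windows patches from Table 1 actually reached a machine, the following added example (not part of the original bulletin) compares the hotfixes Windows reports against the table's KB numbers. It assumes each bulletin's KB number is also the hotfix ID recorded on the host; the function and variable names are hypothetical, and the Office, Movie Maker and .NET/Silverlight bulletins are left out on the assumption that they install as separate product packages that Get-HotFix does not list.

```powershell
# Added example. Bulletin and KB numbers come from Table 1 on this page;
# Severity is the highest rating the table shows for that bulletin.
# Assumption: the bulletin's KB number is the HotFixID Windows records.
$Aug2010 = @'
Bulletin,KB,Severity
MS10-046,KB2286198,Critical
MS10-047,KB981852,Important
MS10-048,KB2160329,Important
MS10-049,KB980436,Critical
MS10-051,KB2079403,Critical
MS10-052,KB2115168,Critical
MS10-053,KB2183461,Critical
MS10-054,KB982214,Critical
MS10-055,KB982665,Critical
MS10-058,KB978886,Important
MS10-059,KB982799,Important
'@ | ConvertFrom-Csv

function Get-MissingBulletin {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [object[]]$Bulletins = $Aug2010
    )
    foreach ($computer in $ComputerName) {
        try {
            # Collect the hotfix IDs the host reports as installed.
            $installed = @(Get-HotFix -ComputerName $computer -ErrorAction Stop |
                ForEach-Object { $_.HotFixID })
        }
        catch {
            # An unreachable host is reported, never counted as patched.
            New-Object PSObject -Property @{ Computer = $computer; Bulletin = 'QUERY FAILED'
                KB = ''; Severity = 'Unknown' } | Select-Object Computer, Bulletin, KB, Severity
            continue
        }
        foreach ($b in $Bulletins) {
            if ($installed -notcontains $b.KB) {
                New-Object PSObject -Property @{ Computer = $computer; Bulletin = $b.Bulletin
                    KB = $b.KB; Severity = $b.Severity } |
                    Select-Object Computer, Bulletin, KB, Severity
            }
        }
    }
}

# Critical gaps first ('Critical' sorts before 'Important' and 'Unknown').
Get-MissingBulletin | Sort-Object Severity, Computer, Bulletin | Format-Table -AutoSize
```

A bulletin listed as missing may simply not apply to that version of Windows (see the Affected Software column) or may have been replaced by a later cumulative update, so check the table before treating it as a gap.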

As always, some consideration is needed in order to evaluate any risks depending on whether you have the relevant affected environment. More details on these patches are given in the table below with links to the relevant Microsoft Knowledge Base articles.

Table 1: Details of MS Patches released Tuesday 10/08/2010

| MS Link | ITSL Summary | Severity | Affected Software | Restart after patch |
|---|---|---|---|---|
| MS10-046, KB2286198 | This patch fixes an exploit for Windows shortcut management in Internet Explorer that could allow a remote attacker to run code. This is a critical patch to fix these issues and you should install it as soon as possible. | Critical | XP, Server 2003, Vista, Server 2008 & Windows 7 | Yes |
| MS10-047, KB981852 | This fixes a number of issues but primarily it could allow someone to increase their privileges on a local system. As this cannot be achieved remotely, Microsoft has set this to important and you should install this patch during your next round of updates. | Important | XP, Vista, Windows 7, Server 2008 | Yes |
| MS10-048, KB2160329 | This patch is for another set of escalation of privileges attack issues, which also requires the attacker to be locally logged on. Like MS10-047, it can wait until your usual patch time. | Important | XP, Server 2003, Vista, Server 2008 & Windows 7 | Yes |
| MS10-049, KB980436 | Malicious Web sites can take advantage of your systems with this vulnerability, potentially running code remotely. Patch ASAP. | Critical (XP, 2003); Important | XP, Server 2003, Vista, Server 2008 & Windows 7 | Yes |
| MS10-050, KB981997 | Attackers can use modified versions of Microsoft Movie Maker project files to perform remote attacks. You should install this patch during your next round of updates. | Important | XP, Vista | May require restart |
| MS10-051, KB2079403 | This could allow an attacker to use a cleverly coded Web site to run code to access/damage your systems. You should install this patch ASAP, especially on systems that see heavy internet access. | Critical | XP, Vista, Windows 7 (Moderate for 2003, 2008) | Yes |
| MS10-052, KB2115168 | Attackers can exploit a problem in MPEG codecs on XP and 2003 to perform remote attacks. You should install this patch ASAP. | Critical | XP, 2003 | May require restart |
| MS10-053, KB2183461 | This patch addresses six bugs in all versions of Internet Explorer. You should install this patch ASAP. | Critical | Internet Explorer 6, 7 & 8 | Yes |
| MS10-054, KB982214 | Issues with the Windows SMB handling (network protocol) can allow attacks which are fixed with this patch. You should install this patch ASAP. | Critical (XP); Important (Vista, Windows 7, 2003 & 2008) | XP, Vista, Windows 7, Server 2003 & 2008 | Yes |
| MS10-055, KB982665 | An additional codec problem that could allow an attacker local user rights. You should install this patch ASAP. | Critical | XP, Vista, Windows 7 | May require restart |
| MS10-056, KB2269638 | Several security problems in Office are fixed with this update. The most vulnerable will allow remote scripts to be run by opening an RTF email. You should install this patch as soon as you can. | Critical; Important | Critical: Office 2007. Important: Office XP, Office 2003, Office 2004 for Mac, Office 2008 for Mac, Open XML File Format Converter for Mac, Office Word Viewer, Office Compatibility Pack, Microsoft Works 9 | May require restart |
| MS10-057, KB2269707 | This is another patch for Office to fix remote code issues in Excel. Although Microsoft rates this as “important” we consider it to be critical as Excel documents are widely used so install ASAP. | Important | Office XP, Office 2003, Office 2004 for Mac, Office 2008 for Mac, Open XML File Format Converter for Mac | May require restart |
| MS10-058, KB978886 | A local user could make use of this vulnerability in the networking protocol. You should install this patch during your next round of updates. | Important | Vista, Windows 7, Server 2008 | Yes |
| MS10-059, KB982799 | Locally logged on attackers can take advantage of a pair of vulnerabilities in the operating system. You should install this patch during your next round of updates. | Important | Vista, Windows 7, Server 2008 | May require restart |
| MS10-060, KB2265906 | Problems in .NET and Silverlight, with a flaw that could allow cleverly written code to be run and give access. Patch this ASAP. Be aware that a couple of the fixes have some known issues, which you will need to look at here and here before you apply the patches. | Important | .NET 2.0, .NET 3.5, Silverlight 2, Silverlight 3 for XP, Vista, 7, 2008 | May require restart |

| Rating | Definition |
|---|---|
| Critical | A vulnerability whose exploitation could allow the propagation of an Internet worm without user action. |
| Important | A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users' data, or of the integrity or availability of processing resources. |
| Moderate | Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation. |
| Low | A vulnerability whose exploitation is extremely difficult, or whose impact is minimal. |

 




A Microsoft Certified Partner © Copyright 2009-2011 IT ServiceLink LTD A Microsoft Small Business Specialist