Microsoft plugs 34 security holes in a Patch Tuesday update with 14 security bulletins. Of the eight critical bulletins, Microsoft rates four as the highest priority for enterprises.
Microsoft released 14 new security bulletins in Aug. 10's
Patch Tuesday update to cover nearly three dozen vulnerabilities.
Fourteen is the largest number of security bulletins ever
released by Microsoft on Patch Tuesday. Eight of the bulletins are rated
critical. Of the eight, four are considered by Microsoft to be high priority:
MS10-052, which resolves a vulnerability in Microsoft's MPEG Layer-3 audio
which addresses a vulnerability in the Cinepak Codec used by Windows Media
Player to support the AVI audiovisual format; MS10-056,
which deals with four vulnerabilities in Microsoft Office; and MS10-060, which
resolves two vulnerabilities in Microsoft .NET
Framework and Microsoft Silverlight.
Another bulletin that may require particular attention is
"The SMB [protocol] pool overflow vulnerability
[covered in MS10-054] should be a real concern for enterprises," said
Joshua Talbot, security intelligence manager of Symantec Security Response. "Not
only does it give an attacker system-level access to a compromised SMB server,
but the vulnerability occurs before authentication is required from computers
contacting the server. This means any system allowing remote access and not protected
by a firewall is at risk.
"Best practices dictate that file or print sharing
services, such as SMB servers, should not be open to the Internet," Talbot
added. "But such services are often unprotected from neighboring systems
on local networks. So, a cyber-criminal could use a multistaged attack to
exploit this vulnerability ... [and] this issue affects more than just file
servers using the SMB service. Workstations that have enabled file and print
sharing are also at risk."
The six noncritical bulletins are all rated important; all
but one affects Microsoft Windows. The remaining bulletin, MS10-057, fixes a
vulnerability in Microsoft Office.
Earlier in August, Microsoft issued MS10-046 out of band to
plug a security hole in Windows that was being exploited by attackers, bringing
the total number of bulletins issued to 15 for the month so far. Not included
in the fixes is a patch for a Windows
bug reported the week of Aug. 2 that remains under investigation.
Nearly all the vulnerabilities covered by today's fixes will
require a goodly amount of time and effort to turn into a reliable exploit, or
will require user interaction, noted Rapid7 security researcher Josh Abraham.
"This is consistent with what we have seen in recent
months, with the attack using drive-by-based malware to exploit the target,"
Abraham said. "No need to panic right now, but be sure to start watching
the mailing lists regarding exploits for MS10-054."