Microsoft released 14 new security bulletins in Aug. 10’s Patch Tuesday update to cover nearly three dozen vulnerabilities.
Fourteen is the largest number of security bulletins ever released by Microsoft on Patch Tuesday. Eight of the bulletins are rated critical. Of the eight, four are considered by Microsoft to be high priority: MS10-052, which resolves a vulnerability in Microsoft’s MPEG Layer-3 audio codecs; MS10-055, which addresses a vulnerability in the Cinepak Codec used by Windows Media Player to support the AVI audiovisual format; MS10-056, which deals with four vulnerabilities in Microsoft Office; and MS10-060, which resolves two vulnerabilities in Microsoft .NET Framework and Microsoft Silverlight.
Another bulletin that may require particular attention is MS10-054.
“The SMB [protocol] pool overflow vulnerability [covered in MS10-054] should be a real concern for enterprises,” said Joshua Talbot, security intelligence manager of Symantec Security Response. “Not only does it give an attacker system-level access to a compromised SMB server, but the vulnerability occurs before authentication is required from computers contacting the server. This means any system allowing remote access and not protected by a firewall is at risk.
“Best practices dictate that file or print sharing services, such as SMB servers, should not be open to the Internet,” Talbot added. “But such services are often unprotected from neighboring systems on local networks. So, a cyber-criminal could use a multistaged attack to exploit this vulnerability … [and] this issue affects more than just file servers using the SMB service. Workstations that have enabled file and print sharing are also at risk.”
The six noncritical bulletins are all rated important; all but one affects Microsoft Windows. The remaining bulletin, MS10-057, fixes a vulnerability in Microsoft Office.
Earlier in August, Microsoft issued MS10-046 out of band to plug a security hole in Windows that was being exploited by attackers, bringing the total number of bulletins issued to 15 for the month so far. Not included in the fixes is a patch for a Windows bug reported the week of Aug. 2 that remains under investigation.
Nearly all the vulnerabilities covered by today’s fixes will require a goodly amount of time and effort to turn into a reliable exploit, or will require user interaction, noted Rapid7 security researcher Josh Abraham.
“This is consistent with what we have seen in recent months, with the attack using drive-by-based malware to exploit the target,” Abraham said. “No need to panic right now, but be sure to start watching the mailing lists regarding exploits for MS10-054.”