Time flies. Another month has gone by and Patch Tuesday is upon us again. Microsoft is delivering a record-tying 13 security bulletins for February, a virtual avalanche of updates after a relatively quiet January that saw only one security bulletin on Patch Tuesday, and one released out-of-band mid-month to address a zero-day vulnerability in Internet Explorer that was used to launch attacks against Google and other companies in China.
According to Qualys CTO Wolfgang Kandek, that out-of-band security bulletin saved February from breaking the record for most security bulletins in a month. “Microsoft’s February 2010 was slated to be the biggest release for Microsoft patches in the last two years–14 bulletins addressing 34 vulnerabilities. But the Google/CN Internet Explorer 0-day forced Microsoft to accelerate the testing of the planned IE bulletin and release it early, still in January. That leaves 13 bulletins covering 26 vulnerabilities for the February release, which constitutes one of the bigger patch Tuesdays.”
Kandek explains “There are 5 critical vulnerabilities for the Windows Operating System family–the newer versions, Windows 7 and Windows 2008 R2, are only affected by three of them. Rewrites of the TCP/IP stack and the URI handling in Windows 7 and 2008 R2 improved on the implementation of these core OS capabilities. Highest on our list for patching are MS10-006 SMB client and MS10-013 DirectShow, which affect all versions of Windows and have a low exploitability index. Next are MS10-007 Shell URI handling, which is critical for Windows 2000, XP and 2003 and MS10-008, an update to the ActiveX Killbit settings, applicable to all platforms.”
“The SMB Server pathname overflow vulnerability tops my list this month,” said Joshua Talbot, security intelligence manager, Symantec Security Response. “Server-side vulnerabilities aren’t too common anymore, but they’re a golden goose for attackers when they are discovered. With this one, if an attacker can find a vulnerable remote server that has a guest account set up, just like that, they’ve got access to the machine and possibly the entire local network–all without any user involvement required.”
Golden geese aside, Tyler Reguly, lead research engineer for nCircle, commented via e-mail with a different perspective. “For the end user, the concerns definitely lie with client-side software. From today’s advisories, Microsoft Office, Windows Media Player and even Microsoft Paint are the types of tools that most of those users will have. I’m willing to risk sounding like a broken record: patching is a must. Every user should be running automatic updates on their PC and ensuring that their software stays as up to date as possible.”
nCircle director of security Andrew Storms echoed Reguly’s concern with MS10-013. “The most important bug by far for all IT security teams is the MS10-013, a bug in Microsoft media player. The nature of the exploit lends itself to drive-by attacks that leave unsuspecting victims infected. Since media is what excites people most on the Internet today, an exploit of this bug would make it extremely easy to entice users to watch videos that are actually gateways to malware.”
Jerry Bryant, senior security communications manager lead at Microsoft, says “As always, it’s recommended that customers deploy all security updates as soon as possible. Of the bulletins released this month, customers should prioritize and deploy MS10-006, MS10-007, MS10-008, and MS10-013, given Critical severity ratings and Exploitability Index ratings of 1 (“Consistent Exploit Code Likely”).”
Bryant also added some guidance for IT administrators. “The Microsoft Security Response Center (MSRC) blog contains additional deployment guidance and the Microsoft Exploitability Index includes exploitability ratings for all vulnerabilities addressed in this release.”
Tyler Reguly offered up some additional guidance for IT administrators to educate end-users. “User awareness is vital. Don’t open attachments from people you don’t know. Better yet, even if you know the person, but weren’t expecting the attachment, don’t open it. Call them up and ask them if they meant to send it to you. That 30 second phone call could save you a lot of pain and grief. This is important at every level of computer usage, from small and medium businesses right up to the largest Fortune 500 enterprises. It’s equally important at home. Know what you’re clicking on!”
No matter how you look at it, February is a busy month for security bulletins and now the race is on for organizations of all sizes to apply all necessary patches and updates before the bad guys figure out how to exploit the new array of flaws and vulnerabilities.
Tony Bradley tweets as @Tony_BradleyPCW, and can be contacted at his Facebook page.