The Tech Herald

Microsoft issues massive patch push for February

by Steve Ragan - Feb 11 2010, 17:14

[Note: If you are having BSoD issues because of MS10-015, this forum post offers some tips. You can open a support ticket here as well. Lastly, "oopsie" has a unique solution for those without an XP installation CD; you can see it here in the comment section towards the bottom.]

On Tuesday, Microsoft released 13 patches to address 26 vulnerabilities discovered in Windows and the Microsoft Office suite. Of the patches released, the majority of them are listed as critical, and twelve of them earn Microsoft’s highest exploitability rating.

“While everyone has been focused on the volume of updates today, it should be noted that there are 12 vulnerabilities with Microsoft's highest exploitability rating. This certainly raises the bar for customers to plan, test, and roll out these updates more quickly than usual,” said Sheldon Malm, Rapid7’s senior director of security.

In a statement, Microsoft suggested that MS10-006, MS10-007, MS10-008, and MS10-013 should be prioritized and pushed out as soon as possible, given that four of them earned an Exploitability Index rating of 1, meaning you can expect to see exploits targeting them soon. MS10-008 is a rollup of ActiveX Kill Bits, and as such it should be added to the patch-first list too.

"This month's sleeper update may very well be MS10-009. While it has an exploitability rating of 2 based on the requirement for an attacker to be on-link to the target host, Wi-Fi access points provide link level connectivity to target systems. Customers should not confuse the exploitability index with exposure severity - the priority of this patch should be raised where mobile users are prevalent," commented HD Moore, Rapid7’s chief security officer and Metasploit chief architect.

Moore also noted that Tavis Ormandy's KiTrap0D exploit, which is now integrated into Metasploit, has been resolved in bulletin MS10-011. It too should gain some attention if administrators are still using NT 4.0. “Keep in mind that this bug still affects NT 4.0, which is no longer supported by Microsoft, but still used in a variety of legacy and retail functions,” he said.

In addition, Moore singled out MS10-012 and the NTLM entropy issue it addressed, calling it the most interesting vulnerability patched on Tuesday.

“The underlying flaw, a weakness in how NTLMv1 challenge keys are generated, has far-reaching implications to the SMB protocol stack and NTLM authentication. The core tenet of the NTLM challenge-response protocol is that the challenge key is unpredictable; when this is not the case, everything from relay attacks to hash reuse becomes possible,” Moore explained.

Along with the patches, Microsoft issued Security Advisory 977377 to provide a workaround for a publicly-known vulnerability in the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. Microsoft also addressed the Windows kernel vulnerability announced in Security Advisory 979682 with MS10-015.

MS10-006 and MS10-012 addressed vulnerabilities in Server Message Block (SMB), but Microsoft said they are still working on an update to address the vulnerability announced in Security Advisory 977544.

"This issue cannot be used to allow an attacker to take control of a system remotely, but instead can result in a system becoming unresponsive due to resource consumption. At this time, Microsoft is not aware of any attacks using this vulnerability," a statement from the software giant said.

Finally, the Malicious Software Removal Tool (MSRT) was updated to include Win32/Pushbot.

More details on this month’s patches can be found here.