Microsoft outlined in a statement that it is"providing active security protections to help customers manage and prevent threats to their computing experience through the release of 14 security bulletins. This month's bulletin package includes eight "Critical" and six "Important" updates to address 34 vulnerabilities in Microsoft Office, Microsoft Windows, Internet Explorer, Microsoft Silverlight, Microsoft XML Core Services and Server Message Block."
In perspective, 14 of the 15 bulletins released this month address bugs in media applications. It is important to note that Microsoft has already fixed bugs in media applications and media file formats through the months of February, March, April and June. This month's major release stands to continue an ever-growing security concern. "So much of what people do on the Internet these days includes videos or music," said Andrew Storms, director of security operations for nCircle. "Malware writers continue to take advantage of the fact that people are less aware of malware embedded in these files."
Microsoft Patch Tuesday on August 10, 2010 brings record number of security fixes
The first critical bulletin listed for August is a Windows Shell vulnerability that could allow remote code execution if the icon of a specially crafted shortcut is displayed. In other words, a harmless looking desktop shortcut could allow an attacker to gain access to critical Windows system files and potentially raise a hell storm on the exploited system. The issue affects Windows 7, Windows Vista, Windows Server 2008/R2, Windows Server 2003/x64 and Windows XP.
Joshua Talbot, security intelligence manager for Symantec Security Response, warned that IT administrators should be particularly concerned about bulletin MS10-054, the critical SMS pool overflow vulnerability. The identified exploit allows an attacker to remotely execute code if a specially crafted SMB packet were created and sent to an affected system. "Best practices dictate that file or print sharing services, such as SMB servers, should not be open to the Internet," says Talbot. "But such services are often unprotected from neighboring systems on local networks. So, a cybercriminal could use a multi-staged attack to exploit this vulnerability. Such an attack would likely start by compromising an employee's machine via a drive-by download or socially engineered email, and would end by using that compromised computer to attack neighboring machines on the same local network that have the SMB service running."
All of the important fixes, except for one, are patches for Windows OS-level vulnerabilities. According to RedmondMag, the exploits addressed represent a mixed bag. The August 2010 patches contain two fixes for RCE exploit considerations and four fixes for elevation-of-privilege vulnerabilities.
IT professionals should "roll with the punches this time", says Paul Henry, security analyst at Lumension. "But the critical security bulletins take priority. This will be a disruptive Patch Tuesday, given the broad range of products impacted and the required restarts," Henry said. "Initial priorities should always be the nine critical vulnerabilities, followed by the remaining balance of important and moderate patches."
The full list of Windows Update bulletins released on Tuesday, August 10, 2010 can be found here. For Windows 7, Vista, XP, Server 2008 and Server 2003 users, we highly suggest installing this round of critical security fixes - and or those of you with subconscious guilt that your neighbor or family member won't put in the effort to install these fixes, we highly recommend lending them a helping hand.
