Microsoft releases security patch covering 26 vulnerabilities
February 10, 2010
As it does every second Tuesday of the month, at around 1.30 PM EST yesterday, Microsoft released 13 security patches, covering no less than 26 OS vulnerabilities. Yesterday's security patch is considered by many in the industry as a large one, and with more than just a few minor implications.
So far, three of the security patches are particularly critical and require immediate attention. One of these critical updates (bulletin MS10-006) addresses two security vulnerabilities in the SMB networking service protocol that might easily lend itself to drive-by attacks on unpatched servers or computers.
All supported versions of Windows will need patching, though Vista and Windows 7 (three critical updates) are less exposed than XP and Windows 2000 (five critical security patches).
A separate vulnerability (bulletin MS10-007) in Windows Shell handler poses a similar code injection risk, but this problem is restricted to older versions of Windows (XP, Windows 2000 and Windows 2003 Server).
Finally, there's also a patch (bulletin MS10-013) for Microsoft Direct Show which, left unpatched, creates a handy mechanism for potential hackers to take over computers, provided they succeed in tricking the OS into opening maliciously constructed AVI video files.
"The size of this security patch is pretty big! Historically, Microsoft has had a light January followed by a large February, and this year is sure no exception. Yesterday’s patches addressed no less than 26 vulnerabilities and that's quite a bit by any standard. So far, there have been no reports of active attacks against these vulnerabilities, however. But one of these security vulnerabilities has been publicly disclosed," said Jason Miller, data and security team leader at Internet security firm Shavlik & Associates.
"Highest on our list for the security fix are bulletin MS10-006 SMB client and bulletin MS10-013 Direct Show, which affect all versions of Windows and have a low exploit ability index", Miller said.
"Next are security bulletins MS10-007 Shell URI handling, which is critical for Windows 2000, XP and Server 2003 and bulletin MS10-008, an update to the ActiveX Killbit settings, applicable to all OS platforms."
"Windows 7 and Windows Server 2008 Release 2 are less affected by the security vulnerabilities simply because of "rewrites of the TCP/IP stack and the URI handling in Windows 7 and 2008/R2", which improved the implementation of these core OS technologies," said Wolfgang Kandek, CTO of security scanning firm Qualys.
No less than eleven of the thirteen bulletins released yesterday cover security flaws in windows while the remaining two cover "critical" security fixes affecting older (pre 2007) versions of Office, as explained in Microsoft's summary.
An overview from the SANS Institute's Internet Storm Centre (ISC) disagrees with Redmond's security Gnomes on the severity of the Office bugs, categorizing both as critical, however.
Become an authorized reseller of Proxy Sentinel™ and Firewall Sentinel™. Do like the rest of our authorized resellers and have your clients benefit the important security features of our products and solutions, while increasing your sales at the same time. Click here for all the details.
You can link to the
Internet Security web site as
much as you like. Read our section on how your company can participate in our
reciprocal link exchange program
and increase your rankings
in the major search engines such as
Site optimized by Pagina+™
Powered by Sun Hosting
Search engine keywords by Rank for Sales
Development platform by My Web Services
Internet Security.ca is listed in
Global Business Listing