October '10 Patch Tuesday Detailed
This month’s Patch Tuesday has been a record breaking one. Microsoft rolled out a grand total of 16 security bulletins meant to fix a grand total of 49 vulnerabilities that affect the Windows operating system, the Internet Explorer web browser, the Microsoft Office productivity suite, and the .NET Framework. Until now all we knew about these bulletins was the rating Microsoft gave them; Microsoft rated 4 of the 16 bulletins as critical, 10 as important, and 2 as moderate.
The Redmond-based software giant has now released additional information on these security bulletins. Normally we present details on all the security bulletins that Microsoft releases as part of the Patch Tuesday. But this month there are just too many of them – so we will focus on the critical ones.
Here is the information Microsoft made public on the 4 critical security bulletins it released this month: Title: Cumulative Security Update for Internet Explorer
Rating: Critical
Description: Seven privately reported vulnerabilities and three publicly disclosed vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Most likely attack vector: Victim browses to a malicious webpage.
Affected software: Microsoft Windows, Internet Explorer
- Microsoft Internet Explorer 6 (Windows Server 2003 Service Pack 2)
- Microsoft Internet Explorer 6 (Windows Server 2003 with SP2 for Itanium-based Systems)
- Microsoft Internet Explorer 6 (Windows Server 2003 x64 Edition Service Pack 2)
- Microsoft Internet Explorer 6 (Windows XP Professional x64 Edition Service Pack 2)
- Microsoft Internet Explorer 6 (Windows XP Service Pack 3)
- Microsoft Internet Explorer 7 (Microsoft Windows Server 2003 Service Pack 2)
- Microsoft Internet Explorer 7 (Microsoft Windows Server 2003 with SP2 for Itanium-based Systems)
- Microsoft Internet Explorer 7 (Microsoft Windows Server 2003 x64 Edition Service Pack 2)
- Microsoft Internet Explorer 7 (Windows Server 2003 Service Pack 2)
- Microsoft Internet Explorer 7 (Windows Server 2008 for 32-bit Systems Service Pack 2)
- Microsoft Internet Explorer 7 (Windows Server 2008 for 32-bit Systems)
- Microsoft Internet Explorer 7 (Windows Server 2008 for Itanium-based Systems Service Pack 2)
- Microsoft Internet Explorer 7 (Windows Server 2008 for Itanium-based Systems)
- Microsoft Internet Explorer 7 (Windows Server 2008 for x64-based Systems Service Pack 2)
- Microsoft Internet Explorer 7 (Windows Vista Service Pack 1)
- Microsoft Internet Explorer 7 (Windows Vista Service Pack 2)
- Microsoft Internet Explorer 7 (Windows Vista x64 Edition Service Pack 1)
- Microsoft Internet Explorer 7 (Windows Vista x64 Edition Service Pack 2)
- Microsoft Internet Explorer 7 (Windows XP Service Pack 3)
- Microsoft Internet Explorer 8 (Windows 7 for 32-bit Systems)
- Microsoft Internet Explorer 8 (Windows 7 for x64-based Systems)
- Microsoft Internet Explorer 8 (Windows Server 2003 x64 Edition Service Pack 2)
- Microsoft Internet Explorer 8 (Windows Server 2008 for 32-bit Systems Service Pack 2)
- Microsoft Internet Explorer 8 (Windows Server 2008 for 32-bit Systems)
- Microsoft Internet Explorer 8 (Windows Server 2008 for x64-based Systems)
- Microsoft Internet Explorer 8 (Windows Server 2008 R2 for Itanium-based Systems)
- Microsoft Internet Explorer 8 (Windows Server 2008 R2 for x64-based Systems)
- Microsoft Internet Explorer 8 (Windows Vista Service Pack 1)
- Microsoft Internet Explorer 8 (Windows Vista Service Pack 2)
- Microsoft Internet Explorer 8 (Windows Vista x64 Edition Service Pack 1)
- Microsoft Internet Explorer 8 (Windows Vista x64 Edition Service Pack 2)
- Microsoft Internet Explorer 8 (Windows XP Professional x64 Edition Service Pack 2)
- Microsoft Internet Explorer 8 (Windows XP Service Pack 3) Title: Vulnerability in Media Player Network Sharing Service Could Allow Remote Code Execution
Rating: Critical
Description: A privately reported vulnerability in the Microsoft Windows Media Player network sharing service. The vulnerability could allow remote code execution if an attacker sent a specially crafted RTSP packet to an affected system. However, Internet access to home media is disabled by default. In this default configuration, the vulnerability can be exploited only by an attacker within the same subnet.
Most likely attack vector: Attacker sends malicious RTSP network packet to Windows Vista and Windows 7 client on the same network who has opted-in to Windows Media Network Sharing service. Only Windows 7 Home Edition opts-in by default.
Affected software: Microsoft Windows
- Windows 7 for 32-bit Systems
- Windows 7 for x64-based Systems
- Windows Vista Service Pack 1
- Windows Vista Service Pack 2
- Windows Vista x64 Edition Service Pack 1
- Windows Vista x64 Edition Service Pack 2 Title: Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution
Rating: Critical
Description: A privately reported vulnerability in a Microsoft Windows component, the Embedded OpenType (EOT) Font Engine. The vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system remotely. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Most likely attack vector: Victim browses to a malicious webpage.
Affected software: Microsoft Windows
- Windows 7 for 32-bit Systems
- Windows 7 for x64-based Systems
- Windows Server 2003 Service Pack 2
- Windows Server 2003 with SP2 for Itanium-based Systems
- Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2008 for 32-bit Systems
- Windows Server 2008 for 32-bit Systems Service Pack 2**
- Windows Server 2008 for Itanium-based Systems
- Windows Server 2008 for Itanium-based Systems Service Pack 2
- Windows Server 2008 for x64-based Systems
- Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 R2 for Itanium-based Systems
- Windows Server 2008 R2 for x64-based Systems
- Windows Vista Service Pack 1
- Windows Vista Service Pack 2
- Windows Vista x64 Edition Service Pack 1
- Windows Vista x64 Edition Service Pack 2
- Windows XP Professional x64 Edition Service Pack 2
- Windows XP Service Pack 3 Title: Vulnerability in .NET Framework Could Allow Remote Code Execution
Rating: Critical
Description: A privately reported vulnerability in Microsoft .NET Framework. The vulnerability could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs). The vulnerability could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and then executes the page, as could be the case in a Web hosting scenario.
Most likely attack vector: Victim running 64-bit Windows browses to a malicious webpage. Also could be used by malicious attacker allowed to run ASP.Net code on 64-bit IIS server to run arbitrary code.
Affected software: Microsoft Windows, Microsoft .NET Framework
- Windows 7 for x64-based Systems
- Windows Server 2003 with SP2 for Itanium-based Systems
- Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2008 for Itanium-based Systems
- Windows Server 2008 for Itanium-based Systems Service Pack 2
- Windows Server 2008 for x64-based Systems
- Windows Server 2008 for x64-based Systems Service Pack 2**
- Windows Server 2008 R2 for Itanium-based Systems
- Windows Server 2008 R2 for x64-based Systems
- Windows Vista x64 Edition Service Pack 1
- Windows Vista x64 Edition Service Pack 2
- Windows XP Professional x64 Edition Service Pack 2
Details on the other bulletins released this October are available here. A risk assessment of all the bulletins is available here.
The Microsoft Security Response Center (MSRC) has provided these visual representations of the October 2010 Patch Tuesday update.
The Redmond-based software giant has now released additional information on these security bulletins. Normally we present details on all the security bulletins that Microsoft releases as part of the Patch Tuesday. But this month there are just too many of them – so we will focus on the critical ones.
Here is the information Microsoft made public on the 4 critical security bulletins it released this month: Title: Cumulative Security Update for Internet Explorer
Rating: Critical
Description: Seven privately reported vulnerabilities and three publicly disclosed vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Most likely attack vector: Victim browses to a malicious webpage.
Affected software: Microsoft Windows, Internet Explorer
- Microsoft Internet Explorer 6 (Windows Server 2003 Service Pack 2)
- Microsoft Internet Explorer 6 (Windows Server 2003 with SP2 for Itanium-based Systems)
- Microsoft Internet Explorer 6 (Windows Server 2003 x64 Edition Service Pack 2)
- Microsoft Internet Explorer 6 (Windows XP Professional x64 Edition Service Pack 2)
- Microsoft Internet Explorer 6 (Windows XP Service Pack 3)
- Microsoft Internet Explorer 7 (Microsoft Windows Server 2003 Service Pack 2)
- Microsoft Internet Explorer 7 (Microsoft Windows Server 2003 with SP2 for Itanium-based Systems)
- Microsoft Internet Explorer 7 (Microsoft Windows Server 2003 x64 Edition Service Pack 2)
- Microsoft Internet Explorer 7 (Windows Server 2003 Service Pack 2)
- Microsoft Internet Explorer 7 (Windows Server 2008 for 32-bit Systems Service Pack 2)
- Microsoft Internet Explorer 7 (Windows Server 2008 for 32-bit Systems)
- Microsoft Internet Explorer 7 (Windows Server 2008 for Itanium-based Systems Service Pack 2)
- Microsoft Internet Explorer 7 (Windows Server 2008 for Itanium-based Systems)
- Microsoft Internet Explorer 7 (Windows Server 2008 for x64-based Systems Service Pack 2)
- Microsoft Internet Explorer 7 (Windows Vista Service Pack 1)
- Microsoft Internet Explorer 7 (Windows Vista Service Pack 2)
- Microsoft Internet Explorer 7 (Windows Vista x64 Edition Service Pack 1)
- Microsoft Internet Explorer 7 (Windows Vista x64 Edition Service Pack 2)
- Microsoft Internet Explorer 7 (Windows XP Service Pack 3)
- Microsoft Internet Explorer 8 (Windows 7 for 32-bit Systems)
- Microsoft Internet Explorer 8 (Windows 7 for x64-based Systems)
- Microsoft Internet Explorer 8 (Windows Server 2003 x64 Edition Service Pack 2)
- Microsoft Internet Explorer 8 (Windows Server 2008 for 32-bit Systems Service Pack 2)
- Microsoft Internet Explorer 8 (Windows Server 2008 for 32-bit Systems)
- Microsoft Internet Explorer 8 (Windows Server 2008 for x64-based Systems)
- Microsoft Internet Explorer 8 (Windows Server 2008 R2 for Itanium-based Systems)
- Microsoft Internet Explorer 8 (Windows Server 2008 R2 for x64-based Systems)
- Microsoft Internet Explorer 8 (Windows Vista Service Pack 1)
- Microsoft Internet Explorer 8 (Windows Vista Service Pack 2)
- Microsoft Internet Explorer 8 (Windows Vista x64 Edition Service Pack 1)
- Microsoft Internet Explorer 8 (Windows Vista x64 Edition Service Pack 2)
- Microsoft Internet Explorer 8 (Windows XP Professional x64 Edition Service Pack 2)
- Microsoft Internet Explorer 8 (Windows XP Service Pack 3) Title: Vulnerability in Media Player Network Sharing Service Could Allow Remote Code Execution
Rating: Critical
Description: A privately reported vulnerability in the Microsoft Windows Media Player network sharing service. The vulnerability could allow remote code execution if an attacker sent a specially crafted RTSP packet to an affected system. However, Internet access to home media is disabled by default. In this default configuration, the vulnerability can be exploited only by an attacker within the same subnet.
Most likely attack vector: Attacker sends malicious RTSP network packet to Windows Vista and Windows 7 client on the same network who has opted-in to Windows Media Network Sharing service. Only Windows 7 Home Edition opts-in by default.
Affected software: Microsoft Windows
- Windows 7 for 32-bit Systems
- Windows 7 for x64-based Systems
- Windows Vista Service Pack 1
- Windows Vista Service Pack 2
- Windows Vista x64 Edition Service Pack 1
- Windows Vista x64 Edition Service Pack 2 Title: Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution
Rating: Critical
Description: A privately reported vulnerability in a Microsoft Windows component, the Embedded OpenType (EOT) Font Engine. The vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system remotely. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Most likely attack vector: Victim browses to a malicious webpage.
Affected software: Microsoft Windows
- Windows 7 for 32-bit Systems
- Windows 7 for x64-based Systems
- Windows Server 2003 Service Pack 2
- Windows Server 2003 with SP2 for Itanium-based Systems
- Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2008 for 32-bit Systems
- Windows Server 2008 for 32-bit Systems Service Pack 2**
- Windows Server 2008 for Itanium-based Systems
- Windows Server 2008 for Itanium-based Systems Service Pack 2
- Windows Server 2008 for x64-based Systems
- Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 R2 for Itanium-based Systems
- Windows Server 2008 R2 for x64-based Systems
- Windows Vista Service Pack 1
- Windows Vista Service Pack 2
- Windows Vista x64 Edition Service Pack 1
- Windows Vista x64 Edition Service Pack 2
- Windows XP Professional x64 Edition Service Pack 2
- Windows XP Service Pack 3 Title: Vulnerability in .NET Framework Could Allow Remote Code Execution
Rating: Critical
Description: A privately reported vulnerability in Microsoft .NET Framework. The vulnerability could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs). The vulnerability could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and then executes the page, as could be the case in a Web hosting scenario.
Most likely attack vector: Victim running 64-bit Windows browses to a malicious webpage. Also could be used by malicious attacker allowed to run ASP.Net code on 64-bit IIS server to run arbitrary code.
Affected software: Microsoft Windows, Microsoft .NET Framework
- Windows 7 for x64-based Systems
- Windows Server 2003 with SP2 for Itanium-based Systems
- Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2008 for Itanium-based Systems
- Windows Server 2008 for Itanium-based Systems Service Pack 2
- Windows Server 2008 for x64-based Systems
- Windows Server 2008 for x64-based Systems Service Pack 2**
- Windows Server 2008 R2 for Itanium-based Systems
- Windows Server 2008 R2 for x64-based Systems
- Windows Vista x64 Edition Service Pack 1
- Windows Vista x64 Edition Service Pack 2
- Windows XP Professional x64 Edition Service Pack 2
Details on the other bulletins released this October are available here. A risk assessment of all the bulletins is available here.
The Microsoft Security Response Center (MSRC) has provided these visual representations of the October 2010 Patch Tuesday update.
