A new year, a new decade, and time once again for this month's summary of the latest Microsoft Security updates … actually, that's *update*.
1 update, with 1 vulnerability covered. Here's the breakdown:
MS10-001: Rated Critical. Potential Remote Code Execution via integer overflow in LZCOMP Decompressor of the Embedded OpenType (EOT) Font Engine, covering 1 vulnerability: CVE-2010-0018. Important to note that Windows 2000 is rated critical; all others are rated low. This update replaces MS09-029 from July of last year, which was critical across the board.
Also interesting to note: Microsoft has specifically called out that the SMB DoS exposure is not being addressed today as they are still conducting research. No indication if this will be released as a subsequent out-of-band issue or whether we'll see it in a future Patch Tuesday, although Microsoft does not have a history of addressing DoS exposures out of band.
NeXpose Community Edition, the free version of NeXpose, will have coverage within 24 hours of the release. NeXpose Community Edition will allow you to detect this vulnerability and, if you wish, launch Metasploit Security Testing to confirm the presence and exploitability of the exposure(s) on up to 32 hosts in your environment. For small environments with 32 nodes or less, you can use NeXpose to provide free detection within 24 hours of Microsoft's update release.
For larger environments, even if NeXpose is not your current Enterprise Vulnerability Management solution, we invite you to download Community Edition and run it alongside your tool on Wednesday to audit the effectiveness of your solution on up to 32 hosts.
NeXpose Community Edition is available for immediate download at no cost here: http://www.rapid7.com/nexposecommunitydownload.jsp
We also invite you to visit the Community Portal at http://community.rapid7.com to share information with other Security Professionals following the Microsoft release.
As always, Happy patching!!