So what can I say that hasn't already been said about this month's Patch Tuesday release… Microsoft never ceases to amaze, closing out the year with another 17 bulletins covering 40 vulnerabilities. This month marks the end of a record-breaking year for bulletins, and another data point on what looks like an upward trajectory of bugs. Let's take a moment to reflect.

Microsoft has arguably one of the most advanced SDLC programs out there; even so, they still managed to double the number of bulletins released compared to 2005. Let's dig into the numbers:

At first glance this number is a bit shocking, but in Microsoft's defense, they've made some herculean advances in the past 5 years. Even if we only count shipping both Vista and Win7 in that period, that alone is a huge amount of new code, and more code means more bugs. Unfortunately, along with those advances they've brought the update count to an all-time high. We should also keep in mind that the bulletin count is not the same as the vulnerability count: a single bulletin often rolls up several vulnerabilities (this month's 17 bulletins cover 40 of them), so counting bulletins alone understates how much actually has to be fixed.

Changes such as Microsoft's increased development resources could also affect the number of bulletins released. To take it a step further, we could also debate how relevant the security update count really is now that mitigations such as ASLR and DEP raise the cost of turning a bug into reliable code execution.

We'll table that discussion for another time :)

December's Patch Tuesday definitely has a few doozies, but with a prioritized and targeted remediation strategy you'll be good to go in no time.

Out of 17 bulletins for 40 vulnerabilities, two are rated 'Critical' and affect Internet Explorer and the OpenType Font (OTF) format driver. This month's highlights have to be MS10-090 and MS10-091. The good, the bad and the ugly on these are as follows:

The GOOD – Both require user interaction, and a lot of your users are away for the holidays. The other "positive" about MS10-090 is that it's been actively exploited for over a month now, so it's just not as sexy to attackers as it once was.

The BAD – Both flaws let the "evil doers" completely own your assets: successful exploitation runs code with the rights of the logged-on user, which on an admin account means the whole box.

The UGLY – Being that it's the holiday season, a savvy attacker could entice a user expecting Granny's "Season's Greetings" into clicking on something they shouldn't.

Below is the official breakdown of the December 2010 Patch Tuesday Release:

MS10-090/KB2416400 - Critical (IE6, IE7, IE8): This security update resolves four privately reported vulnerabilities and three publicly disclosed vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. **Patch ASAP**

MS10-091/KB2296199 - Critical (Vista, W7, 2008, 2008 R2)/Important (XP, 2003): This security update resolves several privately reported vulnerabilities in the Windows Open Type Font (OTF) driver that could allow remote code execution. An attacker could host a specially crafted OpenType font on a network share. The affected control path is then triggered when the user navigates to the share in Windows Explorer, allowing the specially crafted font to take complete control over an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. **Patch ASAP**

MS10-092/KB2305420 - Important (Vista, 7, 2008, 2008 R2): This security update resolves a publicly disclosed vulnerability in Windows Task Scheduler. The vulnerability could allow elevation of privilege if an attacker logged on to an affected system and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.

MS10-093/KB2424434 - Important (Vista): This security update resolves a publicly disclosed vulnerability in Windows Movie Maker. The vulnerability could allow remote code execution if an attacker convinces a user to open a legitimate Windows Movie Maker file that is located in the same network directory as a specially crafted library file. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.

MS10-094/KB2447961 - Important (XP, Vista, 2008): This security update resolves a publicly disclosed vulnerability in Windows Media Encoder. The vulnerability could allow remote code execution if an attacker convinces a user to open a legitimate Windows Media Profile (.prx) file that is located in the same network directory as a specially crafted library file. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.

MS10-095/KB2385678 - Important (7, 2008 R2): This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a file type such as .eml and .rss (Windows Live Mail) or .wpost (Microsoft Live Writer) located in the same network folder as a specially crafted library file. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.

MS10-096/KB2423089 - Important (XP, Vista, 7, 2003, 2008, 2008 R2): This security update resolves a publicly disclosed vulnerability in Windows Address Book. The vulnerability could allow remote code execution if a user opens a Windows Address Book file located in the same network folder as a specially crafted library file. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.

MS10-097/KB2443105 - Important (XP, 2003): This security update resolves a publicly disclosed vulnerability in the Internet Connection Signup Wizard of Microsoft Windows. This security update is rated Important for all supported editions of Windows XP and Windows Server 2003. All supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are not affected by the vulnerability. The vulnerability could allow remote code execution if a user opens an .ins or .isp file located in the same network folder as a specially crafted library file. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.
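The five bulletins above (MS10-093 through MS10-097) share one attack shape: a trusted application opens a document from a remote share or WebDAV location and ends up loading a DLL from that same directory. Besides installing the five patches, a practitioner will want to know whether the system-wide hardening for this whole class is in place: the CWDIllegalInDllSearch registry value that Microsoft introduced with Security Advisory 2269637 (update KB2264107), which restricts DLL loading from the current working directory. The script below is an added example, not part of the original post or of any Microsoft tooling; it assumes KB2264107 is installed (the value is ignored otherwise) and that it runs from an elevated Windows PowerShell prompt.

```powershell
# Added example (not from the original post): read, and optionally set, the
# CWDIllegalInDllSearch mitigation for library-preloading attacks.
# Assumes KB2264107 (Security Advisory 2269637) is installed and the session
# is elevated; without the update the registry value has no effect.
param(
    [switch]$Apply,                              # write the value; read-only otherwise
    [ValidateSet('WebDavOnly', 'Remote', 'Never')]
    [string]$Mode = 'Remote'                     # what to set when -Apply is given
)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$regName = 'CWDIllegalInDllSearch'

# Documented DWORD values. 0xFFFFFFFF is written as the Int32 -1 because the
# registry provider handles REG_DWORD as a signed 32-bit integer.
$modes = @{
    WebDavOnly = 1             # block CWD DLL loads when CWD is a WebDAV folder
    Remote     = 2             # block when CWD is a WebDAV folder or a remote (UNC) share;
                               # this is the scenario in MS10-093 through MS10-097
    Never      = [int32](-1)   # remove CWD from the DLL search order entirely;
                               # strongest, but can break apps that rely on CWD loads
}

function Get-CwdDllPolicy {
    $item = Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue
    if ($item -eq $null) { return 'Default (value not set; CWD is searched)' }
    switch ([int32]$item.$regName) {
        0       { 'Default (explicitly 0; CWD is searched)' }
        1       { 'WebDavOnly (1)' }
        2       { 'Remote (2)' }
        -1      { 'Never (0xFFFFFFFF)' }
        default { "Unrecognised value $($item.$regName)" }
    }
}

Write-Host "Current $regName : $(Get-CwdDllPolicy)"

if ($Apply) {
    # Set-ItemProperty creates the value if it does not exist yet.
    Set-ItemProperty -Path $regPath -Name $regName -Value $modes[$Mode] -Type DWord
    Write-Host "Set $regName to $Mode; now: $(Get-CwdDllPolicy)"
}
```

Run it without arguments to audit a box; `-Apply -Mode Remote` is the setting that matches the share/WebDAV scenario described in these bulletins, while `Never` should be tested against your application portfolio first, since some software legitimately loads libraries from its working directory.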

MS10-098/KB2436673 - Important (XP, Vista, 7, 2003, 2008, 2008 R2): This security update resolves one publicly disclosed vulnerability and several privately reported vulnerabilities in the Windows kernel-mode drivers. The vulnerabilities could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. The vulnerabilities could not be exploited remotely or by anonymous users.

MS10-099/KB2440591 - Important (XP, 2003): This security update addresses a privately reported vulnerability in the Routing and Remote Access NDProxy component of Microsoft Windows. This security update is rated Important for all supported editions of Windows XP and Windows Server 2003. All supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are not affected by the vulnerability. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.

MS10-100/KB2442962 - Important (Vista, 7, 2008, 2008 R2): This security update resolves a privately reported vulnerability in the Consent User Interface (UI). The vulnerability could allow elevation of privilege if an attacker runs a specially crafted application on an affected system. An attacker must have valid logon credentials and the SeImpersonatePrivilege and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.

MS10-101/KB2207559 - Important (2003, 2008, 2008 R2): This security update resolves a privately reported vulnerability in the Netlogon RPC Service on affected versions of Windows Server that are configured to serve as domain controllers. The vulnerability could allow denial of service if an attacker sends a specially crafted RPC packet to the Netlogon RPC Service interface on an affected system. An attacker requires administrator privileges on a machine that is joined to the same domain as the affected domain controller in order to exploit this vulnerability.

MS10-102/KB2345316 - Important (2008, 2008 R2): This security update resolves a privately reported vulnerability in Windows Server 2008 Hyper-V and Windows Server 2008 R2 Hyper-V. The vulnerability could allow denial of service if a specially crafted packet is sent to the VMBus by an authenticated user in one of the guest virtual machines hosted by the Hyper-V server. An attacker must have valid logon credentials and be able to send specially crafted content from a guest virtual machine to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.

MS10-103/KB2292970 - Important (Publisher 2002, Publisher 2003, Publisher 2007, Publisher 2010): This security update resolves five privately reported vulnerabilities in Microsoft Publisher that could allow remote code execution if a user opens a specially crafted Publisher file. An attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS10-104/KB2455005 - Important (SharePoint Server 2007): This security update resolves a privately reported vulnerability in Microsoft SharePoint. The vulnerability could allow remote code execution in the security context of a guest user if an attacker sent a specially crafted SOAP request to the Document Conversions Launcher Service in a SharePoint server environment that is using the Document Conversions Load Balancer Service. By default, the Document Conversions Load Balancer Service and Document Conversions Launcher Service are not enabled in Microsoft Office SharePoint Server 2007.

MS10-105/KB968095 - Important (Office XP, Office 2003, Office 2007, Office 2010, Office Converter Pack, Microsoft Works 9): This security update resolves seven privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user viewed a specially crafted image file using Microsoft Office. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS10-106/KB2407132 - Moderate (Exchange 2007): This security update resolves a privately reported vulnerability in Microsoft Exchange Server. The vulnerability could allow denial of service if an authenticated attacker sent a specially crafted network message to a computer running the Exchange service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.
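For the "prioritized and targeted" part, the first question on any box is simply which of the KBs above are already there. The script below is an added example, not part of the original post, that turns the breakdown into an inventory check for Windows PowerShell 2.0 or later: it maps the local OS to the platforms each bulletin applies to, looks up the installed hotfixes, and lists what is missing with the two Critical bulletins first. The bulletin table, OS tags and `Get-OsTag` helper are mine, not Microsoft's. Two caveats are built in: `Get-HotFix` reads Win32_QuickFixEngineering, which only tracks Windows component updates, so the Office (MS10-103, MS10-105), SharePoint (MS10-104) and Exchange (MS10-106) updates are left out and need WSUS or file-version checks; and a KB can be legitimately absent when its feature is not installed (MS10-101 on domain controllers, MS10-102 on Hyper-V hosts, MS10-094 where Windows Media Encoder is present).

```powershell
# Added example (not from the original post): list the December 2010 Windows
# bulletins that apply to this machine and whether each KB is installed.
# Assumes Windows PowerShell 2.0+ on XP/2003/Vista/2008/7/2008 R2.

# Bulletin table taken from the breakdown above. OS tags: XP, 2003, Vista,
# 2008, 7, 2008R2. Severity is the highest rating the bulletin carries.
$bulletins = @(
    @{ Bulletin = 'MS10-090'; KB = 'KB2416400'; Severity = 'Critical';  OS = 'XP','2003','Vista','2008','7','2008R2' },
    @{ Bulletin = 'MS10-091'; KB = 'KB2296199'; Severity = 'Critical';  OS = 'XP','2003','Vista','2008','7','2008R2' },
    @{ Bulletin = 'MS10-092'; KB = 'KB2305420'; Severity = 'Important'; OS = 'Vista','2008','7','2008R2' },
    @{ Bulletin = 'MS10-093'; KB = 'KB2424434'; Severity = 'Important'; OS = 'Vista' },
    @{ Bulletin = 'MS10-094'; KB = 'KB2447961'; Severity = 'Important'; OS = 'XP','Vista','2008' },
    @{ Bulletin = 'MS10-095'; KB = 'KB2385678'; Severity = 'Important'; OS = '7','2008R2' },
    @{ Bulletin = 'MS10-096'; KB = 'KB2423089'; Severity = 'Important'; OS = 'XP','2003','Vista','2008','7','2008R2' },
    @{ Bulletin = 'MS10-097'; KB = 'KB2443105'; Severity = 'Important'; OS = 'XP','2003' },
    @{ Bulletin = 'MS10-098'; KB = 'KB2436673'; Severity = 'Important'; OS = 'XP','2003','Vista','2008','7','2008R2' },
    @{ Bulletin = 'MS10-099'; KB = 'KB2440591'; Severity = 'Important'; OS = 'XP','2003' },
    @{ Bulletin = 'MS10-100'; KB = 'KB2442962'; Severity = 'Important'; OS = 'Vista','2008','7','2008R2' },
    @{ Bulletin = 'MS10-101'; KB = 'KB2207559'; Severity = 'Important'; OS = '2003','2008','2008R2' },   # domain controllers
    @{ Bulletin = 'MS10-102'; KB = 'KB2345316'; Severity = 'Important'; OS = '2008','2008R2' }           # Hyper-V hosts
)

# Map the local OS to one of the tags above from its version and product type
# (ProductType 1 = workstation, anything else = server).
function Get-OsTag {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $v  = [Version]$os.Version                       # e.g. "6.1.7601"
    $workstation = ($os.ProductType -eq 1)
    switch ("$($v.Major).$($v.Minor)") {
        '5.1'   { 'XP' }
        '5.2'   { '2003' }                           # XP x64 also reports 5.2; treated as 2003-class here
        '6.0'   { if ($workstation) { 'Vista' } else { '2008' } }
        '6.1'   { if ($workstation) { '7' }     else { '2008R2' } }
        default { 'Unsupported' }
    }
}

# Installed hotfix IDs (e.g. "KB2416400") as a lookup table. Only Windows
# component updates show up here; Office/SharePoint/Exchange do not.
$installed = @{}
Get-HotFix | ForEach-Object { $installed[$_.HotFixID] = $true }

$osTag  = Get-OsTag
$report = foreach ($b in $bulletins) {
    if ($b.OS -notcontains $osTag) { continue }      # bulletin does not apply to this OS
    if ($installed.ContainsKey($b.KB)) { $status = 'Installed' } else { $status = 'MISSING' }
    New-Object PSObject -Property @{
        Bulletin = $b.Bulletin
        KB       = $b.KB
        Severity = $b.Severity
        Status   = $status
    }
}

"Local OS: $osTag"
$report |
    Sort-Object @{ Expression = { $_.Status -ne 'MISSING' } },
                @{ Expression = { $_.Severity -ne 'Critical' } },
                Bulletin |
    Format-Table Bulletin, KB, Severity, Status -AutoSize
```

A MISSING row for MS10-090 or MS10-091 is the one to act on today; a MISSING row for MS10-101 or MS10-102 on a member server without the relevant role is expected and should be confirmed against the bulletin's applicability rather than treated as a gap.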

Until next time…Happy Patching!

Trevor