Patch Tuesday has arrived and it is filled with bad news. Two of today's nine bulletins fix vulnerabilities that are already being exploited in the wild, and eight of the nine carry an Exploitability Index rating of 1, Microsoft's way of saying that reliable exploit code is likely to appear soon. But wait, there's more!
Microsoft admits that it is working on two more zero-day problems that affect all recent versions of Windows (even Windows 7 and Windows Server 2008 R2), hints that it is looking into another publicly disclosed problem in Office 2010, and has said nothing about either the DLL-loading hole or the Internet Explorer 8 hole for which it has taken heat this month.
Also see: Microsoft patches Windows XP flaw that aided Stuxnet worm but two flaws remain unpatched
The two top-priority patches with exploits in the wild are ...
MS10-061 addresses a vulnerability in the Print Spooler service. "If you are running Windows XP and sharing a printer, attackers can compromise the machine with an over-the-network print request," explains Jason Miller, data and security team manager at Shavlik Technologies. Even the Server Core installation of Windows Server 2008 is affected; the bulletin is rated Critical only on Windows XP, and Important rather than Critical on Vista and Windows 7.
I think this could be the very first patch for Server Core (I'm looking into that).
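A quick way to tell whether a given machine is actually exposed to the MS10-061 issue is to check the three conditions Miller describes: the spooler is running, at least one printer is shared, and the fix is not installed. The script below is an added example, not code from the original post, from Shavlik or from Microsoft. It uses only PowerShell 2.0-era cmdlets (Get-Service, Get-HotFix, Get-WmiObject) so it runs on XP and Server 2003 as well as newer systems. The KB number it looks for is an assumption taken from the bulletin rather than from this page; confirm the update ID for your platform against the bulletin before trusting the verdict.

```powershell
# Added example: is this host exposed to the MS10-061 print spooler issue?
# Run in an elevated PowerShell session on the machine being checked.
# ASSUMPTION: the update ID below is the one published with MS10-061;
# verify it against the bulletin for your OS before relying on it.
param(
    [string]$KB = "KB2347290"   # assumed update ID for MS10-061
)

$findings = @()

# 1. Is the Print Spooler service running? No spooler, no remote print requests.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$spoolerRunning = ($spooler -ne $null) -and ($spooler.Status -eq 'Running')
if ($spoolerRunning) {
    $findings += "Spooler service is running"
} else {
    $findings += "Spooler service is stopped or absent"
}

# 2. Are any printers shared? The attack needs a queue reachable over the network.
$sharedPrinters = @(Get-WmiObject -Class Win32_Printer |
    Where-Object { $_.Shared -eq $true })
foreach ($p in $sharedPrinters) {
    $findings += ("Shared printer: {0} (share name '{1}')" -f $p.Name, $p.ShareName)
}
if ($sharedPrinters.Count -eq 0) {
    $findings += "No shared printers"
}

# 3. Is the MS10-061 update installed?
$hotfix = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $_.HotFixID -eq $KB }
if ($hotfix) {
    $findings += ("{0} is installed (on {1})" -f $KB, $hotfix.InstalledOn)
} else {
    $findings += ("{0} is NOT installed" -f $KB)
}

# 4. Record the platform: the bulletin is rated Critical on Windows XP.
$os = Get-WmiObject -Class Win32_OperatingSystem
$findings += ("OS: {0} ({1})" -f $os.Caption, $os.Version)

# Verdict: exposed only if the spooler runs, a printer is shared and the fix is missing.
$exposed = $spoolerRunning -and ($sharedPrinters.Count -gt 0) -and (-not $hotfix)

$findings | ForEach-Object { Write-Output $_ }
if ($exposed) {
    Write-Output "VERDICT: EXPOSED to MS10-061 (unpatched, spooler running, printer shared)"
} else {
    Write-Output "VERDICT: not exposed by this check (patched, or no shared printer)"
}
```

This is a configuration check, not a vulnerability scan: a host that reports "not exposed" because no printer is shared still needs the update, since sharing can be turned on later. Get-HotFix reads the same data as Win32_QuickFixEngineering, which on some systems omits updates installed by means other than Windows Update, so treat "NOT installed" as a prompt to verify with your patch management tool rather than as proof.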
MS10-062 addresses a vulnerability in the MPEG-4 codec. If a user opens a malicious media file (an AVI, for instance) in a media player, an attacker can take control of the machine. What is so scary about this one, says Miller, is that the file can be delivered in many ways: over the Web, as a download from a streaming server or as an e-mail attachment.
Miller notes that MS10-064 could be urgent for many enterprises because it attacks Outlook, when Outlook is connected to an Exchange server in online mode, through a malicious e-mail message. It does not affect Outlook 2010, but on earlier versions simply viewing the message in the preview pane can give the attacker access.
Here is the full list of bulletins with Microsoft's recommended patching priority, courtesy of Microsoft.
Microsoft September Security Bulletins:
· MS10-061 addresses one vulnerability in Windows, has a maximum security rating of Critical and an Exploitability Index rating of 1.
· MS10-062 addresses one vulnerability in Windows, has a maximum security rating of Critical and an Exploitability Index rating of 1.
· MS10-063 addresses one vulnerability in Windows and Office, has a maximum security rating of Critical and an Exploitability Index rating of 1.
· MS10-064 addresses one vulnerability in Office, has a maximum security rating of Critical and an Exploitability Index rating of 2.
· MS10-065 addresses three vulnerabilities in Windows, has a maximum security rating of Important and an Exploitability Index rating of 1.
· MS10-066 addresses one vulnerability in Windows, has a maximum security rating of Important and an Exploitability Index rating of 1.
· MS10-067 addresses one vulnerability in Windows, has a maximum security rating of Important and an Exploitability Index rating of 1.
· MS10-068 addresses one vulnerability in Windows, has a maximum security rating of Important and an Exploitability Index rating of 1.
· MS10-069 addresses one vulnerability in Windows, has a maximum security rating of Important and an Exploitability Index rating of 1.
One thing I noticed is what wasn't in this Patch Tuesday. Nothing about fixes for the DLL problem that caused such a stir earlier this month. Also, no fix for the years-old Internet Explorer issue (which affects IE8) for which a Google researcher released proof-of-concept.
Meanwhile, Microsoft admits that it knows of at least two more unpatched holes that the Stuxnet worm can exploit.
And then Microsoft hinted that it was researching a publicly disclosed hole in Office 2010, too, with this remark. "Additionally, this month's Office bulletin does not affect Office 2010. I will also state that we are still investigating and working on updates for public issues that do affect these platforms," says Jerry Bryant, MSRC group manager.
This likely refers to a report of a security flaw in Microsoft Office 2010 from researchers at Vupen Security in July. The researchers decided to report on the flaw to customers of their Vupen Threat Protection Program but, at that time, they didn't send technical details of the flaw to Microsoft. Microsoft was not amused.
In any case, the battle continues, with both researchers and hackers finding holes in Microsoft products and the Microsoft security team trying to plug them without crashing your systems. Doesn't there have to be an easier way?
Julie Bort is the editor of Microsoft Subnet and Network World's Online Community Editor. She also writes the Open Source Subnet blog and is the editor responsible for the Cisco Subnet and Open Source Subnet web sites. If you have an idea for a blog, or a news tip on Microsoft, Cisco or Open Source technologies, contact her at jbort@nww.com, 970-482-6454 or follow Julie on Twitter @Julie188.