Network World

Julie Bort

Microsoft fixes 26 security holes, warns on unpatched multi-vendor SSL vulnerability

Patch Tuesday whopper is full of surprises, including first Hyper-V-specific patch

By Microsoft Subnet on Tue, 02/09/10 - 3:18pm.

As expected, today's Patch Tuesday is a doozie. Microsoft released 13 bulletins to fix 26 vulnerabilities in Windows and Microsoft Office. This includes the first Hyper-V-specific patch. But wait, there's more. Microsoft also issued a security advisory (977377) over a publicly-known vulnerability in the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.

Because the issue affects an Internet standard, Microsoft says that the problem affects multiple vendors. Microsoft has not patched the problem, but has issued a warning and a workaround for a hole that could allow spoofing in TLS/SSL. Microsoft says it is not aware of any attacks in the wild but is investigating. The workaround enables system administrators to disable TLS and SSL renegotiation functionality, but this could break a good many applications that rely on TLS or SSL.

The hole affects nearly every Windows version including Windows 7 and the Server Core version of Windows Server 2008 R2.

As for Patch Tuesday, of the 13 patches, five are rated critical, seven rated important and one rated moderate; 11 bulletins affect Windows and 2 affect older versions of Microsoft Office.

Microsoft says that enterprise customers should prioritize and deploy MS10-006, MS10-007, MS10-008, MS10-013, and MS10-015. These not only fix critical holes -- the ones most likely to give hackers high access -- but also holes for which Microsoft thinks hackers already have exploit code in the works, or will soon. More details of each of those holes can be found on the Microsoft Security blog.

The Security blog didn't specifically call out MS10-010, which appears to be the first Hyper-V-specific patch. This patch is rated important and fixes an attack that could result in denial of service. It affects both Windows Server 2008 Hyper-V and Windows Server 2008 R2 Hyper-V.

Microsoft says, "The vulnerability could allow denial of service if a malformed sequence of machine instructions is run by an authenticated user in one of the guest virtual machines hosted by the Hyper-V server. An attacker must have valid logon credentials and be able to log on locally into a guest virtual machine to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users."

A search of the Security Bulletin database and of Secunia's database revealed no other patches specifically for Hyper-V, so I have concluded that this is a first. Does it mean that fears over virtualization security have been validated?

Please note that most of these patches will require Windows to restart. Here is the full list of links to the information on all of today's patches:

Bulletin Number
MS10-006
MS10-007
MS10-008
MS10-009
MS10-012
MS10-013
MS10-003
MS10-004
MS10-010
MS10-011
MS10-014
MS10-015
MS10-005

Microsoft also says that its Malicious Software Removal Tool (MSRT) was updated to include Win32/Pushbot.

About The Microsoft Update

Julie Bort is the editor of Microsoft Subnet and Network World's Online Community Editor. She also writes the Open Source Subnet blog and is the editor responsible for the Cisco Subnet and Open Source Subnet web sites. If you have an idea for a blog, or a news tip on Microsoft, Cisco or Open Source technologies, contact her at jbort@nww.com, 970-482-6454 or follow Julie on Twitter @Julie188.