
SANS ISC: November 2010 Microsoft Black Tuesday Summary - Internet Security | DShield SANS ISC InfoSec Forums


November 2010 Microsoft Black Tuesday Summary

Overview of the November 2010 Microsoft Patches and their status.
 

| # | Affected | Contra Indications | Known Exploits | Microsoft rating | ISC rating(*): clients | ISC rating(*): servers |
|---|---|---|---|---|---|---|
| MS10-087 | Vulnerabilities in Microsoft Office code execution (Replaces MS10-003 MS10-036). Microsoft Office. CVE-2010-3333, CVE-2010-3334, CVE-2010-3335, CVE-2010-3336, CVE-2010-3337 | KB 2423930 | exploit available. | Severity: Critical, Exploitability: 1 | Critical | Important |
| MS10-088 | Vulnerabilities in Microsoft PowerPoint code execution (Replaces MS10-004, MS10-036, MS09-017). Microsoft Office. CVE-2010-2572, CVE-2010-2573 | KB 2293386 | | Severity: Important, Exploitability: 1 | Critical | Important |
| MS10-089 | Vulnerabilities in Forefront Unified Access Gateway escalation of privilege. Forefront UAG. CVE-2010-2732, CVE-2010-2733, CVE-2010-2734, CVE-2010-3936 | KB 2316074 | | Severity: Important, Exploitability: 1 | N/A | Important |

We will update issues on this page for about a week or so as they evolve.
We appreciate updates.
US-based customers can call Microsoft for free patch-related support on 1-866-PCSAFETY.
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers, such as not using Outlook, MSIE, Word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

Johannes

3557 Posts
ISC Handler
Anyone having difficulty installing the Office 2010 patch for Windows Vista 32-bit? It downloads, tries to install, and Windows Update immediately says code 80200053, unknown error after it tries to install it. It got the other patches (well, the November malicious software tool) and that "installed" fine. A reboot didn't solve it as I tried again to download/install the Office patch afterwards.
Gilbert

21 Posts
Never mind. After 4 tries, it finally went through. Sheesh.
Gilbert

21 Posts
Would it be practical to include (as a separate table within the same monthly article) a listing of current Adobe and Quicktime products with this monthly publication?

I know the non-MS update cycles do not match the MS cycle. I wish they did, since it could mean doing all my testing once a month.

Putting the info into a single place each month (allowing for out-of-band events) would give us a centralized place to check to ensure we didn't miss something since the last Black Tuesday announcement.

A point to consider may be that there would need to be a limit to the number of products included in such a revision. If adding Adobe stuff is ok, would adding Quicktime be too much?

Perhaps a test for inclusion might be whether or not the "general population" would be affected by a specific product update. For example, how many would be affected by Acrobat updates but not care about Photoshop, AutoCAD, etc?

Anyone else have any thoughts? Myself, I am so appreciative for what ISC does as it is that I'm not going to squawk if nothing changes, but can see how this would be an improvement (at least, for me it would be.)

:)
Nathan

8 Posts
Win7 x64: The Office patches installed fine, but I had problems with 80200053 on the November MSRT download. Multiple tries got it to install. Note: There are new silent errors this month such as ->Scan ERROR: resource process://pid:5240 (code 0x00000005 (5)) . One of these processes is the Windows audiodg.exe. Manually downloading and running MSRT results in the same error. (in \windows\debug\mrt.log)

Nathan
1 Posts
I agree with Joel that it would be great to have a central list of common software and the current patch level. I also agree that with all the good work the ISC handlers already do I would hate to add more work to them.

If this is something that could be easily done and not add to the already busy work day for the handlers I would be all for it.

Thanks again to all the handlers and their continued efforts to keep us safe.
PW

63 Posts
Microsoft delayed patches for Mac OS X Office 2004 and 2008 by at least one month, according to Computerworld.com.

Yet somehow Microsoft had the resources to patch Mac OS X Office 2011, released 16 days ago.
PW
8 Posts
I don't know about the complete goodness of Secunia's PSI, but it seems to catch things at what is, for me, an acceptably low lag time on Java and Adobe patches. The new 2.0xx versions also offer automagical patching on several applications.
BezantSoft

14 Posts