October 2010 Microsoft Black Tuesday Summary

Overview of the October 2010 Microsoft Patches and their status.

#	Affected	Contra Indications	Known Exploits	Microsoft rating	ISC rating(*)
#	Affected	Contra Indications	Known Exploits	Microsoft rating	clients	servers
MS10-071	Cumulative Security Update for Internet Explorer (Replaces MS10-053 )
MS10-071	Internet Explorer CVE-2010-0808 CVE-2010-3243 CVE-2010-3324 CVE-2010-3325 CVE-2010-3326 CVE-2010-3327 CVE-2010-3328 CVE-2010-3329 CVE-2010-3330 CVE-2010-3331	KB 2360131	CVE-2010-3325 and CVE-2010-3324 have been disclosed publicly.	Severity:Critical Exploitability: ?,3,3,3,?,1,1,3,1	Critical	Important
MS10-072	Vulnerabilities in SafeHTML (Replaces MS10-039 )
MS10-072	Internet Explorer CVE-2010-3243 CVE-2010-3324	KB 2412048	CVE-2010-3324 has been disclosed publicly.	Severity:Important Exploitability: 3,3	Less urgent	Important
MS10-073	Vulnerabilities in Windows Kernel-Mode Drivers (Replaces MS10-048 )
MS10-073	Kernel Mode Drivers CVE-2010-2549 CVE-2010-2743 CVE-2010-2744	KB 981957	This vulnerability has been disclosed publicly and is currently being exploited in the Internet ecosystem.	Severity:Important Exploitability: 3,?,1	Important	Important
MS10-074	Vulnerability in Microsoft Foundation Classes (Replaces MS07-012 )
MS10-074	Foundation Classes CVE-2010-3227	KB 2387149	No known exploits.	Severity:Moderate Exploitability: ?	Important	Important
MS10-075	Vulnerability Media Player Network Sharing Service
MS10-075	Media Player Network Sharing Service CVE-2010-3225	KB 2281679	no known exploits.	Severity:Critical Exploitability: ?	Critical	Important
MS10-076	Vulnerability in the Embedded OpenType Font Engine
MS10-076	OpenType Font Engine CVE-2010-1883	KB 982132	No known exploits.	Severity:Critical Exploitability: ?	Critical	Important
MS10-077	Vulnerability in .NET Framework Could Allow Remote Code Execution
MS10-077	.NET Framework CVE-2010-3228	KB 2160841	No known exploits.	Severity:Critical Exploitability: 1	Critical	PATCH NOW!
MS10-078	Vulnerabilities in the OpenType Font (OTF) Format Driver Could Allow Elevation of Privilege (Replaces MS10-037 )
MS10-078	OpenType Font (OTF) CVE-2010-2740 CVE-2010-2741	KB 2279986	No known exploits.	Severity:Important Exploitability: 1,1	Critical	Important
MS10-079	Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (Replaces MS09-068 MS10-056 )
MS10-079	Microsoft Word CVE-2010-3214 CVE-2010-3216	KB 2293194	No known exploits.	Severity:Important Exploitability: 1,1	Critical	Important
MS10-080	Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (Replaces MS10-038 MS10-057 )
MS10-080	Excel CVE-2010-3232 CVE-2010-3234 CVE-2010-3235 CVE-2010-3236 CVE-2010-3238 CVE-2010-3239	KB 2293211	No known exploits.	Severity:Important Exploitability: 1,1,1,1,1,1	Important	Important
MS10-081	Comctl32 Heap Overflow Vulnerability
MS10-081	Comctl32 CVE-2010-2746	KB 2296011	No known exploits.	Severity:Important Exploitability: 1	Critical	Important
MS10-082	Vulnerability in Windows Media Player Could Allow Remote Code Execution (Replaces MS10-027 )
MS10-082	Microsoft Windows CVE-2010-2745	KB 2378111	No known exploits.	Severity:Important Exploitability: 1	PATCH NOW!	Critical
MS10-083	Vulnerability in COM Validation in Windows Shell and WordPad Could Allow Remote Code Execution
MS10-083	Internet Explorer CVE-2010-1263	KB 2405882	No known exploits.	Severity:Important Exploitability: 1	PATCH NOW!	Critical
MS10-084	Vulnerability in Windows Local Procedure Call Could Cause Elevation of Privilege (Replaces MS10-066 )
MS10-084	Microsoft Windows CVE-2010-3222	KB 2360937	This vulnerability has been disclosed publicly.	Severity:Important Exploitability: 1	Critical	Important
MS10-085	Vulnerability in SChannel Could Allow Denial of Service (Replaces MS10-049 )
MS10-085	Microsoft Windows, IIS CVE-2010-3229	KB 2183461	No known exploits.	Severity:Important Exploitability: 3	Important	Important
MS10-086	Vulnerability in Windows Shared Cluster Disks Could Allow Tampering
MS10-086	Microsoft Windows	KB 2294255	No known exploits.	Severity:Moderate Exploitability: ?	Important	Important

We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating

We use 4 levels:
- PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
- Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
- Important: Things where more testing and other measures can help.
- Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them

Thanks to fellow handlers Johannes, Scott, and Guy!

Cheers,
Adrien de Beaupré
EWA-Canada.com

Adrien de Beaupre

353 Posts
ISC Handler

Oct 12th 2010
8 years ago

I disagree with your assessment of the .net patch. It should be "uninstall .net 4 unless you really need it".

Unless a vendor application needs it, there's no reason to be running .net and thus no reason to patch it.

Susan

34 Posts

Quote

Oct 12th 2010
8 years ago

By all means, uninstall if not needed, but our ratings assume that it is installed.

Jim

407 Posts
ISC Handler

Quote

Oct 12th 2010
8 years ago

Interesting... MSRT goes after ZeuS/Zbot this month. About time, ya' think?
http://blogs.technet.com/b/mmpc/archive/2010/10/12/msrt-on-zbot-the-botnet-in-a-box.aspx
.

Jack

160 Posts

Quote

Oct 12th 2010
8 years ago

Side note on MS10-073 per MSSRD Blog http://blogs.technet.com/b/srd/archive/2010/10/12/assessing-the-risk-of-the-october-security-updates.aspx it was one of the exploits used in Stuxnet.

Tim

9 Posts

Quote

Oct 12th 2010
8 years ago

MS10-72,73, and 74 indicate they relate to one or more publically disclosed vulnerabilities. You mention it on 71 and 84, so I figured you'd want to be thorough for the rest.

Tim
8 Posts

Quote

Oct 12th 2010
8 years ago

Is there a, non-toll free, equivalent of 1-866-PCSAFETY for those of us that don't live in the USA?

Tim
10 Posts

Quote

Oct 13th 2010
8 years ago

Seccubus, this is probably what you are looking for: support.microsoft.com/common/…

Guy

443 Posts
ISC Handler

Quote

Oct 13th 2010
8 years ago

Just ready MS10-077 carefully. This server patch allows code to be executed on a client. Is there a corresponding client patch?

Guy
10 Posts

Quote

Oct 13th 2010
8 years ago

I run Microsoft Security Essentials on a couple of home machines. Looks like they also released a "client update package" for that product.

Dean

135 Posts

Quote

Oct 13th 2010
8 years ago

anyone else have windows 7 computers explode this morning? I had 3 win7 computers BSOD this morning. I have not determined for certain that it is windows update...but further investigation shows the 3 32-bit win7 machines no longer functioning, but 64-bit win7 still fine.

Blagarswinth