December 2010 Microsoft Black Tuesday Summary

Published: 2010-12-14. Last Updated: 2010-12-14 19:41:00 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
5 comment(s)

Overview of the December 2010 Microsoft Patches and their status.
 

# Affected Contra Indications Known Exploits Microsoft rating ISC rating(*)
clients servers
MS10-090 Cumulative Security Update for Internet Explorer (Replaces MS10-071 )
Internet Explorer
CVE-2010-3340
CVE-2010-3342
CVE-2010-3343
CVE-2010-3345
CVE-2010-3346
CVE-2010-3348
CVE-2010-3962
 
KB 2416400 Currently being exploited. Severity:Critical
Exploitability: 1,?,1,1,1,?,1
Important Important
MS10-091 Vulnerabilities in the OpenType Font (OTF) Driver Could Allow Remote Code Execution (Replaces MS10-078 MS10-037)

Microsoft Windows OpenType Font (OTF) Driver
CVE-2010-3956
CVE-2010-3957
CVE-2010-3959
 

KB 2416400 No known exploits. Severity:Critical
Exploitability: 1,1,2
Critical Critical
MS10-092 Vulnerability in Task Scheduler Could Allow Elevation of Privilege
Microsoft Task Scheduler
CVE-2010-3338
 
KB 2305420 Currently being exploited. Severity:Important
Exploitability: 1
Important Important
MS10-093 Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (Replaces MS10-050 )
Windows Movie Maker
CVE-2010-3967
 
KB 2424434 Vulnerability disclosed publicy. Severity:Important
Exploitability: 1
Important N/A
MS10-094 Vulnerability in Windows Media Encoder Could Allow Remote Code Execution (Replaces MS08-053 MS10-033 )
Windows Media Encoder
CVE-2010-3965
 
KB 2447961 Vulnerability disclosed publicy. Severity:Important
Exploitability: 1
Important Important
MS10-095 Vulnerability in Microsoft Windows Could Allow Remote Code Execution
Microsoft Windows
CVE-2010-3966
 
KB 2385678 No known exploits. Severity:Important
Exploitability: 1
Important Important
MS10-096 Vulnerability in Windows Address Book Could Allow Remote Code Execution
Microsoft Windows Address Book
CVE-2010-3147
 
KB 2423089 Vulnerability disclosed publicy. Severity:Important
Exploitability: 1
Important Important
MS10-097 Insecure Library Loading in Internet Connection Sign up Wizard Could Allow Remote Code Execution
Microsoft Windows
CVE-2010-3144
 
KB 2443105 Vulnerability disclosed publicy. Severity:Important
Exploitability: 1
Important Important
MS10-098 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (Replaces MS10-073 )

Microsoft Windows Kernel-mode Drivers
CVE-2010-3939
CVE-2010-3940
CVE-2010-3941
CVE-2010-3942
CVE-2010-3943
CVE-2010-3944
 

KB 2436673 Vulnerability disclosed publicy. Severity:Important
Exploitability: 1,1,2,2,1,1
Critical Critical
MS10-099 Vulnerability in Routing and Remote Access Could Allow Elevation of Privilege
Microsoft Windows Remote Access NDProxy Component
CVE-2010-3963
 
KB 2440591 No known exploits. Severity:Important
Exploitability: 1
Important Important
MS10-100 Vulnerability in Consent User Interface
User Account Control
CVE-2010-3961
 
KB 2442962 No known exploit. Severity:Important
Exploitability: 1
Important Important
MS10-101 Vulnerability in Windows Netlogon Service
Netlogon/RPC Service
CVE-2010-2742
 
KB 2207559 No known exploit. Severity:Important
Exploitability: 3
Important Important
MS10-102 Vulnerability in Hyper-V Could Allow Denial of Service
Microsoft Windows
CVE-2010-3960
 
KB 2345316 No known exploits. Severity:Important
Exploitability: 2
Important Important
MS10-103 Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution (Replaces MS10-023 MS10-036 )
Microsoft Publisher
CVE-2010-2569
CVE-2010-2570
CVE-2010-2571
CVE-2010-3954
CVE-2010-3955
 
KB 2292970 Remote code execution. Severity:Important
Exploitability: 1,1,2,2,3
Important Important
MS10-104 Vulnerability in Microsoft SharePoint Could Allow Remote Code Execution
Microsoft SharePoint
CVE-2010-3964
 
KB 2433089 Remote code execution. Severity:Important
Exploitability: 1
Important Critical
MS10-105 Vulnerabilities in Microsoft Office Graphics Filters Could Allow for Remote Code Execution (Replaces MS08-044 )
Microsoft Office Graphics
CVE-2010-3945
CVE-2010-3946
CVE-2010-3947
CVE-2010-3949
CVE-2010-3950
CVE-2010-3951
CVE-2010-3952
 
KB 968095 Remote code execution. Severity:Important
Exploitability: 1,2,2,2,2,2,2
Critical Important
MS10-106 Vulnerability in Microsoft Exchange Server Could Allow Denial of Service (Replaces MS10-024 )
Microsoft Exchange Server
CVE-2010-3937
 
KB 2407132 No known exploits. Severity:Moderate
Exploitability: 3
N/A Critical
We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them

 As always, please use the contact form for comments about patches.

-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org

5 comment(s)

Comments

Please take note that MS10-091 is primarily listed in it's title as "Remote Code Execution" but is also a Elevation of Privilege to Kernel Mode.
MS010-090 should be raised to critical.
ITs currently being exploited and have been alterted by national certs as critical.
I was thinking the same for MS10-092. TDL4 and maybe others use this vulnerability to infect the system.
MS10-091 should have a link to KB2296199, not KB2416400
There are some reports, that KB2416400 fails to install on some Windows 7 x64 systems with error code 80092004. While the exact reasons for the failing aren't known yet AFAIK, it seems to "caused" by an privious installation of a "Hotfix", most likely KB2422556. A german languaged writeup on this (including some possible workarounds) could be found here: http://patch-info.de/artikel/2010/12/14/1005

Diary Archives