December 2010 Patch Tuesday is a whopper

Filed Under: Malware, Microsoft, Vulnerability, Windows

Microsoft has released their latest batch of security updates, which have come to be known as Patch Tuesday. This month MS has shipped 17 advisories/patches which fix 40 known vulnerabilities.

Only two advisories are marked critical this month. The first critical fix is likely the most important: MS10-090 addresses 5 critical and 2 moderate flaws in Internet Explorer, some of which are being actively exploited in the wild.

MS10-090 not only affects Windows 7 and Internet Explorer 8 as noted in the screenshot, it impacts all versions of Internet Explorer that are currently supported. For more information refer to our blog Internet Explorer users warned of new zero-day attacks.

Update: SophosLabs have posted our vulnerability analysis for MS10-090 in the Sophos knowledgebase.

[Screenshot: Windows Update from Windows 7 x64, Dec 2010]

The second critical fix, MS10-091, addresses a privately disclosed bug in font handling. This one is strange in that it is a more severe flaw in Windows 7, 2008 and Vista than in XP and 2003.

On the older OSs this flaw allows elevation of privilege, which could allow an attacker who has already gained access to a system with standard user rights to become an administrator. On Windows 7, 2008 and Vista this flaw can be used to remotely execute code as an administrator. Although it is not known to be actively exploited in the wild, I would make this a very high priority patch now that it has been publicly acknowledged.

Other items to note this month are that the last of the Stuxnet vulnerabilities have been addressed with MS10-092.

The kernel EoP vulnerability I reported last month doesn't appear to have been addressed, nor has a new CSS vulnerability in Internet Explorer that was disclosed last week on the Full Disclosure mailing list. As usual, I guess we have plenty to look forward to on January 11th, 2011, starting the new year off on the right security footing.

Update: SophosLabs have updated the latest vulnerabilities knowledgebase article with information about all of the patches released today.


10 Responses to December 2010 Patch Tuesday is a whopper

  1. TtT · 1353 days ago

    My computer froze trying to restart after the update and I had to turn it off. Now in the middle of the loading screen I get blue screened. :-/

    Damn Microsoft...

  2. Tyw7 · 1353 days ago

    First off, you were late posting this. You said 10 p.m. Pacific time. Plus, how can you know if the UAC vulnerability is fixed or not? It could be using a different name or be included in one of the patches. What MS bulletin number is it under?

    • Chester Wisniewski · 1353 days ago

      Microsoft releases their patches at 10 AM Pacific Standard Time. It does not appear that they have fixed the kernel exploit that bypasses UAC as they have not issued an advisory nor have they assigned a CVE. I will test this against the proof-of-concept later on and verify this.

      • What's the ETA of this test? I can't wait for your result!

        • Chester Wisniewski · 1352 days ago

          I just tried it on Windows 7 x32 and it appears to still be vulnerable. I expect MS will post an advisory on this soon, but then again it's coming up on 3 weeks and they haven't responded yet (aside from a tweet from @MSFTSecResponse on Nov 24).

      • Tyw7 · 1352 days ago

        Yes, please do. It could be that Microsoft didn't want hackers knowing about the vulnerability.

  3. Andy · 1353 days ago

    And since the update, my McAfee HIPS is going wild popping up Intrusion Detection Alerts on any users with Windows 7 and Office 2003 running. Anybody else got this?

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.