August 2010 Microsoft Black Tuesday Summary
Overview of the Aug 2010 Microsoft Patches and their status.
Update: Microsoft also released an advisory for an unpatched privilege escalation vulnerability
Update 2: Exploit code apparently exists for MS10-048, but it is not being seen in the wild at present.
# | Affected | Contra Indications | Known Exploits | Microsoft rating | ISC rating(*) | |
---|---|---|---|---|---|---|
clients | servers | |||||
MS10-047 | Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (Replaces MS10-021 ) | |||||
Windows Kernel CVE-2010-1888 CVE-2010-1889 CVE-2010-1890 |
KB 981852 | no known exploits. | Severity:Important Exploitability: 1,2,? |
Important | Important | |
MS10-048 | Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (Replaces MS10-032 ) | |||||
Windows Kernel CVE-2010-1887 CVE-2010-1894 CVE-2010-1895 CVE-2010-1896 CVE-2010-1897 |
KB 2160329 | PoC code apparently exists | Severity:Important Exploitability: ?,1,1,1,1 |
Important | Impoortant | |
MS10-049 | Vulnerabilities in SChannel could allow Remote Code Execution | |||||
IIS and SChannel CVE-2009-3555 CVE-2010-2566 |
KB 980436 | no known exploits. | Severity:Critical Exploitability: 3,2 |
Important | Critical | |
MS10-050 | Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (Replaces MS10-016 ) | |||||
Windows Movie Maker CVE-2010-2564 |
KB 981997 | no known exploits. | Severity:Important Exploitability: 1 |
Critical | Important | |
MS10-051 | Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (Replaces MS08-069 ) | |||||
Microsoft XML core services CVE-2010-2561 |
KB 2079403 | no known exploits. | Severity:Critical Exploitability: 2 |
Critical | Critical | |
MS10-052 | Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution | |||||
Microsoft MPEG Layer-3 Codecs CVE-2010-1882 |
KB 2115168 | no known exploits. | Severity:Critical Exploitability: 1 |
Critical | Important | |
MS10-053 | Cumulative Security Update for Internet Explorer (Replaces MS10-035 ) | |||||
Internet Explorer CVE-2010-1258 CVE-2010-2556 CVE-2010-2557 CVE-2010-2558 CVE-2010-2559 CVE-2010-2560 |
KB 2183461 | no known exploits. | Severity:Critical Exploitability: 3,2,1,2,2,1 |
Critical | Important | |
MS10-054 | Vulnerabilities in SMB Server Could Allow Remote Code Execution | |||||
SMB server CVE-2010-2550 CVE-2010-2551 CVE-2010-2552 |
KB 982214 | no known exploits. | Severity:Critical Exploitability: 2,3,3 |
Critical | Critical | |
MS10-055 | Vulnerability in Cinepak Codec Could Allow Remote Code Execution | |||||
Cinepak codec CVE-2010-2553 |
KB 982665 | no known exploits. | Severity:Critical Exploitability: 1 |
Critical | Important | |
MS10-056 | Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (Replaces MS09-068 M009-027 MS10-036 ) | |||||
Word CVE-2010-1900 CVE-2010-1901 CVE-2010-1902 CVE-2010-1903 |
KB 2269638 | no known exploits. | Severity:Critical Exploitability: 1,1,2,2 |
Critical | Important | |
MS10-057 | Vulnerability in Microsoft Office Excel Could Allow Remote Code Execution (Replaces MS10-036 MS10-038 ) | |||||
Excel CVE-2010-2562 |
KB 2269707 | no known exploits. | Severity:Important Exploitability: 1 |
Critical | Important | |
MS10-058 | Vulnerabilities in TCP/IP Could Allow Elevation of Privilege | |||||
Windows Networking (TCP/IP) CVE-2010-1892 CVE-2010-1893 |
KB 978886 | no known exploits. | Severity:Important Exploitability: 3,1 |
Important | Important | |
MS10-059 | Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege | |||||
Tracing Facility for Services CVE-2010-2554 CVE-2010-2555 |
KB 982799 | no known exploits. | Severity:Important Exploitability: ?,1 |
Important | Important | |
MS10-060 | Vulnerabilities in the Microsoft .NET Common Language Runtime and in Microsoft Silverlight Could Allow Remote Code Execution (Replaces MS09-061 ) | |||||
.NET and Silverlight CVE-2010-0019 CVE-2010-1898 |
KB 2265906 | no known exploits. | Severity:Critical Exploitability: 1,1 |
Critical | Critical |
We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
- We use 4 levels:
- PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
- Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
- Important: Things where more testing and other measures can help.
- Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
- The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
- The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
- Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
- All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them
---------------
Jim Clausing, jclausing --at-- isc [dot] sans (dot) org
FOR408 coming to central OH in Sep, see http://www.sans.org/mentor/details.php?nid=22353
My next class:
LINUX Incident Response and Threat Hunting | Online | Japan Standard Time | Oct 21st - Oct 26th 2024 |
×
Diary Archives
Comments
jevansts
Aug 10th 2010
1 decade ago
GDub
Aug 10th 2010
1 decade ago
The other 2 updates would not install at all and gave me the error I reported above, ie. 80070643, unknown error.
At the moment I guess nobody else is seeing this so it must be somewhat rare... but if someone does come across this, the solution was (from CMD): wusa.exe /uninstall /kb:<KB Number> (that is, 978886.
jevansts
Aug 10th 2010
1 decade ago
For the Windows Updater issues either post to the Windows Update forum
http://social.answers.microsoft.com/Forums/en-US/vistawu/threads
or, since they are all Security updates, contact MS for *no-charge* support for getting them installed and troubleshooting compatibility -
" How to obtain help and support for this security update
For home users, no-charge support is available by calling 1-866-PCSAFETY in the United States and Canada or by contacting your local Microsoft subsidiary. For more information about how to contact your local Microsoft subsidiary for support issues with security updates, visit the Microsoft International Support website:
http://support.microsoft.com/common/international.aspx?rdpath=4
North American customers can also obtain instant access to unlimited no-charge email support or to unlimited individual chat support by visiting the following Microsoft website:
http://support.microsoft.com/oas/default.aspx?&prid=7552
For enterprise customers support for security updates is available through your usual support contacts. "
MowGreen
Aug 10th 2010
1 decade ago
I'm wondering why MS10-049 (SChannel) is Important for Clients and Critical for Servers when from everything I can work out it's a Client-Side Vuln.? What am I missing?
Also, there's been exploit code released for MS10-054 as of the 10th:
http://www.exploit-db.com/exploits/14607/
David
Aug 11th 2010
1 decade ago
-Al
Al - Your Data Center
Aug 11th 2010
1 decade ago
davef
Aug 11th 2010
1 decade ago
Jim
Aug 11th 2010
1 decade ago
@davef
Aug 12th 2010
1 decade ago
Do I need to assume Office SP1 is also vulnerable (Word vulnerability)?
Microsoft has omitted to state this in its bulletin, probably because they no longer offer patches for SP1.
If someone could clarify this point it would be quite useful.
Sugata
Aug 13th 2010
1 decade ago