SMB, DirectShow top the list of Microsoft patches

Share this article:

Microsoft on Tuesday issued a doozy of a security update, patching 26 vulnerabilities with 13 bulletins.

Eleven of the patches repair holes in Windows, while two of the fixes affect older versions of Office.

The software giant called out five of the bulletins as priorities to patch.

They include MS10-006, which addresses two "critical" bugs in the Server Message Block (SMB) protocol, affecting all Windows versions except Vista and Server 2008.

"In the simplest scenario, a system connecting to a network file share is an SMB Client," Jerry Bryant, senior security communications manager, explained Tuesday in a blog post. "The issue occurs during the client/server negotiation phase of the connection. In order to exploit this issue, an attacker would need to host a malicious server and convince a client system to connect to it."

Experts at Symantec also considered this issue to be a biggie.

“The SMB Server path name overflow vulnerability tops my list this month,” said Joshua Talbot, security intelligence manager at Symantec Security Response. “Server-side vulnerabilities aren't too common anymore, but they're a golden goose for attackers when they are discovered. With this one, if an attacker can find a vulnerable remote server that has a guest account set up, just like that, they've got access to the machine and possibly the entire local network — all without any user involvement required.”

MS10-007, meanwhile, offers a fix for a critical flaw in the Windows Shell Handler, impacting Windows 2000, XP and Server 2003. MS10-008 provides a cumulative update for ActiveX kill bits.

Perhaps the most pressing to patch is MS10-013, rectifies a critical vulnerability in DirectShow, the media-streaming architecture for Windows that permits applications to display audio and video. The bug affects all versions of Windows. Users can be affected if they open a maliciously crafted AVI file either through an email link or on a website.

"The nature of the exploit lends itself to drive-by attacks that leave unsuspecting victims infected," said Andrew Storms, director of security operations at nCircle, a vulnerability management firm. "Since media is what excites people most on the internet today, an exploit of this bug would make it extremely easy to entice users to watch videos that are actually gateways to malware."

Finally, Microsoft ranked MS10-015 as high priority, even though it only carries an "important" rating, because the company is aware of publicly available proof-of-concept code circulating for the privilege-escalation kernel vulnerability that the bulletin addresses.

Among those issues that missed the cut this month: an Internet Explorer vulnerability, announced last week, and another bug in SMB, revealed in November.

Share this article:

Sign up to our newsletters

More in News

Hackers target video game companies to lift copy protections and develop cheats

A threat group is targeting video game companies in order to lift DRM protections, develop cheats and possibly to steal source code.

Android malware spreads via mail tracking SMS spam

The mobile malware is currently targeting German users, McAfee revealed.

About 2,800 victims of worldwide info-stealing campaign targeting various sectors

About 2,800 victims of worldwide info-stealing campaign targeting ...

Unknown attackers have claimed about 2,800 victims in an ongoing information-stealing campaign identified by Kaspersky Lab as "Crouching Yeti."