SMB, DirectShow top the list of Microsoft patches

Microsoft on Tuesday issued a doozy of a security update, patching 26 vulnerabilities with 13 bulletins.

Eleven of the patches repair holes in Windows, while two of the fixes affect older versions of Office.

The software giant called out five of the bulletins as priorities to patch.

They include MS10-006, which addresses two "critical" bugs in the Server Message Block (SMB) protocol, affecting all Windows versions except Vista and Server 2008.

"In the simplest scenario, a system connecting to a network file share is an SMB Client," Jerry Bryant, senior security communications manager, explained Tuesday in a blog post. "The issue occurs during the client/server negotiation phase of the connection. In order to exploit this issue, an attacker would need to host a malicious server and convince a client system to connect to it."

Experts at Symantec also considered this issue to be a biggie.

“The SMB Server path name overflow vulnerability tops my list this month,” said Joshua Talbot, security intelligence manager at Symantec Security Response. “Server-side vulnerabilities aren't too common anymore, but they're a golden goose for attackers when they are discovered. With this one, if an attacker can find a vulnerable remote server that has a guest account set up, just like that, they've got access to the machine and possibly the entire local network — all without any user involvement required.”

MS10-007, meanwhile, offers a fix for a critical flaw in the Windows Shell Handler, impacting Windows 2000, XP and Server 2003. MS10-008 provides a cumulative update for ActiveX kill bits.

Perhaps the most pressing to patch is MS10-013, which rectifies a critical vulnerability in DirectShow, the media-streaming architecture for Windows that permits applications to display audio and video. The bug affects all versions of Windows. Users can be affected if they open a maliciously crafted AVI file, either through an email link or on a website.

"The nature of the exploit lends itself to drive-by attacks that leave unsuspecting victims infected," said Andrew Storms, director of security operations at nCircle, a vulnerability management firm. "Since media is what excites people most on the internet today, an exploit of this bug would make it extremely easy to entice users to watch videos that are actually gateways to malware."

Finally, Microsoft ranked MS10-015 as high priority, even though it only carries an "important" rating, because the company is aware of publicly available proof-of-concept code circulating for the privilege-escalation kernel vulnerability that the bulletin addresses.

Among those issues that missed the cut this month: an Internet Explorer vulnerability, announced last week, and another bug in SMB, revealed in November.