Further holes despite Microsoft's huge patch series
As announced, on this February's Patch Tuesday Microsoft released 13 bulletins to fix a total of 26 security holes. Critical patches have been released for all Windows versions since 2000 SP4, including Server 2003 and 2008, in both 32 and 64 bit editions. The patches for Office XP, 2003 and 2004 for Mac are rated "important". Most of the programming bugs described can potentially be exploited to infect vulnerable systems with malicious code and take control of them remotely.
According to a post on the Microsoft Security Response Center (MSRC) blog, the bulletins concerning the vulnerabilities in the SMB network client (MS10-006), in the Windows Shell Handler (MS10-007), in several ActiveX controls (MS10-008) and in DirectShow (MS10-013) are particularly urgent. New on the list of crucial updates is bulletin MS10-015, which deals with the privilege escalation via the Virtual DOS Machine, a component introduced 17 years ago. Exploit code has recently appeared for this vulnerability.
Microsoft recommends that admins start their patch process with these five bulletins and has made the updates available via the usual update mechanisms. Windows users are also advised to update as soon as possible. A critical vulnerability in the IPv6 stack that affects Windows Vista and Server 2008 (MS10-009) has also been addressed.
The DoS vulnerability in the SMB clients of Windows 7 and Windows Server 2008 R2, as well as the hole in Internet Information Server 6.0 (IIS) when parsing file names with semicolon extensions, remain unpatched. There is a Fix-it tool for the previously unpatched security hole in Internet Explorer.
- Microsoft Security Bulletin Summary for February 2010, security advisory from Microsoft.
- Microsoft to fix 26 vulnerabilities on patch day, a report from The H.