January Out of Band Microsoft Patch Tuesday Roundup

Last updated at Wed, 26 Jul 2017 16:28:00 GMT

After a quiet Patch Tuesday last week with only one vulnerability announced, that calm has been followed by a bit of a storm.  Here is a quick summary of this month's summary of Microsoft's Out of Band Security update ... 

1 updates, with 8 vulnerabilities covered. Here's the breakdown: 

MS10-002: Rated Critical. Potential Remote Code Execution, covering 8 vulnerabilities: CVE-2009-4074 (XSS Filter Script Handling), CVE-2010-0027 (URL Validation), CVE-2010-0244 (Uninitialized Memory Corruption), CVE-2010-0245 (Uninitialized Memory Corruption), CVE-2010-0246 (Uninitialized Memory Corruption), CVE-2010-0247 (Uninitialized Memory Corruption), CVE-2010-0248 (HTML Object Memory Corruption), and CVE-2010-0249 (HTML Object Memory Corruption). This update replaces MS09-072 from December of last year, which was critical for all platforms except Server 2003 and Server 2008. 

As with MS09-072, this one needs a little more explanation to lay out what severity ratings map to what: 

BY IE VERSION
- IE 5.01 & 6 are rated Critical on Windows 2000
- IE 6, 7, & 8 are rated Critical on XP
- IE 6 is rated *MODERATE*, IE 7 & 8 are rated *CRITICAL* on Server 2003
- MS09-072 was reversed: Critical on IE 6; Moderate on IE 7 & 8 for Server 2003
- IE 7 & 8 are rated Critical on Vista
- IE 7 & 8 are rated *CRITICAL* on Server 2008
- MS09-072 was rated Moderate for Server 2008
- IE 8 is rated *CRITICAL* on Server 2008 R2
- MS09-072 was rated Moderate for Server 2008 R2
- IE 8 is rated Critical on Windows 7 

BY VULNERABILITY
- CVE-2009-4074:
- Moderate (Information Disclosure) for IE 8 on XP, Vista, and Windows 7
- Low (Information Disclosure) for IE 8 on Server 2003, Server 2008, and Server 2008 R2 

- CVE-2010-0027:
- Critical (Remote Code Execution) for IE 7 on XP, Server 2003, Vista, Server 2008, and Windows 7
- Critical (Remote Code Execution) for IE 8 on XP, Server 2003, Vista, Server 2008, Windows 7, and Server 2008 R2 

- CVE-2010-0244:
- Critical (Remote Code Execution) for IE 6 on Windows 2000 and XP
- Moderate (Remote Code Execution) for IE 6 on Server 2003
- Critical (Remote Code Execution) for IE 7 on XP and Vista
- Moderate (Remote Code Execution) for IE 7 on Server 2003, Server 2008
- Critical (Remote Code Execution) for IE 8 on XP, Vista, and Windows 7
- Moderate (Remote Code Execution) for IE 8 on Server 2003, Server 2008, and Server 2008 R2 

- CVE-2010-0245:
- Critical (Remote Code Execution) for IE 8 on XP and Vista
- Moderate (Remote Code Execution) for IE 8 on Server 2003 and Server 2008
- Low (Denial of Service) for IE 8 on Windows 7 and Server 2008 R2 

- CVE-2010-0246:
- Critical (Remote Code Execution) for IE 8 on XP, Vista, and Windows 7
- Moderate (Remote Code Execution) for IE 8 on Server 2003, Server 2008, and Server 2008 R2 

- CVE-2010-0247:
- Critical (Remote Code Execution) for IE 5.01 on Windows 2000
- Critical (Remote Code Execution) for IE 6 on Windows 2000 and XP
- Moderate for IE 6 on Server 2003 

- CVE-2010-0248:
- Critical (Remote Code Execution) for IE 6 on Windows 2000, XP, Vista, and Windows 7
- Moderate (Remote Code Execution) for IE 6 on Server 2003
- Critical (Remote Code Execution) for IE 7 on XP and Vista
- Moderate (Remote Code Execution) for IE 7 on Server 2003 and Server 2008
- Critical (Remote Code Execution) for IE 8 on XP, Vista, and Windows 7
- Moderate (Remote Code Execution) for Server 2003, Server 2008, and Server 2008 R2 

- CVE-2010-0249:
- Critical (Remote Code Execution) for IE 6 on Windows 2000 and XP
- Moderate (Remote Code Execution) for IE 6 on Server 2003
- Critical (Remote Code Execution) for IE 7 on XP and Vista
- Moderate (Remote Code Execution) for IE 7 on Server 2003 and Server 2008
- Critical (Remote Code Execution) for IE 8 on XP, Vista, and Windows 7
- Moderate (Remote Code Execution) for IE 8 on Server 2003, Server 2008, and Server 2008 R2 

Hopefully this makes things a little clearer. 

There has been a lot of buzz about this one, and we'd like to take a moment to thank the research community (and our own Metasploit team) for raising the profile of this issue and helping to raise the priority for Microsoft's update(s).  As expected, there are some who would paint the efforts of community researchers and the Metasploit project as "enabling the bad guys".  This could not be further from the truth … underestimating the severity of an existing risk does nothing to protect systems from compromise.  Customers are getting the IE fix nearly 3 weeks earlier due in part to the availability of public exploit code and supporting research.  Despite the fact that Microsoft has known about the issue since August, we believe they should be applauded for their responsiveness following the release of public exploit code.  We feel very strongly that this is an example of community research prompting vendor actions that are ultimately in the best interest of customers. 

NeXpose Community Edition, the free version of NeXpose, will have coverage within 24 hours of the release. NeXpose Community Edition will allow you to detect these vulnerabilities and, if you wish, launch Metasploit Security Testing to confirm the presence and exploitability of the exposure(s) on up to 32 hosts in your environment. For small environments with 32 nodes or less, you can use NeXpose to provide free detection within 24 hours of Microsoft's update release. 

For larger environments, even if NeXpose is not your current Enterprise Vulnerability Management solution, we invite you to download Community Edition and run it alongside your tool on Wednesday to audit the effectiveness of your solution on up to 32 hosts. 

NeXpose Community Edition is available for immediate download at no cost here: http://www.rapid7.com/nexposecommunitydownload.jsp

We also invite you to visit the Community Portal at http://community.rapid7.com to share information with other Security Professionals following the Microsoft release. 

As always, Happy patching!!