Security & Mobility Blog

October 2010 Microsoft Patch Tuesday Summary

by Juniper Employee on 10-12-2010 11:32 AM - last edited on 02-08-2011 05:07 PM

It’s hard to believe it’s already been four weeks since the last one, but here we are again with another episode of the Microsoft Patch Tuesday summary. This release is very large (the largest ever) with 49 different vulnerabilities. Here are a few things that stood out to me about this month’s set of patches:

  • 80% of the vulnerabilities patched are client-side.  Everyday activities like visiting websites or viewing office documents are affected.  Although the risks of these vulnerabilities can be mitigated by changing users’ actions, web browsing and document sharing are such a central part of our knowledge-centric life that mitigating the risk by asking users to change their behavior is unlikely to work very well.  Patching client-side code is very important, as is having the right security layers in place to filter out malicious content.
  • Word and Excel alone account for more than half (27 of 49) of this month’s vulnerabilities.
  • Fonts (in particular, embedded fonts) continue to be a focus for vulnerability discovery.
  • Microsoft patch schedules tend to alternate months between heavy and light, with October typically being the heaviest month of the year.  This October is no exception.

Without further ado, here is the list of vulnerabilities patched in this release. I’ve broken them out into a few basic categories:

Local Vulnerabilities

  • CVE-2010-2549 - Win32K Reference Count Vulnerability
  • CVE-2010-2743 - Win32K Keyboard Layout Vulnerability
  • CVE-2010-2744 - Win32k Window Class Vulnerability
  • CVE-2010-3222 - LPC Message Buffer Overrun Vulnerability
  • CVE-2010-3223 - Permissions on New Cluster Disks Vulnerability

Office Document Vulnerabilities

  • CVE-2010-1883 - Embedded OpenType Font Integer Overflow Vulnerability
  • CVE-2010-2747 - Word Uninitialized Pointer Vulnerability
  • CVE-2010-2748 - Word Boundary Check Vulnerability
  • CVE-2010-2750 - Word Index Vulnerability
  • CVE-2010-3214 - Word Stack Overflow Vulnerability
  • CVE-2010-3215 - Word Return Value Vulnerability
  • CVE-2010-3216 - Word Bookmarks Vulnerability
  • CVE-2010-3217 - Word Pointer Vulnerability
  • CVE-2010-3218 - Word Heap Overflow Vulnerability
  • CVE-2010-3219 - Word Index Parsing Vulnerability
  • CVE-2010-3220 - Word Parsing Vulnerability
  • CVE-2010-3221 - Word Parsing Vulnerability
  • CVE-2010-3230 - Excel Record Parsing Integer Overflow Vulnerability
  • CVE-2010-3231 - Excel Record Parsing Memory Corruption Vulnerability
  • CVE-2010-3232 - Excel File Format Parsing Vulnerability
  • CVE-2010-3233 - Lotus 1-2-3 Workbook Parsing Vulnerability
  • CVE-2010-3234 - Formula Substream Memory Corruption Vulnerability
  • CVE-2010-3235 - Formula Biff Record Vulnerability
  • CVE-2010-3236 - Out Of Bounds Array Vulnerability
  • CVE-2010-3237 - Merge Cell Record Pointer Vulnerability
  • CVE-2010-3238 - Negative Future Function Vulnerability
  • CVE-2010-3239 - Extra Out of Boundary Record Parsing Vulnerability
  • CVE-2010-3240 - Real Time Data Array Record Vulnerability
  • CVE-2010-3241 - Out-of-Bounds Memory Write in Parsing Vulnerability
  • CVE-2010-3242 - Ghost Record Type Parsing Vulnerability
  • CVE-2010-3329 - Uninitialized Memory Corruption Vulnerability
  • CVE-2010-3331 - Uninitialized Memory Corruption Vulnerability

Web Browser Vulnerabilities

  • CVE-2010-1883 - Embedded OpenType Font Integer Overflow Vulnerability
  • CVE-2010-2740 - OpenType Font Parsing Vulnerability
  • CVE-2010-2741 - OpenType Font Validation Vulnerability
  • CVE-2010-2745 - Windows Media Player Memory Corruption Vulnerability
  • CVE-2010-2746 - Comctl32 Heap Overflow Vulnerability
  • CVE-2010-3243 - HTML Sanitization Vulnerability
  • CVE-2010-3324 - HTML Sanitization Vulnerability
  • CVE-2010-3325 - CSS Special Character Information Disclosure Vulnerability
  • CVE-2010-3326 - Uninitialized Memory Corruption Vulnerability
  • CVE-2010-3327 - Anchor Element Information Disclosure Vulnerability
  • CVE-2010-3328 - Uninitialized Memory Corruption Vulnerability
  • CVE-2010-3329 - Uninitialized Memory Corruption Vulnerability
  • CVE-2010-3330 - Cross-Domain Information Disclosure Vulnerability

Other Vulnerabilities

  • CVE-2010-3225 - RTSP Use After Free Vulnerability
  • CVE-2010-3228 - .NET Framework x64 JIT Compiler Vulnerability
  • CVE-2010-3229 - TLSv1 Denial of Service Vulnerability
  • CVE-2010-3227 - Windows MFC Document Title Updating Buffer Overflow Vulnerability
  • CVE-2010-1263 - COM Validation Vulnerability

Interesting Vulnerabilities

The list of vulnerabilities is too long this month for me to go through them one by one in this short blog post, but here are a few that stood out for me:

CVE-2010-3228 - .NET Framework x64 JIT Compiler Vulnerability

This vulnerability can be used to infect clients via malicious “XAML browser applications” (http://en.wikipedia.org/wiki/XAML_Browser_Applications) and can also be used to compromise servers that allow custom ASP.NET applications to be uploaded. .NET applications are supposed to run inside a sandbox, but this vulnerability allows them to escape.

CVE-2010-2740, CVE-2010-2741, CVE-2010-2745 & CVE-2010-2746

These four vulnerabilities affect web browsers other than Internet Explorer on Windows. There has been a recent trend of users switching to browsers other than IE (IE’s “market share” is now below 60%), perhaps out of concern for security. It’s interesting to note that even when you use a non-Microsoft browser, your browser can still be affected by Microsoft vulnerabilities.

CVE-2010-3225 - RTSP Use After Free Vulnerability

Almost all the vulnerabilities in this month’s update require some form of user interaction, such as visiting a malicious website or opening a malicious document. This one is the exception: although it only affects computers with media sharing enabled, it requires neither authentication nor user interaction.

As we do every month, we’ve released a signature update to address the vulnerabilities fixed in today’s patches. Happy patching!
