In August, Microsoft released a whopping 15 security bulletins on Patch Tuesday. Nine of the updates were labeled as critical, with the remaining six marked as important. These patches addressed flaws in Windows, Internet Explorer, Office, the .NET Framework, and Silverlight, fixing a total of 35 vulnerabilities. (For a complete list of August's security bulletins, go tohttp://www.microsoft.com/technet/security/bulletin/ms10-aug.mspx.)
Today Microsoft issued an additional nine security bulletins to address vulnerabilities in Windows and Office. Four of the updates are critical; five are labeled important.
According to Jason Miller, data and security team manager at Shavlik Technologies, the most important updates for administrators to address this month are MS10-061 and MS10-062:
MS10-061 fixes a vulnerability in the Print Spooler service in Windows XP. If you are running Windows XP and sharing a printer, attackers can compromise the machine with an over-the-network printrequest. This vulnerability was found in the Stuxnet malware family and it is currently being exploited in the wild. The Stuxnet malware family has lead to a couple of patches for zero-day exploits, such as MS10-046. MS10-046 was released out-of-band to fix the Windows LNK vulnerability. The Stuxnet malware family prompted this release as it was exploiting the vulnerability as a zero-day.
MS10-062 fixes a vulnerability in the MPEG-4 codec on Windows operating systems. If a user opens a specially crafted malicious media file (AVI) with a media player, an attacker can take control of the machine via remote code execution. Viewing media formats is becoming more and more common for both work and home users. It is not safe to assume that media viewing only occurs at home and not on your network. Media file distribution can happen in many ways, such as visiting a website that hosts malicious media files, viewing media files from a streaming server, or opening the slapstick funny email attachment from your friends.
For the complete list of September's security bulletins, go to http://www.microsoft.com/technet/security/bulletin/ms10-sep.mspx. In addition, Microsoft is hosting a webcast about these bulletins on September 15, at 11:00 a.m. PST. Click here to register for Microsoft's September Security Bulletin webcast.