Assessing the risk of the December security updates

Bulletin

Most likely attack vector

Max Bulletin Severity

Max  Exploit-ability

Likely first 30 days impact

Platform mitigations and key notes

MS10-090

(IE)

Victim browses to a malicious webpage.

Critical

1

Public exploit exists for CVE-2010-3962.  Exploits works on IE6 and IE7 on Windows XP.

We have not seen CVE-2010-3962 exploits that have successfully bypassed DEP.  Therefore, IE8 users are at reduced risk.

MS10-091

(Opentype Font driver)

Victim using explorer.exe browses to a folder containing a malicious OTF file.

Critical

1

Likely to see an exploit released granting a local attacker SYSTEM level access. 

Windows XP and Windows Server 2003 not vulnerable to the shell preview attack vector. 

MS10-092

(Task Scheduler)

Attacker running code on a machine already elevates from low-privileged account to SYSTEM.

Important

1

This vulnerability being exploited by Stuxnet malware.

MS10-098

(win32k.sys)

Attacker running code on a machine already elevates from low-privileged account to SYSTEM.

Important

1

Likely to see an exploit released granting a local attacker SYSTEM level access. 

MS10-105

(Graphics filters)

Victim opens a malicious Office document

Important

1

Likely to see an exploit released for one or more of the CVE’s addressed by this bulletin.

Later versions of Microsoft Office have disabled support for several of these graphics filters.  Please see SRD blog post here for more detail.

MS10-103

(Publisher)

Victim opens a malicious .PUB file

Important

1

Likely to see an exploit released.

MS10-099

(RRAS)

Attacker running code on a machine already elevates from low-privileged account to SYSTEM.

Important

1

Likely to see an exploit released granting a local attacker SYSTEM level access. 

Systems that have not configured a VPN or RAS connection are not vulnerable by default.

DLL Preloading Issues

(MS10-093, MS10-094, MS10-095, MS10-096, MS10-097)

Victim browses to a malicious WebDAV share and launches an application by double-clicking a content file hosted on the attacker-controlled WebDAV share.

Important

1

Public proof-of-concept code already exists for several of these vulnerabilities.

MS10-101

(Netlogon)

Attacker sends malicious RPC network request to Windows Server acting as a domain controller.  Request must be sent from a domain-joined workstation on which the attacker has administrative privileges.  The request could bugcheck the Windows server.

Important

3

Due to the mitigating factors, unlikely to see wide-spread exploitation for denial of service.

Attacker must have administrative rights on a domain-joined machine to launch this attack.

MS10-102

(Hyper-V)

Attacker with administrative control of a guest OS can bugcheck (reboot) the host OS.

Important

3

Unlikely to see wide-spread exploitation of this denial-of-service issue.

MS10-100

(Consent)

Attacker running code on a machine already elevates from low-privileged account to the workstation account (Machine$).

Important

1

While an exploit could be developed for this issue, the severity of the elevation is limited.  This is not a typical elevation of privilege vulnerability which would result in administrative control of the system.

MS10-104

(Sharepoint)

If an off-by-default service is enabled, an attacker can upload a malicious executable and potentially cause it to be run with Guest privileges on Sharepoint Server.

Important

1

Unlikely to see wide-spread exploitation as the service is not enabled by default.

Sharepoint servers in production unlikely to be vulnerable by default.  See this SRD blog post for more information.

MS10-106

(Exchange)

Attacker sends malicious RPC network request to an Exchange Server causing it to enter an infinite loop denial-of-service condition.  The specific RPC function requires the attacker to be authenticated.

Moderate

3

Due to the mitigating factors, unlikely to see wide-spread exploitation for denial of service.