Patch Tuesday Wednesday (JAN-2010)

I was on holiday for this month’s Patch Tuesday *happy, happy, joy, joy!*, so here is a late recap on this month’s patching including the out of band patch issued later in the month.

This month we have one (1) new security bulletin, and one (1) out of band patch issued later in the month. A restart will be required.

For our first bulletin release of the New Year, we have one Critical bulletin affecting all versions of Windows. The bulletin, MS10-001, addresses one vulnerability in the Embedded OpenType Font Engine and is Critical on Windows 2000. For all other versions of Windows, the vulnerability gets a Low rating. [1]

Bulletin	KB number	Description	Severity	Impact	Software
MS10-001	972270	Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution	Remote Code Execution	Critical	Microsoft Windows

Out of Band Patch

Bulletin	KB number	Description	Severity	Impact	Software
MS10-002	978207	Cumulative Security Update for Internet Explorer	Remote Code Execution	Critical	Microsoft Windows

For this month:

re MS10-002;

While all versions of Internet Explorer are affected, the risk for everyone running Internet Explorer 8 is lower since it has DEP (Data Execution Prevention) enabled by default. DEP makes exploitation of this vulnerability more difficult so as a temporary workaround you might want to enable it for older IEs (keep in mind that it might break some add-ons). — SANS [7]

PATCH NOW:
NOW: MS10-002 !