From the look of things, Microsoft is starting off slow this year with only one of each in today’s release – one bulletin, one advisory and one re-released bulletin. However, there is still no bulletin for Security Advisory 977544 – the Vulnerability in SMB Could Allow Denial of Service. Microsoft says they are still working on an update for this issue and are not aware of any attacks using the exploit code.
The bulletin they did release is MS10-001, which addresses a vulnerability in the Embedded OpenType (EOT) Font Engine and is considered critical if you are running Windows 2000 and low for any other version of Windows. This was responsibly disclosed and Microsoft is not aware of any active attacks as of yet. I should also note that if a user is logged on with admin privileges and an attacker successfully exploits this vulnerability, the attacker would have control of the user's machine.
Microsoft also re-released the MS09-035 Active Template Library (ATL) bulletin after adding Windows Embedded CE 6.0 to the affected product list. This release only affects developers and OEMs building applications on top of CE 6 or producing devices that use the operating system.
The last release from Microsoft was Security Advisory 979267, issued to increase awareness of reports of vulnerabilities in Adobe Flash Player 6, which shipped with Windows XP. I would like to mention that Flash 6.0 is a very old version, considering it came with XP, so please update to the latest version of Flash.
Please note that Adobe is releasing the APSB10-02 Security Advisory today to resolve critical vulnerabilities being actively exploited in Adobe Reader and Acrobat 9.2 on Windows, Mac, and UNIX.
Even with only one update from Microsoft, I would suggest that everyone install it as a matter of standard procedure. But I would make the Adobe update my first priority this month.