April 2010 Windows patch

(@rahmidilli)

It is very refreshing to see that the number of out-of-band Microsoft
updates has been kept to a minimum this time around! Unfortunately,
we have 11 patches fixing a total of 25 security holes. Do not forget,
if you are using the RTM version of Vista (one without any service packs
installed), you are no longer supported and will not be offered these
patches; you will need to get at least SP1 installed to have user
support again.


Security patches

  • MS10-019/KB981210 - Critical (2000, XP, Vista, 7, 2003, 2008, 2008 R2):
    Problems with the Authenticode Verification system can allow remote code
    execution attacks, which are not mitigated by lower user permissions.
    Install this fix immediately. 98KB - 870KB
  • MS10-020/KB980232 - Critical (2000, XP, Vista, 7, 2003, 2008, 2008 R2):
    This patch fixes a problem in SMB handling where an attacker could send a
    specially crafted response to an SMB request that would allow a remote
    code execution attack. You will want to install this patch immediately,
    because the attacker gets full privileges regardless of the user’s
    permission level. 235KB - 1.2MB
  • MS10-021/KB979683 - Important (2000, XP, Vista, 2003)/Moderate (7, 2008, 2008 R2):
    This patch addresses a number of problems. Luckily, even the worst of
    them requires the attacker to be logged on. Some of the problems fixed
    are escalation of privileges; others are denial-of-service problems.
    Install the patch during your next patch cycle. 1.6MB - 7.8MB
  • MS10-022/KB981169 - Important (XP, 2003)/Low (Vista, 7, 2008, 2008 R2):
    This is the fix for the already exploited F1 problem. The severity on
    this one is not critical, since it requires a user to perform certain
    actions under certain circumstances to be exploited. Install the patch
    during your usual window. 221KB - 1.1MB
  • MS10-023/KB981160 - Important (Publisher 2002, Publisher 2003, Publisher 2007):
    If you are using Publisher, this patch fixes a remote code execution
    exploit when opening specially crafted files. Install this for the folks
    who use Publisher. 2.9MB - 5.2MB
  • MS10-024/KB976323 - Important (2000, XP, 2003, 2008, 2008 R2, Exchange 2000,
    Exchange 2003, Exchange 2007, Exchange 2010):
    A bug in the SMTP server system can allow denial-of-service attacks.
    Install this patch on any servers running SMTP. 434KB - 1.4MB
  • MS10-025/KB980858 - Critical (2000):
    Windows Media Services on Windows 2000 can allow remote code execution
    attacks. Install this patch immediately on those servers. 700KB
  • MS10-026/KB977816 - Critical (2000, XP, 2003, 2008)/Important (Vista):
    If you open a specially crafted AVI file or view a stream of malicious
    MPEG-3 encoded media, your system could be open to a remote code
    execution attack. Accounts with lower permissions may mitigate the risks
    slightly, but do not count on it, because the information I have read
    says that could be trouble. Install this patch immediately to protect
    against this. 159KB - 865KB
  • MS10-027/KB979402 - Critical (2000, XP):
    Another Windows Media Player vulnerability. Again, if you open media
    that has been specially crafted, remote code execution may result, with
    the attacker’s rights hopefully being lowered by the user having lowered
    rights. Install the patch as soon as you can. 2.3MB
  • MS10-028/KB980094 - Important (Visio 2002, Visio 2003, Visio 2007):
    This remote code execution exploit is triggered by opening malicious
    Visio files. The attacker should get the user’s rights, so lowered
    privileges should prevent some of the damage. Install for Visio users as
    soon as you can. 10.9MB - 15.5MB
  • MS10-029/KB978338 - Moderate (XP, Vista, 2003, 2008):
    A lack of filtering capabilities (included in later versions of Windows)
    allows an attacker to spoof an IPv4 address; this patch fixes it. Update
    your systems with this patch during your normal time for patching.
    637KB - 2.9MB

Other updates

There are none to report this month.

“The Usual Suspects”: Updates to the Malicious Software Removal Tool
(9.8MB - 10.1MB) and Junk Email filters (2.2MB).

Changed, but not significantly:

Updates since the last Patch Tuesday

MS10-018/KB980182 - Critical (2000, XP, Vista, 7, 2003, 2008, 2008 R2):
This is a giant cumulative update for every version of Internet Explorer
that Microsoft supports. It fixes a total of 10 security holes, some of
which allow remote code execution and others that let the attacker get data
they should not. There is also a huge pile of nonsecurity fixes. You should
install this immediately if you have not yet done so. 3.3MB - 40.6MB

There have been a number of minor items added and updated since the
last Patch Tuesday:

Changed, but not significantly:

 
Posted: 16/04/2010 11:38
