This Azure Guest OS release comes two months after the previous one (v. 2.1). Does this release provide minor changes, or does it include patches for substantial security issues? Let’s dig in and find out.
Microsoft announced Windows Azure Guest OS 2.2 (Release 201101-01), which contains 11 specified security patches. More specifically, this Azure Guest OS is comprised of:
- Windows Server 2008 R2, plus
- All security patches through December, 2010, and
- 2 updates to previous security patches
The 11 patches specified in the bulletin fall into a few vulnerability categories. 9 of the patches were included in December’s Security Bulletin; the 3 marked with ‘*’ are patch updates. The ‘MS10-…’ prefix of the bulletin IDs gives away that they originated in 2010.
| Vulnerability Category | Bulletins |
|---|---|
| Elevation of Privilege | MS10-092, MS10-098, MS10-100 |
| Remote Code Execution | MS10-077*, MS10-091, MS10-095, MS10-096 |
| Denial of Service | MS10-101, MS10-102 |
| IE Cumulative Updates | MS10-090* |
| ASP.NET, Information Disclosure | MS10-070* |
MS10-070 & MS10-077 were originally released last year in September and October, respectively. MS10-090 was originally released in December, 2010, but was updated in early January, 2011.
Even though most of these were in December’s Security Bulletin, we should take a look at the criticality and exploitability ratings for each (relative to Windows Server 2008 R2 for x64 only; impacts to Itanium-based systems may differ slightly):
| Bulletin | Severity Rating | Exploitability Rating |
|---|---|---|
| MS10-090 | Critical | Consistent Exploit Code Likely |
| MS10-091 | Critical | Consistent Exploit Code Likely |
| MS10-092 | Important | Consistent Exploit Code Likely |
| MS10-095 | Important | Consistent Exploit Code Likely |
| MS10-096 | Important | Consistent Exploit Code Likely |
| MS10-098 | Important | Consistent Exploit Code Likely |
| MS10-100 | Important | Consistent Exploit Code Likely |
| MS10-101 | Important | Functioning exploit code unlikely |
| MS10-102 | Important | Functioning exploit code unlikely |
So, I think it’s safe to assess that this new Azure Guest OS includes some very significant security patches. Agree? Don’t agree? Leave a comment for us below.