Written by Larry Seltzer, PC Magazine
Wednesday, 09 June 2010
Microsoft released ten security bulletins today and updates to various products to fix thirty-four separate vulnerabilities. Three of the updates have a maximum severity level of Critical. Two affect Microsoft Windows and one is a Cumulative Update for Internet Explorer.
The three Critical updates were:
* MS10-033: Vulnerabilities in Media Decompression Could Allow Remote Code Execution—Two vulnerabilities affecting a variety of media components in almost all versions of Windows could lead to remote code execution. The user would have to open a malicious media file or receive specially crafted streaming content.
* MS10-034: Cumulative Security Update of ActiveX Kill Bits—Because of vulnerabilities in two COM objects from Microsoft and several others from Danske Bank, CA, Eastman Kodak and Avaya, this update sets kill bits in the registry so that Internet Explorer will refuse to instantiate the affected controls.
* MS10-035: Cumulative Security Update for Internet Explorer—Six different vulnerabilities affecting all versions of Internet Explorer on all supported versions of Windows are fixed in this cumulative update. Several are rated likely to result in working exploit code, including the two which are ranked Critical.
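A kill bit is nothing more than a flag in the registry: Internet Explorer consults the "ActiveX Compatibility" key for a control's CLSID and, if the 0x400 bit of its "Compatibility Flags" value is set, never loads the control. The PowerShell function below, added here as an illustration and not code from the article or from Microsoft, reads that flag for a CLSID you supply. The CLSIDs disabled by MS10-034 are listed in the bulletin itself and are not reproduced here; the function takes any CLSID as a parameter. The only assumption is the registry layout described above, which is the documented kill-bit mechanism.

```powershell
# Added example, not from the original article: report whether a kill bit is set for a
# COM/ActiveX class on the local machine. Pass the CLSID with braces, as it appears in the
# registry. No real control identifiers are hard-coded here.
function Test-KillBit {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Clsid    # e.g. '{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}', braces included
    )

    # Internet Explorer reads kill bits from the "ActiveX Compatibility" key. On 64-bit Windows
    # the 32-bit browser uses the Wow6432Node copy, so a control is only fully disabled when the
    # bit is present in both hives. On 32-bit Windows the Wow6432Node path simply does not exist.
    $paths = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )
    $KillBitFlag = 0x400    # bit in "Compatibility Flags" (REG_DWORD) meaning "never instantiate"

    foreach ($path in $paths) {
        $flags = $null
        if (Test-Path -Path $path) {
            $item  = Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
            if ($null -ne $item) { $flags = [int]$item.'Compatibility Flags' }
        }
        [pscustomobject]@{
            Clsid      = $Clsid
            Hive       = if ($path -like '*Wow6432Node*') { '32-bit (Wow6432Node)' } else { 'native' }
            Flags      = if ($null -eq $flags) { 'not present' } else { '0x{0:X}' -f $flags }
            KillBitSet = ($null -ne $flags) -and (($flags -band $KillBitFlag) -ne 0)
        }
    }
}

# Usage: put the CLSIDs from the bulletin's vulnerability details into $clsids and check each.
# $clsids = @('{...first CLSID from the bulletin...}', '{...second...}')
# $clsids | ForEach-Object { Test-KillBit -Clsid $_ } | Format-Table -AutoSize
```

A row whose Flags column reads "not present" means the update (or an equivalent administrative kill bit) has not been applied for that hive; a present value without the 0x400 bit means some other compatibility flag is set but the control can still load. Setting the bit yourself through Group Policy or a registry deployment is a legitimate stop-gap when the bulletin cannot be installed immediately, since the bit disables the control regardless of whether the vulnerable binary is still on disk.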
The remaining seven bulletins top out at Important, meaning that there is some significant mitigating factor or that the damage is limited:
* MS10-032: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege—All supported versions of Windows are vulnerable to privilege elevation owing to three vulnerabilities. An attacker would need valid logon credentials in order to execute the attack.
* MS10-036: Vulnerability in COM Validation in Microsoft Office Could Allow Remote Code Execution—Various Microsoft Office for Windows programs (not including Office 2010) are vulnerable to remote code execution if the user opens a malicious web page or e-mail attachment. Working exploit code is likely for this attack.
* MS10-037: Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Elevation of Privilege—All versions of Windows are vulnerable to an elevation of privilege vulnerability, but the attacker needs valid logon credentials and consistent exploit code is not likely.
* MS10-038: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution—Excel and certain other Office programs on Windows and the Mac are vulnerable to remote code execution through 14 different vulnerabilities, most of which are likely to produce functioning exploit code.
* MS10-039: Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege—Two vulnerabilities in SharePoint could lead to denial of service (locking up the client session) or improper disclosure of information.
* MS10-040: Vulnerability in Internet Information Services Could Allow Remote Code Execution—An authentication error in IIS could lead to remote code execution. The flaw is only reachable when the non-default Extended Protection for Authentication feature has been enabled, which is the mitigating factor that keeps this bulletin at Important.
* MS10-041: Vulnerability in Microsoft .NET Framework Could Allow Tampering—An attacker could tamper with signed XML content without the modification being detected by the framework's signature verification.
There were also a large number of non-security updates released today, including the following:
* New versions of the Windows Malicious Software Removal Tool (32-bit and 64-bit)
* An update for the Windows Mail Junk E-mail Filter
* Updates to various versions of Microsoft .NET Framework—strengthens authentication credentials in specific scenarios. [Why is this classified as a non-security update? Is it really the same thing as MS10-041?]