Today, as part of our monthly security update cycle, we are releasing 11 security bulletins to address 25 vulnerabilities: five rated Critical, five rated Important and one rated Moderate. This month’s release affects Windows, Microsoft Office, and Microsoft Exchange. Additionally, the Malicious Software Removal Tool (MSRT) was updated to include Win32/Magania.
Our guidance on deployment priority is that customers should consider MS10-019, MS10-026, and MS10-027 the top priority bulletins for April. We do, however, recommend that customers deploy all security updates as soon as possible.
- MS10-019 affects all versions of Windows. While we give this a 2 on the exploitability index, the issue would allow an attacker to alter signed executable content (PE and CAB files) without invalidating the signature. Note that WU/MU content is not affected by this issue due to additional checks made when validating signed content.
- MS10-026 does not affect Windows 7, Windows Server 2008 R2, or Itanium versions of Windows Server 2008 and Windows Server 2003. However, it is rated Critical on Windows 2000, XP, Server 2003 and Server 2008. The vulnerability could be triggered simply by visiting a web page hosting a specially crafted AVI file that begins streaming when the page loads.
- MS10-027 affects only Windows 2000 and Windows XP; users of those systems could potentially be exploited simply by visiting a specially crafted web page.
The graphic below shows our overall deployment priority guidance. Note that this is general guidance. Each customer should evaluate based on their own environment. For example, those with large Windows 2000 deployments would likely want to bump MS10-025 up on their priority list.
The Severity and Exploitability Index slide gives an aggregate view of the overall risk and impact of each bulletin.
We continue to encourage customers to upgrade to the latest operating systems to benefit from the increased security protections provided by these platforms. Understanding that no software is perfect, the table below demonstrates the reduced impact of the April security bulletins on operating systems that have benefited from the Security Development Lifecycle (SDL):
This month we are closing out the following two Security Advisories. Please note that while these issues have been open, we have not seen any active attacks against them in our extensive monitoring of the threat landscape.
There is one additional item I want to mention concerning the April security updates. MS10-021 is a Windows Kernel update. You may recall that the last Kernel update, MS10-015, exposed some systems that were infected with the Alureon rootkit. For MS10-021, and for all of our Kernel updates going forward, we have included detection logic for unusual conditions or modifications to the Windows Kernel binaries. If such conditions are detected, the update will return an error to the user and fail to install. Customers who see this error should contact our Customer Service and Support team for help determining whether their system has malware on it.
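To illustrate the shape of a pre-install integrity gate like the one described above, here is an added example (not Microsoft's MS10-021 logic, and not code from the original post). It hashes the binaries an update would replace, compares them against a manifest of expected digests, and refuses to apply the patch on any mismatch or missing file. The file names, contents and manifest are constructed inside the example so it runs offline.

```python
"""Illustrative pre-install integrity gate (constructed example).

Hash each binary the update targets, compare against a manifest of
expected SHA-256 digests, and abort the install on any mismatch or
missing file. All file names, contents and hashes are constructed here;
this is not Microsoft's actual kernel-update detection logic.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_binaries(root, manifest):
    """Return (name, reason) for every target binary that fails the gate.

    manifest maps file name -> expected SHA-256 hex digest of the on-disk
    binary the update expects to find before it patches it.
    """
    findings = []
    for name, expected in manifest.items():
        path = os.path.join(root, name)
        if not os.path.exists(path):
            findings.append((name, "missing"))
            continue
        if sha256_of(path) != expected:
            findings.append((name, "hash mismatch"))
    return findings


def install_update(root, manifest, apply_patch):
    """Apply the patch only if every target matches; otherwise return an error."""
    findings = check_binaries(root, manifest)
    if findings:
        return False, findings          # fail to install, report what was found
    apply_patch(root)
    return True, []


def demo():
    """Constructed scenario: a clean system, then the same system with one
    target binary modified after the manifest was built."""
    with tempfile.TemporaryDirectory() as root:
        # constructed stand-ins for kernel binaries (names are illustrative)
        clean = {
            "ntoskrnl.exe": b"constructed kernel image",
            "win32k.sys": b"constructed driver image",
        }
        for name, data in clean.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        manifest = {n: hashlib.sha256(d).hexdigest() for n, d in clean.items()}

        ok_clean, _ = install_update(root, manifest, lambda r: None)

        # simulate an unexpected in-place modification of one target binary
        with open(os.path.join(root, "ntoskrnl.exe"), "ab") as f:
            f.write(b"\x00" * 16)

        ok_modified, findings = install_update(root, manifest, lambda r: None)
        return ok_clean, ok_modified, findings


if __name__ == "__main__":
    print(demo())
```

The design point is that the gate fails closed: the patch callback never runs unless every targeted file is exactly what the update expects, and the caller gets the list of offending files rather than a partially patched system.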
Additional details about this month’s bulletins can also be found on the Security Research & Defense team blog.
As always, Microsoft encourages system administrators to join the monthly technical webcast to learn more about the April 2010 security bulletin release. Registration information:
· Date: Wednesday, April 14, 2010
· Time: 11:00 a.m. PDT (UTC -8)
Also, another reminder that we recently announced a new corporate Twitter account for security response communications. You can follow the team for late-breaking news and updates on the threat landscape here: @MSFTSecResponse.
Group Manager, Response Communications
*This posting is provided “AS IS” with no warranties, and confers no rights*