Skip to main content
MSRC

Month Archives: April 2010

April 2010 Security Bulletin Release

Tuesday, April 13, 2010

Hi everyone, Today, as part of our monthly security update cycle, we are releasing ** 11 security bulletins to address 25 vulnerabilities: five rated Critical, five rated Important and one rated Moderate. This month’s release affects Windows, Microsoft Office, and Microsoft Exchange. Additionally, the Malicious Software Removal Tool (MSRT) was updated to include Win32/Magania.

Read More

Assessing the risk of the April Security Bulletins

Monday, April 12, 2010

Today we released eleven security bulletins with security updates addressing 25 CVE’s. Five of the bulletins have at least one CVE rated Critical. We hope that the table below helps you prioritize this month’s deployment. Bulletin Most likely attack vector Max Bulletin Severity Max Exploit-ability Index Likely first 30 days impact Platform mitigations and key notes MS10-027 (WMP) Victim browses to a malicious webpage.

Read More

Does Microsoft Change My Automatic Updates Settings?

Monday, April 12, 2010

Handle: Jman IRL: Jerry Bryant Rank: Group Manager, Response Communications Likes: Quad lattes, geek toys, responsible disclosure Dislikes: Tomatoes, slow drivers (frontgaters) As a follow on to the WGA and Security Updates post by Dustin Childs, I wanted to address another common question we get regarding both security and non-security updates that customers receive from Microsoft through Windows Update or Microsoft Update.

Read More

MS10-020: SMB Client Update

Monday, April 12, 2010

Today Microsoft released MS10-020, which addresses several vulnerabilities in the Windows SMB client. This blog post provides additional details to help prioritize installation of the update, and understand the attack vectors and mitigations that apply. Client-side vulnerabilities The first thing to realize is that this update addresses vulnerabilities in the SMB ** client ** in Windows.

Read More

New email address for Microsoft security email notifications

Monday, April 12, 2010

4/13/2010 Update: The migration to the new mail system has not gone fully as planned but the good news in our update today is that we “will” be using a microsoft.com email address to send the security notifications to customers. The bad news is that PGP signing is not working correctly in the new system so the mailers going out today announcing our security bulletin release will not be signed.

Read More

Registry vulnerabilities addressed by MS10-021

Monday, April 12, 2010

MS10-021 addresses eight different Windows vulnerabilities. Five of them, CVE-2010-0234 through CVE-2010-0238, stem from an obscure bit of Windows registry functionality called “registry links”. A quick search in MSDN reveals this description: “REG_LINK: Specifies a Unicode symbolic link. Used internally. Applications do not use this type”. Clear as mud, right? Registry links are similar to symbolic links in NTFS (http://msdn.

Read More