Today we released ten security bulletins. Three have a maximum severity rating of Critical and seven have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
| Bulletin | Most likely attack vector | Max Bulletin Severity | Max Exploit-ability Index Rating | Likely first 30 days impact | Platform mitigations and key notes |
|---|---|---|---|---|---|
| MS10-035(IE) | Victim browses to a malicious webpage. | Critical | 1 | Proof-of-concept has been presented publicly for Information Disclosure issue.Likely to also see exploit released for one or more of these memory corruption vulnerabilities. | IE users on later platforms at reduced risk due to Protected Mode mitigating the information disclosure issue. IE8 users on Windows Vista and Windows 7 at reduced risk due to presence of DEP and ASLR.Please see this SRD blog post for more information |
| MS10-033(quartz.dll) | Victim browses to a malicious webpage or opens a malicious AVI movie with Media Player. | Critical | 1 | Likely to see an exploit released able to exploit the vulnerability in MJPEG parsing. | |
| MS10-034(killbits) | Victim browses to a malicious webpage. | Critical | n/a | May see an exploit released able to exploit one or both of the Microsoft ActiveX controls. | CVE-2010-0252: Victim must have Office XP’s Data Analyzer (MSDA) package installed to be vulnerable.CVE-2010-0811: User interaction required |
| MS10-032(kernel drivers) | Attacker already running code with low privileges on a vulnerable machine runs a malicious EXE to elevate to a higher privilege level. | Important | 1 | Likely to see an exploit released able to elevate from a low privileged user on the box to a higher privilege. | Please see this SRD blog post for more information about exploitability |
| MS10-038(Excel) | Victim opens a malicious XLS file that exploits a vulnerability to run arbitrary code. | Important | 1 | Exploit likely to be developed for one of more of these XLS parsing vulnerabilities in the next 30 days. | |
| MS10-036(Office ActiveX) | Victim opens a malicious Office document that instantiates an ActiveX control to result in code execution. | Important | 1 | Likely to see malicious Office documents that exploit this within the next 30 days. | |
| MS10-039(SharePoint) | Victim clicks an attacker-sent link to a Sharepoint server on which they have administrative rights. Attacker-supplied link causes them to take an automatic action on the Sharepoint Server. | Important | 1 | Proof-of-concept already public for this issue. However, we have not heard of real-world attacks from either customers or partners. | |
| MS10-040(IIS) | Attacker connects remotely over HTTP to IIS server that has installed the (optional) Channel Binding Update and has enabled (off-by-default) Windows Authentication. | Important | 2 | Less likely to see exploits developed resulting in successful code execution in next 30 days. | |
| MS10-037(OpenType) | Local user running at low privileges on a vulnerable machine runs a malicious EXE to elevate to a higher privilege level. | Important | 2 | Less likely to see exploits developed resulting in successful code execution in next 30 days | |
| MS10-041(.NET) | Custom .NET applications that rely on XML signature protection as tamper protection could be tampered with in an undetected manner. | Important | 3 | Unlikely to see exploit developed in the next 30 days. | No Microsoft .NET applications are vulnerable to this issue. Usage of the specific API thought to be low in real-world.Please see this SRD blog postfor more information |
Special thanks to all of MSRC Engineering for their work on these cases.
- Jonathan Ness, MSRC Engineering