Today we released sixteen security bulletins. Four have a maximum severity rating of Critical, ten have a maximum severity rating of Important, and two have a maximum severity rating of Moderate. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
| Bulletin | Most likely attack vector | Max Bulletin Severity | Max exploit-ability | Likely first 30 days impact | Platform mitigations and key notes |
|---|---|---|---|---|---|
| MS10-071 (IE) | Victim browses to a malicious webpage. | Critical | 1 | Likely to see a code execution exploit developed for memory corruption vulnerabilities. | Neither IE7 nor IE8 vulnerable to CVE-2010-3326, one of the two Critical issues addressed by this security bulletin. |
| MS10-076 (EOT) | Victim browses to a malicious webpage. | Critical | 1 | Likely to see an exploit released for older platforms | ASLR on Windows Vista and later operating systems makes building a successful exploit for code execution much more difficult. |
| MS10-077 (.Net Framework) | Victim running 64-bit Windows browses to a malicious webpage. Also could be used by malicious attacker allowed to run ASP.Net code on 64-bit IIS server to run arbitrary code. | Critical | 1 | Likely to see an ASP.Net exploit released capable of running arbitrary code. | 32-bit platforms not affected. |
| MS10-075(WMP) | Attacker sends malicious RTSP network packet to Windows Vista and Windows 7 client on the same network who has opted-in to Windows Media Network Sharing service. Only Windows 7 Home Edition opts-in by default. | Critical | 1 | Likely to see a code execution exploit developed. Unlikely to see wide-spread exploitation due to feature being accessible only on local subnet and being off-by-default on most versions of Windows. | Service is reachable only by machines on local subnet. Domain-joined machines are not vulnerable by default. Feature is on-by-default only for Windows 7 Home Edition. |
| MS10-073 (Win32k.sys) | Attacker running code on a machine already elevates from low-privileged account to SYSTEM. | Important | 1 | Stuxnet malware currently leverages this vulnerability for local elevation of privilege if run on Windows XP. | The local elevation of privilege vulnerability used by Stuxnet (CVE-2010-2743) reachable only on Windows XP, not later platforms. |
| MS10-082 (WMP) | User interaction required when visiting a malcious website. | Important | 1 | Likely to see a code execution exploit developed. | Internet Explorer users are not vulnerable. |
| MS10-081 (Comctl32) | No known attack vectors using Microsoft software. Victim using a 3rd party image viewer could be vulnerable when browsing to a malicious webpage. | Important | 1 | Likely to see a code execution exploit developed. | No attack vectors if using only Microsoft software. Seethis SRD blog post for more information. |
| MS10-079 (Word) | Victim opens a malicious .DOC file | Important | 1 | Likely to see a code execution exploit developed. | Nine of the eleven issues affect only Office 2002 and Office for Mac platforms. |
| MS10-080 (Excel) | Victim opens a malicious .XLS file | Important | 1 | Likely to see a code execution exploit developed. | Excel 2010 not vulnerable. Ten of the thirteen issues affect only Office 2002 and Office for Mac platforms. |
| MS10-084(LPC) | Attacker running code on a machine elevates from low-privileged account to SYSTEM. | Important | 1 | Proof-of-concept publicly released already. | |
| MS10-078(OTF font) | No remote attack vectors using Microsoft software. Victim using a 3rd party browser could be vulnerable when browsing to a malicious webpage. | Important | 1 | Likely to see a code execution exploit developed. | |
| MS10-083 (COM) | Victim opens a malicious Wordpad document or malicious shortcut file, instantiating a COM object that would otherwise not run. | Important | 1 | May see proof-of-concept code developed. | |
| MS10-072 (SafeHTML) | Attacker submits malicious HTML to a server, bypassing SafeHTML’s sanitization code. The malicious HTML is subsequently displayed to a victim, resulting in potential information disclosure. | Important | 3 | No chance for direct code execution. | |
| MS10-085 (SChannel) | Attacker sends a malicious client-side certificate to an IIS server, causing it to restart. | Important | 3 | No chance for code execution. | Affects only applications, features, or services that are configured to accept SSL connections. |
| MS10-074 (MFC) | Victim uses an application built using MFC to open untrusted content. No Microsoft attack vectors. | Moderate | n/a | No known Microsoft attack vectors. See this SRD blog post for more information. | |
| MS10-086 (Cluster Disk Setup) | Attacker tampers with files to which they would otherwise not have access due to incorrect ACL’s assigned during the setup of shared cluster disks. | Moderate | n/a | Seethis SRD blog post for more information about this vulnerability. |
Thanks to Fermin J. Serna, David Ross, and Richard van Eeden of the MSRC Engineering team for validating the accuracy of this table. And, of course, thanks to the whole MSRC Engineering for their work on this month’s cases.
Update Oct 18, 2010: Clarified scope of MS10-085
- Jonathan Ness and Andrew Roths, MSRC Engineering
*Posting is provided “AS IS” with no warranties, and confers no rights.*