Today we released seventeen security bulletins. Two have a maximum severity rating of Critical, fourteen have a maximum severity rating of Important, and one has a maximum severity rating of Moderate. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
| Bulletin | Most likely attack vector | Max Bulletin Severity | Max Exploit-ability | Likely first 30 days impact | Platform mitigations and key notes |
|---|---|---|---|---|---|
| MS10-090(IE) | Victim browses to a malicious webpage. | Critical | 1 | Public exploit exists for CVE-2010-3962. Exploits works on IE6 and IE7 on Windows XP. | We have not seen CVE-2010-3962 exploits that have successfully bypassed DEP. Therefore, IE8 users are at reduced risk. |
| MS10-091(Opentype Font driver) | Victim using explorer.exe browses to a folder containing a malicious OTF file. | Critical | 1 | Likely to see an exploit released granting a local attacker SYSTEM level access. | Windows XP and Windows Server 2003 not vulnerable to the shell preview attack vector. |
| MS10-092(Task Scheduler) | Attacker running code on a machine already elevates from low-privileged account to SYSTEM. | Important | 1 | This vulnerability being exploited by Stuxnet malware. | |
| MS10-098(win32k.sys) | Attacker running code on a machine already elevates from low-privileged account to SYSTEM. | Important | 1 | Likely to see an exploit released granting a local attacker SYSTEM level access. | |
| MS10-105(Graphics filters) | Victim opens a malicious Office document | Important | 1 | Likely to see an exploit released for one or more of the CVE’s addressed by this bulletin. | Later versions of Microsoft Office have disabled support for several of these graphics filters. Please see SRD blog post here for more detail. |
| MS10-103(Publisher) | Victim opens a malicious .PUB file | Important | 1 | Likely to see an exploit released. | |
| MS10-099(RRAS) | Attacker running code on a machine already elevates from low-privileged account to SYSTEM. | Important | 1 | Likely to see an exploit released granting a local attacker SYSTEM level access. | Systems that have not configured a VPN or RAS connection are not vulnerable by default. |
| DLL Preloading Issues(MS10-093, MS10-094, MS10-095, MS10-096, MS10-097) | Victim browses to a malicious WebDAV share and launches an application by double-clicking a content file hosted on the attacker-controlled WebDAV share. | Important | 1 | Public proof-of-concept code already exists for several of these vulnerabilities. | |
| MS10-101(Netlogon) | Attacker sends malicious RPC network request to Windows Server acting as a domain controller. Request must be sent from a domain-joined workstation on which the attacker has administrative privileges. The request could bugcheck the Windows server. | Important | 3 | Due to the mitigating factors, unlikely to see wide-spread exploitation for denial of service. | Attacker must have administrative rights on a domain-joined machine to launch this attack. |
| MS10-102(Hyper-V) | Attacker with administrative control of a guest OS can bugcheck (reboot) the host OS. | Important | 3 | Unlikely to see wide-spread exploitation of this denial-of-service issue. | |
| MS10-100(Consent) | Attacker running code on a machine already elevates from low-privileged account to the workstation account (Machine$). | Important | 1 | While an exploit could be developed for this issue, the severity of the elevation is limited. This is not a typical elevation of privilege vulnerability which would result in administrative control of the system. | |
| MS10-104(Sharepoint) | If an off-by-default service is enabled, an attacker can upload a malicious executable and potentially cause it to be run with Guest privileges on Sharepoint Server. | Important | 1 | Unlikely to see wide-spread exploitation as the service is not enabled by default. | Sharepoint servers in production unlikely to be vulnerable by default. See this SRD blog post for more information. |
| MS10-106(Exchange) | Attacker sends malicious RPC network request to an Exchange Server causing it to enter an infinite loop denial-of-service condition. The specific RPC function requires the attacker to be authenticated. | Moderate | 3 | Due to the mitigating factors, unlikely to see wide-spread exploitation for denial of service. |
Thanks to the whole MSRC Engineering for their work on this month’s cases.
- Jonathan Ness, MSRC Engineering
*Posting is provided “AS IS” with no warranties, and confers no rights.*