Alert – Critical Product Vulnerability – January 21, 2010 (Out-of-Band) Microsoft Security Bulletin Release

What is the purpose of this alert?

This alert is to provide you with an overview of the new security bulletin being released (out-of-band) on January 21, 2010.

New Security Bulletin

Microsoft is releasing one new security bulletin (out-of-band) for newly discovered vulnerabilities:

Bulletin ID: MS10-002

Bulletin Title: Cumulative Security Update for Internet Explorer (978207)

Maximum Severity Rating: Critical

Vulnerability Impact: Remote Code Execution

Restart Requirement: Requires a restart

Affected Software: All supported versions of Internet Explorer on Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008*, Windows 7, and Windows Server 2008 R2*.

* Where indicated in the Affected Software table on the bulletin Web page, the vulnerabilities addressed by this update do not affect supported editions of Windows Server 2008 or Windows Server 2008 R2 when installed using the Server Core installation option. Please see the bulletin Web page (linked under Public Resources below) for more details.

Public Bulletin Webcast

Microsoft will host a webcast to address customer questions on this bulletin:

Title: Information About Microsoft’s January 2010 Out-of-Band Security Bulletin Release

Date: Thursday, January 21, 2010, at 1:00 P.M. Pacific Time (U.S. & Canada).

URL: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032440627

Public Resources related to this alert

·         Security Bulletin MS10-002 – Cumulative Security Update for Internet Explorer (978207): http://www.microsoft.com/technet/security/bulletin/MS10-002.mspx

·         Microsoft Security Response Center (MSRC) Blog: http://blogs.technet.com/msrc/

·         Microsoft Security Research & Defense (SRD) Blog: http://blogs.technet.com/srd/

·         Microsoft Malware Protection Center (MMPC) Blog: http://blogs.technet.com/mmpc/

·         Microsoft Security Development Lifecycle (SDL) Blog: http://blogs.msdn.com/sdl/

New Security Bulletin Technical Details

In the following tables of affected and non-affected software, software editions that are not listed are past their support lifecycle. To determine the support lifecycle for your product and edition, visit the Microsoft Support Lifecycle Web site at http://support.microsoft.com/lifecycle/.

Bulletin Identifier: Microsoft Security Bulletin MS10-002

Bulletin Title: Cumulative Security Update for Internet Explorer (978207)

Executive Summary:
This security update resolves seven privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The more severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.

The security update addresses these vulnerabilities by modifying the way that Internet Explorer handles objects in memory, validates input parameters, and filters HTML attributes.

This security update also addresses the vulnerability first described in Microsoft Security Advisory 979352.

Affected Software:
All supported versions of Internet Explorer on Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008*, Windows 7, and Windows Server 2008 R2*.

* Where indicated in the Affected Software table on the bulletin Web page, the vulnerabilities addressed by this update do not affect supported editions of Windows Server 2008 or Windows Server 2008 R2 when installed using the Server Core installation option. Please see the bulletin Web page at the link below for more details.

CVE, Exploitability Index Rating:

·         CVE-2010-0244: Uninitialized Memory Corruption Vulnerability (EI = 1)

·         CVE-2010-0245: Uninitialized Memory Corruption Vulnerability (see note below)

·         CVE-2010-0246: Uninitialized Memory Corruption Vulnerability (see note below)

·         CVE-2010-0247: Uninitialized Memory Corruption Vulnerability (EI = 1)

·         CVE-2010-0248: HTML Object Memory Corruption Vulnerability (EI = 2)

·         CVE-2010-0249: HTML Object Memory Corruption Vulnerability (EI = 1)

·         CVE-2009-4074: XSS Filter Script Handling Vulnerability (see note below)

·         CVE-2010-0027: URL Validation Vulnerability (EI = 1)

Note: Please see the Exploitability Index table of the bulletin summary page for more details: http://www.microsoft.com/technet/security/bulletin/ms10-jan.mspx

Attack Vectors:

·         A maliciously crafted Web page

·         A maliciously crafted HTML e-mail

Mitigating Factors:

·         Users would have to be persuaded to visit a malicious Web site.

·         Exploitation only gains the same user rights as the logged-on account. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

·         By default, all supported versions of Microsoft Outlook and Microsoft Outlook Express open HTML e-mail messages in the Restricted Sites zone.

·         By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode.

Restart Requirement: The update will require a restart.

Bulletins Replaced by This Update: MS09-072

Publicly Disclosed? Exploited?
CVE-2010-0249 has been publicly disclosed prior to release.
CVE-2010-0249 has been exploited in the wild at release.

Full Details: http://www.microsoft.com/technet/security/bulletin/MS10-002.mspx
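A host-level triage check for this bulletin, added here as an example; it is not part of Microsoft's alert or of the bulletin itself. It assumes PowerShell 2.0 or later and that the update's KB number (978207, taken from the bulletin title) was recorded in the hotfix store that Get-HotFix reads (Win32_QuickFixEngineering). It reports the three things the entries above make relevant: whether the cumulative update is present, which Internet Explorer version is installed (from the Version value under the HKLM Internet Explorer key), and whether the logged-on user holds administrative rights, since the bulletin notes that exploitation gains only the rights of that account.

```powershell
# Added example (not Microsoft's code): single-host triage for MS10-002 / KB978207.
# Assumptions: PowerShell 2.0+, and that the IE cumulative update is listed by Get-HotFix.

function Get-MS10002Status {
    $kb = 'KB978207'   # KB number from the bulletin title "Cumulative Security Update for Internet Explorer (978207)"

    # 1. Is the cumulative update installed on this host?
    $hotfix  = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    $patched = [bool]$hotfix
    $installedOn = $null
    if ($patched) { $installedOn = $hotfix.InstalledOn }

    # 2. Which Internet Explorer version is installed? (All supported versions are affected.)
    $ieKey     = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    $ieVersion = (Get-ItemProperty -Path $ieKey -ErrorAction SilentlyContinue).Version

    # 3. Mitigating factor: the exploit only gains the rights of the logged-on account,
    #    so an administrative session is the higher-impact case.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # The bulletin states the update requires a restart, so that is part of the action.
    $action = 'No action: KB978207 present'
    if (-not $patched) { $action = 'Install MS10-002 (KB978207) and restart' }

    New-Object PSObject -Property @{
        ComputerName       = $env:COMPUTERNAME
        IEVersion          = $ieVersion
        KB978207Installed  = $patched
        InstalledOn        = $installedOn
        CurrentUserIsAdmin = $isAdmin
        Action             = $action
    }
}

Get-MS10002Status | Format-List
```

Get-HotFix also accepts -ComputerName, so the same check can be run against a list of hosts from a management workstation; treat a missing KB978207 entry as "unpatched until proven otherwise" rather than as a definitive negative, because the QFE store does not always list updates installed by every deployment channel.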


 



Regarding Information Consistency

We strive to provide you with accurate information in static (this mail) and dynamic (Web-based) content. Microsoft’s security content posted to the Web is occasionally updated to reflect late-breaking information. If this results in an inconsistency between the information here and the information in Microsoft’s Web-based security content, the information in Microsoft’s Web-based security content is authoritative.

If you have any questions regarding this alert, please contact your Technical Account Manager or Application Development Consultant.

Thank you,

Microsoft CSS Security Team