MSRC

2010

Assessing the risk of the December security updates

Tuesday, December 14, 2010

Today we released seventeen security bulletins. Two have a maximum severity rating of Critical, fourteen have a maximum severity rating of Important, and one has a maximum severity rating of Moderate. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

Bulletin | Most likely attack vector | Max Bulletin Severity | Max Exploitability | Likely first 30 days impact | Platform mitigations and key notes
MS10-090 (IE) | Victim browses to a malicious webpage.

Benefits of Office 2010 File Validation will be made available for Office 2003 and 2007

Tuesday, December 14, 2010

Hello everyone – We’re really excited to announce that Office File Validation, currently part of Office 2010, will soon be made available for Office 2003 and 2007. During development of Office 2010, the Office Team, in conjunction with members of the Microsoft Engineering Center (MSEC) organization, performed a number of actions to increase protections for file parsing code.

December 2010 Security Bulletin Release

Tuesday, December 14, 2010

Hi everyone. As part of our usual cycle of monthly security updates, today Microsoft is releasing 17 bulletins addressing 40 vulnerabilities in Microsoft Windows, Office, Internet Explorer, SharePoint Server and Exchange. Two of those bulletins carry a Critical rating, while 14 are rated Important and one is rated Moderate. We’ve assigned our highest deployment priority to the two Critical bulletins, though we recommend that customers deploy all updates as soon as possible.

More about the Office File Validation backport plan

Tuesday, December 14, 2010

In November 2010, Microsoft released the first Security Bulletin (MS10-079) against an Office 2010 component, in this case Microsoft Word. Approximately 6 months had elapsed since Office 2010 launched in May and while it’s good for such a widely used product to be available for so long without any reported issues, we were naturally disappointed to release the first bulletin affecting Office 2010.

MS10-104: SharePoint 2007 Vulnerability

Tuesday, December 14, 2010

Today we released MS10-104 to address vulnerability CVE-2010-3964 in SharePoint 2007 server, with a severity rating of Important. In this blog, we would like to cover some additional details of this vulnerability.

Is my SharePoint server affected by this vulnerability?

There are two types of installations for a SharePoint server: standalone and farm.

MS10-105: Image Filters Update

Tuesday, December 14, 2010

This month we shipped a security update and bulletin (MS10-105) to address vulnerabilities in the .cgm, .tif, .fpx, and .pct image filters. These filters are shipped with Microsoft Office to extend image rendering for applications. Neither Office 2010 nor Office 2007 uses filters to perform rendering by default. Both use GDI+ instead.

December 2010 Advance Notification Service is released

Thursday, December 09, 2010

Hi everyone. Mike Reavey from the MSRC here. Today we’re releasing our Advance Notification Service for the December 2010 security bulletin release. As we do every month, we’ve given information about the coming December release and provided links to detailed information so you can plan your deployment by product, service pack level, and severity.

On the effectiveness of DEP and ASLR

Wednesday, December 08, 2010

DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) have proven themselves to be important and effective countermeasures against the types of exploits that we see in the wild today. Of course, any useful mitigation technology will attract scrutiny, and over the past year there has been an increasing amount of research and discussion on the subject of bypassing DEP and ASLR [1,2].