[News] 20100609, Microsoft releases ten security bulletins on June 9

Hello everyone, I am Richard Chen. In the early hours of June 9 Microsoft released ten security bulletins: three carry a maximum rating of Critical and seven are rated Important. This month's bulletins fix 34 vulnerabilities in total; so far none of them has been observed being exploited in the wild.

MS10-033 is rated Critical on every Windows version still within its support lifecycle, MS10-034 is the cumulative security update of ActiveX kill bits, and MS10-035 is the cumulative security update for IE. All three Critical bulletins fix vulnerabilities that could lead to remote code execution, so please deploy them first.

In addition, MS10-039 fixes the elevation-of-privilege vulnerability in SharePoint described in Security Advisory 983438, and MS10-035 resolves the information-disclosure vulnerability in IE described in Security Advisory 980088.

The bulletin table below gives, for each bulletin: the bulletin ID, the bulletin title and summary, the maximum severity rating and vulnerability impact, the restart requirement, and the affected software.

MS10-033
Title: Vulnerabilities in Media Decompression Could Allow Remote Code Execution (979902)
Summary: This security update resolves two privately reported vulnerabilities in Microsoft Windows. These vulnerabilities could allow remote code execution if a user opens a specially crafted media file or receives specially crafted streaming content from a Web site or any application that delivers Web content. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Maximum severity and impact: Critical, remote code execution
Restart requirement: May require restart
Affected software: Microsoft Windows

MS10-034
Title: Cumulative Security Update of ActiveX Kill Bits (980195)
Summary: This security update addresses two privately reported vulnerabilities for Microsoft software. This security update is rated Critical for all supported editions of Microsoft Windows 2000, Windows XP, Windows Vista, and Windows 7, and Moderate for all supported editions of Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page that instantiates a specific ActiveX control with Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This update also includes kill bits for four third-party ActiveX controls.
Maximum severity and impact: Critical, remote code execution
Restart requirement: May require restart
Affected software: Microsoft Windows

MS10-035
Title: Cumulative Security Update for Internet Explorer (982381)
Summary: This security update resolves five privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Maximum severity and impact: Critical, remote code execution
Restart requirement: Requires restart
Affected software: Microsoft Windows, Internet Explorer

MS10-032
Title: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (979559)
Summary: This security update resolves two publicly disclosed vulnerabilities and one privately reported vulnerability in the Windows kernel-mode drivers. The vulnerabilities could allow elevation of privilege if a user views content rendered in a specially crafted TrueType font.
Maximum severity and impact: Important, elevation of privilege
Restart requirement: Requires restart
Affected software: Microsoft Windows

MS10-036
Title: Vulnerability in COM Validation in Microsoft Office Could Allow Remote Code Execution (983235)
Summary: This security update resolves a privately reported vulnerability in COM validation in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Excel, Word, Visio, Publisher, or PowerPoint file with an affected version of Microsoft Office. The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.
Maximum severity and impact: Important, remote code execution
Restart requirement: May require restart
Affected software: Microsoft Office

MS10-037
Title: Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Elevation of Privilege (980218)
Summary: This security update resolves a privately reported vulnerability in the Windows OpenType Compact Font Format (CFF) driver. The vulnerability could allow elevation of privilege if a user views content rendered in a specially crafted CFF font. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
Maximum severity and impact: Important, elevation of privilege
Restart requirement: May require restart
Affected software: Microsoft Windows

MS10-038
Title: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (2027452)
Summary: This security update resolves fourteen privately reported vulnerabilities in Microsoft Office. The more severe vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Maximum severity and impact: Important, remote code execution
Restart requirement: May require restart
Affected software: Microsoft Office

MS10-039
Title: Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (2028554)
Summary: This security update resolves one publicly disclosed and two privately reported vulnerabilities in Microsoft SharePoint. The most severe vulnerability could allow elevation of privilege if an attacker convinced a user of a targeted SharePoint site to click on a specially crafted link.
Maximum severity and impact: Important, elevation of privilege
Restart requirement: May require restart
Affected software: Microsoft Office, Microsoft Server Software

MS10-040
Title: Vulnerability in Internet Information Services Could Allow Remote Code Execution (982666)
Summary: This security update resolves a privately reported vulnerability in Internet Information Services (IIS). The vulnerability could allow remote code execution if a user received a specially crafted HTTP request. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Maximum severity and impact: Important, remote code execution
Restart requirement: May require restart
Affected software: Microsoft Windows

MS10-041
Title: Vulnerability in Microsoft .NET Framework Could Allow Tampering (981343)
Summary: This security update resolves a publicly disclosed vulnerability in Microsoft .NET Framework. The vulnerability could allow data tampering in signed XML content without being detected. In custom applications, the security impact depends on how the signed content is used in the specific application. Scenarios in which signed XML messages are transmitted over a secure channel (such as SSL) are not affected by this vulnerability.
Maximum severity and impact: Important, data tampering
Restart requirement: May require restart
Affected software: Microsoft Windows, Microsoft .NET Framework

For details, see the June security bulletin summary:

https://www.microsoft.com/technet/security/bulletin/ms10-jun.mspx

More reference resources:

Thanks!

Richard Chen

Software Security Program Manager, Greater China