Today, as part of our regular monthly security bulletin release cycle, we released 10 bulletins to address 34 total vulnerabilities in Windows, Microsoft Office (including SharePoint), Internet Explorer (IE), Internet Information Services (IIS), and the .NET Framework. Only three of these bulletins get our maximum severity rating of Critical. The rest are rated Important. However, we encourage customers to test and deploy all applicable security updates as soon as possible.
The three Critical bulletins get our highest deployment priority this month. Those are:
- MS10-033 is a remote code execution vulnerability in both Quartz.dll and Asycfilt.dll and is rated Critical on all supported versions of Windows. Specially crafted media files could trigger the vulnerability when a user visits a web page or opens a malicious file.
- MS10-034 is a cumulative update for ActiveX Kill Bits and is Critical on Windows 2000, XP, Vista, and Windows 7. There are two Microsoft controls we are applying Kill Bits for. Those are the Internet Explorer 8 Developer Tools control, and the Data Analyzer ActiveX control. The latter control is not installed by default. In addition, there are Kill Bits for four third-party controls. Please review the bulletin for additional details.
- MS10-035 is a cumulative update for Internet Explorer. Of the six vulnerabilities addressed in the bulletin, only one, an information disclosure vulnerability, is publicly known. This issue was identified in Security Advisory 980088. We remain unaware of any active attacks against this vulnerability.
In the video below, Adrian Stone and I go in to some detail on the three priority bulletins and explain why each should be at the top of your list to install:
More listening and viewing options:
More listening and viewing options:
Also, included below is the aggregate risk and impact slide for June. Note that we do not typically give an Exploitability Index rating for ActiveX Kill Bits but as stated, this update should be a high priority.
Here is our overall deployment priority information:
There are additional subtleties with specific bulletins that I want to discuss here to eliminate potential confusion:
- MS10-032 is an elevation of privilege issue in the affected Microsoft products. There is a potential remote vector if applications fail to properly request the length of the buffer when calling the affected API. All Microsoft applications make this call properly but there may be applications out there that do not. Regardless, installing this update addresses the issue for all vectors. See our Security Research & Defense (SRD) blog for more details on this one.
- MS10-036 is a COM validation update. The issue could result in an attack through ActiveX in Office applications. This is not a new attack vector but the underlying vulnerability is and the bulletin addresses it. For additional clarification, I want to point out that Office XP does not have the architecture needed for the update. However, for customers running Office XP on Windows XP or newer operating systems, we have made a shim available that protects against the vulnerability. The shim can be installed via a Microsoft FixIt which can be downloaded from KB983235.
- MS10-039 is a SharePoint related update, closing out Security Advisory 983438 which addressed an elevation of privilege vulnerability. We are not currently aware of any attacks against this issue.
As usual, our SRD team has written several blog posts that go in to details on some of this month's bulletins and I encourage customers to review those for additional insight: http://blogs.technet.com/b/srd.
If you have questions about the June bulletins, please attend our public webcast tomorrow which I will be hosting with Adrian Stone from the MSRC. We will go in to additional details on each bulletin and along with a room full of subject matter experts attempt to address all of your questions. Here's how to register:
When: Wednesday June 10, 2010 at 11:00 a.m. PDT (UTC -7)
I hope you can join us then.
Group Manager, Response Communications
Follow us on Twitter: @MSFTSecResponse