Hi everyone. As part of our usual monthly update cycle, today Microsoft is releasing four security bulletins to address five vulnerabilities in Windows and Microsoft Office.
MS10-042 resolves a publicly disclosed and actively exploited vulnerability discussed in Security Advisory 2219475. The update addresses an issue in the Windows Help and Support Center feature included in Windows XP and Windows Server 2003. Even though this issue affects Server 2003, we have not found an attack vector on that platform so the severity rating is Low. Windows XP customers should install this update as soon as possible.
MS10-043 resolves a publicly disclosed vulnerability in the Canonical Display Driver (cdd.dll). Although it is possible that the vulnerability could allow code execution, successful code execution is unlikely due to memory randomization. In most scenarios, it is much more likely that an attacker who successfully exploited this vulnerability could cause a Denial of Service (DoS). Note that this bulletin affects only 64-bit versions of Windows 7 and Windows Server 2008 R2 with Windows Aero enabled. Aero is not installed by default on Server 2008 R2. We are not aware of any active attacks against this issue.
MS10-044 resolves two privately reported vulnerabilities in Microsoft Office Access ActiveX Controls. This issue could allow remote code execution if a customer with Access installed opened a specially crafted Office file, or viewed a Web page that instantiated Access ActiveX controls. This security update is rated Critical for supported editions of Microsoft Office Access 2003 and Microsoft Office Access 2007.
MS10-045 This security update resolves another privately reported vulnerability that could allow remote code execution if a customer opened an attachment in a specially crafted e-mail message using an affected version of Outlook -- Microsoft Outlook 2002, Microsoft Office Outlook 2003, or Microsoft Office Outlook 2007.
The following video provides an overview of these four bulletins:
Other listening and viewing options:
Both Windows vulnerabilities and one Office vulnerability have Critical severity ratings, while the second Office vulnerability carries an Important severity rating.
As always, Microsoft recommends that customers test and deploy all security updates as soon as possible. We recommend that deployment priority be given to MS10-042 and MS10-045.
For a more in-depth look at these issues, our Security Research & Defense (SRD) team has taken a closer look at both these bulletins on its blog.
We also include one bulletin re-release, MS10-024, in this cycle. The re-release will address the issue previously noted in KB976323, in which the installation of the bulletin reset user-configured settings for SMTP servers on Windows Server 2008-based systems with Internet Information Services (IIS) installed. Users who have previously installed MS01-024 will not be offered the re-released update.
Today also marks the end of support for Windows XP Service Pack 2. Customers who have not migrated from this version are encouraged to upgrade immediately, either to Service Pack 3 or to Windows 7. In addition, after today's bulletin release, we will no longer provide support for all Windows 2000 products as we have reached the end of extended support.
More information about the security updates can be found on the Microsoft Security Bulletin summary webpage. Our Exploitability Index provides additional information to help customers prioritize deployment of the monthly security bulletins.
Please join the monthly technical webcast to learn more about the May 2010 security bulletin release. The webcast is scheduled for Wednesday, July 14, 2010 at 11:00 a.m. PDT (UTC -7). Registration is available here.
Reminder: You can follow the team for late breaking news and updates on the threat landscape here: @MSFTSecResponse.
Group Manager, Response Communications