Today, as part of our regular monthly security bulletin release process, we are releasing 16 comprehensive updates addressing 49 vulnerabilities affecting Windows, Internet Explorer (IE), Microsoft Office, and the .NET Framework. This release represents our commitment to provide predictable, high-quality updates as part of the service our customers get when they buy Microsoft products.
Looking at the number and type of updates this month, we have a fairly standard number of bulletins affecting products like Windows and Office. This month we also have a few bulletins originating from product groups that we don't see on a regular basis. For example, SharePoint, the Microsoft Foundation Class (MFC) Library (which is an application framework for programming in Windows), and the .NET Framework. It's worth noting that only six of the 49 total vulnerabilities being addressed have a critical rating. Further, three of the bulletins account for 34 of the total vulnerabilities.
- MS10-071 (Critical) Cumulative Security Update for Internet Explorer. Note: Internet Explorer 8 is only affected by one RCE listed and IE 9 beta is not affected.
- MS10-076 (Critical) Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution.
- MS10-077 (Critical) Vulnerability in .NET Framework Could Allow Remote Code Execution. Note: this affects .NET Framework 4.0.
- MS10-075 (Critical) Vulnerability in Media Player Network Sharing Service Could Allow Remote Code Execution.
Below is the aggregate risk and impact for October and the overall deployment priority information to further aid in prioritization:
The video below provides additional viewpoints on the priority bulletins and explains why each should be at the top of your list to install:
Our Security Research & Defense team has written blog posts to provide further technical details on the bulletins. Also of note, MS10-073 contains an update (rated Important) that addresses a local Elevation of Privilege as part of the two additional Stuxnet related elevate privilege vulnerabilities we announced in September. The second and final issue will be addressed in an upcoming bulletin.
Tomorrow, please join Jerry Bryant, group manager, Response Communications, and special guest Jonathan Ness, principle security SDE lead, from the Security Research & Defense team for a webcast where they will go into details on this month's release. We will also have a room full of subject matter experts standing by to help answer all of your questions during the session. You can register here:
Date: Wednesday, October 13, 2010
Time: 11:00 a.m. PDT (UTC -7)
Register: Attendee Registration
Security Response Senior Communications Manager
Follow us on Twitter: @MSFTSecResponse