Hi everyone. As part of our usual cycle of monthly
security updates, today Microsoft is releasing 17 bulletins addressing 40
vulnerabilities in Microsoft Windows, Office, Internet Explorer, SharePoint
Server and Exchange. Two of those bulletins carry a Critical rating, while 14
are rated Important and one is rated Moderate.
We've assigned our highest deployment priority to the two
Critical bulletins, though we recommend that customers deploy all updates as
soon as possible.
MS10-090: This bulletin resolves seven issues -- five Critical, two Moderate --
affecting all supported versions of Internet Explorer, on both Windows clients
and Windows servers. Among its other updates, it addresses a vulnerability
previously described in Security Advisory 2458511.

MS10-091: This bulletin is Critical and addresses three vulnerabilities in Windows'
OpenType Font driver. All three issues were privately reported and we are not
aware of any active attacks using them.
As mentioned, the other 15 bulletins this month carry
lower severity ratings - including MS10-092, the bulletin that closes out the
last known vulnerability exploited by the Stuxnet malware. To assist in your
planning and implementation of the bulletins, please consult this month's
Deployment Priority chart.

Jerry Bryant, group manager for response communications,
gives more information about the December bulletins in this overview video:
More information about this month's security updates can
be found on the Microsoft Security Bulletin summary web page. Our Exploitability Index provides additional information to help
customers plan for deployment of these monthly security bulletins.
We are also releasing updated Malicious Software Removal
Tool signatures this month. The MMPC blog goes into detail on QakBot, the subject of
this month's update.
Finally, we invite everyone to join the monthly technical
webcast to learn more about the December 2010 security bulletin release. The webcast
is scheduled for Wednesday, December 15, 2010 at 11:00 a.m. PST (UTC
-8). Registration is available here.
Remember, you can follow the MSRC team for late-breaking
news and updates on the threat landscape on Twitter at @MSFTSecResponse.
Senior Marketing Communications Manager