Today, as part of our monthly security bulletin release, we have two bulletins addressing three vulnerabilities in Microsoft Windows and Windows Server. The first bulletin is rated Important, while the second is rated Critical.
- MS11-001. This bulletin resolves one reported issue rated Important and affecting Windows Vista. This security bulletin addresses a vulnerability in Windows Backup Manager. This has an Exploitability Index rating of 1, and gets a 2 on our deployment priority list.
- MS11-002. This bulletin addresses two vulnerabilities affecting all supported versions of Windows. The first vulnerability is rated Critical for Windows XP, Vista and Windows 7, and the second is rated Important for all supported versions of Windows Server. Both vulnerabilities involve the Microsoft Data Access Components (MDAC). This bulletin has an Exploitability Index rating of 1, and because there is a web-based attack vector, it is at the top of our deployment priority list.
We are not aware of Proof of Concept code or of any active attacks seeking to exploit the vulnerabilities addressed in this month's release.
In the video below, Jerry Bryant discusses this month's bulletins in further detail:
As always, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning.
Our risk and impact slide shows an aggregate view of the severity and exploitability index:
More information about this month's security updates can be found on the Microsoft Security Bulletin summary web page.
This month we are revising Security Advisory 2488013 to include an additional workaround in the form of a FixIt package that uses the Windows Application Compatibility Toolkit to protect customers from this vulnerability. This workaround only applies to systems that have the MS10-090 update for Internet Explorer installed. The vulnerability discussed in the advisory occurs when an attacker creates a malicious CSS file that points to itself and provides it to Internet Explorer. This action corrupts memory and could be exploited. Customers are encouraged to review the new workaround and assess it for their particular environment. Please see the Security Research and Defense blog for more technical information and you can download the FixIt package here.
Last month we published a blog post about the plan to backport Office File Validation to Office 2003 and 2007. We have still not announced the official launch date, but the Office team made a post showing the user experience when a file does not pass Office File Validation.
Finally, please join the monthly technical webcast with your hosts, Jerry Bryant and Dustin Childs, to learn more about the January 2011 security bulletin release. The webcast is scheduled for Wednesday, January 12, 2011 at 11:00 a.m. PST (UTC -8). Registration is available here.
For all the latest information, you can follow the MSRC team on Twitter at @MSFTSecResponse.
Sr. Security Response Communications Manager