Microsoft Security Response Center Blog

Assessing the risk of the June Security Bulletins

Tuesday, June 08, 2010

Today we released ten security bulletins. Three have a maximum severity rating of Critical and seven have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

Bulletin | Most likely attack vector | Max Bulletin Severity | Max Exploitability Index Rating | Likely first 30 days impact | Platform mitigations and key notes
MS10-035 (IE) | Victim browses to a malicious webpage.

June 2010 Security Bulletin Release

Tuesday, June 08, 2010

Hi everyone,

Today, as part of our regular monthly security bulletin release cycle, we released 10 bulletins to address 34 total vulnerabilities in Windows, Microsoft Office (including SharePoint), Internet Explorer (IE), Internet Information Services (IIS), and the .NET Framework. Only three of these bulletins get our maximum severity rating of Critical.

MS10-032: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege

Tuesday, June 08, 2010

Today we released a security update rated Important for CVE-2010-1255 in MS10-032. This vulnerability affects the win32k.sys driver. This blog post provides more information about this vulnerability that can help with prioritizing the deployment of updates this month.

What’s the risk?

A local attacker could write a custom user-mode attack application that passes a bad buffer to win32k.

MS10-035: Cross-Domain Information Disclosure Vulnerability

Tuesday, June 08, 2010

Today we released MS10-035, a security update with an Important severity rating, addressing CVE-2010-0255. We’d like to talk briefly about that specific vulnerability and how we’ve addressed it.

Background information

This issue primarily impacts Internet Explorer running on Windows XP. Attacks against Internet Explorer running on Windows Vista and newer platforms are mitigated by Internet Explorer Protected Mode.

June 2010 Security Bulletin Advance Notification

Thursday, June 03, 2010

Hi everyone,

Today we published our advance notification for the June security bulletin release, scheduled for release next Tuesday, June 8. This month’s release includes ten bulletins addressing 34 vulnerabilities. Six of the bulletins affect Windows; of those, two carry a Critical severity rating and four are rated Important. Two bulletins, both with a severity rating of Important, affect Microsoft Office.

Office Security Engineering: BlueHat v9 Presentation Revisited

Friday, May 21, 2010

Hi, this is Tom Gallagher from the Office Trustworthy Computing team. At BlueHat v9, David Conger and I presented some of the security engineering work that we were doing to help ensure the security of Office 2010. We don’t want a single bug in our parsing code to allow arbitrary code to harm a customer’s machine by doing things like installing a rootkit.

Strengthening the Security Cooperation Program

Tuesday, May 18, 2010

Handle: Cap’n Steve
IRL: Steve Adegbite
Rank: Senior Security Program Manager Lead
Likes: Reverse Engineering an obscene amount of code and ripping it up on a snowboard
Dislikes: Not much but if you hear me growl…run

G’day Mate! I have always wanted to say that. I am here at the AusCERT 2010 conference in the beautiful Gold Coast, Australia.

May 2010 Security Bulletin Webcast

Friday, May 14, 2010

Hi everyone,

Today we posted the questions and answers from this month’s security bulletin webcast. There were a few questions but overall, the webcast was pretty quick with only two bulletins. For the June bulletin release, our webcast will be on Wednesday June 9, 2010 at 11:00 a.m. PDT (UTC -7).

Monthly Security Bulletin Webcast Q&A - May 2010

Friday, May 14, 2010

Hosts: Adrian Stone, Senior Security Program Manager Lead; Jerry Bryant, Group Manager, Response Communications
Website: TechNet/security
Chat Topic: May 2010 Security Bulletin Release
Date: Wednesday, May 12, 2010

Q: Is Outlook Express installed by default in a Windows 2003 installation?
A: Outlook Express was included as an in-box component of Windows Server 2003.