Today we’re releasing two security bulletins, MS10-030 and MS10-031, to address two vulnerabilities in Windows and Microsoft Office, both rated Critical. As always, we recommend that customers test and deploy both security updates as soon as possible.
MS10-030 is a Windows-based update resolving one vulnerability affecting Outlook Express, Windows Mail and Windows Live Mail. Windows 2000, XP, Vista, Server 2003, and Server 2008 all have a severity rating of Critical. Windows 7 and Windows Server 2008 R2 are rated Important when an affected mail client is installed; however, neither has a mail client installed by default. To successfully take advantage of this vulnerability, an attacker would have to either host a malicious mail server or compromise a mail server. Alternatively, an attacker could perform a man-in-the-middle attack and attempt to alter responses to the client. Heap mitigations built into Windows Vista and newer operating systems make exploitation of this vulnerability unlikely. Overall, we have rated this 2 on our Exploitability Index and do not expect reliable exploit code to surface in the next 30 days.
MS10-031 addresses one vulnerability in Microsoft Visual Basic for Applications (VBA). This security update is rated Critical for Microsoft VBA SDK 6.0 and third-party applications that use Microsoft VBA. For all supported versions of Office XP, Office 2003 and Office 2007, MS10-031 is rated Important due to the user interaction required in order to successfully exploit this issue. The update addresses the vulnerability by modifying the way VBA searches for ActiveX Controls embedded in documents. This bulletin is also rated a 2 on our Exploitability Index.
You can read more and get all the details straight from the Microsoft Security Response Center here.
J.C. Hornbeck | System Center Knowledge Engineer