Partner Alert: MS Security Bulletin MS10-018


This alert is to provide you with an overview of Microsoft Security Bulletin MS10-018, the Cumulative Security Update for Internet Explorer, released (out-of-band) on Tuesday, March 30. This bulletin addresses ten vulnerabilities in Internet Explorer. Microsoft recommends that partners secure their own systems, then reach out to customers to assist them in ensuring their systems are secured.

 

You are invited to attend a live webcast hosted by the Microsoft U.S. partner team to address partner questions about this bulletin.  This webcast will also be recorded. 

Title: Information About Microsoft’s March 2010 Out-of-Band Security Bulletin Release

Date: Thursday, April 1, 2010, at 9:00 A.M. Pacific Time.

URL: https://training.partner.microsoft.com/learning/app/management/registrationex/LMS_Registration.aspx?UserMode=0&ActivityId=579197

 

Please see below for important resources and a bulletin summary.

 

KEY RESOURCES

· We recommend Microsoft partners use the Microsoft TechNet Security TechCenter as a source of security information: http://technet.microsoft.com/security

· Security Bulletin MS10-018 – Cumulative Security Update for Internet Explorer (980182): http://www.microsoft.com/technet/security/bulletin/MS10-018.mspx

· Security Advisory 981374 – Vulnerability in Internet Explorer Could Allow Remote Code Execution: http://www.microsoft.com/technet/security/advisory/981374.mspx

· Microsoft Security Response Center (MSRC) Blog: http://blogs.technet.com/msrc/

· Internet Explorer 8 Deployment Guide: http://technet.microsoft.com/en-us/library/cc985339.aspx

 

BULLETIN SUMMARY

Bulletin ID: MS10-018

Bulletin Title: Cumulative Security Update for Internet Explorer (980182)

Maximum Severity Rating: Critical

Vulnerability Impact: Remote Code Execution

Restart Requirement: Requires a restart

Affected Software: All supported versions of Internet Explorer on supported versions of Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008*, Windows 7, and Windows Server 2008 R2.*

* Where indicated in the Affected Software table on the bulletin Web page, the vulnerabilities addressed by this update do not affect supported editions of Windows Server 2008 or Windows Server 2008 R2, when installed using the Server Core installation option. Affected software listed above is an abstract. Please see the bulletin at the link in the left column for complete details.

 

New Security Bulletin Technical Details

 

In the following tables of affected and non-affected software, software editions that are not listed are past their support lifecycle. To determine the support lifecycle for your product and edition, visit the Microsoft Support Lifecycle Web site at http://support.microsoft.com/lifecycle/.

 

Bulletin Identifier: Microsoft Security Bulletin MS10-018

Bulletin Title: Cumulative Security Update for Internet Explorer (980182)

Executive Summary

This security update resolves seven privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The more severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.

 

The security update addresses these vulnerabilities by modifying the way that Internet Explorer handles objects in memory, validates input parameters, and filters HTML attributes.

 

This security update also addresses the vulnerability first described in Microsoft Security Advisory 981374.

Affected Software

All supported versions of Internet Explorer on supported versions of Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2*.


* Where indicated in the Affected Software table on the bulletin Web page, the vulnerabilities addressed by this update do not affect supported editions of Windows Server 2008 or Windows Server 2008 R2, when installed using the Server Core installation option. Please see the bulletin Web page at the link below for more details.

CVE, Exploitability Index Rating

· CVE-2010-0267: Uninitialized Memory Corruption Vulnerability (EI = 3)
