Hi everyone. As part of our usual cycle of monthly security updates, today Microsoft is releasing 17 bulletins addressing 40 vulnerabilities in Microsoft Windows, Office, Internet Explorer, SharePoint Server and Exchange. Two of those bulletins carry a Critical rating, while 14 are rated Important and one is rated Moderate.

We've assigned our highest deployment priority to the two Critical bulletins, though we recommend that customers deploy all updates as soon as possible.

  • MS10-090 This bulletin resolves seven issues -- five Critical, two Moderate -- affecting all supported versions of Internet Explorer, on both Windows clients and Windows servers. Among its other updates, it addresses a vulnerability previously described in Security Advisory 2458511.
  • MS10-091 This bulletin is Critical and addresses three vulnerabilities in Windows' OpenType Font driver. All three issues were privately reported and we are not aware of any active attacks using them.

As mentioned, the other 15 bulletins this month carry lower severity ratings - including MS10-092, the bulletin that closes out the last known vulnerability exploited by the Stuxnet malware. To assist in your planning and implementation of the bulletins, please consult this month's Deployment Priority chart (click for larger view).

Jerry Bryant, group manager for response communications, gives more information about the December bulletins in this overview video:

 

More information about this month's security updates can be found on the Microsoft Security Bulletin summary web page.  Our Exploitability Index provides additional information to help customers plan for deployment of these monthly security bulletins.

 

We are also releasing updated Malicious Software Removal Tool signatures this month. The MMPC blog goes into detail on QakBot, the subject of this month's update.

Finally, we invite everyone to join the monthly technical webcast to learn more about the December 2010 security bulletin release. The webcast is scheduled for Wednesday, December 15, 2010 at 11:00 a.m. PST (UTC -8). Registration is available here.

Remember, you can follow the MSRC team for late-breaking news and updates on the threat landscape on Twitter at @MSFTSecResponse.

Thanks,

Angela Gunn
Senior Marketing Communications Manager