Get on-the-go access to the latest insights featured on our Trustworthy Computing blogs.
Today as part of our monthly security bulletin release we have two bulletins addressing three vulnerabilities in Microsoft Windows and Windows Server. This first bulletin is rated Important, while the second is rated Critical.
We are not aware of Proof of Concept code or of any active attacks seeking to exploit the vulnerabilities addressed in this month's release.
In the video below, Jerry Bryant discusses this month's bulletins in further detail:
As always, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning (click for larger view).
Our risk and impact slide shows an aggregate view of the severity and exploitability index:
More information about this month's security updates can be found on the Microsoft Security Bulletin summary web page.
This month we are revising Security Advisory 2488013 to include an additional workaround in the form of a FixIt package that uses the Windows Application Compatibility Toolkit to protect customers from this vulnerability. This workaround only applies to systems that have the MS10-090 update for Internet Explorer installed. The vulnerability discussed in the advisory occurs when an attacker creates a malicious CSS file that points to itself and provides it to Internet Explorer. This action corrupts memory and could be exploited. Customers are encouraged to review the new workaround and assess it for their particular environment. Please see the Security Research and Defense blog for more technical information and you can download the FixIt package here.
Last month we published a blog talking about the plan to back port Office File Validation to Office 2003 and 2007. We have still not announced the official launch date but the Office team made a post showing the user experience when a file does not pass Office File Validation.
Finally, please join the monthly technical webcast with your hosts, Jerry Bryant and Dustin Childs, to learn more about the January 2011 security bulletin release. The webcast is scheduled for Wednesday, January 12, 2011 at 11:00 a.m. PST (UTC -8). Registration is available here.
For all the latest information, you can follow the MSRC team on Twitter at @MSFTSecResponse.
Carlene ChmajSr. Security Response Communications Manager