Today we released eleven security bulletins with security updates addressing 25 CVE’s. Five of the bulletins have at least one CVE rated Critical. We hope that the table below helps you prioritize this month’s deployment.
There is one additional factor not represented in this table. MS10-019 may be more important to prioritize than it would appear at first glance. User education for years has stressed the need to check the signer or publisher of executable content before allowing it to run. MS10-019 represents an opportunity for attackers to potentially embed malicious content in an executable or executable-equivalent without invalidating the Authenticode-assured publisher. Specifically, the vulnerability allows an attacker to downgrade from strong Authenticode v2 checks to the weaker Authenticode v1 algorithm. The vulnerabilities addressed by MS10-019 will not lead to code execution directly for default installations; however, if you have users making Authenticode-based trust decisions to run content that might have been modified by malicious attackers, MS10-019 should be prioritized higher for your environment.
- Jonathan Ness and Andrew Roths, MSRC Engineering
*Posting is provided "AS IS" with no warranties, and confers no rights.*