Today we released ten security bulletins. Three have a maximum severity rating of Critical and seven have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
Most likely attack vector
Max Bulletin Severity
Max Exploit-ability Index Rating
Likely first 30 days impact
Platform mitigations and key notes
Victim browses to a malicious webpage.
Proof-of-concept has been presented publicly for Information Disclosure issue.
Likely to also see exploit released for one or more of these memory corruption vulnerabilities.
IE users on later platforms at reduced risk due to Protected Mode mitigating the information disclosure issue. IE8 users on Windows Vista and Windows 7 at reduced risk due to presence of DEP and ASLR.
Please see this SRD blog post for more information
Victim browses to a malicious webpage or opens a malicious AVI movie with Media Player.
Likely to see an exploit released able to exploit the vulnerability in MJPEG parsing.
May see an exploit released able to exploit one or both of the Microsoft ActiveX controls.
CVE-2010-0252: Victim must have Office XP’s Data Analyzer (MSDA) package installed to be vulnerable.
CVE-2010-0811: User interaction required
Attacker already running code with low privileges on a vulnerable machine runs a malicious EXE to elevate to a higher privilege level.
Likely to see an exploit released able to elevate from a low privileged user on the box to a higher privilege.
Please see this SRD blog post for more information about exploitability
Victim opens a malicious XLS file that exploits a vulnerability to run arbitrary code.
Exploit likely to be developed for one of more of these XLS parsing vulnerabilities in the next 30 days.
Victim opens a malicious Office document that instantiates an ActiveX control to result in code execution.
Likely to see malicious Office documents that exploit this within the next 30 days.
Victim clicks an attacker-sent link to a Sharepoint server on which they have administrative rights. Attacker-supplied link causes them to take an automatic action on the Sharepoint Server.
Proof-of-concept already public for this issue. However, we have not heard of real-world attacks from either customers or partners.
Attacker connects remotely over HTTP to IIS server that has installed the (optional) Channel Binding Update and has enabled (off-by-default) Windows Authentication.
Less likely to see exploits developed resulting in successful code execution in next 30 days.
Local user running at low privileges on a vulnerable machine runs a malicious EXE to elevate to a higher privilege level.
Less likely to see exploits developed resulting in successful code execution in next 30 days
Custom .NET applications that rely on XML signature protection as tamper protection could be tampered with in an undetected manner.
Unlikely to see exploit developed in the next 30 days.
No Microsoft .NET applications are vulnerable to this issue. Usage of the specific API thought to be low in real-world.
Special thanks to all of MSRC Engineering for their work on these cases.
- Jonathan Ness, MSRC Engineering