Today we released nine security bulletins addressing 26 CVE’s (13 Microsoft and 13 Oracle CVE’s). Five of the bulletins have a maximum severity rating of Critical and the other four have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
(Windows Common Controls)
See this SRD blog post for more detail about this specific vulnerability, how it differs from the previous MSCOMCTL issue released in April, and workaround options we recommend to harden against any future vulnerabilities in this component.
This vulnerability cannot be triggered from within Outlook's preview pane. The email-based RTF attack vector would require double-clicking the RTF attachment.
(Windows Networking Components)
(Oracle Outside In for Exchange)
(Windows drivers [win32k.sys])
In addition to the nine new security bulletins, we have re-released MS12-043 to make available a security update for Microsoft XML Core Services 5.0 that was unavailable at the time of initial release.
Finally, we have also released a new security advisory, KB 2661254, to inform customers of an update available on the Download Center that restricts the use of certificates with RSA keys less than 1024 bits in length. This advisory announces that we plan to release this update through Microsoft Update in October, 2012 after customers have a chance to evaluate their unique environments with the update and take necessary actions to use certificates of 1024 or greater bit length.
- Jonathan Ness, MSRC Engineering