January 2010 Security Bulletin Release

Summary of Microsoft’s Security Bulletin Release for January 2010

Hi Everyone,

We hope that 2010 is off to a good start for you. For our first bulletin release of the New Year, we have one Critical bulletin affecting all versions of Windows. The bulletin, MS10-001, addresses one vulnerability in the Embedded OpenType Font Engine and is Critical on Windows 2000. For all other versions of Windows, the vulnerability gets a Low rating.

We’ve given the bulletin an aggregate rating of “2” on our Exploitability Index. This applies to Windows 2000 systems; all other systems are rated “3”. The vulnerable code is present on newer operating systems, but through the Security Development Lifecycle (SDL) there are several mitigations in place that reduce the likelihood of exploitation. Our Security Research & Defense (SRD) team has a great write-up on this in their blog. We do recommend that customers evaluate and deploy this update as soon as possible, especially those on Windows 2000.

The following risk and impact slide reflects the aggregate severity and exploitability index rating for this bulletin:

As you can see from our Deployment Priority slide, we give this a “2” based on the lower exploitability index rating and the Low severity and mitigations on most of the affected platforms:

We also want to mention that we re-released MS09-035, an Active Template Library (ATL) bulletin that was released out-of-band in July 2009. Today, we added Windows Embedded CE 6.0 to the affected products list. I want to be clear that this re-release affects only developers and OEMs building applications on top of Windows Embedded CE 6.0 or producing devices that use the operating system. For end users, no action is required. The vulnerable components were found during our ongoing investigation around ATL, and we determined there are no known attack vectors. The update package, KB974616, will only be offered through the Microsoft Download Center.

Additionally, we released Security Advisory 979267 to increase awareness among customers regarding reports of vulnerabilities in Adobe Flash Player 6, which shipped with Windows XP. Given that support for Adobe Flash Player 6 ended in 2006, Microsoft and Adobe recommend that customers uninstall this version and/or update to the latest version of Adobe’s Flash Player. Customers should note that Adobe addressed these vulnerabilities in newer versions of its software.

There are multiple ways to remove Adobe Flash Player 6 on Windows XP systems. For directions on the manual steps required to remove Adobe Flash Player 6, visit http://kb2.adobe.com/cps/127/tn_12727.html. Adobe also provides an uninstaller tool that removes all versions of the Flash Player, which you can find here: http://kb2.adobe.com/cps/141/tn_14157.html. NOTE: the uninstaller tool removes all versions of Flash and is not specific to Adobe Flash Player 6.
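Before running either of Adobe's removal procedures, an administrator usually wants to know which machines still carry the old control. The following PowerShell snippet is an added example, not part of the original post or of Adobe's or Microsoft's tooling: it reads the file version of the Flash ActiveX control and flags a version 6 install. The install path it checks is an assumption about the standard 32-bit location of the control on Windows XP, and the `Get-FlashPlayerStatus` function name is made up for this example; it uses only PowerShell 2.0 features so it can run on XP.

```powershell
# Added example (not from the MSRC post): report whether the Flash Player
# ActiveX control installed on a Windows XP machine is the unsupported
# version 6 referenced by Security Advisory 979267.
# ASSUMPTION: the control lives at the usual 32-bit location below.
$defaultFlashOcx = Join-Path $env:SystemRoot 'System32\Macromed\Flash\Flash.ocx'

function Get-FlashPlayerStatus {
    param([string]$Path = $defaultFlashOcx)

    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Object PSObject -Property @{
            Path        = $Path
            Version     = $null
            Unsupported = $false
            Note        = 'Flash.ocx not present at the assumed path'
        }
    }

    # File version strings may use commas ("6,0,79,0") or dots ("10.0.42.34");
    # only the major component matters for this check.
    $versionString = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
    $major = [int](($versionString -split '[,.]')[0])
    $isOld = ($major -le 6)

    if ($isOld) {
        $note = 'Adobe support for Flash Player 6 ended in 2006: uninstall it or update to the current Flash Player'
    } else {
        $note = 'Newer than Flash Player 6; keep it patched through Adobe'
    }

    New-Object PSObject -Property @{
        Path        = $Path
        Version     = $versionString
        Unsupported = $isOld
        Note        = $note
    }
}

# Run the check on the local machine and show the result.
Get-FlashPlayerStatus | Format-List Path, Version, Unsupported, Note
```

On a fleet, run the function through your existing remote-execution or inventory mechanism and collect the `Unsupported` field; machines that report `True` are the ones to point at the Adobe removal steps linked above.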

Please view the following video for more information about the updates we released today:


Today, we also added Win32/Rimecud to our Malicious Software Removal Tool (MSRT). This is a prevalent family of worms that spreads through fixed and removable drives as well as through instant messaging software.

For our live webcast tomorrow, I will be joined by Dustin Childs, security program manager with the Microsoft Security Response Center (MSRC), who manages many of the Windows security updates from initial report to release of the update. We will go into the full details of this month’s bulletin release, and we encourage you to bring your questions, which Dustin and I will answer live on the air. Here are the registration details:

Date: Wednesday Jan 13
Time: 11:00 a.m. PST (UTC -8)
Registration: http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032427677

On a final note, I want to call out that this year we will reach end of life on three Windows products/Service Packs:

  • Windows XP Service Pack 2 will no longer be supported as of July 13, 2010. Many customers are still on this version so we encourage upgrading to Service Pack 3 or to Windows 7 as soon as possible.
  • Windows Vista RTM will no longer be supported as of April 13, 2010. Service Pack 1 will still be supported until July 12, 2011 but we recommend customers update to Service Pack 2 or Windows 7 at this time.
  • Extended support for Windows 2000 will also be retired on July 13, 2010. At that time, we will no longer provide security or any other updates for Windows 2000.

It is important that customers stay current with the latest updates and Service Packs. For information on our support lifecycle policies and lifecycle information by product, please visit www.microsoft.com/lifecycle.


Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights*