Today we are releasing two Important security bulletins addressing eight vulnerabilities in Windows and Microsoft Office. Both bulletins have an aggregate Exploitability Index rating of “1” so we recommend that customers deploy these updates as soon as possible. The Microsoft Exploitability Index provides additional information to help customers prioritize deployment of monthly security bulletins. A summary of today’s security updates can be found on the Microsoft Security Bulletin webpage.
MS10-016 addresses one vulnerability in Windows Movie Maker. Both Windows XP and Windows Vista ship with affected versions (2.1 and 6.0 respectively). Version 2.6 is also vulnerable and can be freely downloaded and installed from the web. Customers who install 2.6 on any supported platform, including Windows 7, will be offered the update. In order to take advantage of the vulnerability, a user would need to open a specially crafted Movie Maker project file. These are files with the .mswmm file extension.
The MS10-016 bulletin also calls out Microsoft Producer 2003 in the affected products list. Producer 2003 is a free download with limited distribution. At this time, we are not offering an update for Producer 2003. Our standard approach is to produce updates that can be deployed automatically for all affected products at the same time but Producer 2003 does not offer a means for automatic update. Based on our investigation, we determined that the best way to protect the vast majority of customers was to release an update addressing the components that shipped with Windows. While we continue to investigate Producer 2003, we recommend that customers either uninstall the application or apply an available Microsoft Fix It to disassociate the project file type from the application to add an extra layer of security.
MS10-017 affects all currently supported versions of Microsoft Office Excel. It also affects Office 2004 and Office 2008 for Mac, the Open XML File Format Converter for Mac, supported versions of Excel viewer and SharePoint 2007. As with most Office vulnerabilities, a user would have to open a specially crafted file in order to be exploited.
Since both of today’s bulletins require user interaction, we give them both a “2” on our deployment priority scale:
Our Severity and Exploitability Index slide offers additional guidance to help customers prioritize this month’s bulletins:
In the following video, Adrian Stone and I give a brief overview of today’s bulletins:
|More listening and viewing options:|
Today we also re-released MS09-033 to add Virtual Server 2005 to the affected products list. Customers who have already installed the update for affected products do not have any additional actions.
Additionally, we continue to to monitor the threat landscape around Security Advisory 981169 regarding a vulnerability in VBScript that could allow remote code execution. We are not currently aware of any active attacks but encourage customers to review the advisory and apply the suggested workarounds where possible. Customers that are running Windows 7, Windows Server 2008, Windows Server 2008 R2, and Windows Vista are not affected.
Please join us tomorrow for a public webcast where Adrian Stone and I will go in to detail on these bulletins and answer customer questions with the help of the engineers who worked to produce them so please plan to join us.
Date: Wednesday, March 10
Time: 11:00 a.m. PST (UTC -8)
Sr. Security Communications Manager Lead
*This posting is provided "AS IS" with no warranties, and confers no rights.*