Today we are releasing two security bulletins, MS10-030 and MS10-031, to address two vulnerabilities in Windows and Microsoft Office, both rated Critical. As always, we recommend that customers test and deploy both security updates as soon as possible.
MS10-030 is a Windows-based update resolving one vulnerability affecting Outlook Express, Windows Mail and Windows Live Mail. Windows 2000, XP, Vista, Server 2003, and Server 2008 all have a severity rating of Critical. Windows 7 and Windows Server 2008 R2 are rated Important when an affected mail client is installed; however, neither has a mail client installed by default. To successfully take advantage of this vulnerability, an attacker would either have to host a malicious mail server or compromise a mail server. Alternatively, an attacker could perform a man-in-the-middle attack and attempt to alter responses to the client. Heap mitigations built into Windows Vista and newer operating systems make exploitation of this vulnerability unlikely. Overall, we have rated this 2 on our Exploitability Index and do not expect reliable exploit code to surface in the next 30 days.
MS10-031 addresses one vulnerability in Microsoft Visual Basic for Applications (VBA). This security update is rated Critical for Microsoft VBA SDK 6.0 and third-party applications that use Microsoft VBA. For all supported versions of Office XP, Office 2003 and Office 2007, MS10-031 is rated Important due to the user interaction required in order to successfully exploit this issue. The update addresses the vulnerability by modifying the way VBA searches for ActiveX Controls embedded in documents. This bulletin is also rated a 2 on our Exploitability Index.
Our deployment priority guidance reflects the reduced exploitability index ratings for these bulletins. We have also provided the usual Risk & Impact slide showing the aggregate severity and exploitability index ratings.
These graphs are available for public use.
For more information about the security updates, go to the Microsoft Security Bulletin summary webpage. Microsoft’s Exploitability Index provides additional information to help customers prioritize deployment of the monthly security bulletins. Also, our Security Research & Defense team has provided more in-depth analysis on their blog here.
Two other items of note:
Security Advisory 983438 is available and includes workarounds for customers regarding a cross-site scripting (XSS) vulnerability in SharePoint Server. We are not aware of any active attacks at this time and we will continue to monitor the threat landscape and post an updated security advisory should it be needed.
Microsoft is also asking that customers on platforms nearing end-of-support update to the latest supported service packs or to the latest operating systems in order to continue receiving security updates.
- Windows XP Service Pack 2 will no longer be supported after July 13, 2010. Many customers are still on this version, and are encouraged to upgrade to Service Pack 3 or to Windows 7 as soon as possible.
- Extended support for Windows 2000 will also be retired as of July 13, 2010. After that time, Microsoft will no longer provide security or any other updates for Windows 2000.
We encourage customers to join our technical webcast tomorrow to learn more about today’s security bulletin release. The webcast is scheduled for Wednesday, May 12, 2010 at 11:00 a.m. PDT (UTC -7). Registration is available here.
Reminder: You can follow the team for late-breaking news and updates on the threat landscape here: @MSFTSecResponse.
Group Manager, Response Communications
*This posting is provided "AS IS" with no warranties, and confers no rights*