November 2010 Security Bulletin Release

Hello all. As part of our usual cycle of monthly updates, today
Microsoft is releasing three security bulletins, addressing 11 vulnerabilities.
One of the bulletins has a Critical severity rating, while the other two are
rated Important. Recapping the trio:

  • MS10-087 This bulletin resolves five issues affecting
    all currently supported Microsoft Office products. The bulletin is rated Critical
    for Office 2007 and Office 2010 due to a preview pane vector in Outlook that
    could trigger the vulnerability when a customer views a specially crafted malicious
    RTF (Rich Text Format) file. The update also addresses an Office vector
    for the vulnerability described in Security Advisory 2269637, which has been
    referred to as “DLL Preloading” and “Binary planting.” MS10-087 is Microsoft’s top priority
    bulletin for deployment in November and has an Exploitability Index rating of 1.
  • MS10-088 This bulletin
    resolves two cooperatively disclosed vulnerabilities in Microsoft PowerPoint
    that could allow remote code execution if a user opens a specially crafted PowerPoint
    file. The overall severity rating is Important due to the user interaction
    required to open the malicious file, and we give the bulletin a rating of 2 in
    our deployment priority assessment.
  • MS10-089 This bulletin
    resolves four cooperatively disclosed vulnerabilities in Unified Access Gateway
    (UAG), which is a component of Microsoft Forefront. The most significant of
    these could allow elevation of privilege if a user clicks on a malicious link
    on a website. This update is offered through the Microsoft Download Center and
    is not available through Microsoft Update at this time. With an overall severity
    rating of Important and user interaction required to exploit, we also give this
    a deployment priority of 2.

We are not aware of any active attacks seeking to exploit the
vulnerabilities addressed in this month’s release. Please see the video below for
additional information on the November bulletins:



As always, we recommend that customers deploy all security updates
as soon as possible. To further assist customers in their deployment planning,
here is an aggregate view of risk and impact and our deployment priority
guidance:



Our Security Research & Defense (SRD)
team takes a closer look at some of the issues raised by this month’s round of
bulletins today on its

More information about the
security updates can be found on the Microsoft Security Bulletin summary web page. Our Exploitability
Index provides additional information to
help customers prioritize deployment of the monthly security bulletins.

Please join the monthly technical
webcast to learn more about the November 2010 security bulletin release. The
webcast is scheduled for Wednesday, November 10, 2010 at 11:00 a.m. PST (UTC -8).
Registration is available here.

Remember, you can follow the MSRC team for
late breaking news and updates on the threat landscape on Twitter at @MSFTSecResponse.


Jerry Bryant
Group Manager, Response Communications