Today we released seventeen security bulletins. Two have a maximum severity rating of Critical, fourteen have a maximum severity rating of Important, and one has a maximum severity rating of Moderate. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

| Bulletin | Most likely attack vector | Max Bulletin Severity | Max Exploitability | Likely first 30 days impact | Platform mitigations and key notes |
|---|---|---|---|---|---|
| MS10-090 (IE) | Victim browses to a malicious webpage. | Critical | 1 | Public exploit exists for CVE-2010-3962. Exploits work on IE6 and IE7 on Windows XP. | We have not seen CVE-2010-3962 exploits that have successfully bypassed DEP. Therefore, IE8 users are at reduced risk. |
| MS10-091 (OpenType Font driver) | Victim using explorer.exe browses to a folder containing a malicious OTF file. | Critical | 1 | Likely to see an exploit released granting a local attacker SYSTEM level access. | Windows XP and Windows Server 2003 are not vulnerable to the shell preview attack vector. |
| MS10-092 (Task Scheduler) | Attacker already running code on a machine elevates from a low-privileged account to SYSTEM. | Important | 1 | This vulnerability is being exploited by the Stuxnet malware. | |
| MS10-098 (win32k.sys) | Attacker already running code on a machine elevates from a low-privileged account to SYSTEM. | Important | 1 | Likely to see an exploit released granting a local attacker SYSTEM level access. | |
| MS10-105 (Graphics filters) | Victim opens a malicious Office document. | Important | 1 | Likely to see an exploit released for one or more of the CVEs addressed by this bulletin. | Later versions of Microsoft Office have disabled support for several of these graphics filters. Please see SRD blog post here for more detail. |
| MS10-103 (Publisher) | Victim opens a malicious .PUB file. | Important | 1 | Likely to see an exploit released. | |
| MS10-099 (RRAS) | Attacker already running code on a machine elevates from a low-privileged account to SYSTEM. | Important | 1 | Likely to see an exploit released granting a local attacker SYSTEM level access. | Systems that have not configured a VPN or RAS connection are not vulnerable by default. |
| DLL Preloading Issues (MS10-093, MS10-094, MS10-095, MS10-096, MS10-097) | Victim browses to a malicious WebDAV share and launches an application by double-clicking a content file hosted on the attacker-controlled WebDAV share. | Important | 1 | Public proof-of-concept code already exists for several of these vulnerabilities. | |
| MS10-101 (Netlogon) | Attacker sends a malicious RPC network request to a Windows Server acting as a domain controller. The request must be sent from a domain-joined workstation on which the attacker has administrative privileges. The request could bugcheck the Windows server. | Important | 3 | Due to the mitigating factors, unlikely to see widespread exploitation for denial of service. | Attacker must have administrative rights on a domain-joined machine to launch this attack. |
| MS10-102 (Hyper-V) | Attacker with administrative control of a guest OS can bugcheck (reboot) the host OS. | Important | 3 | Unlikely to see widespread exploitation of this denial-of-service issue. | |
| MS10-100 (Consent) | Attacker already running code on a machine elevates from a low-privileged account to the workstation account (Machine$). | Important | 1 | While an exploit could be developed for this issue, the severity of the elevation is limited. This is not a typical elevation of privilege vulnerability, which would result in administrative control of the system. | |
| MS10-104 (SharePoint) | If an off-by-default service is enabled, an attacker can upload a malicious executable and potentially cause it to be run with Guest privileges on SharePoint Server. | Important | 1 | Unlikely to see widespread exploitation as the service is not enabled by default. | SharePoint servers in production are unlikely to be vulnerable by default. See this SRD blog post for more information. |
| MS10-106 (Exchange) | Attacker sends a malicious RPC network request to an Exchange Server, causing it to enter an infinite loop denial-of-service condition. The specific RPC function requires the attacker to be authenticated. | Moderate | 3 | Due to the mitigating factors, unlikely to see widespread exploitation for denial of service. | |

– Jonathan Ness, MSRC Engineering
*Posting is provided “AS IS” with no warranties, and confers no rights.*