As part of Microsoft's regular Patch Tuesday schedule, the company released two patches that fix eight holes in Windows and Microsoft Office. Both patches have an overall rating of "important" but using another metric, Microsoft's Exploitability Index, they have earned the highest rating of "1." This means that Microsoft Security believes that exploit code is not only likely, but that it can be created in such a way as to be consistently successful.
Equally important was the stuff Microsoft did not choose to patch, but is investigating, or simply warning users about with workarounds that involve turning off the vulnerable feature. I'll get to those details in a minute. For now, here are the two patches:
- MS10-016 addresses one vulnerability in Windows and Office. It fixes problems in the Windows Movie Maker feature that shipped with XP, Vista and Windows 7 that could allow remote code execution.
- MS10-017 addresses seven vulnerabilities in Office, particularly in all versions of Excel, and experts suggest that this patch get your attention first. "MS10-017 should be addressed first on your network. Microsoft Excel attachments are as common as Meryl Streep nominations at the Oscars. Opening a malicious Excel document could lead to remote code execution," says Jason Miller, data and security team leader from patch vendor Shavlik Technologies.
- MS09-033 (Re-release) has been re-released to add Microsoft Virtual Server 2005 to affected software. This fixes problems in Virtual PC and Virtual Server (versions 2007 and 2005) that could allow elevation of privilege. This patch was originally issued in July. Microsoft says, This vulnerability could allow an attacker to run code with elevated privileges inside the hosted guest operating system. An attacker could then install programs; view, change, or delete data; or create new accounts on the guest operating system with full user rights."
In addition, Microsoft issued two "heads up" alerts about reported holes in Internet Explorer 6 and IE 7 (not IE8) and VBScript. Microsoft is investigating both holes, but has not yet created patches for them. As for the IE hole, Microsoft says that it has heard of some targeted attacks that could allow remote code execution, but some versions of the browser are not affects. "Our investigation so far has shown that Internet Explorer 8 and Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 are not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6 and Internet Explorer 7 are vulnerable."
The VBScript hole is also said to allow an attacker to executive code remotely thanks to everybody's favorite browser, Internet Explorer. It is reported to occur on Windows 2000, XP, Windows Server 2003.
A third interesting item to note this month is that users of Microsoft Producer 2003 are affected by the Movie Maker hole (MS10-016), says Miller, and no patch will be coming in the foreseeable future. Microsoft is instead advising administrators to get rid of the problematic component on user's machines.
Posted by Julie Bort
Like this post? Check out these others.
Plus, visit the Microsoft Subnet web site for more news, blogs, podcasts. Subscribe to all Microsoft Subnet bloggers. Sign up for the bi-weekly Microsoft newsletter. (Click on News/Microsoft News Alert.) All Microsoft Subnet bloggers on Twitter Julie Bort on Twitter
- Microsoft at last releases famed Red Hat/Linux virtualization drivers
- Microsoft redeeming itself on security issues?
- Microsoft publishes Outlook PST files, but uses funky patent language
- Microsoft confirms rootkit to blame for Windows crashes after patch is installed
- IE 6: Patch Tuesday won't be the same without you
- Microsoft fixes 26 security holes, warns on unpatched multi-vendor SSL vulnerability
- Introducing Windows Multipoint Server 2010
- SSIS 2008 Lookup Caching…
- 7 big IT orgs that showed Microsoft the door