LanGuard reports

Supported Microsoft Security Bulletins

More information on 2010 updates

Bulletin ID:
MS10-106
Title:
Vulnerability in Microsoft Exchange Server Could Allow Denial of Service (2407132)
Update Type:
Security Update
Severity:
Moderate
Date:
2010-12-14
Description:
This security update resolves a privately reported vulnerability in Microsoft Exchange Server. The vulnerability could allow denial of service if an authenticated attacker sent a specially crafted network message to a computer running the Exchange service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.
Vulnerabilities:
CVE-2010-3937
Included Updates:
2407132
Applies to:
Exchange Server 2007

Bulletin ID:
MS10-105
Title:
Vulnerabilities in Microsoft Office Graphics Filters Could Allow for Remote Code Execution (968095)
Update Type:
Security Update
Severity:
Important
Date:
2010-12-14
Description:
This security update resolves seven privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user viewed a specially crafted image file using Microsoft Office. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2010-3945
CVE-2010-3946
CVE-2010-3947
CVE-2010-3949
CVE-2010-3950
CVE-2010-3951
CVE-2010-3952
Included Updates:
2288931
2289078
2289162
2289163
2431831
2456849
968095
Applies to:
Microsoft Works 9
Office 2002/XP
Office 2003
Office 2007
Office 2010

Bulletin ID:
MS10-104
Title:
Vulnerability in Microsoft SharePoint Could Allow Remote Code Execution (2455005)
Update Type:
Security Update
Severity:
Important
Date:
2010-12-14
Description:
This security update resolves a privately reported vulnerability in Microsoft SharePoint. The vulnerability could allow remote code execution in the security context of a guest user if an attacker sent a specially crafted SOAP request to the Document Conversions Launcher Service in a SharePoint server environment that is using the Document Conversions Load Balancer Service. By default, the Document Conversions Load Balancer Service and Document Conversions Launcher Service are not enabled in Microsoft Office SharePoint Server 2007.
Vulnerabilities:
CVE-2010-3964
Included Updates:
2433089
2455005
Applies to:
Office 2007

Bulletin ID:
MS10-103
Title:
Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution (2292970)
Update Type:
Security Update
Severity:
Important
Date:
2010-12-14
Description:
This security update resolves five privately reported vulnerabilities in Microsoft Publisher that could allow remote code execution if a user opens a specially crafted Publisher file. An attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2010-2569
CVE-2010-2570
CVE-2010-2571
CVE-2010-3954
CVE-2010-3955
Included Updates:
2284692
2284695
2284697
2292970
2409055
Applies to:
Office 2002/XP
Office 2003
Office 2007
Office 2010

Bulletin ID:
MS10-102
Title:
Vulnerability in Hyper-V Could Allow Denial of Service (2345316)
Update Type:
Security Update
Severity:
Important
Date:
2010-12-14
Description:
This security update resolves a privately reported vulnerability in Windows Server 2008 Hyper-V and Windows Server 2008 R2 Hyper-V. The vulnerability could allow denial of service if a specially crafted packet is sent to the VMBus by an authenticated user in one of the guest virtual machines hosted by the Hyper-V server. An attacker must have valid logon credentials and be able to send specially crafted content from a guest virtual machine to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
Vulnerabilities:
CVE-2010-3960
Included Updates:
2345316
Applies to:
Windows Server 2008
Windows Server 2008 R2

Bulletin ID:
MS10-101
Title:
Vulnerability in Windows Netlogon Service Could Allow Denial of Service (2207559)
Update Type:
Security Update
Severity:
Important
Date:
2010-12-14
Description:
This security update resolves a privately reported vulnerability in the Netlogon RPC Service on affected versions of Windows Server that are configured to serve as domain controllers. The vulnerability could allow denial of service if an attacker sends a specially crafted RPC packet to the Netlogon RPC Service interface on an affected system. An attacker requires administrator privileges on a machine that is joined to the same domain as the affected domain controller in order to exploit this vulnerability.
Vulnerabilities:
CVE-2010-2742
Included Updates:
2207559
Applies to:
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2

Bulletin ID:
MS10-100
Title:
Vulnerability in Consent User Interface Could Allow Elevation of Privilege (2442962)
Update Type:
Security Update
Severity:
Important
Date:
2010-12-14
Description:
This security update resolves a privately reported vulnerability in the Consent User Interface (UI). The vulnerability could allow elevation of privilege if an attacker runs a specially crafted application on an affected system. An attacker must have valid logon credentials and the SeImpersonatePrivilege and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
Vulnerabilities:
CVE-2010-3961
Included Updates:
2442962
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2008
Windows Server 2008 R2
Windows Vista

Bulletin ID:
MS10-099
Title:
Vulnerability in Routing and Remote Access Could Allow Elevation of Privilege (2440591)
Update Type:
Security Update
Severity:
Important
Date:
2010-12-14
Description:
This security update addresses a privately reported vulnerability in the Routing and Remote Access NDProxy component of Microsoft Windows. This security update is rated Important for all supported editions of Windows XP and Windows Server 2003. All supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are not affected by the vulnerability. For more information, see the subsection, Affected and Non-Affected Software, in this section.
Vulnerabilities:
CVE-2010-3963
Included Updates:
2440591
Applies to:
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-097
Title:
Insecure Library Loading in Internet Connection Signup Wizard Could Allow Remote Code Execution (2443105)
Update Type:
Security Update
Severity:
Important
Date:
2010-12-14
Description:
This security update resolves a publicly disclosed vulnerability in the Internet Connection Signup Wizard of Microsoft Windows. This security update is rated Important for all supported editions of Windows XP and Windows Server 2003. All supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are not affected by the vulnerability. For more information, see the subsection, Affected and Non-Affected Software, in this section.
Vulnerabilities:
CVE-2010-3144
Included Updates:
2443105
Applies to:
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-096
Title:
Vulnerability in Windows Address Book Could Allow Remote Code Execution (2423089)
Update Type:
Security Update
Severity:
Important
Date:
2010-12-14
Description:
This security update resolves a publicly disclosed vulnerability in Windows Address Book. The vulnerability could allow remote code execution if a user opens a Windows Address Book file located in the same network folder as a specially crafted library file. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.
Vulnerabilities:
CVE-2010-3147
Included Updates:
2423089
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-094
Title:
Vulnerability in Windows Media Encoder Could Allow Remote Code Execution (2447961)
Update Type:
Security Update
Severity:
Important
Date:
2010-12-14
Description:
This security update resolves a publicly disclosed vulnerability in Windows Media Encoder. The vulnerability could allow remote code execution if an attacker convinces a user to open a legitimate Windows Media Profile (.prx) file that is located in the same network directory as a specially crafted library file. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.
Vulnerabilities:
CVE-2010-3965
Included Updates:
2447961
Applies to:
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-093
Title:
Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (2424434)
Update Type:
Security Update
Severity:
Important
Date:
2010-12-14
Description:
This security update resolves a publicly disclosed vulnerability in Windows Movie Maker. The vulnerability could allow remote code execution if an attacker convinces a user to open a legitimate Windows Movie Maker file that is located in the same network directory as a specially crafted library file. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.
Vulnerabilities:
CVE-2010-3967
Included Updates:
2424434
Applies to:
Windows Vista

Bulletin ID:
MS10-092
Title:
Vulnerability in Task Scheduler Could Allow Elevation of Privilege (2305420)
Update Type:
Security Update
Severity:
Important
Date:
2010-12-14
Description:
This security update resolves a publicly disclosed vulnerability in Windows Task Scheduler. The vulnerability could allow elevation of privilege if an attacker logged on to an affected system and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
Vulnerabilities:
CVE-2010-3338
Included Updates:
2305420
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2008
Windows Server 2008 R2
Windows Vista

Bulletin ID:
MS10-086
Title:
Vulnerability in Windows Shared Cluster Disks Could Allow Tampering (2294255)
Update Type:
Security Update
Severity:
Moderate
Date:
2010-12-14
Description:
This security update resolves a privately reported vulnerability in Windows Server 2008 R2 when used as a shared failover cluster. The vulnerability could allow data tampering on the administrative shares of failover cluster disks. By default, Windows Server 2008 R2 servers are not affected by this vulnerability. This vulnerability only applies to the cluster disks used in a failover cluster.
Vulnerabilities:
CVE-2010-3223
Included Updates:
2294255
Applies to:
Windows Server 2008 R2

Bulletin ID:
MS10-083
Title:
Vulnerability in COM Validation in Windows Shell and WordPad Could Allow Remote Code Execution (2405882)
Update Type:
Security Update
Severity:
Important
Date:
2010-12-14
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted file using WordPad or selects or opens a shortcut file that is on a network or WebDAV share. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2010-1263
Included Updates:
2405882
979687
979688
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-076
Title:
Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution (982132)
Update Type:
Security Update
Severity:
Critical
Date:
2010-12-14
Description:
This security update resolves a privately reported vulnerability in a Microsoft Windows component, the Embedded OpenType (EOT) Font Engine. The vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system remotely. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2010-1883
Included Updates:
982132
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-075
Title:
Vulnerability in Media Player Network Sharing Service Could Allow Remote Code Execution (2281679)
Update Type:
Security Update
Severity:
Critical
Date:
2010-12-14
Description:
This security update resolves a privately reported vulnerability in the Microsoft Windows Media Player Network Sharing Service. The vulnerability could allow remote code execution if an attacker sent a specially crafted RTSP packet to an affected system. However, Internet access to home media is disabled by default. In this default configuration, the vulnerability can be exploited only by an attacker within the same subnet.
Vulnerabilities:
CVE-2010-3225
Included Updates:
2281679
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Vista

Bulletin ID:
MS10-074
Title:
Vulnerability in Microsoft Foundation Classes Could Allow Remote Code Execution (2387149)
Update Type:
Security Update
Severity:
Moderate
Date:
2010-12-14
Description:
This security update resolves a publicly disclosed vulnerability in the Microsoft Foundation Class (MFC) Library. The vulnerability could allow remote code execution if a user is logged on with administrative user rights and opens an application built with the MFC Library. An attacker who successfully exploited this vulnerability could obtain the same permissions as the currently logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2010-3227
Included Updates:
2387149
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-088
Title:
Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2293386)
Update Type:
Security Update
Severity:
Important
Date:
2010-11-09
Description:
This security update resolves two privately reported vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted PowerPoint file. An attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2010-2572
CVE-2010-2573
Included Updates:
2293386
2413272
2413304
2413381
Applies to:
Office 2002/XP
Office 2003
Office 2007

Bulletin ID:
MS10-087
Title:
Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2423930)
Update Type:
Security Update
Severity:
Critical
Date:
2010-11-09
Description:
This security update resolves one publicly disclosed vulnerability and five privately reported vulnerabilities in Microsoft Office. The most severe vulnerability could allow remote code execution if a user opens or previews a specially crafted RTF e-mail message. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2010-2573
CVE-2010-3333
CVE-2010-3334
CVE-2010-3335
CVE-2010-3336
CVE-2010-3337
Included Updates:
2289158
2289161
2289169
2289187
2423930
Applies to:
Office 2002/XP
Office 2003
Office 2007
Office 2010

Bulletin ID:
MS10-084
Title:
Vulnerability in Windows Local Procedure Call Could Cause Elevation of Privilege (2360937)
Update Type:
Security Update
Severity:
Important
Date:
2010-10-12
Description:
This security update resolves a publicly disclosed vulnerability in Microsoft Windows. This security update is rated Important for all supported editions of Windows XP and Windows Server 2003. All supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are not affected by the vulnerability. For more information, see the subsection, Affected and Non-Affected Software, in this section.
Vulnerabilities:
CVE-2010-3222
Included Updates:
2360937
Applies to:
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-082
Title:
Vulnerability in Windows Media Player Could Allow Remote Code Execution (2378111)
Update Type:
Security Update
Severity:
Important
Date:
2010-10-12
Description:
This security update resolves a privately reported vulnerability in Windows Media Player. The vulnerability could allow remote code execution if Windows Media Player opened specially crafted media content hosted on a malicious Web site. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2010-2745
Included Updates:
2378111
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-080
Title:
Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2293211)
Update Type:
Security Update
Severity:
Important
Date:
2010-10-12
Description:
This security update resolves thirteen privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file or a specially crafted Lotus 1-2-3 file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2010-3230
CVE-2010-3231
CVE-2010-3232
CVE-2010-3233
CVE-2010-3234
CVE-2010-3235
CVE-2010-3236
CVE-2010-3237
CVE-2010-3238
CVE-2010-3239
CVE-2010-3240
CVE-2010-3241
CVE-2010-3242
Included Updates:
2293211
2344875
2344893
2345017
2345035
2345088
Applies to:
Office 2002/XP
Office 2003
Office 2007

Bulletin ID:
MS10-079
Title:
Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (2293194)
Update Type:
Security Update
Severity:
Important
Date:
2010-10-12
Description:
This security update resolves eleven privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Word file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2010-2747
CVE-2010-2748
CVE-2010-2750
CVE-2010-3214
CVE-2010-3215
CVE-2010-3216
CVE-2010-3217
CVE-2010-3218
CVE-2010-3219
CVE-2010-3220
CVE-2010-3221
Included Updates:
2293194
2328360
2344911
2344993
2345000
2345009
2345015
2345043
2346411
Applies to:
Office 2002/XP
Office 2003
Office 2007
Office 2010

Bulletin ID:
MS10-078
Title:
Vulnerabilities in the OpenType Font (OTF) Format Driver Could Allow Elevation of Privilege (2279986)
Update Type:
Security Update
Severity:
Important
Date:
2010-10-12
Description:
This security update resolves two privately reported vulnerabilities in the Windows OpenType Font (OTF) format driver. This security update is rated Important for all supported editions of Windows XP and Windows Server 2003. All supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are not affected by the vulnerability. For more information, see the subsection, Affected and Non-Affected Software, in this section.
Vulnerabilities:
CVE-2010-2740
CVE-2010-2741
Included Updates:
2279986
Applies to:
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-072
Title:
Vulnerabilities in SafeHTML Could Allow Information Disclosure (2412048)
Update Type:
Security Update
Severity:
Important
Date:
2010-10-12
Description:
This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft SharePoint and Windows SharePoint Services. The vulnerabilities could allow information disclosure if an attacker submits specially crafted script to a target site using SafeHTML.
Vulnerabilities:
CVE-2010-3243
CVE-2010-3324
Included Updates:
2345212
2345304
2345322
2346298
2412048
Applies to:
Office 2007
Office 2010
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2

Bulletin ID:
MS10-062
Title:
Vulnerability in MPEG-4 Codec Could Allow Remote Code Execution (975558)
Update Type:
Security Update
Severity:
Critical
Date:
2010-10-12
Description:
This security update resolves a privately reported vulnerability in MPEG-4 codec. The vulnerability could allow remote code execution if a user opens a specially crafted media file or receives specially crafted streaming content from a Web site or any application that delivers Web content. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2010-0818
Included Updates:
975558
Applies to:
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-069
Title:
Vulnerability in Windows Client/Server Runtime Subsystem Could Allow Elevation of Privilege (2121546)
Update Type:
Security Update
Severity:
Important
Date:
2010-09-14
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. This security update is rated Important for all supported editions of Windows XP and Windows Server 2003. All supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are not affected by the vulnerability. For more information, see the subsection, Affected and Non-Affected Software, in this section.
Vulnerabilities:
CVE-2010-1891
Included Updates:
2121546
Applies to:
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-068
Title:
Vulnerability in Local Security Authority Subsystem Service Could Allow Elevation of Privilege (983539)
Update Type:
Security Update
Severity:
Important
Date:
2010-09-14
Description:
This security update resolves a privately reported vulnerability in Active Directory, Active Directory Application Mode (ADAM), and Active Directory Lightweight Directory Service (AD LDS). The vulnerability could allow elevation of privilege if an authenticated attacker sent specially crafted Lightweight Directory Access Protocol (LDAP) messages to a listening LSASS server. In order to successfully exploit this vulnerability, an attacker must have a member account within the target Windows domain. However, the attacker does not need to have a workstation joined to the Windows domain.
Vulnerabilities:
CVE-2010-0820
Included Updates:
981550
982000
983539
Applies to:
Windows 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-067
Title:
Vulnerability in WordPad Text Converters Could Allow Remote Code Execution (2259922)
Update Type:
Security Update
Severity:
Important
Date:
2010-09-14
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. This security update is rated Important for all supported editions of Windows XP and Windows Server 2003. All supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are not affected by the vulnerability. For more information, see the subsection, Affected and Non-Affected Software, in this section.
Vulnerabilities:
CVE-2010-2563
Included Updates:
2259922
Applies to:
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-066
Title:
Vulnerability in Remote Procedure Call Could Allow Remote Code Execution (982802)
Update Type:
Security Update
Severity:
Important
Date:
2010-09-14
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. This security update is rated Important for all supported editions of Windows XP and Windows Server 2003. All supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are not affected by the vulnerability. For more information, see the subsection, Affected and Non-Affected Software, in this section.
Vulnerabilities:
CVE-2010-2567
Included Updates:
982802
Applies to:
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-065
Title:
Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Remote Code Execution (2267960)
Update Type:
Security Update
Severity:
Important
Date:
2010-09-14
Description:
This security update resolves two privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Information Services (IIS). The most severe of these vulnerabilities could allow remote code execution if a client sends a specially crafted HTTP request to the server. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Vulnerabilities:
CVE-2010-1899
CVE-2010-2730
CVE-2010-2731
Included Updates:
2124261
2267960
2271195
2290570
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-064
Title:
Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (2315011)
Update Type:
Security Update
Severity:
Critical
Date:
2010-09-14
Description:
This security update resolves a privately reported vulnerability. The vulnerability could allow remote code execution if a user opened or previewed a specially crafted e-mail message using an affected version of Microsoft Outlook that is connected to an Exchange server with Online Mode. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2010-2728
Included Updates:
2288953
2293422
2293428
2315011
Applies to:
Office 2002/XP
Office 2003
Office 2007

Bulletin ID:
MS10-063
Title:
Vulnerability in Unicode Scripts Processor Could Allow Remote Code Execution (2320113)
Update Type:
Security Update
Severity:
Critical
Date:
2010-09-14
Description:
This security update resolves a privately reported vulnerability in the Unicode Scripts Processor. The vulnerability could allow remote code execution if a user viewed a specially crafted document or Web page with an application that supports embedded OpenType fonts. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2010-2738
Included Updates:
2288608
2288613
2288621
2320113
981322
Applies to:
Office 2002/XP
Office 2003
Office 2007
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-061
Title:
Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290)
Update Type:
Security Update
Severity:
Critical
Date:
2010-09-14
Description:
This security update resolves a publicly disclosed vulnerability in the Print Spooler service. The vulnerability could allow remote code execution if an attacker sends a specially crafted print request to a vulnerable system that has a print spooler interface exposed over RPC. By default, printers are not shared on any currently supported Windows operating system.
Vulnerabilities:
CVE-2010-2729
Included Updates:
2347290
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-050
Title:
Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (981997)
Update Type:
Security Update
Severity:
Important
Date:
2010-08-24
Description:
This security update resolves a privately reported vulnerability in Windows Movie Maker. The vulnerability could allow remote code execution if an attacker sent a specially crafted Movie Maker project file and convinced the user to open the specially crafted file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2010-2564
Included Updates:
981997
Applies to:
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-060
Title:
Vulnerabilities in the Microsoft .NET Common Language Runtime and in Microsoft Silverlight Could Allow Remote Code Execution (2265906)
Update Type:
Security Update
Severity:
Critical
Date:
2010-08-10
Description:
This security update resolves two privately reported vulnerabilities in Microsoft .NET Framework and Microsoft Silverlight. The vulnerabilities could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs) or Silverlight applications, or if an attacker succeeds in convincing a user to run a specially crafted Microsoft .NET application. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerabilities could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and executing the page, as could be the case in a Web hosting scenario.
Vulnerabilities:
CVE-2010-0019
CVE-2010-1898
Included Updates:
2265906
978464
983582
983583
983587
983588
983589
983590
Applies to:
Silverlight
Windows 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-059
Title:
Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799)
Update Type:
Security Update
Severity:
Important
Date:
2010-08-10
Description:
This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in the Tracing Feature for Services. The vulnerabilities could allow elevation of privilege if an attacker runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
Vulnerabilities:
CVE-2010-2554
CVE-2010-2555
Included Updates:
982799
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2008
Windows Server 2008 R2
Windows Vista

Bulletin ID:
MS10-057
Title:
Vulnerability in Microsoft Office Excel Could Allow Remote Code Execution (2269707)
Update Type:
Security Update
Severity:
Important
Date:
2010-08-10
Description:
This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2010-2562
Included Updates:
2264397
2264403
2269707
Applies to:
Office 2002/XP
Office 2003

Bulletin ID:
MS10-056
Title:
Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (2269638)
Update Type:
Security Update
Severity:
Critical
Date:
2010-08-10
Description:
This security update resolves four privately reported vulnerabilities in Microsoft Office. The most severe vulnerabilities could allow remote code execution if a user opens or previews a specially crafted RTF e-mail message. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2010-1900
CVE-2010-1901
CVE-2010-1902
CVE-2010-1903
Included Updates:
2092914
2251389
2251399
2251419
2251437
2269638
2277947
Applies to:
Microsoft Works 9
Office 2002/XP
Office 2003
Office 2007

Bulletin ID:
MS10-055
Title:
Vulnerability in Cinepak Codec Could Allow Remote Code Execution (982665)
Update Type:
Security Update
Severity:
Critical
Date:
2010-08-10
Description:
This security update resolves a privately reported vulnerability in Cinepak Codec. The vulnerability could allow remote code execution if a user opens a specially crafted media file or receives specially crafted streaming content from a Web site or any application that delivers Web content. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2010-2553
Included Updates:
982665
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-052
Title:
Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution (2115168)
Update Type:
Security Update
Severity:
Critical
Date:
2010-08-10
Description:
This security update resolves a privately reported vulnerability in Microsoft MPEG Layer-3 audio codecs. The vulnerability could allow remote code execution if a user opens a specially crafted media file or receives specially crafted streaming content from a Web site or any application that delivers Web content. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2010-1882
Included Updates:
2115168
Applies to:
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-045
Title:
Vulnerability in Microsoft Office Outlook Could Allow Remote Code Execution (978212)
Update Type:
Security Update
Severity:
Important
Date:
2010-07-13
Description:
This security update resolves a privately reported vulnerability. The vulnerability could allow remote code execution if a user opened an attachment in a specially crafted e-mail message using an affected version of Microsoft Office Outlook. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2010-0266
Included Updates:
978212
980371
980373
980376
Applies to:
Office 2002/XP
Office 2003
Office 2007

Bulletin ID:
MS10-044
Title:
Vulnerabilities in Microsoft Office Access ActiveX Controls Could Allow Remote Code Execution (982335)
Update Type:
Security Update
Severity:
Critical
Date:
2010-07-13
Description:
This security update resolves two privately reported vulnerabilities in Microsoft Office Access ActiveX Controls. The vulnerabilities could allow remote code execution if a user opened a specially crafted Office file or viewed a Web page that instantiated Access ActiveX controls. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2010-0814
CVE-2010-1881
Included Updates:
979440
981716
982335
Applies to:
Office 2003
Office 2007

Bulletin ID:
MS10-043
Title:
Vulnerability in Canonical Display Driver Could Allow Remote Code Execution (2032276)
Update Type:
Security Update
Severity:
Critical
Date:
2010-07-13
Description:
This security update resolves a publicly disclosed vulnerability in the Canonical Display Driver (cdd.dll). Although it is possible that the vulnerability could allow code execution, successful code execution is unlikely due to memory randomization. In most scenarios, it is much more likely that an attacker who successfully exploited this vulnerability could cause the affected system to stop responding and automatically restart.
Vulnerabilities:
CVE-2009-3678
Included Updates:
2032276
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2008 R2

Bulletin ID:
MS10-042
Title:
Vulnerability in Help and Support Center Could Allow Remote Code Execution (2229593)
Update Type:
Security Update
Severity:
Critical
Date:
2010-07-13
Description:
This security update resolves a publicly disclosed vulnerability in the Windows Help and Support Center feature that is delivered with supported editions of Windows XP and Windows Server 2003. This vulnerability could allow remote code execution if a user views a specially crafted Web page using a Web browser or clicks a specially crafted link in an e-mail message. The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful, a user must click a link listed within an e-mail message.
Vulnerabilities:
CVE-2010-1885
Included Updates:
2229593
Applies to:
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-041
Title:
Vulnerability in Microsoft .NET Framework Could Allow Tampering (981343)
Update Type:
Security Update
Severity:
Important
Date:
2010-07-13
Description:
This security update resolves a publicly disclosed vulnerability in Microsoft .NET Framework. The vulnerability could allow data tampering of signed XML content without being detected. In custom applications, the security impact depends on how the signed content is used in the specific application. Scenarios in which signed XML messages are transmitted over a secure channel (such as SSL) are not affected by this vulnerability.
Vulnerabilities:
CVE-2009-0217
Included Updates:
979904
979906
979907
979909
979910
979911
979913
979916
981343
982865
Applies to:
Windows 2000
Windows 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-026
Title:
Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution (977816)
Update Type:
Security Update
Severity:
Critical
Date:
2010-06-22
Description:
This security update resolves a privately reported vulnerability in Microsoft MPEG Layer-3 audio codecs. The vulnerability could allow remote code execution if a user opened a specially crafted AVI file containing an MPEG Layer-3 audio stream. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2010-0480
Included Updates:
977816
Applies to:
Windows 2000
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS09-061
Title:
Vulnerabilities in the Microsoft .NET Common Language Runtime Could Allow Remote Code Execution (974378)
Update Type:
Security Update
Severity:
Critical
Date:
2010-06-22
Description:
This security update resolves three privately reported vulnerabilities in Microsoft .NET Framework and Microsoft Silverlight. The vulnerabilities could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs) or Silverlight applications, or if an attacker succeeds in persuading a user to run a specially crafted Microsoft .NET application. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerabilities could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and executing it, as could be the case in a Web hosting scenario. Microsoft .NET applications, Silverlight applications, XBAPs and ASP.NET pages that are not malicious are not at risk of being compromised because of this vulnerability.
Vulnerabilities:
CVE-2009-0090
CVE-2009-0091
CVE-2009-2497
Included Updates:
953295
953297
953298
953300
974291
974292
974378
974417
974467
974468
974469
974470
Applies to:
Windows 2000
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-040
Title:
Vulnerability in Internet Information Services Could Allow Remote Code Execution (982666)
Update Type:
Security Update
Severity:
Important
Date:
2010-06-08
Description:
This security update resolves a privately reported vulnerability in Internet Information Services (IIS). The vulnerability could allow remote code execution if a user received a specially crafted HTTP request. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Vulnerabilities:
CVE-2010-1256
Included Updates:
982666
Applies to:
Windows 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista

Bulletin ID:
MS10-039
Title:
Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (2028554)
Update Type:
Security Update
Severity:
Important
Date:
2010-06-08
Description:
This security update resolves one publicly disclosed and two privately reported vulnerabilities in Microsoft SharePoint. The most severe vulnerability could allow elevation of privilege if an attacker convinced a user of a targeted SharePoint site to click on a specially crafted link.
Vulnerabilities:
CVE-2010-0817
CVE-2010-1257
CVE-2010-1264
Included Updates:
2028554
979441
979445
980923
983444
Applies to:
Office 2003
Office 2007
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2

Bulletin ID:
MS10-038
Title:
Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (2027452)
Update Type:
Security Update
Severity:
Important
Date:
2010-06-08
Description:
This security update resolves fourteen privately reported vulnerabilities in Microsoft Office. The more severe vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2010-0821
CVE-2010-0822
CVE-2010-0823
CVE-2010-0824
CVE-2010-1245
CVE-2010-1246
CVE-2010-1247
CVE-2010-1248
CVE-2010-1249
CVE-2010-1250
CVE-2010-1251
CVE-2010-1252
CVE-2010-1253
CVE-2010-1254
Included Updates:
2027452
982299
982331
982333
Applies to:
Office 2002/XP
Office 2007

Bulletin ID:
MS10-036
Title:
Vulnerability in COM Validation in Microsoft Office Could Allow Remote Code Execution (983235)
Update Type:
Security Update
Severity:
Important
Date:
2010-06-08
Description:
This security update resolves a privately reported vulnerability in COM validation in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Excel, Word, Visio, Publisher, or PowerPoint file with an affected version of Microsoft Office. The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.
Vulnerabilities:
CVE-2010-1263
Included Updates:
982122
982124
982126
982127
982133
982134
982135
982157
982158
982308
982311
982312
983235
Applies to:
Office 2003
Office 2007

Bulletin ID:
MS10-035
Title:
Cumulative Security Update for Internet Explorer (982381)
Update Type:
Security Update
Severity:
Critical
Date:
2010-06-08
Description:
This security update resolves five privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2010-0255
CVE-2010-1257
CVE-2010-1259
CVE-2010-1260
CVE-2010-1261
CVE-2010-1262
Included Updates:
982381
Applies to:
Windows 2000
Windows 7
Windows Internet Explorer 7.0 Dynamic Installer
Windows Internet Explorer 8 Dynamic Installer
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-033
Title:
Vulnerabilities in Media Decompression Could Allow Remote Code Execution (979902)
Update Type:
Security Update
Severity:
Critical
Date:
2010-06-08
Description:
This security update resolves two privately reported vulnerabilities in Microsoft Windows. These vulnerabilities could allow remote code execution if a user opens a specially crafted media file or receives specially crafted streaming content from a Web site or any application that delivers Web content. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2010-1879
CVE-2010-1880
Included Updates:
975562
978695
979332
979482
979902
Applies to:
Windows 2000
Windows 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-031
Title:
Vulnerability in Microsoft Visual Basic for Applications Could Allow Remote Code Execution (978213)
Update Type:
Security Update
Severity:
Critical
Date:
2010-05-11
Description:
This security update resolves a privately reported vulnerability in Microsoft Visual Basic for Applications. The vulnerability could allow remote code execution if a host application opens and passes a specially crafted file to the Visual Basic for Applications runtime. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2010-0815
Included Updates:
976321
976380
976382
978213
Applies to:
Office 2002/XP
Office 2003
Office 2007

Bulletin ID:
MS10-030
Title:
Vulnerability in Outlook Express and Windows Mail Could Allow Remote Code Execution (978542)
Update Type:
Security Update
Severity:
Critical
Date:
2010-05-11
Description:
This security update resolves a privately reported vulnerability in Outlook Express, Windows Mail, and Windows Live Mail. The vulnerability could allow remote code execution if a user visits a malicious e-mail server. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2010-0816
Included Updates:
978542
Applies to:
Windows 2000
Windows 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-025
Title:
Vulnerability in Microsoft Windows Media Services Could Allow Remote Code Execution (980858)
Update Type:
Security Update
Severity:
Critical
Date:
2010-04-27
Description:
This security update resolves a privately reported vulnerability in Windows Media Services running on Microsoft Windows 2000 Server. The vulnerability could allow remote code execution if an attacker sent a specially crafted transport information packet to a Microsoft Windows 2000 Server system running Windows Media Services. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate from outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. On Microsoft Windows 2000 Server, Windows Media Services is an optional component and is not installed by default.
Vulnerabilities:
CVE-2010-0478
Included Updates:
980858
Applies to:
Windows 2000

Bulletin ID:
MS10-024
Title:
Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service (981832)
Update Type:
Security Update
Severity:
Important
Date:
2010-04-16
Description:
This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft Exchange and Windows SMTP Service. The more severe of these vulnerabilities could allow denial of service if an attacker sent a specially crafted DNS response to a computer running the SMTP service. By default, the SMTP component is not installed on Windows Server 2003, Windows Server 2003 x64 Edition, or Windows XP Professional x64 Edition.
Vulnerabilities:
CVE-2010-0024
CVE-2010-0025
Included Updates:
976323
976702
976703
981832
Applies to:
Exchange 2000 Server
Exchange Server 2003
Windows 2000
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-029
Title:
Vulnerability in Windows ISATAP Component Could Allow Spoofing (978338)
Update Type:
Security Update
Severity:
Moderate
Date:
2010-04-13
Description:
This security update resolves one privately reported vulnerability in Microsoft Windows. This security update is rated Moderate for Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. Windows 7 and Windows Server 2008 R2 are not vulnerable because these operating systems include the feature deployed by this security update. For more information, see the subsection, Affected and Non-Affected Software, in this section.
Vulnerabilities:
CVE-2010-0812
Included Updates:
978338
Applies to:
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-028
Title:
Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (980094)
Update Type:
Security Update
Severity:
Important
Date:
2010-04-13
Description:
This security update resolves two privately reported vulnerabilities in Microsoft Office Visio. The vulnerabilities could allow remote code execution if a user opens a specially crafted Visio file. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2010-0254
CVE-2010-0256
Included Updates:
979356
979364
979365
980094
Applies to:
Office 2002/XP
Office 2003
Office 2007

Bulletin ID:
MS10-027
Title:
Vulnerability in Windows Media Player Could Allow Remote Code Execution (979402)
Update Type:
Security Update
Severity:
Critical
Date:
2010-04-13
Description:
This security update resolves a privately reported vulnerability in Windows Media Player. The vulnerability could allow remote code execution if Windows Media Player opened specially crafted media content hosted on a malicious Web site. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2010-0268
Included Updates:
979402
Applies to:
Windows 2000
Windows XP

Bulletin ID:
MS10-023
Title:
Vulnerability in Microsoft Office Publisher Could Allow Remote Code Execution (981160)
Update Type:
Security Update
Severity:
Important
Date:
2010-04-13
Description:
This security update resolves a privately reported vulnerability in Microsoft Office Publisher that could allow remote code execution if a user opens a specially crafted Publisher file. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2010-0479
Included Updates:
980466
980469
980470
981160
Applies to:
Office 2002/XP
Office 2003
Office 2007

Bulletin ID:
MS09-033
Title:
Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of Privilege (969856)
Update Type:
Security Update
Severity:
Important
Date:
2010-03-15
Description:
This security update resolves a privately reported vulnerability in Microsoft Virtual PC and Microsoft Virtual Server. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected guest operating system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Vulnerabilities:
CVE-2009-1542
Included Updates:
969856
Applies to:
Virtual PC
Virtual Server

Bulletin ID:
MS10-017
Title:
Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (980150)
Update Type:
Security Update
Severity:
Important
Date:
2010-03-09
Description:
This security update resolves seven privately reported vulnerabilities in Microsoft Office Excel. The vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2010-0257
CVE-2010-0258
CVE-2010-0260
CVE-2010-0261
CVE-2010-0262
CVE-2010-0263
CVE-2010-0264
Included Updates:
978380
978382
978383
978471
978474
979439
980150
Applies to:
Office 2002/XP
Office 2003
Office 2007

Bulletin ID:
MS10-016
Title:
Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (975561)
Update Type:
Security Update
Severity:
Important
Date:
2010-03-09
Description:
This security update addresses a privately reported vulnerability in Windows Movie Maker and Microsoft Producer 2003. Windows Live Movie Maker, which is available for Windows Vista and Windows 7, is not affected by this vulnerability. The vulnerability could allow remote code execution if an attacker sent a specially crafted Movie Maker or Microsoft Producer project file and convinced the user to open the specially crafted file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2010-0265
Included Updates:
975561
Applies to:
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-015
Title:
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165)
Update Type:
Security Update
Severity:
Important
Date:
2010-03-02
Description:
This security update resolves one publicly disclosed and one privately reported vulnerability in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logged on to the system and then ran a specially crafted application. To exploit either vulnerability, an attacker must have valid logon credentials and be able to log on locally. The vulnerabilities could not be exploited remotely or by anonymous users.
Vulnerabilities:
CVE-2010-0232
CVE-2010-0233
Included Updates:
977165
Applies to:
Windows 2000
Windows 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-014
Title:
Vulnerability in Kerberos Could Allow Denial of Service (977290)
Update Type:
Security Update
Severity:
Important
Date:
2010-02-09
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if a specially crafted ticket renewal request is sent to the Windows Kerberos domain from an authenticated user on a trusted non-Windows Kerberos realm. The denial of service could persist until the domain controller is restarted.
Vulnerabilities:
CVE-2010-0035
Included Updates:
977290
Applies to:
Windows 2000
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008

Bulletin ID:
MS10-013
Title:
Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (977935)
Update Type:
Security Update
Severity:
Critical
Date:
2010-02-09
Description:
This security update resolves a privately reported vulnerability in Microsoft DirectShow. The vulnerability could allow remote code execution if a user opened a specially crafted AVI file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2010-0250
Included Updates:
975560
977914
977935
Applies to:
Windows 2000
Windows 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-011
Title:
Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (978037)
Update Type:
Security Update
Severity:
Important
Date:
2010-02-09
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows Client/Server Run-time Subsystem (CSRSS) in Microsoft Windows 2000, Windows XP, and Windows Server 2003. Other versions of Windows are not affected. The vulnerability could allow elevation of privilege if an attacker logs on to the system and starts a specially crafted application designed to continue running after the attacker logs out. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited by anonymous users.
Vulnerabilities:
CVE-2010-0023
Included Updates:
978037
Applies to:
Windows 2000
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-010
Title:
Vulnerability in Windows Server 2008 Hyper-V Could Allow Denial of Service (977894)
Update Type:
Security Update
Severity:
Important
Date:
2010-02-09
Description:
This security update resolves a privately reported vulnerability in Windows Server 2008 Hyper-V and Windows Server 2008 R2 Hyper-V. The vulnerability could allow denial of service if a malformed sequence of machine instructions is run by an authenticated user in one of the guest virtual machines hosted by the Hyper-V server. An attacker must have valid logon credentials and be able to log on locally into a guest virtual machine to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
Vulnerabilities:
CVE-2010-0026
Included Updates:
977894
Applies to:
Windows Server 2008
Windows Server 2008 R2

Bulletin ID:
MS10-009
Title:
Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (974145)
Update Type:
Security Update
Severity:
Critical
Date:
2010-02-09
Description:
This security update resolves four privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow remote code execution if specially crafted packets are sent to a computer with IPv6 enabled. An attacker could try to exploit the vulnerability by creating specially crafted ICMPv6 packets and sending the packets to a system with IPv6 enabled. This vulnerability may only be exploited if the attacker is on-link.
Vulnerabilities:
CVE-2010-0239
CVE-2010-0240
CVE-2010-0241
CVE-2010-0242
Included Updates:
974145
Applies to:
Windows Server 2008
Windows Vista

Bulletin ID:
MS10-007
Title:
Vulnerability in Windows Shell Handler Could Allow Remote Code Execution (975713)
Update Type:
Security Update
Severity:
Critical
Date:
2010-02-09
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows 2000, Windows XP, and Windows Server 2003. Other versions of Windows are not impacted by this security update. The vulnerability could allow remote code execution if an application, such as a Web browser, passes specially crafted data to the ShellExecute API function through the Windows Shell Handler.
Vulnerabilities:
CVE-2010-0027
Included Updates:
975713
Applies to:
Windows 2000
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-005
Title:
Vulnerability in Microsoft Paint Could Allow Remote Code Execution (978706)
Update Type:
Security Update
Severity:
Moderate
Date:
2010-02-09
Description:
This security update resolves a privately reported vulnerability in Microsoft Paint. The vulnerability could allow remote code execution if a user viewed a specially crafted JPEG image file using Microsoft Paint. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2010-0028
Included Updates:
978706
Applies to:
Windows 2000
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-004
Title:
Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution (975416)
Update Type:
Security Update
Severity:
Important
Date:
2010-02-09
Description:
This security update resolves six privately reported vulnerabilities in Microsoft Office PowerPoint. The vulnerabilities could allow remote code execution if a user opens a specially crafted PowerPoint file. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2010-0029
CVE-2010-0030
CVE-2010-0031
CVE-2010-0032
CVE-2010-0033
CVE-2010-0034
Included Updates:
973143
975416
976881
Applies to:
Office 2002/XP
Office 2003

Bulletin ID:
MS10-003
Title:
Vulnerability in Microsoft Office (MSO) Could Allow Remote Code Execution (978214)
Update Type:
Security Update
Severity:
Important
Date:
2010-02-09
Description:
This security update resolves a privately reported vulnerability in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2010-0243
Included Updates:
977896
978214
Applies to:
Office 2002/XP

Bulletin ID:
MS09-060
Title:
Vulnerabilities in Microsoft Active Template Library (ATL) ActiveX Controls for Microsoft Office Could Allow Remote Code Execution (973965)
Update Type:
Security Update
Severity:
Critical
Date:
2010-02-09
Description:
This security update resolves several privately reported vulnerabilities in ActiveX Controls for Microsoft Office that were compiled with a vulnerable version of Microsoft Active Template Library (ATL). The vulnerabilities could allow remote code execution if a user loaded a specially crafted component or control. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2009-0901
CVE-2009-2493
CVE-2009-2495
Included Updates:
972363
973702
973705
973709
973965
974234
974554
974556
Applies to:
Office 2002/XP
Office 2003
Office 2007

Bulletin ID:
MS10-001
Title:
Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution (972270)
Update Type:
Security Update
Severity:
Critical
Date:
2010-01-12
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user viewed content rendered in a specially crafted Embedded OpenType (EOT) font in client applications that can render EOT fonts, such as Microsoft Internet Explorer, Microsoft Office PowerPoint, or Microsoft Office Word. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2010-0018
Included Updates:
972270
Applies to:
Windows 2000
Windows 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition