Bulletin ID: MS12-083 |
Title: Vulnerability in IP-HTTPS Component Could Allow Security Feature Bypass (2765809) |
Update Type: Security Update |
Severity: Important |
Date: 2012-12-11 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass if an attacker presents a revoked certificate to an IP-HTTPS server commonly used in Microsoft DirectAccess deployments. To exploit the vulnerability, an attacker must use a certificate issued from the domain for IP-HTTPS server authentication. Logging on to a system inside the organization would still require system or domain credentials. | ||||
Vulnerabilities: CVE-2012-2549 |
Included Updates: 2765809 |
Applies to: Server Core installation option Windows Server 2008 R2 Windows Server 2012 |
Bulletin ID: MS12-080 |
Title: Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution (2784126) |
Update Type: Security Update |
Severity: Critical |
Date: 2012-12-11 |
Description: This security update resolves publicly disclosed vulnerabilities and one privately reported vulnerability in Microsoft Exchange Server. The most severe vulnerabilities are in Microsoft Exchange Server WebReady Document Viewing and could allow remote code execution in the security context of the transcoding service on the Exchange server if a user previews a specially crafted file using Outlook Web App (OWA). The transcoding service in Exchange that is used for WebReady Document Viewing is running in the LocalService account. The LocalService account has minimum privileges on the local computer and presents anonymous credentials on the network. | ||||
Vulnerabilities: CVE-2012-3214 CVE-2012-3217 CVE-2012-4791 |
Included Updates: 2746157 2784126 2785908 2787763 |
Applies to: Microsoft Server Software |
Bulletin ID: MS12-079 |
Title: Vulnerability in Microsoft Word Could Allow Remote Code Execution (2780642) |
Update Type: Security Update |
Severity: Critical |
Date: 2012-12-11 |
Description: This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Office software, or previews or opens a specially crafted RTF email message in Outlook while using Microsoft Word as the email viewer. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2012-2539 |
Included Updates: 2687412 2760405 2760410 2760416 2760421 2760497 2760498 2780642 |
Applies to: Components Microsoft Office Suites Other Microsoft Office Software |
Bulletin ID: MS12-060 |
Title: Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2720573) |
Update Type: Security Update |
Severity: Critical |
Date: 2012-12-11 |
Description: This security update resolves a privately reported vulnerability in Windows common controls. The vulnerability could allow remote code execution if a user visits a website containing specially crafted content designed to exploit the vulnerability. In all cases, however, an attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website. The malicious file could be sent as an email attachment as well, but the attacker would have to convince the user to open the attachment in order to exploit the vulnerability. | ||||
Vulnerabilities: CVE-2012-1856 |
Included Updates: 2597986 2687441 2711207 2720573 2726929 983811 983812 |
Applies to: Host Integration Server 2004 Office 2003 Office 2007 Office 2010 SQL Server 2000 |
Bulletin ID: MS12-059 |
Title: Vulnerability in Microsoft Visio Could Allow Remote Code Execution (2733918) |
Update Type: Security Update |
Severity: Important |
Date: 2012-12-11 |
Description: This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Visio file. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2012-1888 |
Included Updates: 2598287 2687508 2733918 |
Applies to: Office 2010 |
Bulletin ID: MS12-057 |
Title: Vulnerability in Microsoft Office Could Allow Remote Code Execution (2731879) |
Update Type: Security Update |
Severity: Important |
Date: 2012-12-11 |
Description: This security update resolves one privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted file or embeds a specially crafted Computer Graphics Metafile (CGM) graphics file into an Office file. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2012-2524 |
Included Updates: 2596615 2596754 2687501 2687510 2731879 |
Applies to: Office 2007 Office 2010 |
Bulletin ID: MS12-076 |
Title: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2720184) |
Update Type: Security Update |
Severity: Important |
Date: 2012-11-13 |
Description: This security update resolves four privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file with an affected version of Microsoft Excel. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2012-1885 CVE-2012-1886 CVE-2012-1887 CVE-2012-2543 |
Included Updates: 2597126 2687307 2687311 2687313 2687481 2720184 |
Applies to: Components Microsoft Office Suites Microsoft Office for Mac Other Microsoft Office Software |
Bulletin ID: MS12-074 |
Title: Vulnerabilities in .NET Framework Could Allow Remote Code Execution (2745030) |
Update Type: Security Update |
Severity: Critical |
Date: 2012-11-13 |
Description: This security update resolves five privately reported vulnerabilities in the .NET Framework. The most severe of these vulnerabilities could allow remote code execution if an attacker convinces the user of a target system to use a malicious proxy auto configuration file and then injects code into the currently running application. | ||||
Vulnerabilities: CVE-2012-1895 CVE-2012-1896 CVE-2012-2519 CVE-2012-4776 CVE-2012-4777 |
Included Updates: 2698023 2698032 2698035 2729449 2729450 2729451 2729452 2729453 2729460 2729462 2737019 2737083 2737084 |
Applies to: |
Bulletin ID: MS12-073 |
Title: Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Information Disclosure (2733829) |
Update Type: Security Update |
Severity: Moderate |
Date: 2012-11-13 |
Description: This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft Internet Information Services (IIS). The more severe vulnerability could allow information disclosure if an attacker sends specially crafted FTP commands to the server. | ||||
Vulnerabilities: CVE-2012-2531 CVE-2012-2532 |
Included Updates: 2716513 2719033 2733829 |
Applies to: Server Core installation option Windows 2008 R2 Windows 7 Windows Server 2008 Windows Vista |
Bulletin ID: MS12-046 |
Title: Vulnerability in Visual Basic for Applications Could Allow Remote Code Execution (2707960) |
Update Type: Security Update |
Severity: Important |
Date: 2012-11-13 |
Description: This security update resolves one publicly disclosed vulnerability in Microsoft Visual Basic for Applications. The vulnerability could allow remote code execution if a user opens a legitimate Microsoft Office file (such as a .docx file) that is located in the same directory as a specially crafted dynamic link library (DLL) file. An attacker could then install programs; view, change, or delete data; or create new accounts that have full user rights. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2012-1854 |
Included Updates: 2553447 2596744 2598243 2687626 2707960 |
Applies to: Office 2003 Office 2007 Office 2010 |
Bulletin ID: MS12-070 |
Title: Vulnerability in SQL Server Could Allow Elevation of Privilege (2754849) |
Update Type: Security Update |
Severity: Important |
Date: 2012-10-09 |
Description: This security update resolves a privately reported vulnerability in Microsoft SQL Server on systems running SQL Server Reporting Services (SSRS). The vulnerability is a cross-site-scripting (XSS) vulnerability that could allow elevation of privilege, enabling an attacker to execute arbitrary commands on the SSRS site in the context of the targeted user. An attacker could exploit this vulnerability by sending a specially crafted link to the user and convincing the user to click the link. An attacker could also host a website that contains a webpage designed to exploit the vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. | ||||
Vulnerabilities: CVE-2012-2552 |
Included Updates: 2716427 2716429 2716433 2716434 2716435 2716436 2716439 2716440 2716441 2716442 2754849 983814 |
Applies to: |
Bulletin ID: MS12-067 |
Title: Vulnerabilities in FAST Search Server 2010 for SharePoint Parsing Could Allow Remote Code Execution (2742321) |
Update Type: Security Update |
Severity: Important |
Date: 2012-10-09 |
Description: This security update resolves publicly disclosed vulnerabilities in Microsoft FAST Search Server 2010 for SharePoint. The vulnerabilities could allow remote code execution in the security context of a user account with a restricted token. FAST Search Server for SharePoint is only affected by this issue when Advanced Filter Pack is enabled. By default, Advanced Filter Pack is disabled. | ||||
Vulnerabilities: CVE-2012-1766 CVE-2012-1767 CVE-2012-1768 CVE-2012-1769 CVE-2012-1770 CVE-2012-1771 CVE-2012-1772 CVE-2012-1773 CVE-2012-3106 CVE-2012-3107 CVE-2012-3108 CVE-2012-3109 CVE-2012-3110 |
Included Updates: 2553402 2742321 |
Applies to: |
Bulletin ID: MS12-065 |
Title: Vulnerability in Microsoft Works Could Allow Remote Code Execution (2754670) |
Update Type: Security Update |
Severity: Important |
Date: 2012-10-09 |
Description: This security update resolves a privately reported vulnerability in Microsoft Works. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Word file using Microsoft Works. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2012-2550 |
Included Updates: 2754670 |
Applies to: |
Bulletin ID: MS12-064 |
Title: Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (2742319) |
Update Type: Security Update |
Severity: Critical |
Date: 2012-10-09 |
Description: This security update resolves two privately reported vulnerabilities in Microsoft Office. The more severe vulnerability could allow remote code execution if a user opens or previews a specially crafted RTF file. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2012-0182 CVE-2012-2528 |
Included Updates: 2553488 2598237 2687314 2687315 2687401 2687483 2687485 2742319 |
Applies to: Components Microsoft Office Suites Other Microsoft Office Software |
Bulletin ID: MS12-058 |
Title: Vulnerabilities in Microsoft Exchange Server WebReady Document Viewing Could Allow Remote Code Execution (2740358) |
Update Type: Security Update |
Severity: Critical |
Date: 2012-10-09 |
Description: This security update resolves publicly disclosed vulnerabilities in Microsoft Exchange Server WebReady Document Viewing. The vulnerabilities could allow remote code execution in the security context of the transcoding service on the Exchange server if a user previews a specially crafted file using Outlook Web App (OWA). The transcoding service in Exchange that is used for WebReady Document Viewing is running in the LocalService account. The LocalService account has minimum privileges on the local computer and presents anonymous credentials on the network. | ||||
Vulnerabilities: CVE-2012-1766 CVE-2012-1767 CVE-2012-1768 CVE-2012-1769 CVE-2012-1770 CVE-2012-1771 CVE-2012-1772 CVE-2012-1773 CVE-2012-3106 CVE-2012-3107 CVE-2012-3108 CVE-2012-3109 CVE-2012-3110 |
Included Updates: 2740358 2756485 2756496 2756497 |
Applies to: Exchange Server 2007 Exchange Server 2010 |
Bulletin ID: MS12-053 |
Title: Vulnerability in Remote Desktop Could Allow Remote Code Execution (2723135) |
Update Type: Security Update |
Severity: Critical |
Date: 2012-10-09 |
Description: This security update resolves a privately reported vulnerability in the Remote Desktop Protocol. The vulnerability could allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system. By default, the Remote Desktop Protocol (RDP) is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk. | ||||
Vulnerabilities: CVE-2012-2526 |
Included Updates: 2723135 |
Applies to: Windows XP |
Bulletin ID: MS12-061 |
Title: Vulnerability in Visual Studio Team Foundation Server Could Allow Elevation of Privilege (2719584) |
Update Type: Security Update |
Severity: Important |
Date: 2012-09-24 |
Description: This security update resolves a privately reported vulnerability in Visual Studio Team Foundation Server. The vulnerability could allow elevation of privilege if a user clicks a specially crafted link in an email message or browses to a webpage that is used to exploit the vulnerability. In all cases, however, an attacker would have no way to force users to perform these actions. Instead, an attacker would have to convince users to visit a website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website. | ||||
Vulnerabilities: CVE-2012-1892 |
Included Updates: 2719584 |
Applies to: Microsoft Visual Studio Team Foundation Server 2010 Service Pack 1 |
Bulletin ID: MS12-035 |
Title: Vulnerabilities in .NET Framework Could Allow Remote Code Execution (2693777) |
Update Type: Security Update |
Severity: Critical |
Date: 2012-07-10 |
Description: This security update resolves two privately reported vulnerabilities in the .NET Framework. The vulnerabilities could allow remote code execution on a client system if a user views a specially crafted webpage using a web browser that can run XAML Browser Applications (XBAPs). Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2012-0160 CVE-2012-0161 |
Included Updates: 2604042 2604078 2604092 2604094 2604105 2604110 2604111 2604114 2604115 2604121 2693777 |
Applies to: Windows 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS12-016 |
Title: Vulnerabilities in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution (2651026) |
Update Type: Security Update |
Severity: Critical |
Date: 2012-07-10 |
Description: This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft .NET Framework and Microsoft Silverlight. The vulnerabilities could allow remote code execution on a client system if a user views a specially crafted web page using a web browser that can run XAML Browser Applications (XBAPs) or Silverlight applications. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2012-0014 CVE-2012-0015 |
Included Updates: 2633870 2633873 2633874 2633879 2633880 2651026 2668562 |
Applies to: Silverlight Windows 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS11-100 |
Title: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420) |
Update Type: Security Update |
Severity: Critical |
Date: 2012-07-10 |
Description: This security update resolves one publicly disclosed vulnerability and three privately reported vulnerabilities in Microsoft .NET Framework. The most severe of these vulnerabilities could allow elevation of privilege if an unauthenticated attacker sends a specially crafted web request to the target site. An attacker who successfully exploited this vulnerability could take any action in the context of an existing account on the ASP.NET site, including executing arbitrary commands. In order to exploit this vulnerability, an attacker must be able to register an account on the ASP.NET site, and must know an existing user name. | ||||
Vulnerabilities: CVE-2011-3414 CVE-2011-3415 CVE-2011-3416 CVE-2011-3417 CVE-2012-0160 CVE-2012-0161 |
Included Updates: 2638420 2656351 2656352 2656353 2656355 2656356 2656358 2656362 2657424 |
Applies to: Windows 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS11-078 |
Title: Vulnerability in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution (2604930) |
Update Type: Security Update |
Severity: Critical |
Date: 2012-07-10 |
Description: This security update resolves a privately reported vulnerability in Microsoft .NET Framework and Microsoft Silverlight. The vulnerability could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs) or Silverlight applications. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerability could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and then executes the page, as could be the case in a Web hosting scenario. This vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions. | ||||
Vulnerabilities: CVE-2011-1253 |
Included Updates: 2572066 2572067 2572069 2572073 2572075 2572076 2572077 2572078 2604930 2617986 |
Applies to: Silverlight Windows 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS11-044 |
Title: Vulnerability in .NET Framework Could Allow Remote Code Execution (2538814) |
Update Type: Security Update |
Severity: Critical |
Date: 2012-07-10 |
Description: This security update resolves a publicly disclosed vulnerability in Microsoft .NET Framework. The vulnerability could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs). Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerability could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and then executes the page, as could be the case in a Web hosting scenario. This vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions. | ||||
Vulnerabilities: CVE-2011-1271 |
Included Updates: 2518863 2518864 2518865 2518866 2518867 2518869 2518870 2530095 2538814 |
Applies to: Windows 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS12-039 |
Title: Vulnerabilities in Lync Could Allow Remote Code Execution (2707956) |
Update Type: Security Update |
Severity: Important |
Date: 2012-06-12 |
Description: This security update resolves one publicly disclosed vulnerability and three privately reported vulnerabilities in Microsoft Lync. The most severe vulnerabilities could allow remote code execution if a user views shared content that contains specially crafted TrueType fonts. | ||||
Vulnerabilities: CVE-2011-3402 CVE-2012-0159 CVE-2012-1849 CVE-2012-1858 |
Included Updates: 2693282 2696031 2702444 2707956 2708980 |
Applies to: Microsoft Communicator 2007 R2 Microsoft Lync 2010 (32-bit) Microsoft Lync 2010 (64-bit) Microsoft Lync 2010 Attendant (32-bit) Microsoft Lync 2010 Attendant (64-bit) Microsoft Lync 2010 Attendee |
Bulletin ID: MS12-038 |
Title: Vulnerability in .NET Framework Could Allow Remote Code Execution (2706726) |
Update Type: Security Update |
Severity: Critical |
Date: 2012-06-12 |
Description: This security update resolves one privately reported vulnerability in the Microsoft .NET Framework. The vulnerability could allow remote code execution on a client system if a user views a specially crafted webpage using a web browser that can run XAML Browser Applications (XBAPs). Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerability could also be used by Windows .NET Framework applications to bypass Code Access Security (CAS) restrictions. In a web browsing attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website. | ||||
Vulnerabilities: CVE-2012-1855 |
Included Updates: 2686827 2686828 2686830 2686831 2686833 2706726 |
Applies to: Windows 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS12-025 |
Title: Vulnerability in .NET Framework Could Allow Remote Code Execution (2671605) |
Update Type: Security Update |
Severity: Critical |
Date: 2012-06-12 |
Description: This security update resolves one privately reported vulnerability in Microsoft .NET Framework. The vulnerability could allow remote code execution on a client system if a user views a specially crafted webpage using a web browser that can run XAML Browser Applications (XBAPs). Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerability could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and then executes the page, as could be the case in a web hosting scenario. This vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions. In a web browsing attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website. | ||||
Vulnerabilities: CVE-2012-0163 |
Included Updates: 2656368 2656369 2656370 2656372 2656373 2656374 2656376 2656378 2671605 |
Applies to: Windows 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS12-031 |
Title: Vulnerability in Microsoft Visio Viewer 2010 Could Allow Remote Code Execution (2597981) |
Update Type: Security Update |
Severity: Important |
Date: 2012-05-08 |
Description: This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Visio file. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2012-0018 |
Included Updates: 2597981 |
Applies to: Office 2010 |
Bulletin ID: MS12-030 |
Title: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2663830) |
Update Type: Security Update |
Severity: Important |
Date: 2012-05-08 |
Description: This security update resolves one publicly disclosed and five privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Office file. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2012-0141 CVE-2012-0142 CVE-2012-0143 CVE-2012-0184 CVE-2012-0185 CVE-2012-1847 |
Included Updates: 2553371 2596842 2597086 2597161 2597162 2597166 2597969 2663830 |
Applies to: Office 2003 Office 2007 Office 2010 |
Bulletin ID: MS12-029 |
Title: Vulnerability in Microsoft Word Could Allow Remote Code Execution (2680352) |
Update Type: Security Update |
Severity: Critical |
Date: 2012-05-08 |
Description: This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted RTF file. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2012-0183 |
Included Updates: 2596880 2596917 2598332 2680352 |
Applies to: Office 2003 Office 2007 |
Bulletin ID: MS12-021 |
Title: Vulnerability in Visual Studio Could Allow Elevation of Privilege (2651019) |
Update Type: Security Update |
Severity: Important |
Date: 2012-05-08 |
Description: This security update resolves one privately reported vulnerability in Visual Studio. The vulnerability could allow elevation of privilege if an attacker places a specially crafted add-in in the path used by Visual Studio and convinces a user with higher privileges to start Visual Studio. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users. | ||||
Vulnerabilities: CVE-2012-0008 |
Included Updates: 2644980 2645410 2651019 2669970 |
Applies to: Visual Studio 2008 Visual Studio 2010 |
Bulletin ID: MS12-028 |
Title: Vulnerability in Microsoft Office Could Allow Remote Code Execution (2639185) |
Update Type: Security Update |
Severity: Important |
Date: 2012-04-10 |
Description: This security update resolves a privately reported vulnerability in Microsoft Office and Microsoft Works. The vulnerability could allow remote code execution if a user opens a specially crafted Works file. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2012-0177 |
Included Updates: 2596871 2639185 2680317 2680326 |
Applies to: Microsoft Works 9 Office 2007 Works 6-9 Converter |
Bulletin ID: MS12-027 |
Title: Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2664258) |
Update Type: Security Update |
Severity: Critical |
Date: 2012-04-10 |
Description: This security update resolves a privately disclosed vulnerability in Windows common controls. The vulnerability could allow remote code execution if a user visits a website containing specially crafted content designed to exploit the vulnerability. In all cases, however, an attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website. The malicious file could be sent as an email attachment as well, but the attacker would have to convince the user to open the attachment in order to exploit the vulnerability. | ||||
Vulnerabilities: CVE-2012-0158 |
Included Updates: 2597112 2598039 2598041 2664258 983808 983809 |
Applies to: Office 2003 Office 2007 Office 2010 SQL Server 2000 |
Bulletin ID: MS06-029 |
Title: Vulnerability in Microsoft Exchange Server Running Outlook Web Access Could Allow Script Injection (912442) |
Update Type: Security Update |
Severity: Important |
Date: 2012-04-04 |
Description: This update resolves a newly discovered, privately reported vulnerability. The vulnerability is documented in the “Vulnerability Details” section of this bulletin. An attacker who successfully exploited the vulnerability could perform script injection attacks. | ||||
Vulnerabilities: CVE-2006-1193 |
Included Updates: 912442 |
Applies to: Exchange 2000 Server Exchange Server 2003 |
Bulletin ID: MS06-019 |
Title: Vulnerability in Microsoft Exchange Could Allow Remote Code Execution (916803) |
Update Type: Security Update |
Severity: Critical |
Date: 2012-04-04 |
Description: This update resolves a newly-discovered, privately-reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. |
Vulnerabilities: CVE-2006-0027 |
Included Updates: 916803 |
Applies to: Exchange 2000 Server Exchange Server 2003 |
Bulletin ID: MS05-048 |
Title: Vulnerability in the Microsoft Collaboration Data Objects Could Allow Remote Code Execution (907245) |
Update Type: Security Update |
Severity: Important |
Date: 2012-04-04 |
Description: This update resolves a newly-discovered, privately-reported vulnerability that could allow an attacker to run arbitrary code on the system. The vulnerability is documented in the “Vulnerability Details” section of this bulletin. |
Vulnerabilities: CAN-2005-1987 |
Included Updates: 901017 906780 907245 |
Applies to: Exchange 2000 Server Windows 2000 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |
Bulletin ID: MS05-035 |
Title: Vulnerability in Microsoft Word Could Allow Remote Code Execution (903672) |
Update Type: Security Update |
Severity: Critical |
Date: 2012-04-04 |
Description: This update resolves a newly-discovered, privately-reported vulnerability. The vulnerability is documented in the “Vulnerability Details” section of this bulletin. |
Vulnerabilities: CAN-2005-0564 |
Included Updates: 895589 903672 |
Applies to: Office 2002/XP |
Bulletin ID: MS05-023 |
Title: Vulnerabilities in Microsoft Word May Lead to Remote Code Execution (890169) |
Update Type: Security Update |
Severity: Critical |
Date: 2012-04-04 |
Description: This update resolves two newly-discovered vulnerabilities in Microsoft Word that could allow an attacker to run arbitrary code on a user's system. The vulnerabilities are documented in the Vulnerability Details section of this bulletin. |
Vulnerabilities: CAN-2004-0963 CAN-2005-0558 |
Included Updates: 887978 890169 |
Applies to: Office 2002/XP Office 2003 |
Bulletin ID: MS05-006 |
Title: Vulnerability in Windows SharePoint Services and SharePoint Team Services Could Allow Cross-Site Scripting and Spoofing Attacks (887981) |
Update Type: Security Update |
Severity: Moderate |
Date: 2012-04-04 |
Description: This update resolves a newly-discovered, privately-reported vulnerability. A cross-site scripting and spoofing vulnerability exists in the affected software that could allow an attacker to convince a user to run a malicious script. The vulnerability is documented in the “Vulnerability Details” section of this bulletin. |
Vulnerabilities: CAN-2005-0049 |
Included Updates: 887981 890829 |
Applies to: Office 2002/XP Windows Server 2003 Windows Server 2003, Datacenter Edition |
Bulletin ID: MS04-027 |
Title: Vulnerability in WordPerfect Converter Could Allow Code Execution (884933) |
Update Type: Security Update |
Severity: Important |
Date: 2012-04-04 |
Description: This update resolves a newly discovered, privately reported vulnerability. A remote code execution vulnerability exists in the WordPerfect 5.x Converter that is provided as part of the affected software. The vulnerability is documented in the Vulnerability Details section of this bulletin. |
Vulnerabilities: CAN-2004-0573 |
Included Updates: 873379 884933 |
Applies to: Office 2002/XP |
Bulletin ID: MS12-022 |
Title: Vulnerability in Expression Design Could Allow Remote Code Execution (2651018) |
Update Type: Security Update |
Severity: Important |
Date: 2012-03-13 |
Description: This security update resolves one privately reported vulnerability in Microsoft Expression Design. The vulnerability could allow remote code execution if a user opens a legitimate file (such as an .xpr or .DESIGN file) that is located in the same network directory as a specially crafted dynamic link library (DLL) file. Then, while opening the legitimate file, Microsoft Expression Design could attempt to load the DLL file and execute any code it contained. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a legitimate file (such as an .xpr or .DESIGN file) from this location that is then loaded by a vulnerable application. |
Vulnerabilities: CVE-2012-0016 |
Included Updates: 2651018 2667724 2667725 2667727 2667730 2675064 |
Applies to: Expression Design 1 Expression Design 2 Expression Design 3 Expression Design 4 |
Bulletin ID: MS12-017 |
Title: Vulnerability in DNS Server Could Allow Denial of Service (2647170) |
Update Type: Security Update |
Severity: Important |
Date: 2012-03-13 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if a remote unauthenticated attacker sends a specially crafted DNS query to the target DNS server. |
Vulnerabilities: CVE-2012-0006 |
Included Updates: 2647170 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 |
Bulletin ID: MS11-067 |
Title: Vulnerability in Microsoft Report Viewer Could Allow Information Disclosure (2578230) |
Update Type: Security Update |
Severity: Important |
Date: 2012-03-13 |
Description: This security update resolves a privately reported vulnerability in Microsoft Report Viewer. The vulnerability could allow information disclosure if a user views a specially crafted Web page. In all cases, however, an attacker would have no way to force a user to visit the Web site. Instead, an attacker would have to persuade a user to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes the user to the vulnerable Web site. |
Vulnerabilities: CVE-2011-1976 |
Included Updates: 2548826 2578230 2579115 |
Applies to: Report Viewer 2005 Visual Studio 2005 |
Bulletin ID: MS11-025 |
Title: Vulnerability in Microsoft Foundation Class (MFC) Library Could Allow Remote Code Execution (2500212) |
Update Type: Security Update |
Severity: Important |
Date: 2012-03-13 |
Description: This security update resolves a publicly disclosed vulnerability in certain applications built using the Microsoft Foundation Class (MFC) Library. The vulnerability could allow remote code execution if a user opens a legitimate file associated with such an affected application, and the file is located in the same network folder as a specially crafted library file. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by the affected application. |
Vulnerabilities: CVE-2010-3190 |
Included Updates: 2467173 2500212 2538218 2538241 2538242 2538243 2542054 2565057 2565063 |
Applies to: Visual Studio 2005 Visual Studio 2008 Visual Studio 2010 |
Bulletin ID: MS12-015 |
Title: Vulnerabilities in Microsoft Visio Viewer 2010 Could Allow Remote Code Execution (2663510) |
Update Type: Security Update |
Severity: Important |
Date: 2012-02-14 |
Description: This security update resolves five privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Visio file. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2012-0019 CVE-2012-0020 CVE-2012-0136 CVE-2012-0137 CVE-2012-0138 |
Included Updates: 2597170 2663510 |
Applies to: Office 2010 |
Bulletin ID: MS12-014 |
Title: Vulnerability in Indeo Codec Could Allow Remote Code Execution (2661637) |
Update Type: Security Update |
Severity: Important |
Date: 2012-02-14 |
Description: This security update resolves one publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a legitimate file (such as an .avi file) that is located in the same directory as a specially crafted dynamic link library (DLL) file. An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2010-3138 |
Included Updates: 2661637 |
Applies to: Windows XP |
Bulletin ID: MS12-012 |
Title: Vulnerability in Color Control Panel Could Allow Remote Code Execution (2643719) |
Update Type: Security Update |
Severity: Important |
Date: 2012-02-14 |
Description: This security update resolves one publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a legitimate file (such as an .icm or .icc file) that is located in the same directory as a specially crafted dynamic link library (DLL) file. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2010-5082 |
Included Updates: 2643719 |
Applies to: Windows Server 2008 Windows Server 2008 R2 |
Bulletin ID: MS12-011 |
Title: Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (2663841) |
Update Type: Security Update |
Severity: Important |
Date: 2012-02-14 |
Description: This security update resolves three privately reported vulnerabilities in Microsoft SharePoint and Microsoft SharePoint Foundation. These vulnerabilities could allow elevation of privilege or information disclosure if a user clicked a specially crafted URL. |
Vulnerabilities: CVE-2012-0017 CVE-2012-0144 CVE-2012-0145 |
Included Updates: 2553413 2597124 2663841 |
Applies to: Office 2010 |
Bulletin ID: MS12-002 |
Title: Vulnerability in Windows Object Packager Could Allow Remote Code Execution (2603381) |
Update Type: Security Update |
Severity: Important |
Date: 2012-01-10 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a legitimate file with an embedded packaged object that is located in the same network directory as a specially crafted executable file. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2012-0009 |
Included Updates: 2603381 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows XP Windows XP x64 Edition |