Public Safety Canada
Symbol of the Government of Canada
Skip to content | Skip to institutional links

Common menu bar links | Liens de navigation communs

Skip Navigation Links Home > Programs > Response > CCIRC > Analytical releases 2010 > AV10-003: Microsoft Security Bulletin for the Month of January

Institutional links

Microsoft Security Bulletin for the Month of January

Number: AV10-003
Date: 12 January 2010

Purpose

The purpose of this advisory is to bring attention to the following vulnerability (critical) in some Microsoft products.

Assessment

Microsoft has released the following security bulletins:

MS10-001 - Critical - Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution (972270)

Details: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user viewed content rendered in a specially crafted Embedded OpenType (EOT) font in client applications that can render EOT fonts, such as Microsoft Internet Explorer, Microsoft Office PowerPoint, or Microsoft Office Word. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Impact: Remote Code Execution
Maximum Severity Rating: Critical
Maximum Exploitability Index: Inconsistent exploit code likely Affected Products: Microsoft Windows CVE reference: CVE-2010-0018

Suggested action

CCIRC recommends that administrators test and deploy these updates at the earliest opportunity. Microsoft has published a risk matrix table to assist organizations in evaluating and prioritizing deployment of these security updates. This table is available at the following URL:

http://blogs.technet.com/msrc/archive/2010/01/12/january-2010-security-bulletin-release.aspx

References:
http://www.microsoft.com/technet/security/bulletin/MS10-jan.mspx
   

Note to Readers

The Canadian Cyber Incident Response Centre (CCIRC) provides a focal point for Canada's cyber threat and vulnerability warning, analysis and response. CCIRC is responsible for assuring the resilience of national critical infrastructure through monitoring threats and coordinating a federal response to cyber security incidents of national interest. CCIRC operates in conjunction with the Government Operations Centre (GOC) within Public Safety Canada and is a key component of the government's all-hazards approach to emergency management and national security.

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: communications@ps-sp.gc.ca

Date Modified: 2010-01-12
Top of Page
Top of Page
Important Notices