Microsoft Security Bulletin Summary for June 2010
Number: AV10-017
Date: 8 June 2010
Purpose
The purpose of this advisory is to bring attention to the monthly Microsoft security bulletin release, which comprises 10 bulletins: 3 rated Critical and 7 rated Important.
Assessment
Microsoft has released the following security bulletins:
MS10-033 - Vulnerabilities in Media Decompression Could Allow Remote Code Execution (979902)
Details: This security update resolves two privately reported vulnerabilities in Microsoft Windows. These vulnerabilities could allow remote code execution if a user opens a specially crafted media file or receives specially crafted streaming content from a Web site or any application that delivers Web content. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Maximum Exploitability Index: 1 - Consistent exploit code likely
Affected Products: Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
CVE reference: CVE-2010-1879, CVE-2010-1880
http://www.microsoft.com/technet/security/bulletin/MS10-033.mspx
MS10-034 - Cumulative Security Update of ActiveX Kill Bits (980195)
Details: This security update addresses two privately reported vulnerabilities for Microsoft software. This security update is rated Critical for all supported editions of Microsoft Windows 2000, Windows XP, Windows Vista, and Windows 7, and Moderate for all supported editions of Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2.
The vulnerabilities could allow remote code execution if a user views a specially crafted Web page that instantiates a specific ActiveX control with Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This update also includes kill bits for four third-party ActiveX controls.
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Maximum Exploitability Index: N/A
Affected Products: Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
CVE reference: CVE-2010-0252, CVE-2010-0811
http://www.microsoft.com/technet/security/bulletin/ms10-034.mspx
MS10-035 - Cumulative Security Update for Internet Explorer (982381)
Details: This security update resolves five privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Maximum Exploitability Index: 1 - Consistent exploit code likely
Affected Products: Internet Explorer 5.01 Service Pack 4, Internet Explorer 6 Service Pack 1, Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8.
CVE reference: CVE-2010-0255, CVE-2010-1257, CVE-2010-1259, CVE-2010-1260, CVE-2010-1261, CVE-2010-1262
http://www.microsoft.com/technet/security/bulletin/ms10-035.mspx
MS10-032 - Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (979559)
Details: This security update resolves two publicly disclosed vulnerabilities and one privately reported vulnerability in the Windows kernel-mode drivers. The vulnerabilities could allow elevation of privilege if a user views content rendered in a specially crafted TrueType font.
Impact of Vulnerability: Elevation of Privilege
Maximum Severity Rating: Important
Maximum Exploitability Index: 1 - Consistent exploit code likely
Affected Products: Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
CVE reference: CVE-2010-0484, CVE-2010-0485, CVE-2010-1255
http://www.microsoft.com/technet/security/bulletin/ms10-032.mspx
MS10-036 - Vulnerability in COM Validation in Microsoft Office Could Allow Remote Code Execution (983235)
Details: This security update resolves a privately reported vulnerability in COM validation in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Excel, Word, Visio, Publisher, or PowerPoint file with an affected version of Microsoft Office. The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful, a user must open an attachment that is sent in an e-mail message.
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Important
Maximum Exploitability Index: 1 - Consistent exploit code likely
Affected Products: Microsoft Office XP, Microsoft Office 2003, 2007 Microsoft Office System.
CVE reference: CVE-2010-1263
http://www.microsoft.com/technet/security/bulletin/MS10-036.mspx
MS10-037 - Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Elevation of Privilege (980218)
Details: This security update resolves a privately reported vulnerability in the Windows OpenType Compact Font Format (CFF) driver. The vulnerability could allow elevation of privilege if a user views content rendered in a specially crafted CFF font. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
Impact of Vulnerability: Elevation of Privilege
Maximum Severity Rating: Important
Maximum Exploitability Index: 2 - Inconsistent exploit code likely
Affected Products: Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
CVE reference: CVE-2010-0819
http://www.microsoft.com/technet/security/bulletin/ms10-037.mspx
MS10-038 - Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (2027452)
Details: This security update resolves fourteen privately reported vulnerabilities in Microsoft Office. The more severe vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Important
Maximum Exploitability Index: 1 - Consistent exploit code likely
Affected Products: Microsoft Office Suites and Components, Microsoft Office for Mac, Other Office Software
CVE reference: CVE-2010-0821, CVE-2010-0822, CVE-2010-0823, CVE-2010-1245, CVE-2010-1246, CVE-2010-1247, CVE-2010-1248, CVE-2010-1249, CVE-2010-1250, CVE-2010-1251, CVE-2010-1252, CVE-2010-1253, CVE-2010-1254
http://www.microsoft.com/technet/security/bulletin/ms10-038.mspx
MS10-039 - Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (2028554)
Details: This security update resolves one publicly disclosed and two privately reported vulnerabilities in Microsoft SharePoint. The most severe vulnerability could allow elevation of privilege if an attacker convinced a user of a targeted SharePoint site to click on a specially crafted link.
Impact of Vulnerability: Elevation of Privilege
Maximum Severity Rating: Important
Maximum Exploitability Index: 1 - Consistent exploit code likely
Affected Products: Microsoft Office Software, Windows SharePoint Services.
CVE reference: CVE-2010-0817, CVE-2010-1257, CVE-2010-1264
http://www.microsoft.com/technet/security/bulletin/ms10-039.mspx
MS10-040 - Vulnerability in Internet Information Services Could Allow Remote Code Execution (982666)
Details: This security update resolves a privately reported vulnerability in Internet Information Services (IIS). The vulnerability could allow remote code execution if a user received a specially crafted HTTP request. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Important
Maximum Exploitability Index: 2 - Inconsistent exploit code likely
Affected Products: Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
CVE reference: CVE-2010-1256
http://www.microsoft.com/technet/security/bulletin/MS10-040.mspx
MS10-041 - Vulnerability in Microsoft .NET Framework Could Allow Tampering (981343)
Details: This security update resolves a publicly disclosed vulnerability in Microsoft .NET Framework. The vulnerability could allow data tampering in signed XML content without being detected. In custom applications, the security impact depends on how the signed content is used in the specific application. Scenarios in which signed XML messages are transmitted over a secure channel (such as SSL) are not affected by this vulnerability.
Impact of Vulnerability: Tampering
Maximum Severity Rating: Important
Maximum Exploitability Index: 3 - Functioning exploit code unlikely
Affected Products: Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
CVE reference: CVE-2009-0217
http://www.microsoft.com/technet/security/bulletin/ms10-041.mspx
Suggested action
CCIRC recommends that administrators test and deploy these updates at the earliest opportunity. Microsoft has published a risk matrix table to assist organizations in evaluating and prioritizing deployment of these security updates. This table is available at the following URL:
http://blogs.technet.com/b/srd/archive/2010/06/08/assessing-the-risk-of-the-june-security-bulletins.aspx
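As an added example (not part of the CCIRC advisory or of Microsoft's own tooling), the following PowerShell inventories a host against the bulletin-level KB numbers listed above, so an administrator can see at a glance which of the ten bulletins is not yet reflected on a machine. It assumes PowerShell 2.0 or later with the Get-HotFix cmdlet available. Two caveats apply: Get-HotFix reports only updates registered in Win32_QuickFixEngineering, so Office updates such as MS10-036, MS10-038 and MS10-039 are normally not visible to it, and the per-platform package KB for a bulletin can differ from the bulletin-level KB the advisory cites, so a "False" here means "not found under that KB" and should be confirmed against the package list in the bulletin itself.

```powershell
# Added example, not from the advisory: compare installed hotfixes with the
# bulletin-level KB numbers cited in the June 2010 CCIRC summary.
# Assumes PowerShell 2.0+ (Get-HotFix). Office (MSI/MSP) updates are generally
# not listed by Get-HotFix, and per-platform package KBs may differ from the
# bulletin KB, so treat Found = False as "verify in the bulletin", not "missing".

$script:JuneBulletins = @{
    'MS10-032' = '979559'   # Windows kernel-mode drivers (EoP)
    'MS10-033' = '979902'   # Media decompression (RCE)
    'MS10-034' = '980195'   # ActiveX kill bits (RCE)
    'MS10-035' = '982381'   # Internet Explorer cumulative (RCE)
    'MS10-036' = '983235'   # Office COM validation (RCE)
    'MS10-037' = '980218'   # OpenType CFF driver (EoP)
    'MS10-038' = '2027452'  # Excel (RCE)
    'MS10-039' = '2028554'  # SharePoint (EoP)
    'MS10-040' = '982666'   # IIS (RCE)
    'MS10-041' = '981343'   # .NET Framework signed XML (Tampering)
}

function Get-BulletinStatus {
    param(
        [hashtable]$Bulletins = $script:JuneBulletins
    )

    # HotFixID values look like "KB979902"; strip the prefix for comparison.
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID -replace '^KB', '' }

    foreach ($id in ($Bulletins.Keys | Sort-Object)) {
        $kb = $Bulletins[$id]
        New-Object PSObject -Property @{
            Bulletin = $id
            KB       = "KB$kb"
            Found    = ($installed -contains $kb)
        }
    }
}

# Usage: list every bulletin, unresolved ones first.
Get-BulletinStatus | Sort-Object Found, Bulletin | Format-Table Bulletin, KB, Found -AutoSize
```

For a fleet, wrap Get-BulletinStatus in Invoke-Command against a list of hosts and filter on Found -eq $false; the output objects are plain PSObjects, so they export cleanly to CSV for tracking against the risk matrix linked above.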
References:
http://www.microsoft.com/technet/security/bulletin/ms10-jun.mspx
Note to Readers
The Canadian Cyber Incident Response Centre (CCIRC) provides a focal point for Canada's cyber threat and vulnerability warning, analysis and response. CCIRC is responsible for assuring the resilience of national critical infrastructure through monitoring threats and coordinating a federal response to cyber security incidents of national interest. CCIRC operates in conjunction with the Government Operations Centre (GOC) within Public Safety Canada and is a key component of the government's all-hazards approach to emergency management and national security.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: communications@ps-sp.gc.ca