Softpedia
 


September 15th, 2010, 09:36 GMT · By

Microsoft Patches Eleven Vulnerabilities in Windows, IIS and Office



New security updates available for Windows and other Microsoft products
Microsoft has released security updates to address eleven vulnerabilities in Windows, Internet Information Services (IIS) and Microsoft Office, including four of critical impact.

It's worth noting that none of the security bulletins rated as critical apply to the Windows 7 or Windows Server 2008 R2 products.

"This is due to security enhancements such as additional heap mitigations built into the newer operating systems," explains Jerry Bryant, Microsoft's Group Manager of Response Communications.

Microsoft advises system administrators to prioritize the MS10-061 and MS10-062 updates in their patch deployment process, since the vulnerabilities covered by these two security bulletins carry the highest risks and highest exploitability index rating (1).

MS10-061 in particular refers to a vulnerability in the Print Spooler Service (CVE-2010-2729), which is actively exploited in the wild by a sophisticated piece of malware dubbed Stuxnet.

Microsoft has learned of this issue and investigated it with the help of researchers from antivirus vendors Kaspersky Lab and Symantec.

The vulnerability described in MS10-062 and identified as CVE-2010-0818 was reported privately to Microsoft by Matthew Watchinski of Sourcefire VRT and is located in the MPEG-4 Codec.

This issue is rated critical for Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008.

It can be exploited to launch drive-by download attacks by tricking users into opening a maliciously crafted media file or stream.

MS10-063 and MS10-064 also cover critical remote code execution flaws in Windows and Microsoft Office, but their exploitability index is lower because successful attacks require special conditions.

The rest of the vulnerabilities addressed by MS10-065, MS10-066, MS10-067, MS10-068 and MS10-069 have a maximum security rating of Important.

"Since every environment is different, we do recommend that customers evaluate accordingly and apply the updates as soon as possible," notes Mr. Bryant.

Microsoft is also releasing two Security Advisories to provide workarounds or information about a privilege escalation issue in Outlook Web Access (OWA) and a new Windows feature, which enables Outlook Express and Windows Mail to opt in to Extended Protection for Authentication.
