Microsoft Security Bulletin Summary – November 2010

Microsoft has released three security bulletins, covering 11 vulnerabilities, with one rated as Critical and the other two, as Important.

The first one is the MS10-087, which resolves five issues – one public and four private, affecting all currently supported Microsoft Office products.

This security update is rated Critical for Microsoft Office 2007 and Microsoft Office 2010, due to a preview pane vector in Outlook that could trigger the vulnerability when a customer views a specially crafted malicious RTF (Rich Text Format) file.

It is also rated Important for all supported editions of Microsoft Office XP, Microsoft Office 2003, Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Microsoft Office for Mac 2011, as well as Open XML File Format Converter for Mac.

The update also targets an Office vector for the vulnerability described in Security Advisory 2269637 – a vector that affects the way that applications load external libraries.

This is caused by insecure programming practices that allow "binary planting" or "DLL preloading attacks", which lets an attacker remotely execute arbitrary code when the user runs the vulnerable application by opening a file from an untrusted location.

MS10-087 is Microsoft's top priority bulletin for setup in November and has an Exploit ability Index rating of 1.

The second security bulletin is MS10-088, and it takes care of two vulnerabilities in Microsoft PowerPoint, that could allow remote code execution.

By preventing the remote code execution, the bulletin keeps a potential attacker from taking complete control of the system – installing programs, view, modify or delete data, or create accounts with full user rights.

This security update is rated Important for supported editions of Microsoft PowerPoint 2002, Microsoft PowerPoint 2003, and Microsoft Office 2004 for Mac, as well as for Microsoft PowerPoint Viewer 2007 Service Pack 2, and Bink gives its deployment a rating of 2.

Finally, the MS10-089 resolves four cooperatively disclosed vulnerabilities in Unified Access Gateway(UAG), a part of Microsoft Forefront.

The most serious of them could allow elevation of privilege if a user visits an affected Web site using a specially crafted URL, so the security update changes the way that the UAG handles input and redirects verification.

It is rated Important for all supported versions of Forefront Unified Access Gateway 2010.