Today Microsoft released 2 bulletins addressing 8 vulnerabilities affecting Windows and Microsoft Office products. Both bulletins are rated Important, meaning some user interaction is needed to exploit the vulnerability and achieve remote code execution. One thing this month’s updates have in common is that both address issues that require some social engineering; there are no network-based attack vectors. However, neither one addresses Advisory 981169, the vulnerability in VBScript pertaining to IE, where a user visiting a specially crafted web page is presented with a popup asking them to press the F1 key, and doing so infects the machine.
MS10-016 affects Windows XP SP2 and SP3, Vista SP1 and SP2, and Windows 7 32-bit and 64-bit versions. It addresses a vulnerability in Movie Maker versions 2.1 and 6.0, which ship with Windows XP and Windows Vista. Version 2.6 is also vulnerable and can be freely downloaded and installed from the web. Users who have version 2.6 installed on a supported version of Windows, including Windows 7, will be offered the update. Movie Maker 2.6 is optional on Windows 7, so if you don’t have it installed you are not affected and don’t need the bulletin. For users who do have it installed, infection requires opening a specially crafted Movie Maker project file.
MS10-016 also affects Microsoft Producer 2003. This is a free download, but it has what Microsoft calls a “limited distribution,” so they are not currently offering an update to resolve the issue.
This seems a little odd to me. No matter how “limited” the distribution, why would you not want to fix the issue? Not only is it a bug in your software, it leaves users vulnerable, and isn’t that what we are trying to prevent? With that said, the current workaround is to disassociate the project file type from the application. This isn’t a complete fix, but Microsoft says it adds an extra layer of security.
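To show what that workaround looks like in practice, here is an added PowerShell example (not from the original post or from Microsoft’s bulletin) that backs up and then removes the file-type association for a project file extension, so double-clicking such a file no longer launches the application. It assumes the Movie Maker project extension is .MSWMM and that the association lives under HKEY_CLASSES_ROOT; adjust $Extension for Producer 2003 or any other application, and run it from an elevated prompt.

```powershell
# Added example: disassociate a project file extension from its application.
# Assumption: the extension is .MSWMM (Movie Maker project); change as needed.
param(
    [string]$Extension = ".MSWMM",
    [string]$BackupDir = "$env:USERPROFILE\assoc-backup"
)

$keyPath = "Registry::HKEY_CLASSES_ROOT\$Extension"

if (-not (Test-Path $keyPath)) {
    Write-Host "No association found for $Extension; nothing to do."
    return
}

# 1. Export the key first so the association can be restored later
#    (double-click the .reg file, or run: reg import <file>).
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backupFile = Join-Path $BackupDir ("HKCR_{0}.reg" -f $Extension.TrimStart("."))
reg.exe export "HKCR\$Extension" "$backupFile" /y | Out-Null
Write-Host "Backed up $Extension association to $backupFile"

# 2. Show which ProgID (application class) the extension currently maps to,
#    which is the link this workaround breaks.
$progId = (Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue).'(default)'
Write-Host "Current ProgID for ${Extension}: $progId"

# 3. Remove the extension key. Files keep their contents; the shell simply
#    no longer knows which program should open them.
Remove-Item -Path $keyPath -Recurse -Force
Write-Host "Removed association for $Extension"
```

Because the association is only a registry pointer, the application itself is untouched and can still open the file through File > Open, which is why this reduces exposure rather than eliminating it; the backup .reg file restores the original behaviour once the application is patched or uninstalled.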
MS10-017 addresses issues in multiple versions of Microsoft Office for both Windows and Mac. On the Windows platform the affected versions are Office XP, 2003 and 2007, along with supported versions of Excel Viewer and SharePoint 2007. The affected Mac versions are Office 2004, Office 2008 and the Open XML File Format Converter for Mac. Exploiting these vulnerabilities requires user interaction: the user must open a specially crafted file.
As always I suggest downloading and installing the bulletins at your earliest convenience.