Microsoft June Patch Summary

As expected, Microsoft has released 10 patches for 34 vulnerabilities. Summary: Get the relevant patches tested and applied as quickly as you can.

MS10-032  describes 3 vulnerabilities affecting Windows Kernel-Mode drivers.  1 of the vulnerabilities (CVE-2010-0485) was publicly disclosed prior to the release of this bulletin.

MS10-033 describes 2 critical vulnerabilities affecting all versions of Windows. Both vulnerabilities were responsibly disclosed; however, media-related vulnerabilities are generally prime candidates for reverse engineering and exploit development efforts.

MS10-034  ActiveX Kill Bits are always a regular part of Microsoft’s Patch Tuesday strategy.  I hope that their provisioning is a stop-gap containment effort, and that they are not considered a fix unto themselves.  In addition to 5 third-party class IDs, Microsoft is adding kill bits for 2 of its own products, Data Analyzer and IE8 Developer Tools.  It is important to note that even if the software does not exist on a system, adding the kill bits remains an important part of in-depth security, in case the controls are installed at a later date.

MS10-035  This IE cumulative patch addresses 6 vulnerabilities including the public CVE-2010-0255, and the IE8 PWN2OWN bug.  Patch this one immediately.

MS10-036  This bulletin addresses a single vulnerability affecting Excel, PowerPoint, Word, Publisher and Visio components of Office 2003 and 2007, as well as Office XP, 2003 and 2007.

MS10-037  A single vulnerability affecting OpenType CFF Fonts which could lead to elevation of privilege.

MS10-038  addresses a whopping 14 vulnerabilities.

MS10-039  addresses 3 vulnerabilities in SharePoint and InfoPath, including the public SharePoint XSS that was receiving some attention a couple of months ago.

MS10-040  fixes a single vulnerability in IIS.   IIS is only vulnerable in a specific configuration, where Extended Protection for Authentication is enabled and Windows credentials are used for authentication.  It is still recommended that all IIS users apply this update in case their configuration is later modified.

MS10-041  patches a single vulnerability related to a specific .NET method that could be subject to authentication bypass.  Content protected by a XML Signature verified using the affected method could potentially be tampered with and replaced with new content.
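The bulletin title for CVE-2009-0217 names HMAC truncation as the root cause. As an added example (not Microsoft's code and not part of the original post), the following contrasts a verifier that trusts the truncation length declared in the signed message with one that enforces the floor from the W3C XML Signature specification (at least 80 bits and at least half the hash output). HMAC-SHA256, the function names and the sample data are assumptions made for illustration.

```python
import hashlib
import hmac

# Floor from the W3C XML Signature specification, tightened in response to
# CVE-2009-0217: a truncated HMAC must keep at least 80 bits and at least
# half of the underlying hash output.
MIN_ABSOLUTE_BITS = 80


def expected_tag(key: bytes, signed_info: bytes, bits: int) -> bytes:
    """HMAC-SHA256 over signed_info, truncated to the leftmost `bits` bits."""
    return hmac.new(key, signed_info, hashlib.sha256).digest()[: bits // 8]


def verify_unchecked(key: bytes, signed_info: bytes, tag: bytes, output_bits: int) -> bool:
    """Models the flaw: the length declared inside the message is trusted."""
    return hmac.compare_digest(expected_tag(key, signed_info, output_bits), tag)


def verify_hardened(key: bytes, signed_info: bytes, tag: bytes, output_bits: int) -> bool:
    """Rejects declared lengths below the floor before comparing anything."""
    full_bits = hashlib.sha256().digest_size * 8
    floor = max(MIN_ABSOLUTE_BITS, full_bits // 2)
    if output_bits % 8 or not floor <= output_bits <= full_bits:
        return False
    if len(tag) != output_bits // 8:
        return False
    return hmac.compare_digest(expected_tag(key, signed_info, output_bits), tag)


# Constructed sample data, not taken from any real document.
KEY = b"constructed-shared-secret"
ORIGINAL = b"<SignedInfo>amount=10</SignedInfo>"
TAMPERED = b"<SignedInfo>amount=9999</SignedInfo>"

if __name__ == "__main__":
    full = expected_tag(KEY, ORIGINAL, 256)
    print("hardened, full tag:     ", verify_hardened(KEY, ORIGINAL, full, 256))
    print("unchecked, 0-bit tag:   ", verify_unchecked(KEY, TAMPERED, b"", 0))
    print("hardened, 0-bit tag:    ", verify_hardened(KEY, TAMPERED, b"", 0))
```

When reviewing code that verifies HMAC-based XML signatures, the thing to look for is whether the truncation length is bounded by the verifier rather than taken from the document being verified.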

| Bulletin | Vulnerability | CVE |
|---|---|---|
| MS10-032 | Win32k Improper Data Validation Vulnerability | CVE-2010-0484 |
| MS10-032 | Win32k Window Creation Vulnerability | CVE-2010-0485 |
| MS10-032 | Win32k TrueType Font Parsing Vulnerability | CVE-2010-1255 |
| MS10-033 | Media Decompression Vulnerability | CVE-2010-1879 |
| MS10-033 | MJPEG Media Compression Vulnerability | CVE-2010-1880 |
| MS10-034 | Microsoft Data Analyzer ActiveX Control Vulnerability | CVE-2010-0252 |
| MS10-034 | Microsoft Internet Explorer 8 Developer Tools Vulnerability | CVE-2010-0811 |
| MS10-035 | Cross-Domain Information Disclosure Vulnerability | CVE-2010-0255 |
| MS10-035 | toStaticHTML Information Disclosure Vulnerability | CVE-2010-1257 |
| MS10-035 | Uninitialized Memory Corruption Vulnerability I | CVE-2010-1259 |
| MS10-035 | HTML Element Memory Corruption Vulnerability | CVE-2010-1260 |
| MS10-035 | Uninitialized Memory Corruption Vulnerability II | CVE-2010-1261 |
| MS10-035 | Memory Corruption Vulnerability | CVE-2010-1262 |
| MS10-036 | COM Validation Vulnerability | CVE-2010-1263 |
| MS10-037 | OpenType CFF Font Driver Memory Corruption Vulnerability | CVE-2010-0819 |
| MS10-038 | Excel Record Parsing Memory Corruption Vulnerability | CVE-2010-0821 |
| MS10-038 | Excel Object Stack Overflow Vulnerability | CVE-2010-0822 |
| MS10-038 | Excel Memory Corruption Vulnerability I | CVE-2010-0823 |
| MS10-038 | Excel Record Memory Corruption Vulnerability I | CVE-2010-0824 |
| MS10-038 | Excel Record Memory Corruption Vulnerability II | CVE-2010-1245 |
| MS10-038 | Excel RTD Memory Corruption Vulnerability | CVE-2010-1246 |
| MS10-038 | Excel Memory Corruption Vulnerability II | CVE-2010-1247 |
| MS10-038 | Excel HFPicture Memory Corruption Vulnerability | CVE-2010-1248 |
| MS10-038 | Excel Memory Corruption Vulnerability III | CVE-2010-1249 |
| MS10-038 | Excel EDG Memory Corruption Vulnerability | CVE-2010-1250 |
| MS10-038 | Excel Record Stack Corruption Vulnerability | CVE-2010-1251 |
| MS10-038 | Excel String Variable Vulnerability | CVE-2010-1252 |
| MS10-038 | Excel ADO Object Vulnerability | CVE-2010-1253 |
| MS10-038 | Mac Office Open XML Permissions Vulnerability | CVE-2010-1254 |
| MS10-039 | Help.aspx XSS Vulnerability | CVE-2010-0817 |
| MS10-039 | toStaticHTML Information Disclosure Vulnerability | CVE-2010-1257 |
| MS10-039 | SharePoint Help Page Denial of Service Vulnerability | CVE-2010-1264 |
| MS10-040 | IIS Authentication Memory Corruption Vulnerability | CVE-2010-1256 |
| MS10-041 | XML Signature HMAC Truncation Authentication Bypass Vulnerability | CVE-2009-0217 |

Recommendation:  Test and patch, as always.
