Patch Tuesday Bottomline – June 2010
- Tuesday, June 8, 2010, 10:22
- Threat Research
June is a big month for Microsoft patches: there are 10 bulletins covering 34 vulnerabilities. Four bulletins address 0-day issues, the most significant being MS10-035, which fixes the 0-day published by Core Security, an information disclosure vulnerability originally published in February 2010. It also fixes the Pwn2Own vulnerability that security researcher Peter Vreugdenhil used to win ZDI's competition at CanSecWest; it is not a 0-day, but it is high profile because it bypassed all built-in protections such as DEP and ASLR by combining multiple attack methods. MS10-039 addresses a second 0-day, the SharePoint vulnerability described by Microsoft in KB983438. MS10-032 and MS10-041 are the additional updates that fix previously disclosed vulnerabilities.
The most critical bulletins this month are MS10-035 for Internet Explorer, MS10-033 for DirectShow, and MS10-038 for Excel in Microsoft Office. All versions of IE, including IE8, are affected by MS10-035. The update covers 6 vulnerabilities, 2 of them critical, and has an overall exploitability index of 1, indicating that an exploit is expected within 30 days. MS10-033 addresses a vulnerability in the MJPEG codec that affects a large number of Microsoft products, but its main attack vector will be media files delivered over the Internet to Windows Media Player or IE. Excel has 14 vulnerabilities covered by MS10-038, with ...