Qualys Blog

www.qualys.com
wkandek

Patch Tuesday Bottomline – November 2010

Microsoft’s November Bulletin is relatively light: it contains one update rated "critical" and two rated "important." The "critical" update affects Microsoft Office 2007 and 2010, while the "important" updates affect PowerPoint and Microsoft Forefront Unified Access Gateway. Microsoft did not release an update for the Internet Explorer zero-day vulnerability for which it released an advisory and Fix-it link last week.

MS10-087 addresses a code execution vulnerability that attackers can use in a drive-by download scenario, where no user interaction is required to exploit it. Attackers can do this by sending a specially crafted RTF mail message. The preview pane in Outlook 2007 or 2010 will incorrectly interpret the RTF, allowing the attacker to take over the system. This bulletin also includes a fix for the DLL planting issue for which Microsoft released advisory 2269637 in August. The issue is caused by applications passing an insufficiently qualified path when loading external libraries. After today’s fix, Microsoft Office will use a secure search order when loading libraries.
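To make the DLL planting issue concrete, the following added example (not code from this post or from Microsoft) models how a library name without a path is resolved, and compares a search order that includes the current directory with one that skips it. The install path, the share, the file names, and the reading of "secure search order" as "skip the current directory" are assumptions; PATH directories are left out for brevity.

```python
# Added example: simplified model of library search order, not Microsoft's code.
from ntpath import isabs, join, normcase

APP_DIR = r"C:\Program Files\Microsoft Office\Office12"  # assumed install path
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]

# Constructed file system: the share holds a document and a library beside it.
FS = {normcase(p) for p in [
    APP_DIR + r"\mso.dll",
    r"C:\Windows\System32\kernel32.dll",
    r"\\fileserver\projects\helper.dll",   # hypothetical planted file
]}
CWD = r"\\fileserver\projects"  # current directory after opening a document there


def search_order(cwd, include_cwd=True):
    """Directories probed, in order, for a name that carries no path."""
    order = [APP_DIR] + SYSTEM_DIRS
    return order + [cwd] if include_cwd else order


def resolve(name, cwd=CWD, include_cwd=True, fs=FS):
    """Return the path that would be loaded, or None if nothing matches."""
    if isabs(name):  # fully qualified request: no directory search happens
        return name if normcase(name) in fs else None
    for directory in search_order(cwd, include_cwd):
        candidate = join(directory, name)
        if normcase(candidate) in fs:
            return candidate
    return None


def reaches_cwd(name, cwd=CWD, fs=FS):
    """Audit check: does an unqualified load fall through to the current directory?"""
    return not isabs(name) and resolve(name, cwd, include_cwd=False, fs=fs) is None


if __name__ == "__main__":
    for lib in ("mso.dll", "helper.dll", r"C:\Windows\System32\kernel32.dll"):
        print(f"{lib}: legacy={resolve(lib)} hardened={resolve(lib, include_cwd=False)} "
              f"reaches_cwd={reaches_cwd(lib)}")
```

Only the unqualified name that is missing from the application and system directories is picked up from the share, which is why a fully qualified path or a search order without the current directory closes the gap.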

MS10-088 addresses a code execution vulnerability that affects PowerPoint 2002 and 2003. MS10-089 is an update for Forefront Unified Access Gateway, which is an SSL VPN. Without the fix, an administrator who clicks a malicious XSS link could trigger code execution, allowing attackers to create users or change settings on the Forefront server.
