Microsoft has released three security bulletins, covering 11 vulnerabilities, with one rated as Critical and the other two, as Important.

The first one is the MS10-087, which resolves five issues – one public and four private, affecting all currently supported Microsoft Office products.

This security update is rated Critical for Microsoft Office 2007 and Microsoft Office 2010, due to a preview pane vector in Outlook that could trigger the vulnerability when a customer views a specially crafted malicious RTF (Rich Text Format) file.

It is also rated Important for all supported editions of Microsoft Office XP, Microsoft Office 2003, Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Microsoft Office for Mac 2011, as well as Open XML File Format Converter for Mac. More »

Microsoft plans to plug no less than 34 security holes in Windows, office and Internet Explorer come June 8th, 2010. The move is part of the company’s monthly patch cycle scheduled for release on patch-Tuesday, the second Tuesday of every month.

There will be a total of 10 security bulletins as a part of the June update release, three of which carry the maximum severity rating of Critical, meaning that they are designed to patch vulnerabilities, which, in the eventuality of a successful exploit could allow attackers to perform remote code execution on a vulnerable system.

“Six of the bulletins affect Windows; of those, two carry a Critical severity rating and four are rated Important. Two bulletins, both with a severity rating of Important, affect Microsoft Office. One bulletin, again with a severity rating of Important, affects both Windows and Office. More »

While a vulnerability does exist in the latest Windows client and server platforms with Aero enabled, actually getting exploit code to work and performing successful attacks are not likely to happen. Microsoft downplayed the risk users of Windows 7 64-bit, Windows Server 2008 R2 for 64-bit systems and Windows Server 2008 R2 Itanium systems were exposed to, indicating that the new zero-day, for which details had been disclosed in the wild, was extremely hard to exploit. At the same time, the Redmond company underlined that it was not aware of any attacks targeting the flaw, or of exploit code capable of reaching execution.

Jerry Bryant, group manager, Response Communications, Microsoft, revealed that the new security hole resided in the Windows Canonical Display Driver (cdd.dll). Microsoft has already published Security Advisory 2028859, informing customers of the issue and offering advice on how to stay protected until a patch is offered. More »

Microsoft has reacted rapidly to public reports of a zero-day denial-of-service vulnerability in its latest iterations of the Windows client and server operating systems, and is providing customers with guidance on how to block potential attempts to take advantage of the security flaw. In this regard, the Redmond company has underlined that no exploits or attacks have been detected for the denial-of-service (DoS) hole in the Microsoft Server Message Block (SMB) Protocol impacting both SMBv1 and SMBv2 in Windows 7 and Windows Server 2008 R2. However, Proof of Concept (PoC) code was irresponsibly published in the wild, making it extremely easy for attackers to build exploits putting at risk users of Windows 7.

“Microsoft is aware of public, detailed exploit code that would cause a system to stop functioning or become unreliable. If exploited, this DoS vulnerability would not allow an attacker to take control of, or install malware on, the customer’s system but could cause the affected system to stop responding until manually restarted. It is important to note that the default firewall settings on Windows 7 will help block attempts to exploit this issue,” Dave Forstrom, group manager, public relations, Microsoft Trustworthy Computing, revealed. “The company is not aware of attacks to exploit the reported vulnerability at this time.” More »

Microsoft released no less than eight security bulletins for the various supported releases of Windows client and server operating systems, including for the latest service packs of Windows Vista and Windows XP. Out of the total of patch packages impacting Windows, half feature a maximum severity rating of Critical, with the remaining four being rated as Important. The security updates are available through Windows Update since August 11, 2009, and customers are advised to deploy the patches as soon as possible in order to bulletproof their systems against attacks.

“Of note, Microsoft released MS09-043 to help protect customers from attacks on the Office Web Components vulnerability previously addressed by Security Advisory 973472. I also wanted to let you know that MS09-037 addresses five privately reported vulnerabilities in Microsoft Active Template Library (ATL). Security Advisory 973882 has been updated with a reference to MS09-037. Additionally, Microsoft has released Security Advisory 973811 to include a non-security update that enables new protection technology on the Windows platform,” revealed Christopher Budd, security response communications lead for Microsoft. More »