Microsoft's June Patch Tuesday
While Microsoft has released the scheduled ten patch packages on its June Patch Tuesday, the vendor has only closed 30 of the 34 security holes that were originally announced. It remains unclear which of the flaws have not been fixed. The security fixes that have been released affect all supported versions of Windows and IE, IIS 6.0 to 7.5, SharePoint, and MS Office XP, 2003 and 2007.
Microsoft rates the updates for several decompression modules in DirectShow (MS10-033) and Internet Explorer (MS10-034 and MS10-035) as "critical". The remaining updates for various Windows kernel drivers (MS10-032), Microsoft Office (MS10-036 and MS10-038), the OpenType Compact Format Font driver (MS10-037), SharePoint (MS10-039), IIS (MS10-040) and the .NET Framework (MS10-041) have been rated at the second highest level, "important".
The developers appear to have taken extra care with Excel, fixing 13 flaws in this Office component alone. Most of the holes allow attackers to inject arbitrary malicious code, for instance when opening specially crafted files or when browsing with Internet Explorer. The Windows kernel driver vulnerabilities enable attackers to elevate already existing access privileges.
While the Internet Storm Center (ISC) says that no exploits for the flaws have so far been circulated, Microsoft anticipates that reliable exploits will, for instance, appear for the vulnerabilities in Office. As the holes in the Media Decompression modules of Windows and IE have been rated critical, users are advised to update immediately. End users and administrators can install the patches via the usual update mechanism or via WSUS.
- Microsoft Security Bulletin Summary for June 2010, Advisory from Microsoft