News Stay informed about the latest enterprise technology news and product updates.

Microsoft issues 10 security patches, including three 'critical' ones

Microsoft's latest Patch Tuesday security bulletins affect all of its operating systems, Internet Explorer, Microsoft Office and more. Three are rated "critical."

Microsoft released 10 security bulletins today -- three rated "critical," and the remainder rated "important" on the company's severity rating scale. Six of the bulletins address vulnerabilities that Microsoft says could be reliably exploited, including two of the three critical bulletins.

Today's release affects all of Microsoft's Windows operating systems, Internet Explorer, Microsoft Office, Internet Information Services (IIS) and the .NET Framework.

Eight of the 10 bulletins address client-side vulnerabilities, which can be exploited only if a user initiates an action such as visiting a malicious website or opening a malformed document. The other two vulnerabilities can be exploited against Web servers or client applications without any interaction with the end user. More details are below.

Bulletin: MS10-032
Severity: Important
Affected software: All operating systems
Issue: This is a fix for a privilege-escalation attack. If users executes special piece of code on their systems, they can take any actions on their computers, including granting themselves administrative privileges on the local system.

Bulletin: MS10-033
Severity: Critical
Affected software: All operating systems
Issue: If you open a malicious media file or view an evil media stream, an attacker can execute code on your computer. You are safer if you're logged on as a non-administrator (see MS10-032 for ways that an attacker could then run code to become an administrator).

Bulletin: MS10-034
Severity: Critical
Affected software: All operating systems
Issue: If a user visits a malicious website, that site can execute code on his system if one of six ActiveX controls are on his computer. Two of the controls were issued by Microsoft, while the other four were released by third-party vendors including CA, Danske Bank, Kodak and Avaya.

Bulletin: MS10-035
Severity: Critical
Affected software: All versions of Internet Explorer
Issue: If you visit an evil website using Internet Explorer, that site can execute code on your system and read data on your computer or recently visited websites.

Bulletin: MS10-036
Severity: Important
Affected software: All versions of Microsoft Office (prior to Office 2010)
Issue: Opening a malicious document in Word, Excel, PowerPoint, Visio or Publisher could allow an attacker to run code on your system.

Bulletin: MS10-037
Severity: Important
Affected Software: All operating systems
Issue: Similar to MS10-032, users could run a special app that would grant themselves administrative access to their own machines.

Bulletin: MS10-038
Severity: Important
Affected software: All versions of Microsoft Excel prior to Excel 2010
Issue: A long list of vulnerabilities in Excel were fixed by this patch -- any of which could allow an attacker to run code on your system once you open or view a malicious Excel file. Yet another reason not to open files from people you don't know.

Bulletin: MS10-039
Severity: Important
Affected software: Microsoft SharePoint
Issue: If a SharePoint user clicks on a malicious URL, it could allow an attacker (who created the link) to take certain actions on the SharePoint server. Proof-of-concept code for this exploit has been released to the Internet.

Bulletin: MS10-040
Severity: Important
Affected software: IIS 6 and later versions
Issue: IIS Web servers have had very few vulnerabilities over the past few years -- until now. This issue could allow a remote attacker to take over a Web server if that server had installed and enabled the Extended Protection for Authentication feature. One could say this is a security vulnerability introduced by a security feature. Microsoft calls this "important," so if you're running a server with information important enough to protect with Extended Protection, then you should consider this a critical issue.

Bulletin: MS10-041
Severity: Important
Affected software: .NET Framework (all clients)
Issue: Attackers can modify XML-signed files without breaking the signature. This could lead various third-party applications to accept hacked data files as legitimate, especially security applications that use XML signatures to protect their data feeds.

Recommendations for order of installation this month:


  • MS10-033

  • MS10-034

  • MS10-035

  • MS10-040 (if running Extended Protection)

Followed by:

  • MS10-036

  • MS10-038

  • MS10-041


  • MS10-032

  • MS10-037

  • MS10-039

About the author:
Eric Schultze is a principal product manager at Amazon Web Services. Prior to Amazon, Schultze worked at Microsoft, where he helped manage the security bulletin and patch-release process. Schultze likes to forget that he used to work as an internal auditor on Wall Street.

Dig Deeper on Enterprise desktop management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.