Microsoft Security – One out-of-band update (Aug-2010)

As we announced on Friday, today we released Security Bulletin MS10-046 out-of-band to address a vulnerability in Windows. This security update addresses a vulnerability in the handling of shortcuts that affects all currently supported versions of Windows XP, Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2. As our colleagues over in the MMPC have noted, several families of malware have been attempting to attack this vulnerability. The security update protects against attempts to exploit this issue. [1]

Bulletin	KB number	Description	Severity	Impact	Software
MS10-046	2286198	Vulnerability in Windows Shell Could Allow Remote Code Execution	Remote Code Execution	Critical	Microsoft Windows

PATCH NOW:
NOW: MS10-046 actively being expolited

LINKS:
[1.] MS10-046 Released Out-of-Band Today (2010-Aug-02) [MS: MSRC]
[2.] Microsoft Out-of-Band bulletin addresses LNK/Shortcut vulnerability (2010-Aug-02) [SANS]

Microsoft Security – One out-of-band update (Mar-2010)

Today we released MS10-018 out-of-band due to increases in attacks against Internet Explorer 6 and Internet Explorer 7 using the vulnerability discussed in Security Advisory 981374. I want to reiterate that Internet Explorer 8 is not affected by this issue so customers using this version are not affected by these attacks and we continue to encourage customers to upgrade to the newer version because it provides more security and protection.
MS10-018 is a typical cumulative update for Internet Explorer and was originally going to be released during the normal update cycle on the 13th of April. The Internet Explorer team accelerated testing of this update due to the growing attacks against the publicly disclosed vulnerability (CVE-2010-0806), and the update has reached the appropriate quality bar for distribution to customers. [1]

Out of Band Patch

Bulletin	KB number	Description	Severity	Impact	Software
MS10-018	980182	Cumulative Security Update for Internet Explorer	Remote Code Execution	Critical	Microsoft Windows, Internet Explorer

PATCH NOW:
NOW: MS10-018

We recommend that customers install the update as soon as it is available. Once applied, customers are protected against the known attacks related to Security Advisory 981374. We have been monitoring this issue and have determined an out-of-band release is needed to protect customers. [2]

This update resolves 10 different vulnerabilities in Internet Explorer, of which the most severe impact can be execution of arbitrary code. All versions of IE from 5.01 to 8.0 are affected to varying degrees. [3]

This security update resolves nine privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. [4]

LINKS:
[1] Security Bulletin MS10-018 Released (2010-Mar-30) [MSRC]
[2] Internet Explorer Cumulative Update Releasing Out-of-Band (2010-Mar-29) [MSRC]
[3] OOB Update for Internet Explorer MS10-018 (2010-Mar-29) [SANS]
[4] Microsoft Security Bulletin Summary for March 2010 (2010-Mar-30) [MS]

CRP10-020

Firefox 2.x users to be pushed 3.01 Update

Fx 2->3 Major Update / Fx 2.0.0.17 / Fx 3.0.2 [1]
Refocusing efforts on delivering a Firefox 2->3 major update within the next week. This will be from Firefox 2.0.0.16 to 3.0.1. We’re tracking some issues that might block the release but otherwise are looking good.

Mozilla will push out an update to all Firefox 2 users that will prompt them to update to version 3.0.1.

… Those continuing to live in blissful ignorance of Firefox 3 will soon be getting an upgrade notification — Mozilla plans to issue automatic upgrade notices to Firefox 2 users, perhaps as soon as next week.
The message will prompt you to install Firefox 3, but of course, if really don’t want to, you can always ignore the notice. … [2]

This may have negative affects for some users as there are reports of bookmark/rss feeds damaged in the upgrade process. There is also the issue of extensions being unavailable for v3.x that still work in 2.16.

Firefox 2.0.0.17/3.0.2 is schedules for final release on September 11 [1], so there is still at least one more upgrade available in the 2.x series. That said we are looking at and end of support in mid-December;

Note: Firefox 2.0.0.x will be maintained with security and stability updates until mid-December, 2008. All users are encouraged to upgrade to Firefox 3. – [Mozilla]

This allows a quarter to complete testing for any key systems/admin systems that have not yet been approved for support with Firefox 3.x

[1] Fx 2->3 Major Update / Fx 2.0.0.17 / Fx 3.0.2 (2008-Aug-18.) [Mozilla Wiki]
[2] Mozilla getting ready to push Firefox 3.0.1 on 2.0 users (2008-Aug-20) [ZDnet]
[3] Mozilla to Push Firefox 3 With Upgrade Notices (2008-Aug-21) [webmonkey]
[4] Mozilla preparing to push Firefox 3 update on all Firefox 2 users (2008-Aug-20) [DownloadSquad]