Microsoft Security Bulletin for the Month of March
Number: AV10-008
Date: 9 March 2010
Purpose
The purpose of this advisory is to bring attention to the two Microsoft security bulletins for March, both rated Important, which together address 8 vulnerabilities.
Assessment
Microsoft has released the following security bulletins:
MS10-016 - Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (975561)
Details: This security update addresses a privately reported vulnerability in Windows Movie Maker and Microsoft Producer 2003. Windows Live Movie Maker, which is available for Windows Vista and Windows 7, is not affected by this vulnerability. The vulnerability could allow remote code execution if an attacker sent a specially crafted Movie Maker or Microsoft Producer project file and convinced the user to open the specially crafted file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Important
Maximum Exploitability Index: 2 - Consistent exploit code likely
Affected Products: Movie Maker 2.1 on Windows XP Service Pack 2 & 3 and Windows XP Professional x64 Service Pack 2. Movie Maker 2.6 on Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2, Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2, and Windows 7 for 32-bit and x64-based Systems. Movie Maker 6.0 on Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2, Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2. Microsoft Producer 2003.
CVE reference: CVE-2010-0265
http://www.microsoft.com/technet/security/bulletin/ms10-016.mspx
MS10-017 - Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (980150)
Details: This security update resolves seven privately reported vulnerabilities in Microsoft Office Excel. The vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Important
Maximum Exploitability Index: Consistent exploit code likely
Affected Products: Microsoft Office XP Service Pack 3, Microsoft Office 2003 Service Pack 3, 2007 Microsoft Office System Service Pack 1, 2007 Microsoft Office System Service Pack 2, Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, Open XML File Format Converter for Mac, Microsoft Office Excel Viewer Service Pack 1 and Microsoft Office Excel Viewer Service Pack 2, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1 and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2, Microsoft Office SharePoint Server 2007 Service Pack 1 & 2 (32-bit & 64-bit editions).
CVE reference: CVE-2010-0257, CVE-2010-0258, CVE-2010-0260, CVE-2010-0261, CVE-2010-0262, CVE-2010-0263, CVE-2010-0264
http://www.microsoft.com/technet/security/Bulletin/MS10-017.mspx
Suggested action
CCIRC recommends that administrators test and deploy these updates at the earliest opportunity. Microsoft has published a risk matrix table to assist organizations in evaluating and prioritizing deployment of these security updates. This table is available at the following URL:
http://blogs.technet.com/msrc/archive/2010/03/09/march-2010-security-bulletin-release.aspx
References:
http://www.microsoft.com/technet/security/bulletin/MS10-mar.mspx
Note to Readers
The Canadian Cyber Incident Response Centre (CCIRC) provides a focal point for Canada's cyber threat and vulnerability warning, analysis and response. CCIRC is responsible for assuring the resilience of national critical infrastructure through monitoring threats and coordinating a federal response to cyber security incidents of national interest. CCIRC operates in conjunction with the Government Operations Centre (GOC) within Public Safety Canada and is a key component of the government's all-hazards approach to emergency management and national security.