Security 10809 Published by

Microsoft updated the following two security bulletins:

- MS10-056 - Critical: Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (2269638) - Version:1.3
- MS10-049 - Critical: Vulnerabilities in SChannel could allow Remote Code Execution (980436) - Version:1.1



MS10-056 - Critical: Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (2269638) - Version:1.3
Severity Rating: Critical - Revision Note: V1.3 (September 1, 2010): Added note to the affected software table to inform customers using Word 2007 that in addition to security update package KB2251419, they also need to install the security update package KB2277947 to be protected from the vulnerabilities described in this bulletin.

Summary: This security update resolves four privately reported vulnerabilities in Microsoft Office. The most severe vulnerabilities could allow remote code execution if a user opens or previews a specially crafted RTF e-mail message. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Read more

MS10-049 - Critical: Vulnerabilities in SChannel could allow Remote Code Execution (980436) - Version:1.1
Severity Rating: Critical - Revision Note: V1.1 (September 1, 2010): Corrected the bulletin replacement information for this update. This is an informational change only. There were no changes to the detection logic or the update files.

Summary: This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in the Secure Channel (SChannel) security package in Windows. The more severe of these vulnerabilities could allow remote code execution if a user visits a specially crafted Web site that is designed to exploit these vulnerabilities through an Internet Web browser. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger message that takes users to the attacker's Web site.
Read more