Microsoft Security Bulletin MS10-018 - Critical

<http://www.microsoft.com/technet/security/Bulletin/MS10-018.mspx>

Cumulative Security Update for Internet Explorer (980182)
Published: March 30, 2010

This security update resolves nine privately reported vulnerabilities
and one publicly disclosed vulnerability in Internet Explorer. The
most severe vulnerabilities could allow remote code execution if a
user views a specially crafted Web page using Internet Explorer. Users
whose accounts are configured to have fewer user rights on the system
could be less impacted than users who operate with administrative user
rights.

This security update is rated Critical for all supported releases of
Internet Explorer: Internet Explorer 5.01, Internet Explorer 6 Service
Pack 1, Internet Explorer 6 on Windows clients, Internet Explorer 7,
and Internet Explorer 8 on Windows clients. For Internet Explorer 6 on
Windows servers, this update is rated Important. And for Internet
Explorer 8 on Windows servers, this update is rated Moderate. For more
information, see the subsection, Affected and Non-Affected Software,
in this section.
0
Reply Wintrolls 3/31/2010 5:00:00 PM


"Wintrolls Lie" <wintrolls.lie@gmail.com> wrote in message 
news:zY2dnRA34-YN4i7WnZ2dnUVZ_gSdnZ2d@supernews.com...
> <http://www.microsoft.com/technet/security/Bulletin/MS10-018.mspx>
>
> Cumulative Security Update for Internet Explorer (980182)
> Published: March 30, 2010
>
> This security update resolves nine privately reported vulnerabilities
> and one publicly disclosed vulnerability in Internet Explorer. The
> most severe vulnerabilities could allow remote code execution if a
> user views a specially crafted Web page using Internet Explorer. Users
> whose accounts are configured to have fewer user rights on the system
> could be less impacted than users who operate with administrative user
> rights.


Cool.  Should I install this update before or after these critical Firefox 
updates that were announced the same day?

Title: Remote code execution with use-after-free in nsTreeSelection
Impact: Critical
Announced: March 30, 2010
Reporter: regenrecht (via TippingPoint's Zero Day Initiative)
Products: Firefox, Thunderbird, SeaMonkey

Title: Crashes with evidence of memory corruption (rv:1.9.2.2/ 1.9.1.9/ 
1.9.0.19)
Impact: Critical
Announced: March 30, 2010
Reporter: Mozilla developers and community
Products: Firefox, Thunderbird, SeaMonkey

Title: Arbitrary code execution with Firebug XMLHttpRequestSpy
Impact: High
Announced: March 30, 2010
Reporter: moz_bug_r_a4
Products: Firefox, SeaMonkey

Title: Dangling pointer vulnerability in nsTreeContentView
Impact: Critical
Announced: March 30, 2010
Reporter: regenrecht (via TippingPoint's Zero Day Initiative)
Products: Firefox, Thunderbird, SeaMonkey
 

0
Reply Ezekiel 3/31/2010 5:08:36 PM


"Ezekiel" <Me@Not-there.com> writes:

> "Wintrolls Lie" <wintrolls.lie@gmail.com> wrote in message 
> news:zY2dnRA34-YN4i7WnZ2dnUVZ_gSdnZ2d@supernews.com...
>> <http://www.microsoft.com/technet/security/Bulletin/MS10-018.mspx>
>>
>> Cumulative Security Update for Internet Explorer (980182)
>> Published: March 30, 2010
>>
>> This security update resolves nine privately reported vulnerabilities
>> and one publicly disclosed vulnerability in Internet Explorer. The
>> most severe vulnerabilities could allow remote code execution if a
>> user views a specially crafted Web page using Internet Explorer. Users
>> whose accounts are configured to have fewer user rights on the system
>> could be less impacted than users who operate with administrative user
>> rights.
>
> Cool.  Should I install this update before or after these critical Firefox 
> updates that were announced the same day?
>
> Title: Remote code execution with use-after-free in nsTreeSelection
> Impact: Critical
> Announced: March 30, 2010
> Reporter: regenrecht (via TippingPoint's Zero Day Initiative)
> Products: Firefox, Thunderbird, SeaMonkey
>
> Title: Crashes with evidence of memory corruption (rv:1.9.2.2/ 1.9.1.9/ 
> 1.9.0.19)
> Impact: Critical
> Announced: March 30, 2010
> Reporter: Mozilla developers and community
> Products: Firefox, Thunderbird, SeaMonkey
>
> Title: Arbitrary code execution with Firebug XMLHttpRequestSpy
> Impact: High
> Announced: March 30, 2010
> Reporter: moz_bug_r_a4
> Products: Firefox, SeaMonkey
>
> Title: Dangling pointer vulnerability in nsTreeContentView
> Impact: Critical
> Announced: March 30, 2010
> Reporter: regenrecht (via TippingPoint's Zero Day Initiative)
> Products: Firefox, Thunderbird, SeaMonkey

Or in March these were serious enough for Debian to issue vulnerability warnings

[31 Mar 2010] DSA-2025 icedove
    several vulnerabilities
[31 Mar 2010] DSA-2024 moin
    insufficient input sanitising
[28 Mar 2010] DSA-2023 curl
    buffer overflow
[23 Mar 2010] DSA-2022 mediawiki
    several vulnerabilities
[22 Mar 2010] DSA-2021 spamass-milter
    missing input sanitization
[20 Mar 2010] DSA-2020 ikiwiki
    insufficient input sanitization
[20 Mar 2010] DSA-2019 pango1.0
    missing input sanitization
[18 Mar 2010] DSA-2018 php5
    DoS (crash)
[15 Mar 2010] DSA-2017 pulseaudio
    insecure temporary directory
[15 Mar 2010] DSA-2015 drbd8
    privilege escalation
[13 Mar 2010] DSA-2016 drupal6
    several vulnerabilities
[12 Mar 2010] DSA-2014 moin
    several vulnerabilities
[11 Mar 2010] DSA-2013 egroupware
    several vulnerabilities
[11 Mar 2010] DSA-2012 linux-2.6
    privilege escalation/denial of service
[10 Mar 2010] DSA-2011 dpkg
    path traversal
[10 Mar 2010] DSA-2010 kvm
    privilege escalation/denial of service
[09 Mar 2010] DSA-2009 tdiary
    insufficient input sanitising
[08 Mar 2010] DSA-2008 typo3-src
    several vulnerabilities
[03 Mar 2010] DSA-2007 cups
    format string vulnerability
[02 Mar 2010] DSA-2006 sudo
    several vulnerabilities 

0
Reply Hadron 3/31/2010 5:16:15 PM

On Wed, 31 Mar 2010 19:16:15 +0200, Hadron wrote:

> "Ezekiel" <Me@Not-there.com> writes:
> 
>> "Wintrolls Lie" <wintrolls.lie@gmail.com> wrote in message 
>> news:zY2dnRA34-YN4i7WnZ2dnUVZ_gSdnZ2d@supernews.com...
>>> <http://www.microsoft.com/technet/security/Bulletin/MS10-018.mspx>
>>>
>>> Cumulative Security Update for Internet Explorer (980182)
>>> Published: March 30, 2010
>>>
>>> This security update resolves nine privately reported vulnerabilities
>>> and one publicly disclosed vulnerability in Internet Explorer. The
>>> most severe vulnerabilities could allow remote code execution if a
>>> user views a specially crafted Web page using Internet Explorer. Users
>>> whose accounts are configured to have fewer user rights on the system
>>> could be less impacted than users who operate with administrative user
>>> rights.
>>
>> Cool.  Should I install this update before or after these critical Firefox 
>> updates that were announced the same day?
>>
>> Title: Remote code execution with use-after-free in nsTreeSelection
>> Impact: Critical
>> Announced: March 30, 2010
>> Reporter: regenrecht (via TippingPoint's Zero Day Initiative)
>> Products: Firefox, Thunderbird, SeaMonkey
>>
>> Title: Crashes with evidence of memory corruption (rv:1.9.2.2/ 1.9.1.9/ 
>> 1.9.0.19)
>> Impact: Critical
>> Announced: March 30, 2010
>> Reporter: Mozilla developers and community
>> Products: Firefox, Thunderbird, SeaMonkey
>>
>> Title: Arbitrary code execution with Firebug XMLHttpRequestSpy
>> Impact: High
>> Announced: March 30, 2010
>> Reporter: moz_bug_r_a4
>> Products: Firefox, SeaMonkey
>>
>> Title: Dangling pointer vulnerability in nsTreeContentView
>> Impact: Critical
>> Announced: March 30, 2010
>> Reporter: regenrecht (via TippingPoint's Zero Day Initiative)
>> Products: Firefox, Thunderbird, SeaMonkey
> 
> Or in March these were serious enough for Debian to issue vulnerability warnings
> 
> [31 Mar 2010] DSA-2025 icedove
>     several vulnerabilities
> [31 Mar 2010] DSA-2024 moin
>     insufficient input sanitising
> [28 Mar 2010] DSA-2023 curl
>     buffer overflow
> [23 Mar 2010] DSA-2022 mediawiki
>     several vulnerabilities
> [22 Mar 2010] DSA-2021 spamass-milter
>     missing input sanitization
> [20 Mar 2010] DSA-2020 ikiwiki
>     insufficient input sanitization
> [20 Mar 2010] DSA-2019 pango1.0
>     missing input sanitization
> [18 Mar 2010] DSA-2018 php5
>     DoS (crash)
> [15 Mar 2010] DSA-2017 pulseaudio
>     insecure temporary directory
> [15 Mar 2010] DSA-2015 drbd8
>     privilege escalation
> [13 Mar 2010] DSA-2016 drupal6
>     several vulnerabilities
> [12 Mar 2010] DSA-2014 moin
>     several vulnerabilities
> [11 Mar 2010] DSA-2013 egroupware
>     several vulnerabilities
> [11 Mar 2010] DSA-2012 linux-2.6
>     privilege escalation/denial of service
> [10 Mar 2010] DSA-2011 dpkg
>     path traversal
> [10 Mar 2010] DSA-2010 kvm
>     privilege escalation/denial of service
> [09 Mar 2010] DSA-2009 tdiary
>     insufficient input sanitising
> [08 Mar 2010] DSA-2008 typo3-src
>     several vulnerabilities
> [03 Mar 2010] DSA-2007 cups
>     format string vulnerability
> [02 Mar 2010] DSA-2006 sudo
>     several vulnerabilities

I think Roy Culley has too much time on his hands if he is
researching Microsoft patches.
0
Reply Moshe 3/31/2010 6:08:56 PM

"Moshe" <goldee_loxnbagels@gmail.com> wrote in message 
news:1rxaq8s0mvm42$.vwyxxih2589f.dlg@40tude.net...
> On Wed, 31 Mar 2010 19:16:15 +0200, Hadron wrote:
>
>> "Ezekiel" <Me@Not-there.com> writes:
>>
>>> "Wintrolls Lie" <wintrolls.lie@gmail.com> wrote in message
>>> news:zY2dnRA34-YN4i7WnZ2dnUVZ_gSdnZ2d@supernews.com...
>>>> <http://www.microsoft.com/technet/security/Bulletin/MS10-018.mspx>
>>>>
>>>> Cumulative Security Update for Internet Explorer (980182)
>>>> Published: March 30, 2010
>>>>
>>>> This security update resolves nine privately reported vulnerabilities
>>>> and one publicly disclosed vulnerability in Internet Explorer. The
>>>> most severe vulnerabilities could allow remote code execution if a
>>>> user views a specially crafted Web page using Internet Explorer. Users
>>>> whose accounts are configured to have fewer user rights on the system
>>>> could be less impacted than users who operate with administrative user
>>>> rights.
>>>
>>> Cool.  Should I install this update before or after these critical 
>>> Firefox
>>> updates that were announced the same day?
>>>
>>> Title: Remote code execution with use-after-free in nsTreeSelection
>>> Impact: Critical
>>> Announced: March 30, 2010
>>> Reporter: regenrecht (via TippingPoint's Zero Day Initiative)
>>> Products: Firefox, Thunderbird, SeaMonkey
>>>
>>> Title: Crashes with evidence of memory corruption (rv:1.9.2.2/ 1.9.1.9/
>>> 1.9.0.19)
>>> Impact: Critical
>>> Announced: March 30, 2010
>>> Reporter: Mozilla developers and community
>>> Products: Firefox, Thunderbird, SeaMonkey
>>>
>>> Title: Arbitrary code execution with Firebug XMLHttpRequestSpy
>>> Impact: High
>>> Announced: March 30, 2010
>>> Reporter: moz_bug_r_a4
>>> Products: Firefox, SeaMonkey
>>>
>>> Title: Dangling pointer vulnerability in nsTreeContentView
>>> Impact: Critical
>>> Announced: March 30, 2010
>>> Reporter: regenrecht (via TippingPoint's Zero Day Initiative)
>>> Products: Firefox, Thunderbird, SeaMonkey
>>
>> Or in March these were serious enough for Debian to issue vulnerability 
>> warnings
>>
>> [31 Mar 2010] DSA-2025 icedove
>>     several vulnerabilities
>> [31 Mar 2010] DSA-2024 moin
>>     insufficient input sanitising
>> [28 Mar 2010] DSA-2023 curl
>>     buffer overflow
>> [23 Mar 2010] DSA-2022 mediawiki
>>     several vulnerabilities
>> [22 Mar 2010] DSA-2021 spamass-milter
>>     missing input sanitization
>> [20 Mar 2010] DSA-2020 ikiwiki
>>     insufficient input sanitization
>> [20 Mar 2010] DSA-2019 pango1.0
>>     missing input sanitization
>> [18 Mar 2010] DSA-2018 php5
>>     DoS (crash)
>> [15 Mar 2010] DSA-2017 pulseaudio
>>     insecure temporary directory
>> [15 Mar 2010] DSA-2015 drbd8
>>     privilege escalation
>> [13 Mar 2010] DSA-2016 drupal6
>>     several vulnerabilities
>> [12 Mar 2010] DSA-2014 moin
>>     several vulnerabilities
>> [11 Mar 2010] DSA-2013 egroupware
>>     several vulnerabilities
>> [11 Mar 2010] DSA-2012 linux-2.6
>>     privilege escalation/denial of service
>> [10 Mar 2010] DSA-2011 dpkg
>>     path traversal
>> [10 Mar 2010] DSA-2010 kvm
>>     privilege escalation/denial of service
>> [09 Mar 2010] DSA-2009 tdiary
>>     insufficient input sanitising
>> [08 Mar 2010] DSA-2008 typo3-src
>>     several vulnerabilities
>> [03 Mar 2010] DSA-2007 cups
>>     format string vulnerability
>> [02 Mar 2010] DSA-2006 sudo
>>     several vulnerabilities
>
> I think Roy Culley has too much time on his hands if he is
> researching Microsoft patches.


Published: March 30, 2010
Glad to know that Microsoft provides these patches very fast, although I use 
Opera momentarily! 

0
Reply Clogwog 3/31/2010 8:26:35 PM
