Vulnerability in Windows Shell Could Allow Remote Code Execution
This alert is to provide you with an overview of the new security bulletin being released (out-of-band) on August 02, 2010.
New Security Bulletin Overview
Microsoft is releasing one new security bulletin (out-of-band) for newly discovered vulnerabilities:
| Bulletin ID | Bulletin Title | Maximum Severity Rating | Vulnerability Impact | Restart Requirement | Affected Software |
| --- | --- | --- | --- | --- | --- |
| MS10-046 | Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198) | Critical | Remote Code Execution | Requires restart | Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. |

Affected software listed above is an abstract. Please see the bulletin at the link in the left column for complete details.
Executive Summary
This security update resolves a publicly disclosed vulnerability in Windows Shell. The vulnerability could allow remote code execution if the icon of a specially crafted shortcut is displayed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
This security update is rated Critical for all supported editions of Microsoft Windows. The security update addresses the vulnerability by correcting validation of shortcut icon references.
This security update addresses the vulnerability first described in Microsoft Security Advisory 2286198.
Public Bulletin Webcast
Microsoft will host a webcast to address customer questions on this bulletin:
Title: Information About Microsoft’s August 2010 (Out-of-Band) Security Bulletin Release
Date: Monday, August 02, 2010, at 1:00 P.M. Pacific Time (U.S. & Canada).
URL: https://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?culture=en-US&EventID=1032456779
Public Resources related to this alert
- Security Bulletin MS10-046 – Vulnerability in Windows Shell Could Allow Remote Code Execution: http://www.microsoft.com/technet/security/bulletin/MS10-046.mspx/
- Security Advisory 2286198 – Vulnerability in Windows Shell Could Allow Remote Code Execution: http://www.microsoft.com/technet/security/advisory/2286198.mspx
- Microsoft Security Response Center (MSRC) Blog: http://blogs.technet.com/msrc/
- Microsoft Security Research & Defense (SRD) Blog: http://blogs.technet.com/srd/
- Microsoft Malware Protection Center (MMPC) Blog: http://blogs.technet.com/mmpc/
- Microsoft Security Development Lifecycle (SDL) Blog: http://blogs.msdn.com/sdl/
New Security Bulletin Technical Details
In the following tables of affected and non-affected software, software editions that are not listed are past their support lifecycle. To determine the support lifecycle for your product and edition, visit the Microsoft Support Lifecycle website at http://support.microsoft.com/lifecycle/.
| Bulletin Identifier | Microsoft Security Bulletin MS10-046 |
| Bulletin Title | Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198) |
| Executive Summary | This security update resolves a publicly disclosed vulnerability in Windows Shell. The vulnerability could allow remote code execution if the icon of a specially crafted shortcut is displayed. The security update addresses the vulnerability by correcting validation of shortcut icon references. This security update also addresses the vulnerability first described in Microsoft Security Advisory 2286198. |
| Affected Software | This security update is rated Critical for all supported editions of Microsoft Windows. |
| CVE, Exploitability Index Rating | |
| Attack Vectors | |
| Mitigating Factors | |
| Restart Requirement | The update will require a restart. |
| Bulletins Replaced by This Update | None |
| Publicly Disclosed? Exploited? | Yes – this vulnerability was publicly disclosed prior to release. More information is contained in Microsoft Security Advisory 2286198. Yes – this vulnerability has been exploited in the wild at release. |
| Full Details | http://www.microsoft.com/technet/security/bulletin/MS10-046.mspx |
Regarding Information Consistency
We strive to provide you with accurate information in static (this mail) and dynamic (web-based) content. Microsoft’s security content posted to the web is occasionally updated to reflect late-breaking information. If this results in an inconsistency between the information here and the information in Microsoft’s web-based security content, the information in Microsoft’s web-based security content is authoritative.
If you have any questions regarding this alert please contact your Technical Account Manager or Application Development Consultant.
Thank you,
Microsoft CSS Security Team
Alliance Technology Partners is a Microsoft Partner in St. Louis, MO