Use this table to learn about the security updates that you may need to install. You should review each software program or component listed to see whether any security updates are required. If a software program or component is listed, then the impact of the vulnerability is listed and also hyperlinked to the available software update.
Note You may have to install several security updates for a single vulnerability. Review the whole column for each bulletin identifier that is listed to verify the updates that you have to install, based on the programs or components that you have installed on your system.
See the affected software or component in the table and the appropriate security bulletin for details. Manage the software and security updates you need to deploy to the servers, desktop, and mobile computers in your organization. Security updates are also available at the Microsoft Download Center. For more information, see Microsoft Knowledge Base Article
The Microsoft Baseline Security Analyzer (MBSA) allows administrators to scan local and remote systems for missing security updates as well as common security misconfigurations.
When MBSA 1. After this date, no new security updates will be added to the MSSecure. For more information, visit Microsoft Baseline Security Analyzer.
By using Microsoft Software Update Services (SUS), administrators can quickly and reliably deploy the latest critical updates and security updates to Windows and Windows Server based servers, and to desktop systems that are running Windows Professional or Windows XP Professional. For more information about how to deploy this security update with Software Update Services, visit Software Update Services.
By using SMS, administrators can identify Windows-based systems that require security updates and perform controlled deployment of these updates throughout the enterprise with minimal disruption to end users. SMS 2. Some software updates may not be detected by these tools. Administrators can use the inventory capabilities of the SMS in these cases to target updates to specific systems. Some security updates require administrative rights following a restart of the system. Note that this information pertains only to non-security, high-priority updates on Microsoft Update, Windows Update, Windows Server Update Services, and Software Update Services released on the same day as the security bulletin summary.
Information is not provided about non-security updates released on other days. Microsoft thanks the following for working with us to help protect customers:
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. Microsoft XML Core Services is included in additional non-operating system software from Microsoft and is also available as separate downloads. Note Depending on what versions of Microsoft XML Core Services you have installed on your system, you may be offered more than one security update from this security bulletin.
I am using an older version of the software discussed in this security bulletin. What should I do? The affected software listed in this bulletin has been tested to determine which versions are affected. Other versions are past their support life cycle. To determine the support life cycle for your product and version, visit Microsoft Support Lifecycle. It should be a priority for customers who have older versions of the software to migrate to supported versions to prevent potential exposure to vulnerabilities.
For more information about the extended security update support period for these operating system versions, visit the Microsoft Product Support Services Web site. Customers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options.
Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. A remote code execution vulnerability exists in Microsoft XML Core Services that could allow an attacker who successfully exploited this vulnerability to make changes to the system with the permissions of the logged-on user.
If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation: Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update.
Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:
Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
You can help protect against this vulnerability by changing your settings to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.
To do this, follow these steps: Impact of Workaround: Disabling Active Scripting in the Internet and Local intranet security zones may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly. After you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to the Internet Explorer Trusted sites zone.
This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone. Note Add any sites that you trust not to take malicious action on your system. These are the sites that will host the update, and it requires an ActiveX Control to install the update.
You can do this by setting your browser security to High. Note If no slider is visible, click Default Level, and then move the slider to High.
Note Setting the level to High may cause some Web sites to work incorrectly. This will allow the site to work correctly even with the security setting set to High. Impact of Workaround: There are side effects to prompting before running ActiveX controls. Many Web sites that are on the Internet or on an intranet use ActiveX to provide additional functionality.
For example, an online e-commerce site or banking site may use ActiveX controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX controls is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX controls. What is the scope of the vulnerability? If successfully exploited, this remote code execution vulnerability could allow the attacker to run arbitrary code as the logged on user.
What causes the vulnerability? What might an attacker use the vulnerability to do? An attacker who successfully exploited this vulnerability could make changes to the system with the permissions of the logged-on user. How could an attacker exploit the vulnerability? An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the Web site.
This can also include Web sites that accept user-provided content or advertisements, Web sites that host user-provided content or advertisements, and compromised Web sites.
These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger request that takes users to the attacker's Web site.
It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems. What systems are primarily at risk from the vulnerability? This vulnerability requires that a user is logged on and visits a Web site for any malicious action to occur.
To find out the difference between Coordinated Universal Time and local time, use the Time Zone tab in the Date and Time tool in Control Panel. For a complete list of service packs, see Lifecycle Supported Service Packs. These registry keys may not contain a complete list of installed files. Microsoft thanks the following for working with us to help protect customers: