MS10-083: Vulnerability in COM Validation in Windows Shell and WordPad could allow remote code execution

<html><body><p>Resolves a vulnerability in Microsoft Windows that could allow remote code execution if a user opened a specially crafted file using WordPad or selects or opens a shortcut file that is on a network or WebDAV share.</p><h2></h2><div><span>Support for Windows Vista Service Pack 1 (SP1) ends on July 12, 2011. To continue receiving security updates for Windows, make sure you’re running Windows Vista with Service Pack 2 (SP2). For more information, refer to this Microsoft web page: <a href=“http://windows.microsoft.com/en-us/windows/help/end-support-windows-xp-sp2-windows-vista-without-service-packs” target=“_self”>Support is ending for some versions of Windows</a></span>.</div><h2>INTRODUCTION</h2><div>Microsoft has released security bulletin MS10-083. To view the complete security bulletin, visit one of the following Microsoft websites: <ul><li>Home users:<br /><div><a href=“http://www.microsoft.com/security/updates/bulletins/201010.aspx” target=“_self”>http://www.microsoft.com/security/updates/bulletins/201010.aspx</a></div><span>Skip the details</span>: Download the updates for your home computer or laptop from the Microsoft Update website now: <div><a href=“http://update.microsoft.com/microsoftupdate/” target=“_self”>http://update.microsoft.com/microsoftupdate/</a></div></li><li>IT professionals:<br /><div><a href=“http://www.microsoft.com/technet/security/bulletin/ms10-083.mspx” target=“_self”>http://www.microsoft.com/technet/security/bulletin/MS10-083.mspx</a></div></li></ul><span><h3>How to obtain help and support for this security update</h3> <br />Help installing updates: <br /><a href=“https://support.microsoft.com/ph/6527” target=“_self”>Support for Microsoft Update</a><br /><br />Security solutions for IT professionals: <br /><a href=“http://technet.microsoft.com/security/bb980617.aspx” target=“_self”>TechNet Security Troubleshooting and Support</a><br /><br />Help protect your computer that is running Windows from viruses and malware:<br /><a href=“https://support.microsoft.com/contactus/cu_sc_virsec_master” target=“_self”>Virus Solution and Security Center</a><br /><br />Local support according to your country: <br /><a href=“https://support.microsoft.com/common/international.aspx” target=“_self”>International Support</a><br /><br /></span></div><h2>More Information</h2><div><h3>Known issues and additional information about this security update</h3><h3>Update links for Windows Vista SP1 or for Windows Server 2008</h3><span>Update for systems that have Windows Search 4.0 installed</span><br /><br />Systems that have Windows Search 4.0 (update <a href=“https://support.microsoft.com/help/940157” target=“_self”>940157</a>) installed on Windows Vista or Windows Server 2008 must install the following update instead of the update that is provided in the security bulletin MS10-083. This is because, by default, update 940157 for Windows Search 4.0 installs a higher binary version than the binaries that are on the system. The updates that are offered by security bulletin MS10-083 will not overwrite the binary versions that are installed by update 940157. <br /><br />Systems that have automatic update turned on or that use detection and deployment tools such as Microsoft Windows Server Update Services (WSUS) server will be offered the update automatically. If you have to manually install this update on Windows Vista SP1, Windows Vista SP2, Windows Server 2008, or Windows Server 2008 SP2 with Windows Search 4.0 installed, visit the following Microsoft Download Center webpages. <br /><br /><br /><span>The following files are available for download from the Microsoft Download Center:<br /></span><br /><br /><span>For Windows Vista SP1 with Windows Search 4.0 installed<br /></span><br /><span><img alt=“Download” src=“/library/images/support/kbgraphics/public/en-us/download.gif” title=“Download” /><a href=“http://download.microsoft.com/download/f/2/f/f2f21a75-5b06-4f0c-8217-9ac953a6694f/windows6.0-kb979688-v2-x86.msu” target=“_self”>Download the Windows6.0-KB979688-v2-x86.msu package now.</a></span><br /><br /><span>For Windows Vista SP1 x64 edition with Windows Search 4.0 installed<br /></span><br /><span><img alt=“Download” src=“/library/images/support/kbgraphics/public/en-us/download.gif” title=“Download” /><a href=“http://download.microsoft.com/download/d/0/2/d02dc331-54f3-48ab-8262-59f8a76fe454/windows6.0-kb979688-v2-x64.msu” target=“_self”>Download the Windows6.0-KB979688-v2-x64.msu package now.</a></span><br /><br /><span>For Windows Server 2008 with Windows Search 4.0 installed<br /></span><br /><span><img alt=“Download” src=“/library/images/support/kbgraphics/public/en-us/download.gif” title=“Download” /><a href=“http://download.microsoft.com/download/0/6/3/063afb94-05c5-4fb7-a6ac-fe2e980dd855/windows6.0-kb979688-v2-x86.msu” target=“_self”>Download the Windows6.0-KB979688-v2-x86.msu package now.</a></span><br /><br /><span>For Windows Server 2008 x64 edition with Windows Search 4.0 installed<br /></span><br /><span><img alt=“Download” src=“/library/images/support/kbgraphics/public/en-us/download.gif” title=“Download” /><a href=“http://download.microsoft.com/download/d/6/2/d623477f-b83e-48ab-bc5b-8b03e177c93d/windows6.0-kb979688-v2-x64.msu” target=“_self”>Download the Windows6.0-KB979688-v2-x64.msu package now.</a></span><br /><br /><span>Release Date: October 12, 2010<br /><br />For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:<br /><div><a href=“https://support.microsoft.com/en-us/help/119591”>119591 </a> How to obtain Microsoft support files from online services<br /></div>Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.<br /></span><h3>Update links for Windows Vista SP2 or for Windows Server 2008 SP2</h3> <br /><br /><br /><br />The following updates are being offered to customers who have systems that were updated in the following order: <br /><br /><ol><li>Windows Vista SP1 or Windows Server 2008 is installed.</li><li>Windows Desktop Search 4.0 is installed.</li><li>The updates offered previously in this article are installed.</li><li>The system is migrated to Windows Vista SP2 or to Windows Server 2008 SP2.</li></ol><br /><span> For Windows Vista SP2 with Windows Search 4.0 installed<br /></span><br /><img alt=“Download” src=“/library/images/support/kbgraphics/public/en-us/download.gif” title=“Download” /><a href=“http://www.microsoft.com/download/details.aspx?familyid=15701fbe-75d8-42fb-aebd-7ad0dc495ef5” target=“_self”>Download the Security Update for Windows Vista Service Pack 2 package now.</a><br /><br /><span>For Windows Vista SP2 x64 edition with Windows Search 4.0 installed<br /></span><br /><img alt=“Download” src=“/library/images/support/kbgraphics/public/en-us/download.gif” title=“Download” /><a href=“http://www.microsoft.com/download/details.aspx?familyid=d22b793b-279f-4401-a5a0-77e52bdca033” target=“_self”>Download the Security Update for Windows Vista for x64-based Systems Service Pack 2 package now.</a><br /><br /><span>For Windows Server 2008 SP2 with Windows Search 4.0 installed<br /><br /></span><br /><img alt=“Download” src=“/library/images/support/kbgraphics/public/en-us/download.gif” title=“Download” /><a href=“http://www.microsoft.com/download/details.aspx?familyid=0d2f42fc-8869-432f-961d-7da90f00da0a” target=“_self”>Download the Security Update for Windows Server 2008 Service Pack 2 package now.</a><br /><br /><span>For Windows Server 2008 x64 edition SP2 with Windows Search 4.0 installed<br /></span><br /><img alt=“Download” src=“/library/images/support/kbgraphics/public/en-us/download.gif” title=“Download” /><a href=“http://www.microsoft.com/download/details.aspx?familyid=f4d27858-2211-4b6a-b09d-8ff19ed0ee08” target=“_self”>Download the Security Update for Windows Server 2008 x64 Edition Service Pack 2 package now.</a><br /><br /><span>Release Date: December 14, 2010<br /><br />For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:<br /><div><a href=“https://support.microsoft.com/en-us/help/119591”>119591 </a> How to obtain Microsoft support files from online services<br /></div>Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.<br /></span><br /><br />The following articles contain more information about this security update as it relates to individual product versions. The articles may contain information about known issues. When this is the case, the known issue is listed below each article link. <ul><li><a href=“https://support.microsoft.com/en-us/help/979687”>979687 </a> MS10-083: Description of the security update for WordPad: October 12, 2010<br /> <br /></li><li><a href=“https://support.microsoft.com/en-us/help/979688”>979688 </a> MS10-083: Description of the security update for Windows Shell: October 12, 2010<br /><br /> <br /></li></ul></div><h2>FILE INFORMATION</h2><div> <br />The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.<br /> <br /><br /> <br /><h3>Windows Vista and Windows Server 2008 file information</h3><ul><li>The files that apply to a specific product, milestone (RTM, SP<strong>n</strong>), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:<br /><br /><br /><br /><div><table><tr><td><span>Version</span></td><td><span>Product</span></td><td><span>Milestone</span></td><td><span>Service branch</span></td></tr><tr><td>6.0.600<span>0</span>.<span>16</span><strong>xxx</strong></td><td>Windows Vista</td><td>RTM</td><td>GDR</td></tr><tr><td>6.0.600<span>0</span>.<span>20</span><strong>xxx</strong></td><td>Windows Vista</td><td>RTM</td><td>LDR</td></tr><tr><td>6.0.600<span>1</span>.<span>18</span><strong>xxx</strong></td><td>Windows Vista SP1 and Windows Server 2008 SP1</td><td>SP1</td><td>GDR</td></tr><tr><td>6.0.600<span>1</span>.<span>22</span><strong>xxx</strong></td><td>Windows Vista SP1 and Windows Server 2008 SP1</td><td>SP1</td><td>LDR</td></tr><tr><td>6.0.600<span>2</span>.<span>18</span><strong>xxx</strong></td><td>Windows Vista SP2 and Windows Server 2008 SP2</td><td>SP2</td><td>GDR</td></tr><tr><td>6.0.600<span>2</span>.<span>22</span><strong>xxx</strong></td><td>Windows Vista SP2 and Windows Server 2008 SP2</td><td>SP2</td><td>LDR</td></tr></table></div></li><li>Service Pack 1 is integrated into the release version of Windows Server 2008. Therefore, RTM milestone files apply only to Windows Vista. RTM milestone files have a 6.0.0000. <strong>xxxxxx</strong> version number.</li><li>GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.</li><li>The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are <a href=“#manifests” target>listed separately</a>. MUM and MANIFEST files, and the associated security catalog (.cat) files, are critical to maintaining the state of the updated component. The security catalog files (attributes not listed) are signed with a Microsoft digital signature.</li></ul><h4>For all supported x86-based versions of Windows Vista and of Windows Server 2008</h4><div><table><tr><th>File name </th><th>File version </th><th>Date </th><th>Time</th><th>File Size</th></tr><tr><td>msshsq.dll </td><td>7.0.6001.18528 </td><td>2010/09/20 </td><td>18:25:01 </td><td>231,936</td></tr></table></div><h4>For all supported x64-based versions of Windows Vista and of Windows Server 2008</h4><div><table><tr><th>File name </th><th>File version </th><th>Date </th><th>Time</th><th>File Size</th><th>Platform</th></tr><tr><td>msshsq.dll </td><td>7.0.6001.18528 </td><td>2010/09/20 </td><td>18:25:01 </td><td>231,936</td><td>x86</td></tr><tr><td>msshsq.dll </td><td>7.0.6001.18528 </td><td>2010/09/20 </td><td>21:14:32 </td><td>316,416</td><td>x64</td></tr></table></div><h4>For all supported IA-64-based versions of Windows Server 2008</h4><div><table><tr><th>File name </th><th>File version </th><th>Date </th><th>Time</th><th>File Size</th><th>Platform</th></tr><tr><td>msshsq.dll </td><td>7.0.6001.18528 </td><td>2010/09/20 </td><td>18:25:01 </td><td>231,936</td><td>x86</td></tr><tr><td>msshsq.dll </td><td>7.0.6001.18528 </td><td>2010/09/20 </td><td>21:14:32 </td><td>316,416</td><td>x64</td></tr></table></div></div></body></html>