For the second month in a row, the out-of-band patches were kept to a minimum, other than a pile of updates to the Best Practices Analyzer for Windows Server 2008 R2. Nicely enough, the number of security patches is quite low this time around: only two.
Security patches
MS10-030/KB978542 – Critical (XP, 7, 2003, 2008, 2008 R2, Outlook Express 5.5 and 6.0 for 2000): Outlook Express, Windows Mail, and Windows Live Mail have a vulnerability that can lead to a remote code execution attack, executed by a remote e-mail server. Microsoft rates this as “critical,” but I believe that very few business users are using these applications, and I feel that it is extremely unlikely that a remote e-mail server would be compromised like this. For these reasons, I believe that this patch can wait until your next scheduled patch day, unless you use one of these e-mail applications on a regular basis. 1.1MB – 4.7MB
MS10-031/KB978213 – Critical (Office XP, Office 2003, Office 2007): A problem with the VBA runtime can allow an attacker to use a specially crafted document to perform remote code execution attacks. This affects Office as well as any other application that uses VBA. It is unclear whether forbidding Office from running macros mitigates the attacks in Office. You should install this patch immediately. 1.3MB – 2.7MB
Other updates
None.
“The Usual Suspects”: Updates to the Malicious Software Removal Tool (10.1MB – 12.7MB) and Junk E-mail filters (2.2MB).
Changed, but not significantly:
None.
Updates since the last Patch Tuesday
There have been a number of minor items added and updated since the last Patch Tuesday:
- System Update Readiness Tool for Vista, 7, 2008, and 2008 R2 (KB947821) 18.2MB – 122.6MB
- BitLocker update for 7 and 2008 R2 (KB975496) 138KB – 241KB
- Browser Choice Screen Update (KB976002) 103KB – 745KB
- Update for SD Cards larger than 32 GB (KB976422) 90KB – 167KB
- Best Practices Analyzer Updates for 2008 R2 x64:
  - DHCP Server (KB977236) 178KB
  - Hyper-V (KB977238) 168KB
  - Network Policy and Access Services (KB977239) 191KB
  - Remote Desktop Services (KB979734) 178KB
  - Active Directory Domain Services (KB980360) 276KB
  - File Services (KB981111) 243KB
  - Windows Server Update Services (KB981390) 94KB
  - Active Directory Rights Management Services (KB981391) 83KB
  - Application Server (KB981392) 76KB
- Update to Remove Windows File Protection from Fonts so Office 2010 Can Install (KB980248) 30.0MB
- Stability and Reliability Update for 7 and 2008 R2 (KB980408) 5.5MB – 19.7MB
Changed, but not significantly: