MS10-036: Vulnerability in COM validation in Microsoft Office could allow remote code execution

INTRODUCTION

Microsoft has released security bulletin MS10-036. To view the complete security bulletin, visit one of the following Microsoft websites:

How to obtain help and support for this security update


Help installing updates:
Support for Microsoft Update

Security solutions for IT professionals:
TechNet Security Troubleshooting and Support

Help protect your computer that is running Windows from viruses and malware:
Virus Solution and Security Center

Local support according to your country:
International Support

Resolution

We are providing a Microsoft Fix it solution for users on Windows XP systems that have Microsoft Office XP installed. Although this is not a code fix in the Office products themselves, the Microsoft Fix it solution provides similar protections against the vulnerability that is described in this bulletin. Although the risk to application compatibility is minimized, we recommend that you test this Microsoft Fix it solution before you distribute it widely. To determine the download location, use the Fix it buttons in this article.

What does the Fix it solution do?

The Fix it solution provides protections that are similar to the software updates that are offered in bulletin MS10-036. It does this by adding extra validation of COM objects in Office documents, using the IE kill-bit mechanism to help provide protection from malicious documents. The Fix it solution does not require a restart, and it can be deployed by using standard Microsoft deployment solutions. It applies to Office XP on Windows XP-based systems, and it addresses issues in Microsoft Word, Microsoft Excel, Microsoft PowerPoint, Microsoft Publisher, and Microsoft Visio.
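
The article recommends testing the Fix it before wide deployment but does not list which controls it blocks, so one way to see its effect on a test machine is to snapshot the IE kill bits before and after running it. The PowerShell below is an added example, not part of Microsoft's article or the Fix it package; it assumes the Fix it writes to the standard IE kill-bit registry location, and the function names are hypothetical.

```powershell
# Added example: snapshot and diff IE kill bits around a Fix it test install.
# A kill bit is bit 0x400 of the "Compatibility Flags" DWORD stored under
# ...\Internet Explorer\ActiveX Compatibility\{CLSID}.
# Assumption: the Fix it sets its kill bits in this standard location.
$KillBit = 0x400
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # 32-bit registry view on 64-bit Windows; skipped when it does not exist.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitKey {
    # Emits one registry path per CLSID whose kill bit is set.
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $flags = $key.GetValue('Compatibility Flags')
            # Skip keys with no flags value or a value that is not a DWORD.
            if ($flags -isnot [int]) { continue }
            if (($flags -band $KillBit) -ne 0) {
                '{0}\{1}' -f $root, $key.PSChildName
            }
        }
    }
}

function Compare-KillBitSnapshot {
    # Reports kill bits that appeared or disappeared since the baseline file.
    param([Parameter(Mandatory = $true)][string]$BaselineFile)
    $before = @(Get-Content $BaselineFile)
    $after  = @(Get-KillBitKey)
    foreach ($k in $after)  { if ($before -notcontains $k) { "added   $k" } }
    foreach ($k in $before) { if ($after  -notcontains $k) { "removed $k" } }
}

# Usage on a test machine (file name is a placeholder):
#   Get-KillBitKey | Set-Content .\killbits-before.txt
#   ...run the Enable Fix wizard...
#   Compare-KillBitSnapshot -BaselineFile .\killbits-before.txt
# Running the comparison again after the Disable Fix wizard shows whether
# the added entries are rolled back.
```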

Note This Fix it solution does not include the Office kill-bit override features. For more information about the Office kill-bit override features, click the following article number to view the following article in the Microsoft Knowledge Base:
983632  Security settings for ActiveX controls and OLE objects in Office 2003 and in the 2007 Office suite


Fix it for Office XP on a computer that is running Windows XP

To fix this problem automatically, click the Fix this problem link. Then click Run in the File Download dialog box, and follow the steps in this wizard.



Enable Fix | Disable Fix


Note This wizard may be in English only. However, the automatic fix also works for other language versions of Windows.

Note If you are not on the computer that has the problem, you can save the automatic fix to a flash drive or to a CD, and then you can run it on the computer that has the problem.

More Information

More information about this security update

New functionality

This security update lets users control whether and how ActiveX controls and OLE objects load by using a Microsoft Office kill-bit list. For more information about this functionality, click the following article number to view the article in the Microsoft Knowledge Base:
983632  Security settings for ActiveX controls and OLE objects in Office 2003 and in the 2007 Office suite

Known issues and additional information about this security update

  • 982311 MS10-036: Description of the security update for Office 2003: June 8, 2010
  • 982312  MS10-036: Description of the security update for the 2007 Office system: June 8, 2010
  • 982133 MS10-036 and MS10-038: Description of the security update for Excel 2003: June 8, 2010
  • 982308 MS10-038 and MS10-036: Description of the security update for Excel 2007: June 8, 2010
  • 982157 MS10-036: Description of the security update for PowerPoint 2003: June 8, 2010
  • 982158 MS10-036: Description of the security update for PowerPoint 2007: June 8, 2010
  • 982122 MS10-036: Description of the security update for Publisher 2003: June 8, 2010
  • 982124 MS10-036: Description of the security update for Publisher 2007: June 8, 2010
  • 982126 MS10-036: Description of the security update for Visio 2003: June 8, 2010
  • 982127 MS10-036: Description of the security update for Visio 2007: June 8, 2010
  • 982134 MS10-036: Description of the security update for Word 2003: June 8, 2010
  • 982135 MS10-036: Description of the security update for Word 2007: June 8, 2010
  • 983632  Security Settings for ActiveX controls and OLE objects in Office 2003 and in the 2007 Office suite

Security update replacement information

This security update replaces the following security update:
  • 973965 MS09-060: Vulnerabilities in Microsoft Active Template Library (ATL) ActiveX Controls for Microsoft Office could allow remote code execution

Properties

Article ID: 983235 - Last Review: May 8, 2012 - Revision: 1
