Opsecure

Operational Security

Monday, Sep 06th

Last update: 11:47:23 AM GMT


Security updates released for Adobe Reader and Acrobat


Today, a Security Bulletin has been posted in regards to this quarter's security updates for Adobe Reader and Acrobat. The updates address critical security issues in the products, including CVE-2010-1297 referenced in Security Advisory APSA10-01. Adobe recommends that users apply the updates for their product installations.

Note that today's updates represent an accelerated release of this quarter's security update originally scheduled for July 13, 2010. With this accelerated release, Adobe will not release additional updates for Adobe Reader and Acrobat on July 13, 2010. For more information on this update, please see the Adobe Reader blog.

This posting is provided "AS IS" with no warranties and confers no rights.

Adobe Security Blog

Pre-Notification - Quarterly Security Updates for Adobe Reader and Acrobat


A Security Advisory has been posted in regards to the upcoming Adobe Reader and Acrobat updates scheduled for June 29, 2010. The updates will address critical security issues in the products, including CVE-2010-1297 referenced in Security Advisory APSA10-01. These security updates will be made available for Windows, Macintosh and UNIX.

Note that the June 29, 2010 updates represent an accelerated release of the next quarterly security update originally scheduled for July 13, 2010. With this accelerated schedule, Adobe will not release additional updates for Adobe Reader and Acrobat on July 13, 2010.

We will continue to provide updates on the upcoming release via the Security Advisory section of the Adobe web site as well as the Adobe PSIRT blog.


Adobe Security Blog

Apple Security Update 2010-004 / Mac OS X v10.6.4 Shipping with Outdated Version of Adobe Flash Player


Earlier today, Apple released security update 2010-004 / Mac OS X v10.6.4. This update includes an earlier version of Adobe Flash Player (version 10.0.45.2) than available from Adobe.com. While the Mac OS X v10.6.4 update does not appear to downgrade users who have already upgraded to Adobe Flash Player 10.1, Adobe recommends users verify they are using the latest, most secure version of Flash Player (10.1.53.64) available for download from http://www.adobe.com/go/getflashplayer.

To verify the Adobe Flash Player version number installed on your system (after applying the Mac OS X security update), access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. If you use multiple browsers, checking on any one browser will verify the update for all browsers on Macintosh systems (on Windows, perform the check for each browser you have installed on your system).


Adobe Security Blog

MS10-035 - Critical: Cumulative Security Update for Internet Explorer (982381)


Manage the software and security updates you need to deploy to the servers, desktop, and mobile computers in your organization. For more information see the TechNet Update Management Center. The Microsoft TechNet Security Web site provides additional information about security in Microsoft products.

Security updates are available from Microsoft Update and Windows Update. Security updates are also available at the Microsoft Download Center. You can find them most easily by doing a keyword search for "security update."

Finally, security updates can be downloaded from the Microsoft Update Catalog. The Microsoft Update Catalog provides a searchable catalog of content made available through Windows Update and Microsoft Update, including security updates, drivers and service packs. By searching using the security bulletin number (such as, "MS08-010"), you can add all of the applicable updates to your basket (including different languages for an update), and download to the folder of your choosing. For more information about the Microsoft Update Catalog, see the Microsoft Update Catalog FAQ.

Note: Microsoft discontinued support for Office Update and the Office Update Inventory Tool as of August 1, 2009. To continue getting the latest updates for Microsoft Office products, use Microsoft Update. For more information, see About Office Update: Frequently Asked Questions.

Detection and Deployment Guidance

Microsoft provides detection and deployment guidance for security updates. This guidance contains recommendations and information that can help IT professionals understand how to use various tools for detection and deployment of security updates. For more information, see Microsoft Knowledge Base Article 961747.

Microsoft Baseline Security Analyzer

Microsoft Baseline Security Analyzer (MBSA) allows administrators to scan local and remote systems for missing security updates as well as common security misconfigurations. For more information about MBSA, visit Microsoft Baseline Security Analyzer.

The following table provides the MBSA detection summary for this security update.

The latest version of MBSA has been released: Microsoft Baseline Security Analyzer 2.1.1. For more information, see Microsoft Baseline Security Analyzer 2.1.

Windows Server Update Services

By using Windows Server Update Services (WSUS), administrators can deploy the latest critical updates and security updates for Microsoft Windows 2000 operating systems and later, Office XP and later, Exchange Server 2003, and SQL Server 2000 to Windows 2000 and later operating systems. For more information about how to deploy this security update using Windows Server Update Services, visit the Windows Server Update Services Web site.

Systems Management Server

The following table provides the SMS detection and deployment summary for this security update.

*Internet Explorer 6 only. For more information, see Microsoft Knowledge Base Article 924178.

For SMS 2.0 and SMS 2003, the Security Update Inventory Tool (SUIT) can be used by SMS to detect security updates. See also Downloads for Systems Management Server 2.0.

For SMS 2003, the SMS 2003 Inventory Tool for Microsoft Updates (ITMU) can be used by SMS to detect security updates that are offered by Microsoft Update and that are supported by Windows Server Update Services. For more information about the SMS 2003 ITMU, see SMS 2003 Inventory Tool for Microsoft Updates. For more information about SMS scanning tools, see SMS 2003 Software Update Scanning Tools. See also Downloads for Systems Management Server 2003.

System Center Configuration Manager 2007 uses WSUS 3.0 for detection of updates. For more information about Configuration Manager 2007 Software Update Management, visit System Center Configuration Manager 2007.

For more information about SMS, visit the SMS Web site.

For more detailed information, see Microsoft Knowledge Base Article 910723: Summary list of monthly detection and deployment guidance articles.

Update Compatibility Evaluator and Application Compatibility Toolkit

Updates often write to the same files and registry settings required for your applications to run. This can trigger incompatibilities and increase the time it takes to deploy security updates. You can streamline testing and validating Windows updates against installed applications with the Update Compatibility Evaluator components included with Application Compatibility Toolkit 5.0.

The Application Compatibility Toolkit (ACT) contains the necessary tools and documentation to evaluate and mitigate application compatibility issues before deploying Microsoft Windows Vista, a Windows Update, a Microsoft Security Update, or a new version of Windows Internet Explorer in your environment.


MS10-041 - Important: Vulnerability in Microsoft .NET Framework Could Allow Tampering (981343)


What is a data tampering vulnerability?
In information security, a data tampering vulnerability could allow the malicious modification of data. Examples include unauthorized changes made to persistent data, such as that held in a database, and the alteration of data as it flows between two computers over an open network, such as the Internet. Specifically for this vulnerability, if an effective cryptographic signature is used to digitally sign data, and this data is modified after it has been signed, and the verification of the digital signature fails, this indicates tampering. If the verification of the signature succeeds despite the fact that the data has been tampered with, this also indicates tampering.
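The two outcomes the bulletin describes (a signature check that fails on modified data, and a check that wrongly succeeds on modified data) can be seen side by side with a small message-authentication example. The code below is an added illustration written for this page, not code from the bulletin or from the .NET Framework; it uses HMAC-SHA256 with a constructed shared key, and the flawed verifier is constructed to show the second failure mode.

```python
import hashlib
import hmac

# Constructed example key: a real system loads this from a secret store, never from source.
SHARED_KEY = b"constructed-example-key"


def sign(data: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Produce an HMAC-SHA256 tag over the data with a shared key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify(data: bytes, tag: bytes, key: bytes = SHARED_KEY) -> bool:
    """Correct verifier: recompute the tag and compare in constant time.

    Any change to the data (or to the tag) makes this return False.
    """
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def broken_verify(data: bytes, tag: bytes, key: bytes = SHARED_KEY) -> bool:
    """Flawed verifier, constructed for illustration: it treats a missing tag as
    'nothing to check' and accepts the data. This is the second case in the
    bulletin: verification 'succeeds' even though the data was modified.
    """
    if not tag:
        return True
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def check_integrity(received: bytes, tag: bytes, verifier=verify) -> str:
    """Classify a received message for an operator: 'ok' or 'tampered'."""
    return "ok" if verifier(received, tag) else "tampered"


def demo() -> dict:
    """Walk through the bulletin's scenarios with a constructed message."""
    original = b'{"account":"1234","amount":100}'
    tag = sign(original)
    # The message as it might arrive after being altered in transit, tag unchanged.
    modified = b'{"account":"1234","amount":9999}'
    return {
        "unmodified": check_integrity(original, tag),
        "modified": check_integrity(modified, tag),
        # The flawed verifier accepts a modified message when the tag is simply absent.
        "modified_broken_verifier": check_integrity(modified, b"", broken_verify),
        "modified_correct_verifier": check_integrity(modified, b""),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```

The point of the `broken_verify` branch is that a verifier is only as good as its handling of the unhappy paths: a missing, empty or malformed tag must be treated as a failed verification, not as an exemption from it.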

How do I determine which version of the Microsoft .NET Framework is installed?
You can install and run multiple versions of the .NET Framework on a system, and you can install the versions in any order. There are several ways to determine which versions of the .NET Framework are currently installed. For more information, please see Microsoft Knowledge Base Article 318785 or the MSDN article, Determining Which Version of the .NET Framework Is Installed.

Why are Microsoft .NET Framework 3.5 and Microsoft .NET Framework 3.5 Service Pack 1 affected on some supported operating systems?
Microsoft .NET Framework 3.5 includes Microsoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.0 Service Pack 1 subcomponents. Microsoft .NET Framework 3.5 Service Pack 1 contains Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.0 Service Pack 2 subcomponents. On some operating systems, Microsoft .NET Framework 3.5 and Microsoft .NET Framework 3.5 Service Pack 1 may install these vulnerable subcomponents.

I have a version of Microsoft .NET Framework installed on my system that is not listed in this bulletin. Is my configuration affected by this vulnerability?
The affected software listed in this bulletin has been tested to determine which releases are affected. Other releases are past their support life cycle or are not supported. Customers who have an unsupported version of the Microsoft .NET Framework installed on their system are advised to uninstall that version of the Microsoft .NET Framework and to upgrade to a newer version of the Microsoft .NET Framework.

The Microsoft .NET Framework can be uninstalled via the Add or Remove Programs tool in Control Panel. For more information about the removal of specific versions of the Microsoft .NET Framework, see Microsoft Knowledge Base Article 320122, Microsoft Knowledge Base Article 824643, and Microsoft Knowledge Base Article 908077.

Does this update contain any security-related changes to functionality?
Yes. In addition to the changes that are listed in the Vulnerability Information section of this bulletin, this update includes a defense-in-depth change to the ASP.NET request validation feature, to address an issue that could allow an attacker to bypass a basic defense-in-depth measure that is enabled by default on ASP.NET-enabled Web sites.

The issue is caused because the request validation feature in ASP.NET does not properly check for a specific character sequence. The ASP.NET request validation feature cannot replace an effective validation layer restricting untrusted input variables. Developers wishing to learn more about the security features that ASP.NET provides to Web applications may refer to the MSDN article, Take Advantage of ASP.NET Built-in Features to Fend Off Web Attacks.

If a Web site does not have an effective validation layer in place to restrict untrusted user input, an attacker who successfully exploited this issue may be able to inject arbitrary content, including ASP.NET content, into the affected web site. This defense-in-depth change mitigates the issue that was privately reported.

What is ASP.NET Request Validation?
This defense-in-depth change to the ASP.NET request validation feature performs basic input validation on web sites running ASP.NET. However, the ASP.NET request validation feature cannot replace an effective validation layer that restricts untrusted input variables. Developers wishing to learn more about the security features that ASP.NET provides to Web applications may refer to the MSDN articles, including Take Advantage of ASP.NET Built-in Features to Fend Off Web Attacks.

How do I know if my ASP.NET Web application is affected by this defense-in-depth change?
ASP.NET-developed Web applications that restrict all untrusted input variables to a range of expected values or characters would not be affected. For more information on hardening ASP.NET Web applications, see Microsoft Knowledge Base Article 815155.

What is ASP.NET?
ASP.NET is a collection of technologies within the Microsoft .NET Framework that enable developers to build Web applications and XML Web Services.

Unlike traditional Web pages, which use a combination of static HTML and scripting, ASP.NET uses compiled, event-driven pages. Because ASP.NET is a Web-based application environment, requiring an underlying Web server to provide basic HTTP functionality, ASP.NET runs on top of Internet Information Services (IIS). For more information, see The Official Microsoft ASP.NET Site.

Why is this issue addressed as a defense-in-depth measure?
ASP.NET request validation is being addressed as a defense-in-depth change, which can be used as an extra precautionary measure in addition to the developer's own input validation. Only the developer can define what constitutes good input for a specific application. Defense-in-depth features are not designed to be relied upon, even though multiple such layers can substantially help prevent attackers from compromising the security of the system in question. Therefore, if ASP.NET request validation misses a specific character sequence, the maximum security impact of this issue cannot be higher than if this feature were disabled altogether.
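The answers above make two claims worth seeing in code: an application that restricts every untrusted input to its expected values or characters is unaffected by a gap in request validation, and the worst case of such a gap is no worse than having request validation switched off. The following is an added example written for this page, not ASP.NET's or Microsoft's code; the field names, patterns and sample values are constructed, and the generic "markup-like" check is an assumption that only loosely models what request validation does.

```python
import re

# Primary control: the application defines what good input is for each field.
# Field names and patterns are constructed for this example. "comment" is
# deliberately weak (accepts almost anything) to show what reliance on the
# generic layer looks like.
ALLOWLIST = {
    "order_id": re.compile(r"[0-9]{1,10}"),
    "username": re.compile(r"[A-Za-z0-9_.-]{3,32}"),
    "status": re.compile(r"open|closed|pending"),
    "comment": re.compile(r".{0,200}", re.S),
}

# Defense-in-depth layer: a coarse, application-agnostic check that rejects values
# that look like HTML markup. This is an assumption for illustration, not the
# real ASP.NET request validation logic.
MARKUP_LIKE = re.compile(r"<[A-Za-z!/?]")


def request_validation(value: str) -> bool:
    """Generic layer: True if the value does not look like markup."""
    return MARKUP_LIKE.search(value) is None


def allowlist_validation(field: str, value: str) -> bool:
    """Application layer: True only if the whole value matches the field's expected shape."""
    pattern = ALLOWLIST.get(field)
    if pattern is None:
        return False  # unknown fields are rejected, not passed through
    return pattern.fullmatch(value) is not None


def accept(field: str, value: str, generic_layer_enabled: bool = True) -> bool:
    """Both layers must pass. The generic layer can be switched off to show that it
    only adds a filter in front of the allowlist; it never opens a hole behind it."""
    if generic_layer_enabled and not request_validation(value):
        return False
    return allowlist_validation(field, value)


def allowlist_bounds_impact(field: str, samples) -> bool:
    """True if disabling the generic layer changes no decision for these samples,
    i.e. the allowlist alone already decides. This is the bulletin's claim that a
    missed character sequence in request validation cannot be worse than having
    the feature disabled altogether."""
    return all(accept(field, v, True) == accept(field, v, False) for v in samples)


# Constructed sample inputs, a mix of expected values and junk.
SAMPLES = [
    "open", "closed", "pending", "OPEN", "open; drop table",
    "<b>open</b>", "<script>open", "", "open\n", "op<en",
]


if __name__ == "__main__":
    for field in ("status", "comment"):
        print(f"{field}: allowlist alone decides every sample ->",
              allowlist_bounds_impact(field, SAMPLES))
```

For the tightly specified `status` field, switching the generic layer off changes nothing, which is exactly the "unaffected" case from the bulletin. For the loosely specified `comment` field the decisions differ, which means that field's safety is currently riding on a defense-in-depth feature that, by design, should not be relied upon.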

What is defense-in-depth?
In information security, defense-in-depth refers to an approach in which multiple layers of defense are in place to help prevent attackers from compromising the security of a network or system.

Where are the file information details?
Refer to the reference tables in the Security Update Deployment section for the location of the file information details.

I am using an older release of the software discussed in this security bulletin. What should I do?
The affected software listed in this bulletin has been tested to determine which releases are affected. Other releases are past their support life cycle. For more information about the product lifecycle, visit the Microsoft Support Lifecycle Web site.

It should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. To determine the support lifecycle for your software release, see Select a Product for Lifecycle Information. For more information about service packs for these software releases, see Lifecycle Supported Service Packs.

Customers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country in the Contact Information list, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Microsoft Support Lifecycle Policy FAQ.

