Microsoft To Fix Critical Help Center Flaw In July Patch


Microsoft plans to issue four security bulletins addressing five security vulnerabilities for its July Patch Tuesday release, including a critical Help and Support Center vulnerability that is already being used in active malicious attacks.

Three of the four impending patches are considered "critical," addressing vulnerabilities in Windows and Microsoft Office that could open the door for hackers to launch remote code execution attacks.

"Bulletin 2 will have a huge impact as it affects Windows 7 desktop users and Windows 2008 R2 servers, which are Microsoft's most current and widely deployed desktop and server solutions," said Don Leatham, senior director of solutions and strategy for security company Lumension, in an e-mail. "IT departments with Windows 7 and/or Windows 2008 R2 should be ready to prioritize this bulletin."

Microsoft's fourth security update, given the slightly less severe ranking of "important," will also address a Microsoft Office bug, which could enable hackers to launch malware remotely in certain circumstances, according to the Microsoft Advanced Notification, released Thursday.

Security experts maintained that, while rated "important," the patch repairs a serious vulnerability in Microsoft Outlook, which will inevitably have a significant impact on its user base.

"Bulletin 4 is only rated important, but we do want to strongly encourage users to pay attention to this since it addresses a vulnerability in Microsoft Outlook, Microsoft's hugely popular e-mail client," Leatham said. "Vulnerabilities in e-mail clients are always a concern."

Included in the July patch load is a fix for a critical security vulnerability in the Windows Help and Support Center, affecting Windows XP and Windows Server 2003, which has already been exploited by hackers in what Microsoft calls "limited, targeted active attacks."

The Help Center flaw received copious media play in June when Google engineer Tavis Ormandy publicly disclosed the flaw and published proof-of-concept exploit code only a few days after reporting it to Microsoft, fueling the already heated debate in the security community regarding responsible disclosure practices.

If exploited, the Help Center bug could enable hackers to launch attacks on users by creating a malicious Web page or embedding a malicious link in an e-mail. Hackers would then entice a user to visit the page or click the link, usually through some social engineering scheme.

In addition, Microsoft plans to address a vulnerability in the Canonical Display Driver function, first reported in a security advisory in May, which could enable an attacker to launch a denial of service attack that would completely shut down a user's computer with an automatic restart.

Microsoft said in its May advisory that the chances of hackers exploiting the vulnerability in remote code execution attacks were slim. Thus far, there do not appear to be any active attacks leveraging the flaw in the wild, Microsoft said.

"Although it is possible that the vulnerability could allow code execution, successful code execution is unlikely due to memory randomization," Microsoft said.

Meanwhile, Jerry Bryant, Microsoft group manager for response communications, reminded users that Microsoft would phase out its support for Windows 2000 and Windows XP SP2 platforms in July.

"Customers should actively seek out either a supported operating system or the latest service pack in order to keep receiving necessary security updates," Bryant said.