Microsoft Issues Four Patches, Fixes Critical Help Center Flaw


Microsoft released a mild bulletin for its July Patch Tuesday, repairing a total of five vulnerabilities with four security updates in Windows and Office, including a critical Help and Support Center flaw already exploited in the wild.

Of the four patches Microsoft released, three are considered critical, indicating that they can enable hackers to launch malicious attacks via remote code execution. The three critical flaws occur in both Microsoft Windows and Office, which included flaws in the Microsoft Help and Support Center, ActiveX and Canonical Display Driver. The fourth patch, ranked with the slightly less severe rating of "important," occurs in Microsoft Outlook.

Hands down, security experts recommend that users apply a patch repairing a critical Help and Support Center flaw in Windows XP and supported editions of Windows Server 2003, which is currently being exploited in active attacks.

Microsoft researchers, however, emphasized they have yet to find an attack vector for the Help Center flaw on the Server 2003 platform, prompting them to give the vulnerability a "low" severity rating on that platform.

The Help Center flaw, MS10-042, received media attention in June when Google engineer Tavis Ormandy publicly disclosed the flaw and published proof of concept exploit code just days after first reporting it to Microsoft, fueling the heated debate regarding responsible vulnerability disclosure practices.

Josh Talbot, security intelligence manager for Symantec Security Response, said that he's already seen three public exploits leveraging the Help Center flaw, all using different attack mechanisms.

Hackers could exploit the flaw by injecting malicious content on an existing Web page, which would automatically download malware onto users' computers. Attacks could also be launched by enticing users to click on an infected link embedded in an e-mail message.

"Microsoft knows (the Help Center flaw) has been actively exploited. Anything that's exploited needs your immediate attention," said Jason Miller, data and security team manager at Shavlik Technologies.

Both Microsoft and other security experts contend that users should also prioritize MS10-045, addressing a vulnerability rated "important" in all supported versions of Microsoft Outlook, including Outlook 2002, Office Outlook 2003, and Office Outlook 2007. The Outlook flaw could enable remote code execution, but was ranked "important" due to the fact that it would require some kind of user intervention in downloading attachments, to launch the attack, experts say.

"One of the differences is it does require user interaction for an attack to be successful. A victim would have to be convinced to open an attachment," Talbot said, adding that despite its ranking, the Outlook bug could easily be exploited in attacks by hackers aiming at the low hanging fruit. "We have seen many attacks in the past, especially targeted attack designed to make user click a link or open an attachment and those have been quite successful."

Microsoft's July patch load also included an update, MS10-044, which repaired two critical flaws in Microsoft Office Access ActiveX Controls that could feasibly allow remote code execution if a user opened a malicious Office file or viewed an infected Web page that instantiated Access ActiveX controls.

The patch also repaired a critical vulnerability in the Canonical Display Driver, which could likely lead to a denial of service attack that could shut down a user's system and lead to an automatic restart. Microsoft, which issued a security advisory warning about the vulnerability in May, said that while possible, it was unlikely that the flaw could lead to remote code execution.

Meanwhile, Microsoft reiterated that July 13 marked the day in which the company discontinued support for Windows XP Service Pack 2, while encouraging users to upgrade to XP Service Pack 3 or Windows 7. The company also plans to cut off support for all Windows 2000 products following the July 13 Patch Tuesday release.

"The biggest thing today though is that Windows 2000 and Windows XP SP2 are end of life. This is kind of a big deal," Miller said. "If I was a bad guy, I'd be targeting Windows XP. This could present a false sense of security. (Users) think that they're okay, but it's a breeding ground for viruses right now."