Microsoft Issues Two Critical Fixes For Windows, Office

Patch Microsoft Office

Specifically, the first bulletin, MS10-31, resolves one critical vulnerability in Outlook Express, Windows Mail and Windows Live Mail, which could open up a security hole allowing attackers to launch malicious code onto users' PCs via e-mail.

The vulnerability was given a severity rating of critical for Windows 2000, XP, Vista, Server 2003 and Server 2008, while the flaw was given the less severe ranking of "important" in Windows 7 and Windows Server 2008 R2.

In order to successfully exploit the Outlook vulnerability, an attacker would have to host a malicious mail server or compromise a mail server with malicious code. A malicious hacker could also launch an attack on a victim by performing a "man-in-the-middle" attack which would infect the communications once it was intercepted.

Jerry Bryant, Microsoft group manager for response communications, said in a company blog post that "Heap mitigations built into Windows Vista and newer operating systems make exploitations of this vulnerability unlikely."


And security experts concur that the likelihood of widespread exploits via Outlook is relatively small.

"We call them legacy e-mail clients. We don't think they are in use at many sites at enterprises. Maybe smaller companies still use them," said Wolfgang Kandek, chief technology officer for security firm Qualys.

In addition, Microsoft also issued MS10-31, which repaired a critical vulnerability in Microsoft Office and in Microsoft Visual Basic for Applications (VBA), occurring in the way VBA searches for ActiveX controls embedded in documents.

Users' PCs could become infected if they opened a malicious file and passed it to the Visual Basic for Applications runtime, which would enable an attacker to take complete control of their system or access and steal sensitive data and files.

Altogether, the vulnerability was ranked critical for Microsoft VBA SDK 6.0, as well as other third-party applications relying on Microsoft VBA, and "important" for supported versions of Office XP, Office 2003, and Office 2007, due to the extensive user interaction required to launch the attack, Microsoft said.

Thus far, neither vulnerability has been exploited in a malicious attack. And while Microsoft recommends that users apply the patches as soon as possible, security experts contend that it isn't necessarily crucial that users patch the vulnerabilities today.

"What we see here is that people patch Office very slowly anyway," said Richie Lai, Qualys director of vulnerabilities research. "We would rather have people patch all the Office as quickly as possible, but that's not the reality."

Kandek said that while Office was ubiquitous in the enterprise, the chance of a widespread attack exploiting the recent vulnerability was reduced by the fact that exploits for existing Office vulnerabilities are already prevalent. Kandek added that attackers bent on exploiting legacy Office installations would likely rely on those previous exploits.

"The Office installations are so old, really the old vulnerabilities still work," he said.