Microsoft fixes Ormandy zero-day, four other bugs
Microsoft on Tuesday pushed out four patches to address five vulnerabilities in Windows and Office as part of its July security update.
This month's update closes a “critical” Windows Help and Support Center vulnerability that is being widely exploited. The update also closes another publicly disclosed critical vulnerability affecting Windows, in addition to three flaws in Office, two of which are rated critical and the other rated "important."
“We all focus on numbers, but even though there are only four [fixes], there are very critical security bulletins inside this batch,” Jason Miller, data and security team manager at Shavlik Technologies, told SCMagazineUS.com on Tuesday.
Bulletin MS10-042 addresses the Help and Support Center flaw, which affects XP and Server 2003 machines and can result in remote code execution if a user visits a specially crafted web page. The flaw was disclosed last month in a controversial fashion by Google researcher Tavis Ormandy, who notified Microsoft but then went public with the disclosure shortly after the software giant would not agree to a deadline, he has said.
Microsoft engineers began spotting in-the-wild exploits targeting the flaw on June 15, five days after Ormandy's Full Disclosure post and Microsoft's confirmation.
“In just the few weeks since the Help and Support Center issue came to light, three public exploits have surfaced, all using different attack mechanisms,” Joshua Talbot, security intelligence manager at Symantec Security Response, said Tuesday. “We saw attack activity begin increasing on June 21, but it's since leveled out.”
Microsoft is recommending that customers prioritize the deployment of MS10-042 and MS10-045, Jerry Bryant, group manager, response communications at Microsoft, said in a post on the Security Response Center blog.
Bulletin MS10-045 addresses a vulnerability, rated important, in Microsoft Outlook. The flaw can be exploited by an attacker to execute remote code if a user is tricked into opening an attachment in a specially-crafted malicious email message using an affected version of Outlook. The vulnerability affects all supported versions of Outlook 2002, Office Outlook 2003 and 2007.
Even though Microsoft did not rate the flaw critical, it is likely to be exploited, said Symantec's Talbot.
“It appears fairly simple for an attacker to figure out and create an exploit for, which could cause executable file email attachments, such as malware, to slip past Outlook's list of unsafe file types,” he said. “A user would still have to double click on the attachment to open it, but if they do, the file would run without any warning.”
Bulletin MS10-043 resolves another critical vulnerability in Windows that was disclosed in May. The flaw affects the Canonical Display Driver, which is used by the Windows desktop composition feature to blend drawings created in Graphics Device Interface and DirectX.
The vulnerability may allow an attacker to execute remote code. However, Microsoft security experts have said creating a reliable exploit would be difficult and, in most scenarios, it is much more likely that an attacker who exploits the vulnerability would cause an affected system to stop responding and automatically restart.
Bulletin MS10-044 addresses two critical Office Access ActiveX Control vulnerabilities that could allow remote code execution. The bugs, which affect Office 2003 and 2007, can be exploited if a user opens a specially crafted Office file or web page.
Meanwhile, Tuesday, as planned, marks the last day Microsoft will provide support for Windows 2000 and Windows XP Service Pack 2 (SP2). As a result, there will be no more security patches provided for these operating systems going forward, Shavlik's Miller said.
“It's a big thing for anyone who has a computer out there running these operating systems,” Miller said. “It's challenging to upgrade an entire OS or deploy a service pack because the time and effort involved is a lot more than patching a system.”