Microsoft pushes fixes for two bugs in light Patch Tuesday

IT administrators were treated to a light security update from Microsoft on Tuesday when the software giant pushed out two patches for previously unknown issues, but it is still working on a fix for a zero-day SharePoint vulnerability.

Each of this month's patches addresses one "critical" vulnerability, but neither was delivered with much urgency by Microsoft. The company said the chances of exploitation were low.

Bulletin MS10-030 addresses a single flaw affecting Outlook Express, Windows Mail and Windows Live Mail. The vulnerability is rated critical in Windows 2000, XP, Server 2003, Server 2008 and Vista, while Windows 7 and Server 2008 R2 carry "important" ratings if a mail client is installed.

Joshua Talbot, security intelligence manager for Symantec Security Response, said widespread exploits are unlikely because the flaw requires a user to open up a mail client and connect to a malicious mail server.

"It's possible that an attacker could somehow convince a user to do this — for example, by enticing them to sign up for a new free mail service — but the steps required to do so would probably be a red flag for most users," Talbot said.

MS10-031, meanwhile, repairs a single bug in the Visual Basic for Applications (VBA) programming language. The vulnerability is critical in all supported versions of VBA SDK (Software Development Kit) 6.0 and third-party programs that use VBA.

Experts disagreed over whether the flaw could lead to future attacks. Tyler Reguly, lead security engineer at vulnerability management firm nCircle, said it was "highly unlikely" that effective exploit code would emerge. However, Talbot said he wouldn't be surprised to see targeted attacks emerge.

"[A]n attacker would simply have to convince a user to open a maliciously crafted file — likely an Office document — which supports VBA, and the user's machine would be compromised," Talbot said.

Missing from Tuesday's patch batch was a fix for a publicly known SharePoint vulnerability, which could allow hackers to elevate privileges and steal sensitive data. The bug was disclosed at the end of April.

"An update related to the advisory is not available at this time," a spokeswoman said. "Microsoft is not aware of any active attacks but encourages customers to review the advisory and apply the suggested workarounds until an update is available."
