IT administrators got a light security update from Microsoft on Tuesday: the software giant pushed out two bulletins for previously undisclosed issues, but it is still working on a fix for a publicly disclosed, unpatched SharePoint vulnerability.
Each of this month's bulletins addresses one vulnerability rated "critical," but neither was delivered with much urgency. Microsoft said the chances of exploitation were low.
Bulletin MS10-030 addresses a single flaw affecting Outlook Express, Windows Mail and Windows Live Mail. The vulnerability is rated critical in Windows 2000, XP, Server 2003, Server 2008 and Vista, while Windows 7 and Server 2008 R2 carry “important” ratings if a mail client is installed.
Joshua Talbot, security intelligence manager for Symantec Security Response, said widespread exploits are unlikely because the flaw requires a user to open up a mail client and connect to a malicious mail server.
“It’s possible that an attacker could somehow convince a user to do this — for example, by enticing them to sign up for a new free mail service — but the steps required to do so would probably be a red flag for most users,” Talbot said.
MS10-031, meanwhile, repairs a single bug in Visual Basic for Applications (VBA). The vulnerability is rated critical for all supported versions of the VBA Software Development Kit (SDK) 6.0 and for third-party programs that use VBA.
Experts disagreed on whether the flaw could lead to future attacks. Tyler Reguly, lead security engineer at vulnerability management firm nCircle, said it was "highly unlikely" that effective exploit code would materialize. Talbot, however, said he wouldn't be surprised to see targeted attacks emerge.
“[A]n attacker would simply have to convince a user to open a maliciously crafted file — likely an Office document — which supports VBA, and the user’s machine would be compromised,” Talbot said.
Missing from Tuesday's release was a fix for a publicly known SharePoint vulnerability that could allow attackers to elevate privileges and steal sensitive data. The bug was disclosed at the end of April.
“An update related to the advisory is not available at this time,” a spokeswoman said. “Microsoft is not aware of any active attacks but encourages customers to review the advisory and apply the suggested workarounds until an update is available.”