Security commentators have welcomed Microsoft's patch for the Windows Help and Support Center vulnerability, released as part of its monthly Patch Tuesday update.
Microsoft announced last week that it would release four bulletins covering five vulnerabilities, among them the remote code execution vulnerability in the Windows Help and Support Center. That flaw was disclosed by Tavis Ormandy in mid-June, and a number of security commentators criticised his decision to publish it before Microsoft had released a patch.
Jason Miller, data and security team manager at Shavlik Technologies, said that this security bulletin (MS10-042) is the one administrators should address first on their machines, and that, as with any zero-day exploit, administrators should deploy the patch as soon as possible.
Dave Marcus, research and communications director for McAfee Labs, said: “Among the fixes is a patch for a critical vulnerability in the Windows Help and Support Center, a feature designed to provide assistance to users. This vulnerability was irresponsibly disclosed to the public by Google employee Tavis Ormandy prior to Microsoft providing a fix. Cyber criminals have already taken advantage of the vulnerability and exploited it to attack Windows users.
“McAfee Labs has seen malware in the wild that exploits this zero-day vulnerability. Security researchers need to work closely with software vendors to ensure vulnerabilities are patched in the most expedient method and timeline possible, without putting users at risk.”
Alan Bentley, SVP international for Lumension, commented that MS10-042 addresses a critical vulnerability, but also drew attention to MS10-043, which requires a reboot and affects 64-bit Windows Server 2008 machines, something that could be disruptive in some environments.
He said: “MS10-043 could impact a large swath of Microsoft customers as it affects Windows 7 desktop users and Windows 2008 R2 servers, which are Microsoft's most current desktop and server solutions. Given the active exploit code that has been circulated, MS10-043 should be prioritised in testing and deployments.”
Wolfgang Kandek, CTO at Qualys, said that MS10-043 is critical but noted a number of mitigating factors: it applies only to 64-bit versions and requires a fairly high display resolution, so the priority of the update depends on the user's environment.
He singled out MS10-045 as more crucial, because it undermines the security model for attachments in Microsoft Outlook. He said: “Microsoft classified the vulnerability only as ‘important’, but it allows an attacker to camouflage malicious files as a safe file type.
“An example would be to pass off an executable as a simple text file. All versions of Outlook are affected, excluding the newest Outlook 2010. The second Microsoft Office update, MS10-044, is a vulnerability in a Microsoft Access ActiveX component; it is ranked critical and should be treated as a priority as well.”
Oliver Lavery, director of security research and development at nCircle, called MS10-045 ‘the most interesting vulnerability for the enterprise’, as it allows an attacker to use a specially crafted Universal Naming Convention (UNC) path in an Outlook attachment to bypass Outlook's warning about opening potentially malicious attachments.
He said: “This is significant because Operation Aurora and other high profile email-based attacks over the last year have proven to be highly successful. The only startling advisory is MS10-044, which involves remote code execution via a MS Access ActiveX control. ActiveX vulnerabilities have been an ongoing problem for the last decade, and it's troubling that even though the technology is largely obsolete, we're still seeing an ongoing negative impact on security.”
Bentley said: “While MS10-044 is rated critical, fortunately its impact will be limited to those organisations that have built or utilise applications and processes based on Microsoft Access. Although MS10-045 is only rated important, users are strongly encouraged to pay it attention as it addresses a vulnerability in Microsoft Outlook and remote-code-execution vulnerabilities in email clients should always be a concern for IT administrators.”
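The two attachment tricks the commentators describe for MS10-045 (a UNC path carried in an attachment name, and an executable passed off as a plain text file) are traits a mail gateway or an incident responder can check for independently of the Outlook fix. The script below is an added example, not code from the article or from Qualys, nCircle, Lumension or Microsoft; it does not reproduce the Outlook bug, it only flags attachments showing those traits. The .eml it parses is constructed inline, and the function names (`triage_attachment`, `triage_message`, `build_sample_message`), the finding labels and the extension list are the example's own assumptions.

```python
"""Flag e-mail attachments that show the MS10-045-style camouflage traits:
a UNC or other path embedded in the attachment name, and a Windows PE image
(starts with "MZ") whose name does not carry an executable extension.
Added example; not from the article or any vendor quoted in it."""
import base64
import email
import re

# Extensions under which a PE image is at least honestly labelled (assumption).
EXECUTABLE_EXTENSIONS = {"exe", "dll", "scr", "com", "sys", "cpl", "pif"}
# \\server\share... at the start of a name: an attachment name should never be a path.
UNC_PATH = re.compile(r"^\\\\[^\\/]+\\")
PE_MAGIC = b"MZ"  # DOS header signature at offset 0 of every Windows executable


def triage_attachment(name, payload):
    """Return a list of finding labels for one attachment (empty list = clean)."""
    findings = []
    if UNC_PATH.match(name):
        findings.append("unc-path")
    elif "\\" in name or "/" in name:
        findings.append("path-separator")
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    if payload.startswith(PE_MAGIC) and ext not in EXECUTABLE_EXTENSIONS:
        # Content is a PE image but the name claims something harmless (e.g. .txt).
        findings.append("pe-image-not-named-as-executable")
    return findings


def triage_message(raw):
    """Parse an RFC 822 message and return {attachment name: [findings]} for
    every attachment with at least one finding."""
    msg = email.message_from_bytes(raw)  # legacy (compat32) parser, RFC 2045 unquoting
    report = {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name is None:  # inline body text, not an attachment
            continue
        payload = part.get_payload(decode=True) or b""
        findings = triage_attachment(name, payload)
        if findings:
            report[name] = findings
    return report


def build_sample_message():
    """Constructed sample .eml (not captured traffic): a clean text attachment,
    an honestly named executable, and a PE stub named with a UNC path and a
    .txt extension. The PE stub is just the MZ header followed by zero bytes."""
    pe_stub = base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60).decode()
    lines = [
        b"From: sender@example.test",
        b"To: victim@example.test",
        b"Subject: quarterly notes",
        b"MIME-Version: 1.0",
        b'Content-Type: multipart/mixed; boundary="b1"',
        b"",
        b"--b1",
        b"Content-Type: text/plain",
        b"",
        b"See attached.",
        b"--b1",
        b'Content-Type: text/plain; name="readme.txt"',
        b'Content-Disposition: attachment; filename="readme.txt"',
        b"",
        b"just text",
        b"--b1",
        b"Content-Type: application/octet-stream",
        b"Content-Transfer-Encoding: base64",
        b'Content-Disposition: attachment; filename="setup.exe"',
        b"",
        pe_stub.encode(),
        b"--b1",
        b"Content-Type: text/plain",
        b"Content-Transfer-Encoding: base64",
        # Quoted-string escaping: each backslash is doubled on the wire (raw bytes literal).
        rb'Content-Disposition: attachment; filename="\\\\server\\share\\notes.txt"',
        b"",
        pe_stub.encode(),
        b"--b1--",
    ]
    return b"\r\n".join(lines)


if __name__ == "__main__":
    for name, findings in triage_message(build_sample_message()).items():
        print(f"{name!r}: {', '.join(findings)}")
```

Only the third attachment is reported: its name unquotes to `\\server\share\notes.txt` and its content begins with the PE signature despite the `.txt` extension. The checks are deliberately content-based rather than trusting `Content-Type`, since a sender controls both the declared type and the name.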