Only two patches released by Microsoft for May, as main talking point surrounds SharePoint vulnerability

News by Dan Raywood

Microsoft released two bulletins for critical vulnerabilities on yesterday's patch Tuesday.

Microsoft released two bulletins for critical vulnerabilities on yesterday's patch Tuesday.

Security bulletin MS10-030 is a Windows-based update resolving a vulnerability affecting Outlook Express, Windows Mail and Windows Live Mail. Microsoft claimed that to successfully take advantage of this vulnerability, an attacker would either have to host a malicious mail server or compromise a mail server or they could perform a man-in-the-middle attack and attempt to alter responses to the client.

Jason Miller, data and security team manager for Shavlik Technologies, claimed that this bulletin affects every supported Microsoft operating system, however the Microsoft email clients - Windows Live Mail and Windows Mail - are not installed by default on some of the affected operating systems and will require a user to install the client.

He said: “The attack vector for this vulnerability seems a bit unlikely. An attacker would need to entice a user to connect to a malicious email server in order to gain remote code execution. We all see spam emails ranging from luxury watches and ‘special' pharmaceutical drugs at outrageously cheap prices to phishing attempts aimed at gaining private and confidential information. But a phishing attempt to entice a user to connect to a malicious email server is very uncommon.”

Joshua Talbot, security intelligence manager at Symantec Security Response, was equally dismissive of the threat level, claiming the Windows Mail vulnerability would require a user to actually open up Outlook Express or Windows Mail and connect to a malicious mail server, and that the steps required to do so would probably be a red flag for most users.

Wolfgang Kandek, CTO at Qualys, commented that successful exploitation is unlikely, and he did not see Outlook Express/Windows Mail being used in the enterprise but smaller businesses could be affected.

He also commented that Microsoft did not address the recent SharePoint vulnerability (KB983438), and recommended looking into the advisory and implementing the suggested workaround restricts the access to the help functionality in SharePoint.

Further comments were also made on the lack of a patch for the SharePoint vulnerability. Alan Bentley, VP international for Lumension said that Microsoft is directing users to Security Advisory 983438 as a workaround, pending release of a patch.

Tyler Reguly, lead security engineer for nCircle, said: “I wasn't expecting Microsoft to release a patch for the XSS in SharePoint just yet, but I suspect that people who think patches should just be rushed out will be asking where it is anyway.”

The other bulletin, MS10-031 addresses one vulnerability in Microsoft Visual Basic for Applications (VBA). The update addresses the vulnerability by modifying the way VBA searches for ActiveX controls embedded in documents.

Talbot claimed that this was the most important of the two patches as the vulnerability requires less action from a user. He said: “For instance, an attacker would simply have to convince a user to open a maliciously crafted file—likely an Office document—which supports VBA and the user's machine would be compromised. I can see this being used in targeted attacks, which are on the rise.”

Miller said: “This bulletin can cause confusion as it affects Microsoft products as well as non-Microsoft products. On the Microsoft products side, this patch will cover all supported versions of Microsoft Office. For non-Microsoft products, Microsoft Visual Basic for Applications and Microsoft Visual Basic for Applications SDK are potentially used by third party software vendors for their own applications. The vulnerable code could be on your system through one of these programs. It is important to note that Microsoft can only patch the Microsoft Office suite for this vulnerability.“

Kandek commented that its exploitability index is two, so exploit code within the next 30 days is unlikely. He said: “While the bulletin only carries a severity of ‘important', we consider it to be the more urgent of today's release.”


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews