Microsoft pushes 'bottom of the barrel' patches

Fixes just two flaws in light Patch Tuesday, but expect a whopper in June, say researchers

Microsoft today patched two critical vulnerabilities in Office, the Visual Basic for Applications development tool and its Windows e-mail clients.

Neither of the two security updates Microsoft released today really grabbed researchers. "It's the month of insignificant patches," said Tyler Reguly, a lead security research engineer at nCircle Security.

"Sort of the bottom of the barrel," added Jason Miller, data and security team manager for Shavlik Technologies.

Of the two updates, Reguly put MS10-030 at the top of his to-patch list. According to Microsoft, a bug in Outlook Express, the free e-mail program bundled with Windows XP; Windows Mail, which was included with Vista; and its follow-on, the optional download Windows Live Mail, could be used by attackers to compromise a PC by tricking users into visiting a malicious mail server.

More likely, said Reguly, was a classic "man-in-the-middle" attack at a public WiFi hotspot, like those operated by McDonalds or Starbucks, where a hacker intercepts traffic, including mail, and could shunt it to his own malware-spewing server.

Microsoft said much the same in a post to its "Security Research & Defense" blog, noting that users face a "significant risk" when checking mail at a public hotspot if they haven't enabled SSL (Secure Sockets Layer), the Web's default security protocol, for their mail connections.

Wolfgang Kandek, the chief technology officer of Qualys, disagreed with Reguly. "I think MS10-031 is the more interesting of the two. MS10-030 is pretty difficult to exploit."

Kandek's top pick affects Office XP, Office 2003 and Office 2007, as well as Visual Basic for Applications and that product's SDK (software development kit). Hackers can exploit the vulnerability -- rated "important" for Office but "critical" for Visual Basic -- by duping users into opening rigged Office documents.

That's the key to Kandek's decision to put MS10-031 ahead of its rival. "The attack vector through Office makes this much more likely," he said. "It's a normal attack vector these days."

Other researchers thought both updates were interesting. "There may be some third-party vendors whose code is going to be vulnerable," said Shavlik's Miller, referring to MS10-031. "If they wrote their applications using the Visual Basic SDK, they may have to recompile their programs. I'd expect to see some non-Microsoft updates on this from third-parties."

The Visual Basic bug reminded Miller of Microsoft's emergency patch last summer that fixed a flaw in Active Template Library (ATL), a code library used by both Microsoft and third-party developers to build software. After Microsoft admitted that the ATL bug had been caused by an extraneous "&" character introduced by one of its engineers, several vendors were forced to release updates of their software.

Miller also called attention to MS10-030, saying that man-in-the-middle attacks were possible at universities and public places, such as libraries, as well as at coffee shops, restaurants and airports. What struck him about the update, however, was that it was another instance where Microsoft patched systems that are not actually vulnerable to attack. "They're calling that 'defense-in-depth,' but what they're doing is closing all the doors, just in case," said Miller.

Even those Windows 7 users who haven't downloaded and installed Windows Live Mail -- that operating system doesn't include a bundled mail client -- will be offered MS10-030, Microsoft said in its accompanying advisory. As a precaution, Microsoft is patching the vulnerable .dll file -- inetcomm.dll -- on Windows 7.

"I applaud that," said Miller. "Better safer than sorry."

Microsoft's practice of alternating large- and small-sized Patch Tuesdays continued this month, all the researchers interviewed today noted. Last month, for instance, Microsoft issued 11 updates that patched 25 vulnerabilities. "This is what we expect now," said Miller.

"That means we should expect another big month next month," added Reguly. Microsoft's next scheduled patch day is June 8.

As promised last week, Microsoft did not patch a cross-site scripting vulnerability in SharePoint 2007. It did leave open the option of issuing a rush fix if attacks were spotted and then surged. "We are not aware of any active attacks at this time and we will continue to monitor the threat landscape and post an updated security advisory should it be needed," said Jerry Bryant, a group security manager, in an entry on the Microsoft Security Response Center (MSRC) blog today.

This month's Microsoft security update can be downloaded and installed via the Windows Update and Microsoft Update services, as well as through Windows Server Update Services.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@ix.netcom.com.
