Microsoft pushes 'bottom of the barrel' patches

Fixes just two flaws in light Patch Tuesday, but expect a whopper in June, say researchers

Microsoft today patched two critical vulnerabilities in Office, the Visual Basic for Applications development tool and its Windows e-mail clients.

Neither of the two security updates Microsoft released today really grabbed researchers. "It's the month of insignificant patches," said Tyler Reguly, a lead security research engineer at nCircle Security.

"Sort of the bottom of the barrel," added Jason Miller, data and security team manager for Shavlik Technologies.

Of the two updates, Reguly put MS10-030 at the top of his to-patch list. According to Microsoft, a bug in Outlook Express, the free e-mail program bundled with Windows XP; Windows Mail, which was included with Vista; and its follow-on, the optional download Windows Live Mail, could be used by attackers to compromise a PC by tricking users into visiting a malicious mail server.

More likely, said Reguly, was a classic "man-in-the-middle" attack at a public WiFi hotspot, like those operated by McDonalds or Starbucks, where a hacker intercepts traffic, including mail, and could shunt it to his own malware-spewing server.

Microsoft said much the same in a post to its "Security Research & Defense" blog when it noted that users face a "significant risk" when checking mail at a public hotspot if they haven't enabled SSL (Secure Sockets Layer), the Web's default security protocol.

Wolfgang Kandek, the chief technology officer of Qualys, disagreed with Reguly. "I think MS10-031 is the more interesting of the two. MS10-030 is pretty difficult to exploit."

Kandek's top pick affects Office XP, Office 2003 and Office 2007, as well as Visual Basic for Applications and that product's SDK (software development kit). Hackers can exploit the vulnerability -- rated "important" for Office but "critical" for Visual Basic -- by duping users into opening rigged Office documents.

That's the key to Kandek's decision to put MS10-031 ahead of its rival. "The attack vector through Office makes this much more likely," he said. "It's a normal attack vector these days."

Other researchers thought both updates were interesting. "There may be some third-party vendors whose code is going to be vulnerable," said Shavlik's Miller, referring to MS10-031. "If they wrote their applications using the Visual Basic SDK, they may have to recompile their programs. I'd expect to see some non-Microsoft updates on this from third-parties."

The Visual Basic bug reminded Miller of Microsoft's emergency patch last summer that fixed a flaw in Active Template Library (ATL), a code library used by both Microsoft and third-party developers to build software. After Microsoft admitted that the ATL bug had been caused by an extraneous "&" character introduced by one of its engineers, several vendors were forced to release updates of their software.

Miller also called attention to MS10-030, saying that man-in-the-middle attacks were possible at universities and public places, such as libraries, as well as at coffee shops, restaurants and airports. What struck him about the update, however, was that it was another instance where Microsoft patched systems that are not actually vulnerable to attack. "They're calling that 'defense-in-depth,' but what they're doing is closing all the doors, just in case," said Miller.

Even those Windows 7 users who haven't downloaded and installed Windows Live Mail -- that operating system doesn't include a bundled mail client -- will be offered MS10-030, Microsoft said in its accompanying advisory. As a precaution, Microsoft is patching the vulnerable .dll file -- inetcomm.dll -- on Windows 7.

"I applaud that," said Miller. "Better safer than sorry."

Microsoft's practice of alternating large- and small-sized Patch Tuesdays continued this month, all the researchers interviewed today noted. Last month, for instance, Microsoft issued 11 updates that patched 25 vulnerabilities. "This is what we expect now," said Miller.

"That means we should expect another big month next month," added Reguly. Microsoft's next scheduled patch day is June 8.

As promised last week, Microsoft did not patch a cross-site scripting vulnerability in SharePoint 2007. It did leave open the option of issuing a rush fix if attacks were spotted and then surged. "We are not aware of any active attacks at this time and we will continue to monitor the threat landscape and post an updated security advisory should it be needed," said Jerry Bryant, a group security manager, in an entry on the Microsoft Security Response Center (MSRC) blog today.

This month's Microsoft security update can be downloaded and installed via the Windows Update and Microsoft Update services, as well as through Windows Server Update Services.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@ix.netcom.com.
