Microsoft issued five security bulletins Tuesday, repairing two zero-day vulnerabilities, including a serious flaw in Windows Help and Support Center that was being targeted by attackers in the wild.
MS10-042 addresses a critical Help and Support Center vulnerability that was disclosed June 5 by Google engineer Tavis Ormandy. Since then, exploits targeting the vulnerability have begun to appear. The remote code execution vulnerability affects users of Windows XP and Windows Server 2003. Microsoft said the component doesn't properly validate URLs, enabling an attacker to take control of a victim's machine after they visit a malicious website or click on a malicious link in an email message.
While two other bulletins are rated critical, vulnerability experts said a bulletin that addresses a flaw in Microsoft Office Outlook should also be a high priority. Microsoft rated the MS10-045 bulletin important because there is no automated attack vector, but the vulnerability could make executable files look like benign attachments, said Richie Lai, director of vulnerability research at Redwood Shores, Calif.-based Qualys Inc. Lai said he wouldn't be surprised if attackers attempt to exploit the vulnerability in large-scale spam attacks.
"It undermines a lot of the built-in security protections around attachments in Microsoft Outlook," Lai said. "It comes down to a social engineering attack; an exe can be easily executed by just double-clicking on the icon."
Microsoft also repaired a two-month-old zero-day vulnerability in the Windows Canonical Display Driver. MS10-043 is rated critical for x64-based editions of Windows 7 and important for Windows Server 2008. The repair corrects the way the driver parses information copied from user mode to kernel mode. Microsoft said code execution is unlikely due to memory randomization, a security feature in Windows 7. If an attacker successfully exploits the issue, the vulnerability could cause the affected system to stop responding and automatically restart.
In addition, Microsoft addressed a critical vulnerability in Microsoft Office Access, a database management system in Microsoft's Office suite. MS10-044 repairs two vulnerabilities in Microsoft Office Access ActiveX Controls. An attacker could execute code remotely by tricking a victim into opening a malicious Office file or viewing a web page that targeted the ActiveX controls. The vulnerabilities affect Microsoft Office 2003 and Microsoft Office 2007.
Windows XP SP2 support ends
The July release was the last Microsoft update supporting users running the Windows 2000 and Windows XP SP2 platforms. Qualys CTO Wolfgang Kandek said an analysis conducted by the firm found a high number of enterprises that continue to run Windows XP SP2. Kandek said the platform is stable, but continued vulnerabilities (at least one flaw every month since January 2009) pose an increased threat if users decide to continue to use the platform with no support.
"We're seeing roughly half of the XP machines we scanned as being on SP2," Kandek said. "It's really stable and it does what people need it to do; in terms of security, it was revolutionary at the time so the degree of satisfaction is really high."
Kandek said the easiest, least costly move for enterprises is to upgrade to Windows XP SP3.