Microsoft patches address two vulnerabilities

Microsoft issued its customary monthly security bulletin yesterday. This month's Patch Tuesday aims to fix two vulnerabilities that could allow for remote code execution.

Microsoft security bulletin MS10-030 fixes vulnerabilities in Outlook Express, Windows Mail, and Windows Live Mail that permit remote code execution if a user connects to a malicious e-mail server; the impact is greatest for users logged in with administrative rights.

The second vulnerability, Microsoft noted, “could allow remote code execution if a host application opens and passes a specially crafted file to the Visual Basic for Applications runtime”, according to bulletin MS10-031. The security advisory added that malicious hackers who seek to exploit this vulnerability can take complete control of a system if the user account is logged in with administrative rights. Microsoft advised that “an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights”.

“I’ve put the Visual Basic for Applications vulnerability first on my list,” said Joshua Talbot, security intelligence manager with Symantec. Commenting on the two patches, Talbot said that each vulnerability requires “social engineering to exploit, but the VBA vulnerability requires less action from a user”.

“For instance, an attacker would simply have to convince a user to open a maliciously crafted file – likely an Office document which supports VBA – and the user’s machine would be compromised”, Talbot continued, adding that this method could be used in targeted attacks, which are on the rise according to the Symantec intelligence manager.

“Contrary to this, in most cases the Windows Mail vulnerability would require a user to actually open up Outlook Express or Windows Mail and connect to a malicious mail server,” Talbot added. “It’s possible that an attacker could somehow convince a user to do this – for example by enticing them to sign up for a new free mail service – but the steps required to do so would probably be a red flag for most users.”

Jason Miller, data and security team manager for patch management specialist Shavlik Technologies, says that although few in number, the vulnerabilities highlighted in the latest Microsoft bulletins are serious. “While many are dismissing this month’s patches, this is not the time to relax your patch management policies and these bulletins must be addressed”, Miller warned.

“[One] bulletin [MS10-031] can cause confusion as it affects Microsoft products as well as non-Microsoft products”, he told Infosecurity via e-mail. Miller asserted that this patch will service Microsoft products, but not necessarily third-party applications that employ VBA. On the Microsoft products side, this patch will cover all supported versions of Microsoft Office.

“The vulnerable code could be on your system through one of these programs”, Miller said. “It is important to note that Microsoft can only patch the Microsoft Office suite for this vulnerability.”

Miller implores the security-conscious to consult the Microsoft knowledge base article (KB978213) for the bulletin to determine which third-party applications may be vulnerable, in addition to contacting the software vendor to see if it has a patch for the VBA vulnerability.
