Microsoft Pushes "Bottom of the Barrel" Patches
Microsoft this week patched two critical vulnerabilities in Office, the Visual Basic for Applications development tool and its Windows e-mail clients.
Neither of the two security updates Microsoft released really grabbed researchers. "It's the month of insignificant patches," said Tyler Reguly, a lead security research engineer at nCircle Security.
"Sort of the bottom of the barrel," added Jason Miller, data and security team manager for Shavlik Technologies.
Of the two updates, Reguly put MS10-030 at the top of his to-patch list. According to Microsoft, a bug in Outlook Express, the free e-mail program bundled with Windows XP; Windows Mail, which was included with Vista; and its follow-on, the optional download Windows Live Mail, could be used by attackers to compromise a PC by tricking users into visiting a malicious mail server.
More likely, said Reguly, was a classic "man-in-the-middle" attack at a public WiFi hotspot, like those operated by McDonalds or Starbucks, where a hacker intercepts traffic, including mail, and could shunt it to his own malware-spewing server.
Microsoft said much the same in a post to its "Security Research & Defense" blog when it noted that users face a "significant risk" when checking mail at a public hotspot if they haven't enabled SSL (Secure Socket Layer), the Web's default security protocol.
Wolfgang Kandek, the chief technology officer of Qualys, disagreed with Reguly. "I think MS10-031 is the more interesting of the two. MS10-030 is pretty difficult to exploit."
Kandek's top pick affects Office XP, Office 2003 and Office 2007, as well as Visual Basic for Applications and that product's SDK (software developers toolkit). Hackers can exploit the vulnerability -- rated "important" for Office but "critical" for Visual Basic -- by duping users into opening rigged Office documents.
That's the key to Kandek's decision to put MS10-031 ahead of its rival. "The attack vector through Office makes this much more likely," he said. "It's a normal attack vector these days."
Other researchers thought both updates were interesting. "There may be some third-party vendors whose code is going to be vulnerable," said Shavlik's Miller, referring to MS10-031. "If they wrote their applications using the Visual Basic SDK, they may have to recompile their programs. I'd expect to see some non-Microsoft updates on this from third-parties."
The Visual Basic bug reminded Miller of Microsoft's emergency patch last summer that fixed a flaw in Active Template Library (ATL), a code library used by both Microsoft and third-party developers to build software. After Microsoft admitted that the ATL bug had been caused by an extraneous "&" character introduced by one of its engineers, several vendors were forced to release updates of their software.
Miller also called attention to MS10-030, saying that man-in-the-middle attacks were possible at universities and public places, such as libraries, as well as at coffee shops, restaurants and airports. What struck him about the update, however, was that it was another instance where Microsoft patched systems that are not actually vulnerable to attack. "They're calling that 'defense-in-depth,' but what they're doing is closing all the doors, just in case," said Miller.
Even those Windows 7 users who haven't downloaded and installed Windows Live Mail -- that operating system doesn't include a bundled mail client -- will be offered MS10-030, Microsoft said in its accompanying advisory. As a precaution, Microsoft is patching the vulnerable .dll file -- inetcomm.dll -- on Windows 7.
"I applaud that," said Miller. "Better safer than sorry."
Microsoft's practice of alternating large- and small-sized Patch Tuesdays continued this month, all the researchers interviewed today noted. Last month, for instance, Microsoft issued 11 updates that patched 25 vulnerabilities . "This is what we expect now," said Miller.
"That means we should expect another big month next month," added Reguly. Microsoft's next scheduled patch day is June 8.
As promised last week , Microsoft did not patch a cross-site scripting vulnerability in SharePoint 2007. It did leave open the option of issuing a rush fix if attacks were spotted, then surged. "We are not aware of any active attacks at this time and we will continue to monitor the threat landscape and post an updated security advisory should it be needed," said Jerry Bryant, a group security manager in an entry on the Microsoft Security Response Center (MSRC) blog today.
This month's Microsoft security update can be downloaded and installed via the Windows Update and Microsoft Update services, as well as through Windows Server Update Services.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld . Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org .
Read more about security in Computerworld's Security Knowledge Center.