Microsoft Patch Tuesday is here again. For May, Microsoft only has two new security bulletins, both rated as Critical by Microsoft. MS10-030 addresses a vulnerability affecting Outlook Express and Windows Mail, and MS10-031 resolves an issue with Visual Basic for Applications (VBA) impacting Microsoft Office.
While rated Critical, neither seems overly urgent at this time. Tyler Reguly, lead security researcher for nCircle says "It seems highly unlikely that we'll ever see effective exploit code for MS10-031. It's still important to patch it, and with that in mind, enterprises should also consider any third party software they have that may make use of Visual Basic for Applications. If the third party didn't follow best practices, those applications may still contain the vulnerability, even after applying the provided Microsoft patch."
However, Joshua Talbot, security intelligence manager for Symantec Security Response, commented via e-mail to say "I've put the Visual Basic for Applications vulnerability first on my list. Both vulnerabilities require social engineering to exploit, but the VBA vulnerability requires less action from a user. For instance, an attacker would simply have to convince a user to open a maliciously crafted file--likely an Office document--which supports VBA and the user's machine would be compromised. I can see this being used in targeted attacks, which are on the rise."
Talbot added "Contrary to this, in most cases the Windows Mail vulnerability would require a user to actually open up Outlook Express or Windows Mail and connect to a malicious mail server. It's possible that an attacker could somehow convince a user to do this-for example by enticing them to sign up for a new free mail service-but the steps required to do so would probably be a red flag for most users."
Qualys CTO Wolfgang Kandek agreed, explaining in a blog post "MS10-030 fixes a vulnerability in Windows Outlook Express and Windows Mail, both mail clients for the POP/IMAP protocols. The vulnerability allows remote code execution and is classified as "critical". Successful exploitation however is unlikely (exploitability index = 2) as it requires extensive user involvement including setting up an e-mail account on a malicious server. We don't see Outlook Express/Windows Mail being used in the enterprise but smaller businesses could be affected."
Kandek also mentions the SharePoint vulnerability which Microsoft did not patch today. "Microsoft did not address the recent SharePoint vulnerability (KB983438). We recommend looking into the advisory and implementing the suggested work-around which restricts the access to the Help functionality in SharePoint."
Reguly also discussed the unpatched issue with Microsoft SharePoint. "I wasn't expecting Microsoft to release a patch for the XSS in SharePoint just yet, but I suspect that people who think patches should just be rushed out will be asking where it is anyway."
"Lately, Microsoft seems to be alternating between lightly patching one month and then heavy the next," concluded Symantec's Talbot. "So, one has to wonder what next month holds in store. I also wouldn't be surprised to see an update in June for the SharePoint cross-site scripting vulnerability that recently came to light. Though we haven't seen any exploits for it in the wild yet, it appears fairly trivial to take advantage of."
As an aside, IT administrators should also be aware that support for Windows 2000, and Windows XP with Service Pack 2 or earlier will no longer be supported as of July 13, 2010. Microsoft recommends customers upgrade to Windows 7, or at least apply Windows XP Service Pack 3 before this date.