Establishing Digital Trust: Don't Sacrifice Security for Convenience
May looks to be a little less hectic than usual for IT managers when it comes to patching Microsoft security vulnerabilities.
That's because Microsoft (NASDAQ: MSFT) released only two patches this month -- one for most versions of Windows, and one for Visual Basic for Applications (VBA), which affects Microsoft Office.
That should lighten the workload a bit for IT managers compared to last month, when Microsoft engineers released 11 patches, five of them rated as "critical" -- the highest level of severity on Microsoft's four-tiered threat rating scale.
Both of today's patches are also ranked as critical updates.
The Windows patch fixes a security vulnerability in Outlook Express, Windows Mail and Windows Live Mail. However, its severity rating is critical only for a number of versions of Windows predating Windows 7 and Windows Server 2008 Release 2 (R2): Windows 2000 Service Pack 4 (SP4), Windows XP SP2 and SP3, and Windows Vista SP1 and SP2.
For Windows 7 and Windows Server 2008 R2, the most recent versions of the operating system, the patch is classified only as "important" -- the second-highest of Microsoft's threat levels.
Even so, the flaw is not especially easy to exploit: the attacker needs control of, or a position between the client and, the mail server the user connects to.
"To successfully take advantage of this vulnerability, an attacker would either have to host a malicious mail server or compromise a mail server. Or an attacker could perform a man-in-the-middle attack and attempt to alter responses to the client," Jerry Bryant, Microsoft group manager for response communications, said in a post to the Microsoft Security Response Center (MSRC) blog Tuesday.
Joshua Talbot, security intelligence manager at Symantec Security Response, agreed.
"In most cases, the Windows Mail vulnerability would require a user to actually open up Outlook Express or Windows Mail and connect to a malicious mail server," Talbot said in an e-mail to InternetNews.com.
Meanwhile, the VBA flaw, while rated critical, also requires social engineering -- tricking the user into opening a crafted file -- before an attacker can exploit it.
"This security update is rated Critical for Microsoft VBA SDK [software development kit] 6.0 and third-party applications that use Microsoft VBA. For all supported versions of Office XP, Office 2003 and Office 2007, it [MS10-031] is rated Important due to the user interaction required in order to successfully exploit this issue," Bryant said in his post.
The patch modifies how VBA searches for ActiveX Controls embedded in documents, he added.
"An attacker would simply have to convince a user to open a maliciously crafted file -- likely an Office document -- which supports VBA, and the user's machine would be compromised. I can see this being used in targeted attacks, which are on the rise," Symantec's Talbot said.
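For IT managers working through the two bulletins, here is an added example (not from the article, Microsoft or Symantec) of a PowerShell check to run on each Windows host: it reports whether the update for each bulletin is installed and which severity the article gives the mail-client bulletin for that host's Windows version (Critical on releases before Windows 7 and Server 2008 R2, Important on those two). The KB article numbers are not stated in the article, so they are parameters to be taken from the bulletin pages; the VBA bulletin's severity depends on the Office or VBA SDK version rather than the OS, so the script only reports installation status for it.

```powershell
# Added example, not from the article. Reports install status of the two May
# bulletins and the article's OS-dependent severity for the mail-client update.
# The KB identifiers are NOT given in the article: supply the ones listed on
# each bulletin page (no defaults are assumed here).
param(
    [string]$MailKb = "",   # KB id of the Outlook Express / Windows Mail update (MS10-030)
    [string]$VbaKb  = ""    # KB id of the VBA update (MS10-031)
)

$os  = Get-WmiObject Win32_OperatingSystem
$ver = [Version]$os.Version

# Windows 7 and Server 2008 R2 report kernel version 6.1; Windows 2000, XP,
# Vista and Server 2008 report lower versions. Per the article, the mail-client
# bulletin is Critical on the older releases and Important on 6.1.
$mailSeverity = if ($ver -ge [Version]"6.1") { "Important" } else { "Critical" }

function Test-KbInstalled([string]$Kb) {
    if (-not $Kb) { return "unknown (no KB id supplied)" }
    # HotFixID is reported in the form "KBnnnnnn".
    $hit = Get-HotFix | Where-Object { $_.HotFixID -eq $Kb }
    if ($hit) { "installed ($($hit.InstalledOn))" } else { "MISSING" }
}

"{0} ({1})" -f $os.Caption, $os.Version
"Mail client update, rated {0} on this OS: {1}" -f $mailSeverity, (Test-KbInstalled $MailKb)
"VBA / Office update: {0}" -f (Test-KbInstalled $VbaKb)
```

Run it as `.\Check-MayPatches.ps1 -MailKb KB... -VbaKb KB...` with the KB ids from the bulletins; Get-HotFix only lists updates installed through Windows Update or the standalone installer, so an Office update delivered by other means may need a separate check against the Office binaries.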
One vulnerability that May's Patch Tuesday drop did not fix, however, is a zero-day flaw in SharePoint Server 2007 and SharePoint Services 3 that Microsoft warned users about last month. Although the company is working on a fix for that security vulnerability, officials said last week in Microsoft's advance notice for the May Patch Tuesday drop that it would not be ready in time for today's release.
Instead, Microsoft may patch the SharePoint security flaw by going outside of the regular Patch Tuesday cycle -- a so-called "out-of-band" patch. The company has not yet given any hint as to whether it will issue an out-of-band patch or wait until June's Patch Tuesday updates.