Microsoft plugs five security holes with four bulletins for July's Patch Tuesday. Among the patches is a fix for the bug uncovered by a Google engineer that was at the center of a debate regarding responsible disclosure.
Microsoft addressed five
July 13 in a relatively small Patch Tuesday
The most notable was a vulnerability in the Windows Help and Support
Center feature included in Windows
XP and Windows Server 2003 that has come under attack. The bug was reported to
Microsoft by Google engineer Tavis Ormandy June 5, and became the center of a
debate about responsible
after he published details of the flaw five days later.
Shortly thereafter, attackers
were seen exploiting
"In just the few weeks since the Help and Support Center issue came to light,
three public exploits have surfaced, all using different attack
mechanisms," said Joshua Talbot, security intelligence manager for
Symantec Security Response. "We saw attack activity begin increasing on
June 21, but it's since leveled out."
If the vulnerability is successfully exploited, an attacker could remotely
execute code. So far, no attack vector has been found on Server 2003, making
the threat level for that system low, Microsoft said. Still, the company is
urging Windows XP customers to install the update as soon as possible.
Among the other patches is a fix for a vulnerability in the Canonical
Display Driver (cdd.dll) on 64-bit versions of Windows 7 and Windows Server
2008 R2 with Windows Aero enabled.
"Although it is possible that the vulnerability could allow code
execution, successful code execution is unlikely due to memory randomization,"
Jerry Bryant, group manager of Microsoft Response Communications, wrote on the Microsoft Security Response Center blog.
"In most scenarios, it is much more likely that an attacker who
successfully exploited this vulnerability could cause a Denial of Service
(DoS)," Bryant wrote, adding Microsoft is "not aware of any active
attacks against this issue."
The final critical bulletin addresses two vulnerabilities affecting Office
ActiveX controls that could be exploited to execute remote code. The remaining security
bulletin is rated important, and fixes a vulnerability in the way Office Outlook verifies attachments
a specially crafted e-mail message. Though Microsoft rated the bulletin
important instead of critical, Talbot predicted that the bug is likely to
"It appears fairly simple for an attacker to figure out and create an
exploit for, which could cause executable file e-mail attachments, such as
malware, to slip past Outlook's list of unsafe file types," Talbot said.
"A user would still have to double-click on the attachment to open it, but
if they do the file would run without any warning."