IT Security & Network Security News & Reviews - eWeek



IT Security & Network Security News

Microsoft Patches Windows, Office Bugs


By: Brian Prince
2010-07-13
Article Rating:starstarstarstarstar / 1


There are  user comments on this IT Security & Network Security News & Reviews story.


Microsoft plugs five security holes with four bulletins for July's Patch Tuesday. Among the patches is a fix for the bug uncovered by a Google engineer that was at the center of a debate regarding responsible disclosure.

Microsoft addressed five security vulnerabilities July 13 in a relatively small Patch Tuesday update.

The most notable was a vulnerability in the Windows Help and Support Center feature included in Windows XP and Windows Server 2003 that has come under attack. The bug was reported to Microsoft by Google engineer Tavis Ormandy June 5, and became the center of a debate about responsible disclosure after he published details of the flaw five days later.

Shortly thereafter, attackers were seen exploiting the vulnerability.

"In just the few weeks since the Help and Support Center issue came to light, three public exploits have surfaced, all using different attack mechanisms," said Joshua Talbot, security intelligence manager for Symantec Security Response. "We saw attack activity begin increasing on June 21, but it's since leveled out."

If the vulnerability is successfully exploited, an attacker could remotely execute code. So far, no attack vector has been found on Server 2003, making the threat level for that system low, Microsoft said. Still, the company is urging Windows XP customers to install the update as soon as possible.

Among the other patches is a fix for a vulnerability in the Canonical Display Driver (cdd.dll) on 64-bit versions of Windows 7 and Windows Server 2008 R2 with Windows Aero enabled.

"Although it is possible that the vulnerability could allow code execution, successful code execution is unlikely due to memory randomization," Jerry Bryant, group manager of Microsoft Response Communications, wrote on the Microsoft Security Response Center blog.

"In most scenarios, it is much more likely that an attacker who successfully exploited this vulnerability could cause a Denial of Service (DoS)," Bryant wrote, adding Microsoft is "not aware of any active attacks against this issue."

The final critical bulletin addresses two vulnerabilities affecting Office ActiveX controls that could be exploited to execute remote code. The remaining security bulletin is rated important, and fixes a vulnerability in the way Office Outlook verifies attachments in a specially crafted e-mail message. Though Microsoft rated the bulletin important instead of critical, Talbot predicted that the bug is likely to be exploited.

"It appears fairly simple for an attacker to figure out and create an exploit for, which could cause executable file e-mail attachments, such as malware, to slip past Outlook's list of unsafe file types," Talbot said. "A user would still have to double-click on the attachment to open it, but if they do the file would run without any warning."







 
 
>>> More IT Security & Network Security News & Reviews Articles          >>> More By Brian Prince
 


FEATURED SPONSOR VIDEOS

Benefits of Workload Optimization

What Smart Companies MUST Learn from Gaming

Advances in Authentication

Vertical Markets Benefit from Workload Optimization

View More Videos

Brought to you by
Advertisement

FEATURED SPONSOR MESSAGE

Microsoft Sponsored Resource Center

Increase Your Microsoft Office 365 Knowledge! Dig inside this suite of cloud-based collaboration tools.

Watch the video >>

Brought to you by

Suggested Related Content:

Articles Labs/How-To Multimedia


Advertisement
Contact Us | About | Advertise | Site Map
eWEEK Quick LInks

Security:
Enterprise Networking
Network Security
Infrastructure Security
How To: Data
Security Watch Blog
Storage:
Data Storage
Cloud Storage
Storage Virtualization
Network Access Storage
How To: Storage
Storage Station Blog
Computing:
Apple OSX
Linux Systems
Windows 7
Managed Print Services
Computer Reviews
Microsoft Watch Blog
Google Watch Blog
Communications:
VoIP Solutions
Wireless Technology
Messaging Software
Web Services
Apps & Development:
Application Development
Enterprise Apps
Search Engines
Database Software
Web 2.0
CIOs

Vertical Markets:
Federal Government IT
Health Care IT
Finance IT
Mid-Market
Channel and VARs
Careers Blog
More eWeek Links:
Green Computing Center
Tech Knowledge Center
Tech Newsletters
Tech RSS Feeds
White Papers
Tech Videos
Magazine Subscriptions
Enterprise Websites:
ZDE Home
eWeek
Baseline Magazine
Channel Insider
CIO Insight
eSeminars and Events
Web Buyers Guide
Developer Websites:
DevSource C# and .Net
Dev Shed
DeveloperShed
ASP Free
SEO Chat
Codewalkers
Tutorialized
Scripts.com
Dev Mechanic
Dev Articles
Web Hosters
Dev Hardware
Technology Websites:
Device Forge
Desktop Linux
Linux Devices
Windows for Devices
PDF Zone
Linux Watch
TechDirect
Windows Migration
Smarter Technology

Use of this site is governed by our Terms of Use and Privacy Policy
Copyright ©1996-2012 Ziff Davis Enterprise Holdings Inc. All Rights Reserved. eWEEK and Spencer F. Katt are trademarks of Ziff Davis Enterprise Holdings, Inc. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Enterprise Inc. is prohibited.
ZDE Cluster 11
 
Close this advertisement