Microsoft Issues Four Security Bulletins

Microsoft on Tuesday released four Security Bulletins to address five vulnerabilities in its Office and Windows software.

Three of the bulletins are designated "critical" and one is designated "important."

Microsoft is advising customers to deploy all the security updates but to prioritize MS10-042 and MS10-045.

MS10-042 addresses a "critical" vulnerability in the Windows Help and Support Center feature in Windows XP and Windows Server 2003. Acknowledged in a Security Advisory in June, this vulnerability is publicly known and actively being exploited.

MS10-045 fixes an "important" vulnerability in Microsoft Outlook that affects Outlook 2002, Office Outlook 2003 and Office Outlook 2007. MS10-045 was privately reported.

Joshua Talbot, security intelligence manager for Symantec Security Response, said in an e-mailed statement that only the Windows Help and Support Center vulnerability is being actively exploited.

"In just the few weeks since the Help and Support Center issue came to light, three public exploits have surfaced, all using different attack mechanisms," he said. "We saw attack activity begin increasing on June 21, but it's since leveled out."

He notes that while the Outlook SMB attachment vulnerability is not rated "critical," it's nonetheless likely to be exploited.

Characterizing the July patches as mundane, Oliver Lavery, director of security research and development for nCircle, says the Outlook patch is the most interesting of the lot. Enterprises, he said in an e-mailed statement, should pay attention to this vulnerability, which could be exploited to bypass Outlook's warning about potentially malicious attachments.

"This is significant because Operation Aurora and other high profile e-mail based attacks over the last year have proven to be highly successful," he said.

Microsoft also offered a reminder that support for Windows XP Service Pack 2 ends today. Extended support for Windows 2000 has also come to an end.

Josh Abraham, security researcher at Rapid7, in an e-mail statement urged enterprises to make sure that they have migrated to Windows XP SP3, at least.