Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Microsoft Patches Critical Vulnerabilities In Windows

Flaws in Windows Help and Support Center already seen in the wild, observers say

Microsoft today patched four security vulnerabilities in the Windows environment -- three of them considered critical -- and experts say one of the flaws is already being exploited.

Researchers have already reported the vulnerability in the Windows Help and Support Center feature that comes with Windows XP and Windows Server 2003. Experts say at least three exploits of this flaw have already been spotted in the wild.

"This vulnerability could allow remote code execution if a user views a specially crafted Web page using a Web browser or clicks a specially crafted link in an e-mail message," Microsoft says. "The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful, a user must click a link listed within an e-mail message."

Microsoft also issued a patch for another previously disclosed vulnerability, this one in the Canonical Display Driver (cdd.dll). "Although it is possible that the vulnerability could allow code execution, successful code execution is unlikely due to memory randomization," Microsoft says. "In most scenarios, it is much more likely that an attacker who successfully exploited this vulnerability could cause the affected system to stop responding and automatically restart."

Microsoft also revealed two previously undisclosed vulnerabilities in its Microsoft Office Access ActiveX Controls. "The vulnerabilities could allow remote code execution if a user opened a specially crafted Office file or viewed a Web page that instantiated Access ActiveX controls," the software giant says. "Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

A fourth vulnerability, which Microsoft rated as "important," affects Outlook. The flaw "could allow remote code execution if a user opened an attachment in a specially crafted email message using an affected version of Microsoft Office Outlook," the company says. "An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

The Windows Support flaw drew controversy last month when it was revealed by Google researcher Tavis Ormandy before Microsoft had developed a patch.

"McAfee Labs has seen malware in the wild that exploits this zero-day vulnerability," says Dave Marcus, research and communications director for McAfee Labs. "Security researchers need to work closely with software vendors to ensure vulnerabilities are patched in the most expedient method and time line possible, without putting users at risk."

Several observers say this Patch Tuesday is significant because it marks the end of support for two older operating systems, Windows 2000 and Windows XP SP2.

"This may seem like a light patch month in the amount of effort required by administrators to protect their networks, but all administrators could have quite a workload as Windows 2000 and Windows XP SP2 have officially reached end of life support," says Jason Miller, data and security team manager at Shavlik Technologies.

Marcus agrees. "Many enterprises and consumer users still deploy and depend heavily on applications that run on this [older] Windows build," he says. "It is unclear how much risk and expense the end of support will cause users worldwide, but we expect cybercriminals to capitalize on this opportunity."

Joshua Talbot, security intelligence manager for Symantec Security Response, says Microsoft may have underrated the Outlook flaw.

"Microsoft didn't rate the Outlook SMB attachment vulnerability as critical, but we think it's likely to be exploited," he says. "It appears fairly simple for an attacker to figure out and create an exploit for, which could cause executable file email attachments, such as malware, to slip past Outlook's list of unsafe file types. A user would still have to double-click on the attachment to open it, but if they do, the file would run without any warning.

"A possible scenario could involve a targeted attack against an organization," Talbot says. "A user could get a socially engineered email with a malicious attachment disguised as something innocuous. Once convinced to click on the attachment, nothing would appear to happen. The user might delete the message and move on, assuming the file to be corrupted. In reality, malware was secretly installed on their machine."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-02-27
SerComm AG Combo VD625 AGSOT_2.1.0 devices allow CRLF injection (for HTTP header injection) in the download function via the Content-Disposition header.
PUBLISHED: 2021-02-27
An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.
PUBLISHED: 2021-02-27
In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.)
PUBLISHED: 2021-02-27
An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py.
PUBLISHED: 2021-02-27
i-doit before 1.16.0 is affected by Stored Cross-Site Scripting (XSS) issues that could allow remote authenticated attackers to inject arbitrary web script or HTML via C__MONITORING__CONFIG__TITLE, SM2__C__MONITORING__CONFIG__TITLE, C__MONITORING__CONFIG__PATH, SM2__C__MONITORING__CONFIG__PATH, C__M...