July's 'Patch Tuesday' brings a relatively light load of fixes.

Thomas Claburn, Editor at Large, Enterprise Mobility

July 13, 2010

Microsoft on Tuesday released four Security Bulletins to address five vulnerabilities in its Office and Windows software.

Three of the bulletins are designated "critical" and one is designated "important."

Microsoft is advising customers to deploy all the security updates but to prioritize MS10-042 and MS10-045.

MS10-042 addresses a "critical" vulnerability in the Windows Help and Support Center feature in Windows XP and Windows Server 2003. Acknowledged in a Security Advisory in June, this vulnerability is publicly known and actively being exploited.

MS10-045 fixes an "important" vulnerability in Microsoft Outlook that affects Outlook 2002, Office Outlook 2003 and Office Outlook 2007. MS10-045 was privately reported.

Joshua Talbot, security intelligence manager for Symantec Security Response, said in an e-mailed statement that only the Windows Help and Support Center vulnerability is being actively exploited.

"In just the few weeks since the Help and Support Center issue came to light, three public exploits have surfaced, all using different attack mechanisms," he said. "We saw attack activity begin increasing on June 21, but it's since leveled out."

He notes that while the Outlook SMB attachment vulnerability is not rated "critical," it's nonetheless likely to be exploited.

Characterizing the July patches as mundane, Oliver Lavery, director of security research and development for nCircle, says the Outlook patch is the most interesting of the lot. Enterprises, he said in an e-mailed statement, should pay attention to this vulnerability, which could be exploited to bypass Outlook's warning about potentially malicious attachments.

"This is significant because Operation Aurora and other high profile e-mail based attacks over the last year have proven to be highly successful," he said.

Microsoft also offered a reminder that support for Windows XP Service Pack 2 ends today. Extended support for Windows 2000 has also come to an end.

Josh Abraham, security researcher at Rapid7, urged enterprises in an e-mailed statement to make sure that they have migrated to at least Windows XP SP3.
