Microsoft released four security bulletins this Patch Tuesday -- three of which were rated "critical." The announcements affect Windows XP, Windows Server 2003, Windows 7 x64, Windows Server 2008 R2 x64 and all flavors of Microsoft Office -- except Office 2010. (Windows Vista received a break this month.) At least two of the issues were publicly known before the bulletins were released, and one vulnerability is currently being exploited in the wild. To secure your desktops, apply patches for each of these issues as soon as possible.
Security Bulletin MS10-042 addresses a vulnerability in Windows XP Service Pack 3 (SP3) systems that is being actively exploited. The flaw resides on the Help and Support Center function and could allow a remote attacker to execute code on a computer if the user visits an evil Web page or clicks on a link in a malicious email.
Microsoft released a security advisory about this flaw in June, and the MS10-042 patch aims to close that security hole both on Windows XP and Windows Server 2003 systems. Microsoft didn't say how many systems have been compromised to date.
Recommendation: Patch this issue right away on Windows XP systems. Apply the patch to Windows Server 2003 systems during the next scheduled maintenance window. Microsoft says Windows Server 2003 is vulnerable, but it hasn't seen any method to remotely initiate code via this flaw on this platform.
Microsoft's newest high-end operating systems, 64bit versions of Windows 7 and Windows Server 2008 R2, are subject to kernel-level exploitation via a flaw in the Canonical Display Driver. Users running these OSes who also have the Windows Aero desktop theme enabled are vulnerable to attack if they visit an evil website or view a malicious graphic image or website banner ad. MS10-043 claims that the memory randomization features of these OSes will likely protect the computers from code execution, but a system restart may occur. Microsoft said that although this vulnerability was publically reported, it hasn't received any reports of customer machines being exploited via this flaw.
Security Bulletin MS10-044 discusses a "critical" flaw in Microsoft Office 2003 and 2007 that could allow attackers to execute code on a remote computer should the user visit a malicious website or open an evil Office document. The vulnerable component is an ActiveX control for Microsoft Access. The security bulletin discusses several workarounds to protect computers from this vulnerability, including disabling the ActiveX control in question. The bulletin recommends applying the patch as soon as possible, however. Microsoft has not seen any evidence that this vulnerability is being actively exploited.
MS10-045 is an important security bulletin that addresses a flaw in Microsoft Outlook XP, 2003 and 2007 that could allow an attacker to take over a user's computer. Exploits that allow attackers to take over a user's system are typically rated "critical," but in this instance, Microsoft downgraded the severity because the exploit is successful only if a user opens a malicious file attachment in Outlook. The attack scenario appears to involve a flaw in Server Message Block (SMB) communication that can be remotely exploited via Web Distributed Authoring and Versioning (WebDAV) requests. In other words -- open an evil attachment, and your computer is no longer your computer.
Since you can't predict user behavior when it comes to opening email attachments, consider this a critical issue and apply the patch as soon as possible.
About the author:
Eric Schultze is a principal product manager at Amazon Web Services. Prior to Amazon, Schultze worked at Microsoft, where he helped manage the security bulletin and patch-release process. Schultze likes to forget that he used to work as an internal auditor on Wall Street.