Microsoft Fixes Critical Visual Basic and Outlook Express Flaws
Microsoft, the software giant based in Redmond (USA), released two critical security updates on May 11, 2010, patching vulnerabilities within its e-mail applications as well as in Visual Basic for Applications (VBA), the programming language built into Microsoft Office.
One of the updates, MS10-030, fixes a flaw in Windows Live Mail, Windows Mail and Outlook Express running on Windows Vista, XP, 2000 and Windows Server 2008 and 2003. To carry out an attack, an attacker would have to get an end-user to connect the e-mail client to a malicious server. Moreover, by transmitting malware, the e-mail client can be made not to prompt for authentication. If the attacker manages to exploit the flaw successfully, he can acquire the same privileges that the local user enjoys.
Meanwhile, Microsoft's other update, MS10-130, addresses another critical flaw within Windows Live Mail, Windows Mail and Outlook Express. If exploited, this flaw can let attackers execute malware onto the vulnerable computer through e-mail.
Incidentally, Microsoft has rated this flaw as "critical" for Windows Vista, XP, 2000 and Windows Server 2008 and 2003, and "important," a less severe rating, for Windows Server 2008 R2 and Windows 7.
Remarking on the newly-fixed security flaws, Joshua Talbot, Security Intelligence Manager for Symantec Security Response, stated that these flaws could essentially be exploited through social engineering. However, much less user interaction was needed to exploit the VBA flaw. For example, to compromise a computer through the VBA flaw, an attacker just needs to persuade the end-user to open a maliciously crafted Office file that uses VBA. Talbot added that he had observed the vulnerability being used in an increasing number of targeted attacks. CNet.com published this on May 11, 2010.
Finally, Microsoft advises that computer users should install the patches as soon as possible. Meanwhile, the bulletin's release comes at a time when Microsoft is developing a patch to repair a flaw within SharePoint Server 2007 and SharePoint Services 3.0. The flaw, which was disclosed during April 2010, can result in an XSS (cross-site scripting) attack through Internet Explorer. Additionally, proof-of-concept code exploiting the zero-day flaw has also been published, Microsoft noted.
SPAMfighter News - 21-05-2010