Microsoft Delivers July Security Patch

Microsoft, as expected, released four fixes in its July security update. Three are rated "critical," and one is deemed "important."

The four bulletins in the patch address five vulnerabilities, each of which could allow remote code execution. They cover both Windows operating systems and Microsoft Office components.

Critical Items
The first critical item addresses issues brought up in a June security advisory. It patches a flaw in the Windows Help and Support Center feature in supported editions of Windows XP and Windows Server 2003. Microsoft warned in mid-June that hackers were exploiting the flaw after exploit code was published by a security researcher.

"Of the zero-day vulnerabilities patched in this rollout, we're only seeing one be exploited in the wild," said Joshua Talbot, security intelligence manager at Symantec Security Response. "In just the few weeks since the Help and Support Center issue came to light, three public exploits have surfaced, all using different attack mechanisms. We saw attack activity begin increasing on June 21, but it's since leveled out."

Meanwhile, the second critical bulletin resolves a publicly disclosed vulnerability in the Canonical display driver. Microsoft first alerted users and IT pros about the flaw in a May security advisory. This patch covers Windows 7 and Windows Server 2008 R2 systems.

The third and final critical security bulletin addresses two privately reported flaws in ActiveX controls used for Microsoft Office Access 2003 and 2007. According to the bulletin, the weaknesses in such ActiveX controls "could allow remote code execution if a user opened a specially crafted Office file or viewed a Web page, instantiating Access ActiveX controls."

The patch covers these Office versions: Office XP Service Pack 3, Office 2003 SP3, 2007 Microsoft Office System SP1 and 2007 Microsoft Office System SP2.

Important Fix
The single important patch is a cumulative security update for Microsoft Outlook. The bulletin covers Microsoft Office Outlook 2002, Microsoft Office Outlook 2003, and Microsoft Office Outlook 2007.

"Microsoft didn't rate the Outlook SMB attachment vulnerability as critical, but we think it's likely to be exploited," Talbot said. "It appears fairly simple for an attacker to figure out and create an exploit for, which could cause executable file e-mail attachments, such as malware, to slip past Outlook's list of unsafe file types. A user would still have to double-click on the attachment to open it, but if they do the file would run without any warning."

All of the patches may require a restart.

End of an Era in Support
The July security rollout is notable because it marks the last security updates for Windows XP Service Pack 2 and Windows 2000. Microsoft will stop issuing them after July 13. Customers are "encouraged to upgrade to [Windows XP] Service Pack 3 or to Windows 7 as soon as possible," according to Microsoft spokesman Jerry Bryant.

The light patch month may give IT pros a little time to address these aging unsupported operating systems, according to Jason Miller, data and security team manager at Shavlik Technologies.

"It is important for administrators to use this light patch month to identify these systems on their network and upgrade the machines to a supported operating system or service pack level," Miller said. "Unlike patching, deploying new operating systems or service packs can be quite an undertaking as it requires plenty of time and effort."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.