Microsoft Fixes Google Engineer Flaw In Patch Tuesday

Microsoft addressed five security vulnerabilities on 13 July in a relatively small Patch Tuesday update.

The most notable was a vulnerability in the Windows Help and Support Center feature included in Windows XP and Windows Server 2003 that has come under attack. The bug was reported to Microsoft by Google engineer Tavis Ormandy on 5 June, and became the center of a debate about responsible disclosure after he published details of the flaw five days later.

Shortly thereafter, attackers were seen exploiting the vulnerability. “In just the few weeks since the Help and Support Center issue came to light, three public exploits have surfaced, all using different attack mechanisms,” said Joshua Talbot, security intelligence manager for Symantec Security Response. “We saw attack activity begin increasing on 21 June, but it’s since leveled out.”

Remote Execute Code

If the vulnerability is successfully exploited, an attacker could remotely execute code. So far, no attack vector has been found on Server 2003, making the threat level for that system low, Microsoft said. Still, the company is urging Windows XP customers to install the update as soon as possible.

Among the other patches is a fix for a vulnerability in the Canonical Display Driver (cdd.dll) on 64-bit versions of Windows 7 and Windows Server 2008 R2 with Windows Aero enabled.

“Although it is possible that the vulnerability could allow code execution, successful code execution is unlikely due to memory randomization,” Jerry Bryant, group manager of Microsoft Response Communications, wrote on the Microsoft Security Response Center blog.

“In most scenarios, it is much more likely that an attacker who successfully exploited this vulnerability could cause a Denial of Service (DoS),” Bryant wrote, adding Microsoft is “not aware of any active attacks against this issue.”

Exploited Bug

The final critical bulletin addresses two vulnerabilities affecting Office ActiveX controls that could be exploited to execute remote code. The remaining security bulletin is rated important, and fixes a vulnerability in the way Office Outlook verifies attachments in a specially crafted e-mail message. Though Microsoft rated the bulletin important instead of critical, Talbot predicted that the bug is likely to be exploited.

“It appears fairly simple for an attacker to figure out and create an exploit for, which could cause executable file e-mail attachments, such as malware, to slip past Outlook’s list of unsafe file types,” Talbot said. “A user would still have to double-click on the attachment to open it, but if they do the file would run without any warning.”