Microsoft issued two critical bulletins on Tuesday fixing holes in its e-mail programs and the Visual Basic for Applications programming language implementation built into Office.
Bulletin MS10-030 resolves a vulnerability affecting Outlook Express, Windows Mail, and Windows Live Mail that an attacker could exploit by compromising a mail server, hosting a malicious mail server, or performing a man-in-the-middle attack to intercept communications between the client and the server.
Bulletin MS10-031 fixes a hole in Microsoft Visual Basic for Applications (VBA) that could allow an attacker to remotely run code if a host application opens and passes a malicious file to the VBA runtime environment. The update resolves the problem by changing the way VBA searches for ActiveX Controls are embedded in documents.
Successful exploits of the vulnerabilities at the heart of the bulletins could allow an attacker to take complete control of a computer, Microsoft said in its bulletins summary advisory. The bulletins affect Windows 2000, XP, Vista, Windows 7, Server 2003, Server 2008, Office XP, Office 2003, 2007 Microsoft Office System, Microsoft Visual Basic for Applications, and Visual Basic for Applications software development kit. However, Windows 7 and Server 2008 R2 customers are not vulnerable in their default configurations, the company said in a post on the Microsoft Security Response Center blog.
Microsoft is still working on a fix for a vulnerability in SharePoint Services 3.0 and SharePoint Server 2007 that was disclosed late last month and which could lead to a cross-site scripting attack via the browser. Proof of concept exploit code has been published for that.
"I've put the Visual Basic for Applications vulnerability first on my list," said Joshua Talbot, security intelligence manager for Symantec Security Response. "Both vulnerabilities require social engineering to exploit, but the VBA vulnerability requires less action from a user. For instance, an attacker would simply have to convince a user to open a maliciously crafted file--likely an Office document--which supports VBA, and the user's machine would be compromised. I can see this being used in targeted attacks, which are on the rise."
Meanwhile, the other vulnerability requires a user to actually open up Outlook Express or Windows Mail and connect to a malicious mail server, he said. "It's possible that an attacker could somehow convince a user to do this--for example by enticing them to sign up for a new free mail service--but the steps required to do so would probably be a red flag for most users," Talbot added.