Microsoft plugs critical Windows, Office holes

Patch Tuesday includes a patch for a hole in Windows Help and Support Center disclosed by a Google researcher and targeted in attacks.

Elinor Mills Former Staff Writer


Microsoft issued four security bulletins on Tuesday to fix five holes in Windows and Office, including a critical vulnerability in a Windows Help and Support Center feature that has been targeted by attacks.

The vulnerability in the online help feature, which is delivered with supported editions of Windows XP and Windows Server 2003, could allow an attacker to take control of a computer by luring a computer user to a malicious Web site. The bulletin has a severity rating of "critical" for Windows XP and "low" for Windows Server 2003, according to the advisory.

Microsoft and others criticized Google researcher Tavis Ormandy for publicly disclosing the hole before the software giant had a chance to develop a fix, and for releasing a proof-of-concept exploit. Ormandy defended his actions, saying he needed to get Microsoft's attention to fix the problem, and other researchers supported him. Within days of the disclosure, attacks exploiting the hole were discovered.

"Of the zero-day vulnerabilities patched today, we're only seeing one be exploited in the wild," said Joshua Talbot, security intelligence manager at Symantec Security Response. "In just the few weeks since the Help and Support Center issue came to light, three public exploits have surfaced, all using different attack mechanisms. We saw attack activity begin increasing on June 21, but it's since leveled out."

Microsoft's Patch Tuesday releases also include two critical security bulletins fixing a vulnerability in the Canonical Display Driver and two vulnerabilities in Microsoft Office Access ActiveX Controls, both of which could allow an attacker to take control of a computer. The Canonical Display Driver bulletin is rated "critical" for the 64-bit version of Windows 7 and "important" for Windows Server 2008 R2 with Windows Aero enabled. The Access ActiveX Controls bulletin is rated "critical" for Office 2003 and 2007.

In addition, Microsoft released a bulletin rated "important" that resolves a remote code execution vulnerability in Microsoft Office Outlook 2002, 2003, and 2007.

Microsoft is also ending support for Windows XP Service Pack 2 and Windows 2000 on Tuesday, Jerry Bryant, group manager for Microsoft's Response Communications, wrote in a blog post.

"Since Windows XP is still the most popular OS version for Windows, I believe we're dealing with hundreds of millions of Windows XP SP2 systems that need to be upgraded," said Wolfgang Kandek, chief technology officer at Qualys. "Our own monitoring shows that roughly 50 percent of all XP machines still run on the SP2 version."

"I was disappointed to see that a number of privately reported flaws were not patched in this final update to Windows XP SP2," said H.D. Moore, chief security officer at Rapid7. "This effectively leaves XP SP2 unprotected against a number of serious vulnerabilities that will be fixed for SP3 later this year. One of these is an issue I reported to Microsoft in December of 2006, which has a serious impact on most rich-text aware applications."

Still pending is a fix for a new Windows flaw, disclosed by Secunia last week, that could compromise the security of machines running Windows XP and 2000.

Updated 11:40 a.m. PDT with comment from Moore.