May 2010 Patch Tuesday Overview

Microsoft has released 2 new security bulletins for the May 2010 Patch Tuesday.  This month’s security bulletins primarily affect workstations, and each has a special case associated with it.

MS10-031 affects Microsoft Visual Basic for Applications.  This bulletin can cause confusion because it affects Microsoft products as well as non-Microsoft products.  On the Microsoft products side, this patch will cover all supported versions of Microsoft Office.  For non-Microsoft products, Microsoft Visual Basic for Applications and Microsoft Visual Basic for Applications SDK are potentially used by third-party software vendors for their own applications.  The vulnerable code could be on your system through one of these programs.  It is important to note that Microsoft can only patch the Microsoft Office suite for this vulnerability.

To find out if you have third-party software that is vulnerable, Microsoft has provided a knowledge base article (KB978213) with steps to identify these products.  If you do find one of these products, you should contact the software vendor and ask for their patch to address the vulnerability.  Like the ATL issue last July, we could see many vendors supplying their own patches to address this vulnerability.  This is just another important reminder that patching is not just a Microsoft issue when it comes to software vulnerabilities.

MS10-030 affects Microsoft’s email clients and addresses one vulnerability.  Like MS10-031, there is a special case with this bulletin.  This bulletin affects every supported Microsoft operating system.  However, the Microsoft email clients, Windows Live Mail and Windows Mail, are not installed by default on some of the affected operating systems and will require a user to install the client.

The primary attack vector for this vulnerability is to intercept mail client network traffic through a man-in-the-middle attack.  A common scenario for this type of attack is free Wi-Fi hotspots, such as those at universities or libraries, because they are not secured.  An attacker could perform a man-in-the-middle attack and gain remote code execution.

The attack vector for this vulnerability seems a bit unlikely.  An attacker would need to entice a user to connect to a malicious email server in order to gain remote code execution.  We all see spam emails ranging from luxury watches and “special” pharmaceutical drugs at outrageously cheap prices to phishing attempts aimed at gaining private and confidential information.  But a phishing attempt to entice a user to connect to a malicious email server is very uncommon.

On the re-release and security advisory front, there are no new updates for this month.  We are also not seeing any other vendors, at this point, joining in on the Patch Tuesday activities.

– Jason Miller