Express patch for Windows Help Center
Yesterday's most important patch concerns a critical security hole in the Windows XP Help Center that is already being actively exploited to infect systems with malicious code. Microsoft had said it would not be possible to fix the hole within 60 days after Tavis Ormandy, who found it, disclosed the vulnerability and published a demo exploit. As it turns out, Microsoft was considerably faster: only 33 days later, update MS10-042 provides a patch that closes the hole.
When asked by The H's associates at heise Security why the problem was addressed so quickly, Microsoft remained silent. After the disclosure, the company had strenuously objected, calling for a form of disclosure they referred to as "responsible". The "responsible disclosure" approach leaves it entirely up to vendors to decide how much time will be taken for patching a security hole they have been informed about; cases where a patch took more than a year are not unusual with this approach. Those who advocate the opposite concept, "full disclosure", are now proclaiming that Ormandy ensured that a security hole which could otherwise have been exploited, for instance, for targeted attacks, was patched relatively quickly.
Microsoft has also released a patch to fix the 64-bit versions of the Canonical Display Driver (cdd.dll) for Windows 7 and Windows Server 2008 (MS10-043). This flaw in the Aero desktop was also rated "critical", which means that it can be exploited remotely in a largely automated way. However, Microsoft says that it is difficult to develop reliable exploits for this hole.
This isn't so for the two flaws in Microsoft Office Access 2003 and 2007 described in MS10-044: attackers can exploit these holes via Internet Explorer using the included ActiveX controls, even without user interaction. The exploitability index of 1 indicates that web pages which secretly exploit these holes to install malware are likely to appear sooner rather than later.
A security hole in Outlook in Office XP, 2003 and 2007 was the only one to be rated "important", which usually means that users have to actively participate in an attack, for instance by opening an email attachment. Microsoft has also released a summary of the security updates released on the 13th.