News Stay informed about the latest enterprise technology news and product updates.

Microsoft repairs critical Outlook Express, Visual Basic vulnerabilities

Two flaws can be executed remotely to take control of a victims machine or gain access to sensitive data.

Microsoft issued two critical bulletins Tuesday, correcting two serious vulnerabilities in Outlook Express and Visual Basic that could be exploited remotely to gain accesss to sensitive data.

The software giant issued the patches as part of its regular monthly patch schedule.

MS10-031 repairs a critical vulnerability in Microsoft Visual Basic for Applications (VBA). The tool is used by developers to build third-party tools into processes that run various Microsoft Office applications. The flaw is crticial for VBA SDK 6.0 and third-party applications that use Microsoft VBA.

Microsoft updates:
Apr. - Microsoft fixes critical drive-by media handling flaws An error in Windows Media Player and flaw in the way Windows handles streaming audio could be exploited by attackers if a user visits a website hosting malicious content.

Mar. - Microsoft repairs Excel flaws, warns of new IE vulnerability: Two bulletins address eight vulnerabilities in Microsoft Windows and Office. Internet Explorer advisory warns of new zero-day vulnerability being used in targeted attacks. 

The memory corruption vulnerability enables an attacker to execute code remotely and could result in taking full control of a victim's machine. An attacker would need to get a user to open a file that forces the application to send malicious code to VBA at runtime. Microsoft gave it an important rating for versions of Office XP, Office 2003 and Office 2007.

Patch management experts agreed that the Visual Basic vulnerability had the biggest impact, affecting all versions of Microsoft Office, although writing exploit code targeting the flaw will be difficult for attackers.

"While the bulletin only carries a severity of "important" [for versions of Office XP, Office 2003 and Office 2007] we consider it to be the more urgent of today's release," said Wofgang Kandek, chief technology officer of vulnerability management vendor Qualys Inc, based in Redwood Shores, Calif.

Microsoft also addressed a critical vulnerability that affects the way the Windows Mail Client authenticates mail responses. MS10-030 addresses a vulnerability in Outlook Express, Windows Mail and Windows Live Mail running on Windows 2000, XP, Vista and Windows Server 2003 and 2008. An attacker would need to trick a user into visiting a malicious email server to pull off the attack. Sending malicious code could force the mail client to not require authentication. If successfully exploited, the vulnerability could enable the attacker to gain the same user rights as the local user.

"To successfully take advantage of this vulnerability, an attacker would either have to host a malicious mail server or compromise a mail server. Or, an attacker could perform a man-in-the-middle attack and attempt to alter responses to the client," Jerry Bryant, group manager of response communications for the Micrososft Security Response Center, wrote in the MSRC blog. "Heap mitigations built into Windows Vista and newer operating systems make exploitation of this vulnerability unlikely."

Microsoft SharePoint remains vulnerable
A cross-site scripting (XSS) vulnerability affecting SharePoint Server 2007 and SharePoint Services 3.0 remains vulnerable to remote attacks. Proof-of-concept code is publicly available targeting the zero-day vulnerability. Bryant said Microsoft engineers are still developing and thoroughly testing a fix.

The vulnerability can be exploited in a browser-based attack and enable an attacker to execute JavaScript code within the vulnerable application.

Dig Deeper on Microsoft Windows security

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.