Patch Tuesday, the day when Microsoft releases its regular bundle of security fixes, is looming – and now we have some details of what it is going to contain.
A Microsoft Security Bulletin pre-announces that the company will release four bulletins, two rated Critical and two rated Important in severity, on 8th April.
In a blog post, Dustin Childs of Microsoft’s Trustworthy Computing group confirmed that one of the fixes would relate to a zero-day flaw that has left users’ computers open to infection simply by previewing a boobytrapped email in Microsoft Outlook.
When discovered a couple of weeks ago, Microsoft explained that the exploit related to the handling of Rich Text Format (RTF) files:
At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010. The vulnerability could allow remote code execution if a user opens a specially crafted [rich text format] RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.
Clearly it’s good news that this critical flaw, which has been apparently exploited in the wild in targeted attacks, is now being fixed.
It’s one thing to have a security hole that relies upon users visiting an infected website, or opening a dodgy attachment – but it’s quite a different level of threat when simply *previewing* a message in your email client infects your computer.
By Patch Tuesday standards though, four bulletins equals quite a light month. But, unfortunately, there are two ways of looking at this.
You could, if you’re an eternal optimist, argue that the relatively small update means that Microsoft has turned a corner, and its products are well on the road for finally turning a corner when it comes to security vulnerabilities.
Or, if you’re a grumpy old pessimist who has worked in IT security for more than 20 years and feels like they’ve seen it all before, you might fear that online criminals are holding back on their vulnerabilities and exploits until after the cut-off date for Windows XP.
After all, any exploits uncovered in Microsoft software products after April 8th aren’t going to get fixed for Windows XP users. And there’s every likelihood that come the May Patch Tuesday, malicious hackers will attempt to reverse-engineer Microsoft’s fixes for more modern versions of Windows and see if they could be used to attack vulnerable XP systems.
Is the glass half empty or half full? I guess we will all know soon enough.
Author Graham Cluley, We Live Security