In today’s Patch Tuesday, Microsoft delivers four bulletins that close five vulnerabilities in Windows and Office.
Wolfgang Kandek, Qualys CTO, comments: “Microsoft’s July update is a small step for security updates, but a huge leap for enterprise security. Windows 2000 and Windows XP SP2 are being retired from official support today and will not receive security updates anymore.”
Vulnerability in Help and SupportCenter Could Allow Remote Code Execution
This security update resolves a publicly disclosed vulnerability in the Windows Help and Support Center feature that is delivered with supported editions of Windows XP and Windows Server 2003. This vulnerability could allow remote code execution if a user views a specially crafted Web page using a Web browser or clicks a specially crafted link in an e-mail message. The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful, a user must click a link listed within an e-mail message.
Vulnerability in Canonical Display Driver Could Allow Remote Code Execution
This security update resolves a publicly disclosed vulnerability in the Canonical Display Driver (cdd.dll). Although it is possible that the vulnerability could allow code execution, successful code execution is unlikely due to memory randomization. In most scenarios, it is much more likely that an attacker who successfully exploited this vulnerability could cause the affected system to stop responding and automatically restart.
Vulnerabilities in Microsoft Office Access ActiveX Controls Could Allow Remote Code Executio
This security update resolves two privately reported vulnerabilities in Microsoft Office Access ActiveX Controls. The vulnerabilities could allow remote code execution if a user opened a specially crafted Office file or viewed a Web page that instantiated Access ActiveX controls. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerability in Microsoft Office Outlook Could Allow Remote Code Execution
This security update resolves a privately reported vulnerability. The vulnerability could allow remote code execution if a user opened an attachment in a specially crafted e-mail message using an affected version of Microsoft Office Outlook. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
The monthly technical webcast that will discuss July 2010 security bulletins is scheduled for Wednesday, July 14, 2010 at 11:00 a.m. PDT (UTC -7). Registration is available here.