WatchGuard Wire
Improve Your Security IQ
Microsoft Black Tuesday: Microsoft patches Outlook Express, Windows
Mail, and VBA
11 May 2010 -- Microsoft's Black Tuesday security
bulletins are hot off the press. The bulletins fix two critical flaws -
an Outlook Express and Windows Mail integer overflow vulnerability and
a Visual Basic for Applications (VBA) code execution vulnerability. You
can read more about these two flaws in Microsoft's Bulletin
Summary for May. In short, both flaws allow remote attackers to
execute code on your Windows PC, with your privileges. Attackers can
trigger one flaw with a specially crafted POP or IMAP email reply, and
the other with a specially crafted Office document (Word, PowerPoint,
Excel, etc.).
Both updates are critical, so you should apply each of them as
quickly as you can. However, I think the VBA vulnerability potentially
affects more of your users, since an attacker leverages the flaw
using Office documents, which your users probably receive and open
regularly. I would apply that patch first. The Outlook Express and
Windows Mail vulnerability, though still Critical, seems a bit harder
for an attacker to exploit in the real world. You can probably patch it
second.
You can learn more about these security bulletins in the table
provided in Microsoft's Bulletin Summary for May. Microsoft's tables
(arranged in order of severity) link directly to this month's bulletins
and patches.
Expand the "Affected Software and Download Location" section of the
Summary to find a valuable table that will help you develop your own
deployment strategy.
LiveSecurity and LiveSecurity Informer subscribers will
receive more detailed information about these flaws, and how to
fix them, in alerts we're working on right now.
-- Corey Nachreiner, CISSP
Copyright© 2010 WatchGuard® Technologies, Inc. You may copy and distribute this article freely in any medium as long as you copy and distribute the entire article without change and preserve this copyright statement and notice.