Security Watch

New Zero-Day Issue Hits Microsoft's Help and Support Center

• By Jabulani Leffall
• 06/14/2010

After yet another historic Patch Tuesday for Microsoft's June rollout, not even a week has passed and we see a new vulnerability issue that recently surfaced in Windows XP and Windows 2003. Ironically, it appears that Windows Help and Support Center is the culprit.

Redmond said it is investigating "new public reports of a possible vulnerability in the Windows Help and Support Center function that is delivered with supported editions of Windows XP and Windows Server 2003."

The advisory, released late last week, indicates that this vulnerability could allow remote code execution if a user views a specially crafted Web page using a Web browser or clicks a specially crafted link in an e-mail message.

Andrew Storms, director of security for nCircle said it doesn't look good.

"Microsoft has had a zero day every month this year, and in their position as the industry leader in enterprise security standards, this has got to be disheartening for them," he said. "It's also not doing their reputation in the security community any good."

 Storms added that if Adobe weren't the poster child for lousy security right now, the negative press for Microsoft on this would probably be much worse.

 "The bad news on this zero-day is that all users of Windows XP are affected, and the vulnerability makes drive by attacks possible," said Storms. "The installed base for XP is huge because both consumers and enterprise customers have been very reluctant to upgrade to Vista and are just now starting to move to Windows 7."

XP SP2 Support, Related Security Updates Expire Next Month
Speaking of XP, the end of comprehensive support draws nigh -- less than a month from now. The race is on to upgrade or adjust going into July as users running Windows XP Service Pack 2 will see their last security updates for Internet Explorer on this OS version.

Redmond has time and again warned Windows XP SP2 that it will retire the 2004 operating system on July 13, but this also means that support for most related applications on that OS stack -- the most prominent of which is IE -- will dissipate thereafter too.

Some security and infrastructure experts such as Wolfgang Kandek, chief technology officer of Qualys say enterprise users may not realize the full gravity of the situation and for that reason Microsoft should offer a grace period.

"Home users should be better off, as XP SP3 is being pushed down automatically to machines that participate in Windows or Microsoft updates," Kandek told me in a recent e-mail. "On the enterprise side, however, it seems that two years of burn-in time is not enough, and it would be helpful if Microsoft could extend support for one more year."

For enterprises with a more complex and wide-reaching infrastructure, it's important to note that support for Windows Embedded XP SP2, an OS quite frequently used for ATMs and point of sales systems, is extended to Jan 2011. But everyone else should take heed.

Still, Kandek offers words of caution for those using embedded XP systems: "Frequently these embedded systems represent an even bigger challenge to keep up-to-date," he added. "They are often managed by a third party and sometimes not even properly recognized as Windows computer systems."

Adobe's Latest Patch Comes Amid Massive Attacks
Adobe also issued a massive patch rollout of its own last week, containing a jaw-dropping 32 bugs -- just two shy of Microsoft's June patch count. nCircle's Andrew Storms and others have been vocal in asserting that Adobe is the new kid on the block getting bullied by hackers and researchers who love to find new bugs, glitches and quirks in a product that now seems to be surpassing Windows Office software as the most vulnerable yet widely used suite of enterprise applications that can most frequently be found on a Windows stack.

Most recently, Adobe Systems patched its 10.1 Flash update, fixing a vulnerability that was first spotted via a small number of targeted attacks late last week.

According to Symantec, these Flash attacks are not widely prevalent in the wild, but should still be updated given Adobe's recent problems.

"We have been seeing a small but steady rise in detections of related malicious PDFs and we expect to continue to see these numbers increase over the coming hours and days," Symantec said in a statement.