Microsoft patches critical Outlook drive-by bug
Also ships first fix for 'DLL load hijacking' flaw in Office 2007/2010 as part of 11-patch security update
Computerworld - Microsoft today patched 11 vulnerabilities, including one in Office that hackers will quickly exploit to launch drive-by attacks, said security experts.
As expected, Microsoft did not ship a fix for the flaw in Internet Explorer (IE) that criminals are currently using to hijack Windows PCs.
Of the 11 flaws addressed in three separate updates, only one was pegged as "critical," Microsoft's top ranking in its four-step scoring system. The remaining 10 were all marked "important," the second-highest rating.
"The one that gives me the heebie-jeebies this month is the Office update," said Andrew Storms, director of security operations at nCircle Security. "The RTF vulnerability can be triggered simply by viewing a message in Outlook, so all you have to do is receive a [malicious] message. Then the game is over."
Storms was referring to MS10-087, a five-patch update for Office XP, 2003, 2007 and 2010 on Windows, and Office for Mac 2004, 2008 and 2011.
The only critical bug this month is in the RTF (rich text format) parser within Outlook, the e-mail client packaged with Office. "The vulnerability could be exploited when the specially crafted RTF e-mail message is previewed or opened in Outlook," Microsoft's advisory stated.
"That's a classic drive-by," echoed Amol Sarwate, manager of Qualys' vulnerabilities research lab.
Both Office 2007 and Office 2010, Microsoft's two newest suites, can be exploited using drive-by attacks launched against Outlook. Today's patch was the first critical update for Office 2010, which launched only in June.
Other researchers, including Microsoft's own security team, said that the RTF flaw was the most serious of the month's bugs, and urged users to patch pronto.
"This is one that requires no user interaction," said Jason Miller, the data and security team manager for Shavlik Technologies. "RTF is a common document format like PDF that's not blocked by firewalls or at the e-mail gateway. Once a [malformed] message hits the Outlook preview pane, remote code can be executed. You should patch this right away."
Because the RTF vulnerability doesn't require the user to do anything other than to preview a message, it will probably be exploited almost immediately by attackers, said Miller.
Microsoft patched a similar vulnerability in RTF document parsing in August with MS10-056. In that bulletin, the company labeled one of two RTF-related bugs as critical in Office 2007.
The MS10-087 update also included the first fix by Microsoft for the "DLL load hijacking" or "binary planting" vulnerability class that researchers disclosed last summer. Office 2007 and Office 2010 were both patched to protect users from DLL load hijacking attacks.
In mid-August, noted vulnerability researcher HD Moore announced that he'd uncovered scores of Windows applications that didn't call code libraries -- dubbed "dynamic-link library," or "DLL" -- using the full path name, but instead used only the file name, giving hackers an attack window if they were able to trick an application into loading a malicious file with the same name as a required DLL.
- Researcher claims two hacker gangs exploiting unpatched IE bug
- Update: Third of Internet Explorer users at risk from attacks
- Microsoft plans another short patch slate for next week, but finds a few XP bugs to crush
- Target attack shows danger of remotely accessible HVAC systems
- Target hackers try new ways to use stolen card data
- Update: Microsoft to patch just-revealed Windows zero-day tomorrow
- NSA spying prompts open TrueCrypt encryption software audit to go viral
- Microsoft warns of Office zero-day, active hacker exploits
- Hackers move to create next Blackhole after 'Paunch' arrest
- Adobe hack shows subscription software vendors lucrative targets
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast Best Practices for the Hyperconverged Enterprise Network To the Age of Constant Connectivity and Information overload
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts