Microsoft security patches include fixes for Word, Office, Windows
In its May "Patch Tuesday," Microsoft released seven bulletins covering 23 vulnerabilities
IDG News Service - Microsoft has fixed 23 vulnerabilities in its software products, including several considered critical, the company said Tuesday in its monthly security patch report.
The security holes, included in seven bulletins, affect Office, Windows, .Net Framework and Silverlight, and in the worst-case scenarios could give attackers control of affected systems, including the ability to run malicious code remotely on them.
The first critical bulletin covers a vulnerability in Microsoft Office that could allow attackers to execute remote code on compromised systems. For that to happen, users would have to open an infected rich-text format (RTF) file. If successful, the exploit would give attackers the same usage rights as the current user.
The issue is labeled critical for all supported editions of Microsoft Word 2007. It is rated "important" -- the second highest severity level in Microsoft's four-level scale -- for all supported editions of Word 2003, Office 2008 for Mac and Office for Mac 2011, as well as all supported versions of Office Compatibility Pack. The security hole was privately reported to Microsoft.
The second critical bulletin involves 10 vulnerabilities in Office, Windows, .NET Framework, and Silverlight, seven of which were privately reported to the company. The most dangerous vulnerability would let attackers run code remotely on an affected user's machine if the user opens an infected document or is tricked into visiting a malware-laden webpage with embedded TrueType font files.
The problem is rated critical for all supported editions of Windows, .Net Framework 4 (except when installed on Windows editions for Itanium chips); and Silverlight 4 and 5. It's considered important for Office 2003, Office 2007 and Office 2010.
Commenting on this bulletin in a separate blog post, Jonathan Ness, from the Microsoft Security Response Center Engineering team, said that since fixing a vulnerability five months ago that was being exploited by the Duqu malware through malicious Office documents, Microsoft found that the problematic Microsoft code, win32k.sys, was in other products as well.
Fixing the vulnerabilty, an insufficient bounds check within the font parsing subsystem of win32k.sys, in the newly-discovered places led Microsoft to include several products in this bulletin and consolidate a variety of other fixes in it, according to Ness.
The third critical bulletin covers two privately-reported vulnerabilities in .Net Framework that could open the door for attackers to execute code remotely on the infected machine with the same level of rights as the affected user. For the exploit to be successful, users would need to visit an infected webpage using a browser that can run XAML Browser Applications (XBAPs).
This security update is considered critical for all supported editions of the Microsoft .NET Framework on all supported editions of Microsoft Windows.
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- The Business Value of Continuous Delivery Download this whitepaper to learn more about the business value of Continuous Delivery and see why it could be a game changer for...
- Ten Factors Shaping the Future of Application Delivery Download this research report conducted by Enterprise Management Associates (EMA) to learn how those that are seeking to accelerate application delivery are leveraging...
- Software Asset Management: Ensuring Today's Assets Today's trends like BYOD and SaaS are new and exciting in terms of how they will help make our jobs more productive but...
- On-demand webinar - 7 Keys to Service Catalog Implementation Success Watch this webinar to learn 7 crucial keys to make your service catalog a success!
- Transform Your IT Service Management Watch this webinar, to learn how EasyVista can increase IT productivity & efficiency and deliver streamlined & integrated IT Service & Asset Mgmt. All Malware and Vulnerabilities White Papers | Webcasts