Microsoft to patch 20 bugs next week in month of Office updates
Single critical update will fix serious flaws in Office 2007, 2010 on Windows that hackers could use to hijack PCs
Computerworld - Microsoft today announced it will deliver seven security updates, one critical, to patch 20 vulnerabilities in Office, SharePoint Server, SQL Server, Windows and other parts of its product lineup.
"It looks like an Office month," said Andrew Storms, director of security operations at nCircle Security. "Look at the 'Affected Software' column on the advance notification. Office, Office, Office."
The one update pegged critical, Microsoft's highest threat ranking, will tackle bugs in all supported versions of Office on Windows. The remaining six updates were labeled "important," the next-most-serious rating in the company's four-step scoring system.
There was no update scheduled for Internet Explorer (IE), as Microsoft took care of that last month when it rushed out an emergency patch to stymie active attacks exploiting a bug in the browser. The Sept. 21 "out-of-band" update also included patches for several additional vulnerabilities, which were originally slated to ship next week.
Security experts, not surprisingly, all tapped the critical Office update as the one to plan to deploy as soon as possible.
"It's not only the one critical [update]. It's also critical in Word 2007 and Word 2010, but only important in Office 2003," said Storms in an interview Thursday. "We haven't seen a good critical Word bug in a while, and as I've said before, the newer [versions] should be more secure. That's not the case here."
Storms speculated that the flaw -- or flaws, since Microsoft does not spell out how many patches compose each update in its advance notification -- may be in the file formats used by Office 2007 and Office 2010 on Windows.
Microsoft debuted new XML-based file formats in Office 2007 as replacements for older, proprietary binary formats.
"Maybe there's a bug in how Word opens or parses files," Storms theorized.
Others wondered the same.
"This vulnerability requires a victim to open up a malicious file or preview a malicious file in Outlook Web Access," noted Marcus Carey, security researcher with Rapid7, in an email today. "This vulnerability could result in the complete compromise of a system if exploited."
Wolfgang Kandek, CTO of Qualys, also focused his attention on the Word update, but put different spin on it than Carey. "[A critical rating] is not very common for Office vulnerabilities and typically indicates that no user interaction, such as opening an affected file, is required to trigger the vulnerability," Kandek said.
The six important updates will address one or more vulnerabilities in Windows, SharePoint Server, FAST Search Server, Groove Server, Office Web Apps, Microsoft Communicator, Microsoft Lync and SQL Server, versions 2000 and later, including SQL Server 2012, which shipped six months ago.
- Feds declare big win over Cryptolocker ransomware
- Hackers hit more businesses through remote access accounts
- P.F. Chang's post-breach move to manual processing is telling
- Microsoft withholds monster IE update from Windows 8.1 dawdlers
- In baffling move, TrueCrypt open-source crypto project shuts down
- 'Oleg Pliss' hack makes for a perfect teachable IT moment
- Give IE the heave-ho until Microsoft patches zero-day
- Hackers find first post-retirement Windows XP-related vulnerability
- Researcher claims two hacker gangs exploiting unpatched IE bug
- Update: Third of Internet Explorer users at risk from attacks
- EndPoint Interactive eGuide In this eGuide, Network World, Computerworld, and CIO examine two endpoint trends - BYOD and collaboration - and offer tips and advice on...
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Surescripts Case Study- Securing Keys and Certificates Surescripts implemented Venafi's Trust Protection Platform™ to secure digital keys and certificates, ensure the privacy and confidentiality of electronic clinical information for its...
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.
- Deep Dive into Advanced Networking and Security with Hybrid Cloud Security and networking are among the top concerns when moving workloads to the cloud. VMware vCloud® Hybrid Service™ enables you to extend your... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!