Microsoft to patch 20 bugs next week in month of Office updates
Single critical update will fix serious flaws in Office 2007, 2010 on Windows that hackers could use to hijack PCs
Computerworld - Microsoft today announced it will deliver seven security updates, one critical, to patch 20 vulnerabilities in Office, SharePoint Server, SQL Server, Windows and other parts of its product lineup.
"It looks like an Office month," said Andrew Storms, director of security operations at nCircle Security. "Look at the 'Affected Software' column on the advance notification. Office, Office, Office."
The one update pegged critical, Microsoft's highest threat ranking, will tackle bugs in all supported versions of Office on Windows. The remaining six updates were labeled "important," the next-most-serious rating in the company's four-step scoring system.
There was no update scheduled for Internet Explorer (IE), as Microsoft took care of that last month when it rushed out an emergency patch to stymie active attacks exploiting a bug in the browser. The Sept. 21 "out-of-band" update also included patches for several additional vulnerabilities, which were originally slated to ship next week.
Security experts, not surprisingly, all tapped the critical Office update as the one to plan to deploy as soon as possible.
"It's not only the one critical [update]. It's also critical in Word 2007 and Word 2010, but only important in Office 2003," said Storms in an interview Thursday. "We haven't seen a good critical Word bug in a while, and as I've said before, the newer [versions] should be more secure. That's not the case here."
Storms speculated that the flaw -- or flaws, since Microsoft does not spell out how many patches compose each update in its advance notification -- may be in the file formats used by Office 2007 and Office 2010 on Windows.
Microsoft debuted new XML-based file formats in Office 2007 as replacements for older, proprietary binary formats.
"Maybe there's a bug in how Word opens or parses files," Storms theorized.
Others wondered the same.
"This vulnerability requires a victim to open up a malicious file or preview a malicious file in Outlook Web Access," noted Marcus Carey, security researcher with Rapid7, in an email today. "This vulnerability could result in the complete compromise of a system if exploited."
Wolfgang Kandek, CTO of Qualys, also focused his attention on the Word update, but put different spin on it than Carey. "[A critical rating] is not very common for Office vulnerabilities and typically indicates that no user interaction, such as opening an affected file, is required to trigger the vulnerability," Kandek said.
The six important updates will address one or more vulnerabilities in Windows, SharePoint Server, FAST Search Server, Groove Server, Office Web Apps, Microsoft Communicator, Microsoft Lync and SQL Server, versions 2000 and later, including SQL Server 2012, which shipped six months ago.
- Researcher claims two hacker gangs exploiting unpatched IE bug
- Update: Third of Internet Explorer users at risk from attacks
- Microsoft plans another short patch slate for next week, but finds a few XP bugs to crush
- Target attack shows danger of remotely accessible HVAC systems
- Target hackers try new ways to use stolen card data
- Update: Microsoft to patch just-revealed Windows zero-day tomorrow
- NSA spying prompts open TrueCrypt encryption software audit to go viral
- Microsoft warns of Office zero-day, active hacker exploits
- Hackers move to create next Blackhole after 'Paunch' arrest
- Adobe hack shows subscription software vendors lucrative targets
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Alert Logic for PCI DSS Compliance To achieve PCI DSS compliance, you must identify and remediate all critical vulnerabilities detected during PCI scans. Threat Manager streamlines this process by...
- Cybersecurity Imperatives Reinvent Your Network Security With Palo Alto Networks The Rise of CyberSecurity
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts