Microsoft to patch 20 bugs next week in month of Office updates
Single critical update will fix serious flaws in Office 2007, 2010 on Windows that hackers could use to hijack PCs
Computerworld - Microsoft today announced it will deliver seven security updates, one critical, to patch 20 vulnerabilities in Office, SharePoint Server, SQL Server, Windows and other parts of its product lineup.
"It looks like an Office month," said Andrew Storms, director of security operations at nCircle Security. "Look at the 'Affected Software' column on the advance notification. Office, Office, Office."
The one update pegged critical, Microsoft's highest threat ranking, will tackle bugs in all supported versions of Office on Windows. The remaining six updates were labeled "important," the next-most-serious rating in the company's four-step scoring system.
There was no update scheduled for Internet Explorer (IE), as Microsoft took care of that last month when it rushed out an emergency patch to stymie active attacks exploiting a bug in the browser. The Sept. 21 "out-of-band" update also included patches for several additional vulnerabilities, which were originally slated to ship next week.
Security experts, not surprisingly, all tapped the critical Office update as the one to plan to deploy as soon as possible.
"It's not only the one critical [update]. It's also critical in Word 2007 and Word 2010, but only important in Office 2003," said Storms in an interview Thursday. "We haven't seen a good critical Word bug in a while, and as I've said before, the newer [versions] should be more secure. That's not the case here."
Storms speculated that the flaw -- or flaws, since Microsoft does not spell out how many patches compose each update in its advance notification -- may be in the file formats used by Office 2007 and Office 2010 on Windows.
Microsoft debuted new XML-based file formats in Office 2007 as replacements for older, proprietary binary formats.
"Maybe there's a bug in how Word opens or parses files," Storms theorized.
Others wondered the same.
"This vulnerability requires a victim to open up a malicious file or preview a malicious file in Outlook Web Access," noted Marcus Carey, security researcher with Rapid7, in an email today. "This vulnerability could result in the complete compromise of a system if exploited."
Wolfgang Kandek, CTO of Qualys, also focused his attention on the Word update, but put a different spin on it than Carey did. "[A critical rating] is not very common for Office vulnerabilities and typically indicates that no user interaction, such as opening an affected file, is required to trigger the vulnerability," Kandek said.
The six important updates will address one or more vulnerabilities in Windows, SharePoint Server, FAST Search Server, Groove Server, Office Web Apps, Microsoft Communicator, Microsoft Lync and SQL Server, versions 2000 and later, including SQL Server 2012, which shipped six months ago.