Microsoft patches 20 bugs, including critical Word flaw
Company admits another vulnerability has been used by hackers in attacks against its own online services
Computerworld - Microsoft today patched 20 vulnerabilities in Word, Office, Windows, SharePoint Server, SQL Server and other products in its portfolio, including a critical bug in the company's popular Word program and another already used to attack the company's own online services.
Of Tuesday's seven security updates, one was labeled "critical," Microsoft's most-severe threat ranking, while the others were pegged as "important," the next-most-serious rating.
The critical update for Word affected all versions of Microsoft's word processor on Windows, including Word 2003, 2007 and 2010; Word Viewer, the add-on that lets users who don't own Word view and print documents; and Office Web Apps, the free online editions of Word, Excel, PowerPoint and OneNote.
All the security researchers Computerworld contacted Tuesday urged users to install MS12-064, the critical Word update, as soon as possible.
Of special note, they said, was that one of the two bugs in Word could be exploited if users simply viewed a malformed RTF (rich text file) document in Outlook 2007 or Outlook 2010, which rely on Word as their default editing engine.
"Word is set as the editor for Outlook, so if you preview [a malicious RTF document], boom ... you've been hacked," said Andrew Storms, director of security operations at nCircle Security.
Document preview was once a widely-used hacker tactic, but it has fallen out of favor. "We haven't seen any for a while, so it's interesting when something like this resurfaces," Storms said.
Jason Miller, manager of research and development at VMware, also tapped MS12-064 as the update that needed immediate attention, as did others, including Wolfgang Kandek, CTO of Qualys, and Marcus Carey, a security researcher at Rapid7.
"RTF documents are typically not blocked by company email servers," observed Miller. "Also, RTF documents, like PDF documents, are commonly used for sharing documents between different companies."
Although the remaining half-dozen bulletins -- Microsoft's term for its Patch Tuesday updates -- were all rated as only important, some researchers spotted intriguing characteristics that they said deserve users' attention.
"I'd pick MS12-066 next, after the Word update," said Storms, referring to the one-patch update that patches a bug allowing attackers to bypass SafeHTML's protection.
SafeHTML, which Microsoft calls "HTML sanitization," is a defense designed to protect users from cross-site scripting browser attacks.
Storms based his opinion about MS12-066 on Microsoft's admission that it had been targeted by attacks exploiting the vulnerability.
"We have seen limited, targeted attacks attempting to leverage this vulnerability against Microsoft online services," said Microsoft in a note on its Security Research & Defense blog. The company did not elaborate on what online services had been attacked.
"So there are already attacks in the wild, and Microsoft itself has seen limited attacks," said Storms.
He and Miller also noted MS12-067, a 13-bug update for FAST Search Server 2010, a component of the popular SharePoint Server 2010 software.
- Researcher claims two hacker gangs exploiting unpatched IE bug
- Update: Third of Internet Explorer users at risk from attacks
- Microsoft plans another short patch slate for next week, but finds a few XP bugs to crush
- Target attack shows danger of remotely accessible HVAC systems
- Target hackers try new ways to use stolen card data
- Update: Microsoft to patch just-revealed Windows zero-day tomorrow
- NSA spying prompts open TrueCrypt encryption software audit to go viral
- Microsoft warns of Office zero-day, active hacker exploits
- Hackers move to create next Blackhole after 'Paunch' arrest
- Adobe hack shows subscription software vendors lucrative targets
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts