Microsoft quashes critical bugs in IE10, Windows 8, Word

December 11, 2012 04:20 PM ET

"RTF documents are very relevant in the enterprise, and [MS12-079] should concern me if I'm using Outlook 2007 or 2010. That's a lot of people," said Miller.

Hackers can trigger a successful exploit by sending a maliciously crafted email to Outlook 2007 and 2010 users who simply preview it. In that way, an exploit would be very similar to a browser "drive-by" attack.

Outlook 2003 users are at risk if they open, rather than preview, a malformed RTF attachment. The newest version of the suite, Office 2013, was not affected by the bug.

Other updates patched three vulnerabilities in Exchange, Microsoft's widely used mail server; two critical bugs in Windows' font parsing; a flaw in Windows' file handling; an important bug in DirectPlay; and another in the IP-HTTPS protocol that's used to create a VPN-like secure connection between Windows clients and servers.

The font-parsing update (MS12-078) contained two critical patches for Windows 8 and Windows RT, and the DirectPlay bulletin included a fix for an important Windows 8 vulnerability.

This was the second month running that Microsoft patched its newest desktop and tablet operating systems.

Microsoft also re-released four older bulletins this month, a continuation of a project it kicked off in October, when it said it had uncovered "a clerical error made in code-signing" in updates issued as far back as June 2012.

Both Storms and Miller believed that today's re-releases would be the last from Microsoft. Previously, Microsoft said it would wrap up the project before the affected bulletins' certificates expired in early 2013.

December's seven security updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through WSUS (Windows Server Update Services), the de facto patching mechanism for businesses.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.
