Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Microsoft fixes critical Word flaw in patch for 20 vulnerabilities

Windows, SharePoint Server, SQL Server and other products get a fix

Article comments

Microsoft has patched 20 vulnerabilities in Word, Office, Windows, SharePoint Server, SQL Server and other products in its portfolio, including a critical bug used to attack the company's own online services.

Of Patch Tuesday's seven security updates, one was labeled "critical," Microsoft's most-severe threat ranking, while the others were pegged as "important," the next-most-serious rating.

The critical update for Word affected all versions of Microsoft's word processor on Windows, including Word 2003, 2007 and 2010; Word Viewer, the add-on that lets users who don't own Word view and print documents; and Office Web Apps, the free online editions of Word, Excel, PowerPoint and OneNote.

All the security researchers we contacted yesterday urged users to install MS12-064, the critical Word update, as soon as possible.

Of special note, they said, was that one of the two bugs in Word could be exploited if users simply viewed a malformed RTF (rich text file) document in Outlook 2007 or Outlook 2010, which rely on Word as their default editing engine.

"Word is set as the editor for Outlook, so if you preview a malicious RTF document, boom ... you've been hacked," said Andrew Storms, director of security operations at nCircle Security.

Document preview was once a widely-used hacker tactic, but it has fallen out of favour. "We haven't seen any for a while, so it's interesting when something like this resurfaces," Storms said.

Jason Miller, manager of research and development at VMware, also tapped MS12-064 as the update that needed immediate attention, as did others, including Wolfgang Kandek, CTO of Qualys, and Marcus Carey, a security researcher at Rapid7.

"RTF documents are typically not blocked by company email servers," observed Miller. "Also, RTF documents, like PDF documents, are commonly used for sharing documents between different companies."

Although the remaining half-dozen bulletins - Microsoft's term for its Patch Tuesday updates - were all rated as only important, some researchers spotted intriguing characteristics that they said deserve users' attention.

"I'd pick MS12-066 next, after the Word update," said Storms, referring to the one-patch update that patches a bug allowing attackers to bypass SafeHTML's protection.

SafeHTML, which Microsoft calls "HTML sanitisation," is a defence designed to protect users from cross-site scripting browser attacks.

Storms based his opinion about MS12-066 on Microsoft's admission that it had been targeted by attacks exploiting the vulnerability.

"We have seen limited, targeted attacks attempting to leverage this vulnerability against Microsoft online services," said Microsoft in a note on its Security Research & Defense blog. The company did not elaborate on what online services had been attacked.

"So there are already attacks in the wild, and Microsoft itself has seen limited attacks," said Storms.

He and Miller also noted MS12-067, a 13-bug update for FAST Search Server 2010, a component of the popular SharePoint Server 2010 software.

The bugs were not in Microsoft's code, but in Oracle's Outside In libraries, which Microsoft licenses to display file attachments in a browser rather than to open them in a locally-stored application, like Microsoft Word. The vulnerabilities were within code that parses those attachments.

In July, Microsoft warned customers that Exchange, its widely-used email server software, contained Outside In vulnerabilities. It patched the bugs in Exchange two months ago with MS12-058.

Storms and Miller pointed out that because the Outside In vulnerabilities have been exploited by hackers for months, enterprises running SharePoint 2010 should apply MS12-067 as soon as possible.

Other bulletins issued addressed vulnerabilities in Windows XP, Vista and Windows 7, as well as Server 2003, Server 2008 and Server 2008 RS; and SQL Server, versions 2000 and later, including SQL Server 2012, which shipped just six months ago.

Windows 8, which has not yet officially launched, and Server 2012, which has, were not affected by any of Tuesday's updates. An update to Internet Explorer 10 (IE10) in Windows 8 and Server 2012, however, shipped earlier this week to patch 25 critical bugs in the browser's baked-in Flash Player.

Also on Tuesday, Microsoft began pushing a long-planned update that invalidates all certificates with keys less than 1,024 bits long.

Microsoft first told users in June that it was going to disable those certificates, saying then that it would issue an update in August. Microsoft did ship the update that month, but made it an optional download. As of today, Microsoft is forcing it on everyone.

The update to kill certificates with shorter, more vulnerable keys, was triggered by the discovery of Flame, a sophisticated espionage tool uncovered by Kaspersky Lab. Flame infiltrated networks, scouted out the digital landscape and used a variety of modules to pilfer information. Among its tricks was one called the "Holy Grail" by researchers: It spoofed Windows Update to infect completely-patched Windows PCs.

Microsoft reacted by throwing the kill switch on three of its own certificates.

"Last chance," said Storms about users' opportunities to apply the update earlier, or block it from arriving on machines via WSUS (Windows Server Update Services). "While we have known for some time that the key update was going out, it's being officially released today," Storms added. "It will applied unless you stop it."

October's seven security updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through WSUS.


More from Techworld

More relevant IT news


Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *