Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

Microsoft Fixes Critical Word Flaw in Patch Tuesday Update

Microsoft has patched a critical vulnerability in Microsoft Word in today’s Patch Tuesday.

Microsoft has patched a critical vulnerability in Microsoft Word in today’s Patch Tuesday.

The fix was bundled in with seven security bulletins affecting Microsoft Office, Microsoft Server Software, Lync and SQL Server. The Word bulletin however, MS12-064, is the only one with a ranking above ‘Important.’ According to Microsoft, MS12-064 resolves two issues that could be used by attackers to remotely execute code. Only of the two issues affected the bulletin is rated ‘Critical’ – however in that case, an attacker could run code with the privileges of the logged-on user.

“A remote code execution vulnerability exists in the way that Microsoft Office handles specially crafted RTF (rich text format) files,” the company explained in an advisory. “An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

The RTF bug warrants special attention because users can be exploited simply by previewing a malicious RTF file in Outlook, noted Andrew Storms, director of security operations for nCircle.

“Security teams should prioritize, distribute and install this fix as soon as possible,” he said.

While MS12-067 is only rated ‘Important’, Marcus Carey, security researcher at Rapid7, said the bulletin could be a concern for organizations running Microsoft FAST Search Server 2010 for SharePoint.

“The interesting thing about this vulnerability is that the vulnerable component is Oracle’s Outside In file format conversion library,” he said. “This library is heavily used in the enterprise application space and is embedded into many file search and indexing applications, including mobile gateways such as Blackberry Enterprise Server. I would expect to see a rash of related security updates become available for all enterprise products using this library. “

 In addition to the bulletins, Microsoft went forward with plans to make an update designed to strengthen certificates via Windows Update instead of just making it available through the Download Center. Microsoft also released an update to fix potential compatibility issues related to a signature timestamp expiring before it should.

Advertisement. Scroll to continue reading.

“This error will cause the digital signature to expire and become invalid prematurely – not a security flaw, but an issue that will impair users’ overall security profile,” blogged Dustin Ingalls and Jonathan Ness of Microsoft. 

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.