Microsoft has patched a critical vulnerability in Microsoft Word in today’s Patch Tuesday.
The fix was bundled with seven security bulletins affecting Microsoft Office, Microsoft Server Software, Lync and SQL Server. The Word bulletin, MS12-064, is however the only one rated above ‘Important.’ According to Microsoft, MS12-064 resolves two issues that could be used by attackers to remotely execute code. Only one of the two issues addressed by the bulletin is rated ‘Critical’; in that case, an attacker could run code with the privileges of the logged-on user.
“A remote code execution vulnerability exists in the way that Microsoft Office handles specially crafted RTF (rich text format) files,” the company explained in an advisory. “An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
The RTF bug warrants special attention because users can be exploited simply by previewing a malicious RTF file in Outlook, noted Andrew Storms, director of security operations for nCircle.
“Security teams should prioritize, distribute and install this fix as soon as possible,” he said.
While MS12-067 is only rated ‘Important’, Marcus Carey, security researcher at Rapid7, said the bulletin could be a concern for organizations running Microsoft FAST Search Server 2010 for SharePoint.
“The interesting thing about this vulnerability is that the vulnerable component is Oracle’s Outside In file format conversion library,” he said. “This library is heavily used in the enterprise application space and is embedded into many file search and indexing applications, including mobile gateways such as Blackberry Enterprise Server. I would expect to see a rash of related security updates become available for all enterprise products using this library.”
In addition to the bulletins, Microsoft went forward with plans to make an update designed to strengthen certificates via Windows Update instead of just making it available through the Download Center. Microsoft also released an update to fix potential compatibility issues related to a signature timestamp expiring before it should.
“This error will cause the digital signature to expire and become invalid prematurely – not a security flaw, but an issue that will impair users’ overall security profile,” blogged Dustin Ingalls and Jonathan Ness of Microsoft.

By Brian Prince, marketing professional with a background in journalism and a focus on IT security.