SecurityWeek

Endpoint Security

Microsoft Fixes Critical Word Flaw in Patch Tuesday Update

Microsoft has patched a critical vulnerability in Microsoft Word in today’s Patch Tuesday.

The fix was bundled in with seven security bulletins affecting Microsoft Office, Microsoft Server Software, Lync and SQL Server. The Word bulletin, MS12-064, is the only one rated above ‘Important.’ According to Microsoft, MS12-064 resolves two issues that attackers could use to execute code remotely. Only one of the two issues addressed by the bulletin is rated ‘Critical’; in that case, however, an attacker could run code with the privileges of the logged-on user.

“A remote code execution vulnerability exists in the way that Microsoft Office handles specially crafted RTF (rich text format) files,” the company explained in an advisory. “An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

The RTF bug warrants special attention because users can be exploited simply by previewing a malicious RTF file in Outlook, noted Andrew Storms, director of security operations for nCircle.

“Security teams should prioritize, distribute and install this fix as soon as possible,” he said.
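Because Word and Outlook identify RTF by content rather than by file extension, a mail-triage check that looks only at filenames misses RTF payloads carried under a .doc name. The following script is an added defender-side example, not code from the article or from Microsoft; the message it scans is constructed inline, and the function names are my own.

```python
import email
from email import policy
from email.message import EmailMessage

# Any attachment whose body starts with the RTF signature is treated as RTF,
# whatever its declared filename or MIME type says.
RTF_MAGIC = b"{\\rtf"


def rtf_attachments(raw_eml: bytes) -> list:
    """Return one record per attachment that carries RTF content.

    Each record notes whether the filename or content type disguised the RTF,
    which is the case a reviewer most wants surfaced during triage.
    """
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if not payload.lstrip().startswith(RTF_MAGIC):
            continue
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        found.append({
            "filename": name,
            "content_type": ctype,
            "disguised": (not name.lower().endswith(".rtf")) or ctype != "application/rtf",
        })
    return found


def build_sample() -> bytes:
    """Build a constructed sample message (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Q3 report"
    msg.set_content("Please see attached.")
    # Benign-looking name and MIME type, RTF content inside: should be flagged as disguised.
    msg.add_attachment(b"{\\rtf1\\ansi Hello}", maintype="application",
                       subtype="msword", filename="report.doc")
    # Ordinary text attachment: should not be flagged.
    msg.add_attachment(b"just notes", maintype="text", subtype="plain", filename="notes.txt")
    # Honestly labelled RTF: flagged, but not disguised.
    msg.add_attachment(b"{\\rtf1 Memo}", maintype="application", subtype="rtf", filename="memo.rtf")
    return msg.as_bytes()


if __name__ == "__main__":
    for record in rtf_attachments(build_sample()):
        print(record)
```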

While MS12-067 is only rated ‘Important’, Marcus Carey, security researcher at Rapid7, said the bulletin could be a concern for organizations running Microsoft FAST Search Server 2010 for SharePoint.

“The interesting thing about this vulnerability is that the vulnerable component is Oracle’s Outside In file format conversion library,” he said. “This library is heavily used in the enterprise application space and is embedded into many file search and indexing applications, including mobile gateways such as Blackberry Enterprise Server. I would expect to see a rash of related security updates become available for all enterprise products using this library.”

In addition to the bulletins, Microsoft went forward with plans to deliver an update designed to strengthen certificates via Windows Update instead of only making it available through the Download Center. Microsoft also released an update to fix potential compatibility issues related to a signature timestamp expiring before it should.

“This error will cause the digital signature to expire and become invalid prematurely – not a security flaw, but an issue that will impair users’ overall security profile,” blogged Dustin Ingalls and Jonathan Ness of Microsoft.
