Microsoft has patched a critical vulnerability in Microsoft Word in today’s Patch Tuesday.
The fix was bundled in with seven security bulletins affecting Microsoft Office, Microsoft Server Software, Lync and SQL Server. The Word bulletin, however, MS12-064, is the only one with a ranking above ‘Important.’ According to Microsoft, MS12-064 resolves two issues that could be used by attackers to remotely execute code. Only one of the two issues addressed by the bulletin is rated ‘Critical’; in that case, an attacker could run code with the privileges of the logged-on user.
“A remote code execution vulnerability exists in the way that Microsoft Office handles specially crafted RTF (rich text format) files,” the company explained in an advisory. “An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
The RTF bug warrants special attention because users can be exploited simply by previewing a malicious RTF file in Outlook, noted Andrew Storms, director of security operations for nCircle.
“Security teams should prioritize, distribute and install this fix as soon as possible,” he said.
While MS12-067 is only rated ‘Important’, Marcus Carey, security researcher at Rapid7, said the bulletin could be a concern for organizations running Microsoft FAST Search Server 2010 for SharePoint.
“The interesting thing about this vulnerability is that the vulnerable component is Oracle’s Outside In file format conversion library,” he said. “This library is heavily used in the enterprise application space and is embedded into many file search and indexing applications, including mobile gateways such as Blackberry Enterprise Server. I would expect to see a rash of related security updates become available for all enterprise products using this library.”
In addition to the bulletins, Microsoft went forward with plans to make an update designed to strengthen certificates via Windows Update instead of just making it available through the Download Center. Microsoft also released an update to fix potential compatibility issues related to a signature timestamp expiring before it should.
“This error will cause the digital signature to expire and become invalid prematurely – not a security flaw, but an issue that will impair users’ overall security profile,” blogged Dustin Ingalls and Jonathan Ness of Microsoft.