SecurityWeek

Microsoft to Patch Word Vulnerability Targeted in Attacks

Microsoft announced plans today to release four security bulletins as part of next week’s Patch Tuesday update, including one aimed at a critical vulnerability in Microsoft Word.

According to Microsoft, the Word vulnerability has been exploited in attacks against Word 2010 users and can be leveraged to execute code remotely if a user opens a specially crafted RTF file or previews it in Microsoft Outlook with Word as the email viewer.

“The update provided through MS14-017 fully addresses the Microsoft Word issue first described in Security Advisory 2953095,” blogged Dustin Childs, group manager of response communications for Microsoft Trustworthy Computing. “This advisory also included a Fix it to disable opening rich-text format (RTF) files within Microsoft Word. Once the security update is applied, you should disable the Fix it to ensure RTF files will again render normally. At this time, we are still only aware of limited, targeted attacks directed at Microsoft Word 2010.”

The update will fix all affected versions, according to Childs.

The other ‘critical’ update will address Microsoft Windows and Internet Explorer. The remaining two bulletins have been classified as ‘important’ and are aimed at issues in Windows and Microsoft Office.

Tuesday’s patches will offer the last security updates for Windows XP and Office 2003, which both face end-of-life on April 8.

“Once support ends, computers still on Windows XP will become a very juicy target for Internet criminals and attackers,” blogged Patrick Thomas, security consultant at Neohapsis.

“For those who really don’t want to or can’t upgrade, the situation isn’t pretty,” he continued. “Your computer will continue to work as it always has, but the security of your system and your data is entirely in your hands. These systems have been low-hanging fruit for attackers for a long time, but after April 8th they will have a giant neon bull’s-eye on them.”

“If pushing patches for these new vulnerabilities while working a migration plan for XP and Office 2003 users weren’t enough, administrators are still dealing with the fallout from the recent Pwn2Own competition, which revealed vulnerabilities in all of the major browsers and in Adobe’s Flash Player plug-in,” explained Russ Ernst, director of product management at Lumension. “With security updates coming from so many sources this month, IT will be challenged to effectively prioritize their roll outs. The best thing to do is to maintain your patch process, and consider consolidating to a single allowed browser as part of your migration plan to the latest OS.”
