
Microsoft to Patch Word Vulnerability Targeted in Attacks

Microsoft announced plans today to release four security bulletins as part of next week’s Patch Tuesday update, including one aimed at a critical vulnerability in Microsoft Word.

According to Microsoft, the Word vulnerability has been observed being exploited in attacks against Word 2010 users and can be leveraged to remotely execute code if the user opens a specially-crafted RTF file or previews that file in Microsoft Outlook using Word as the email viewer.

“The update provided through MS14-017 fully addresses the Microsoft Word issue first described in Security Advisory 2953095,” blogged Dustin Childs, group manager of response communications for Microsoft Trustworthy Computing. “This advisory also included a Fix it to disable opening rich-text format (RTF) files within Microsoft Word. Once the security update is applied, you should disable the Fix it to ensure RTF files will again render normally. At this time, we are still only aware of limited, targeted attacks directed at Microsoft Word 2010.”

The update will fix all affected versions, according to Childs.
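As an added example, not code from the article, from Microsoft or from the Fix it itself, the PowerShell script below reports or toggles the Word 2010 File Block setting that the Fix it from Security Advisory 2953095 used to stop RTF files from opening. The registry path under HKCU, the RtfFiles and OpenInProtectedView value names and the meaning of their values are assumed from Office's File Block feature; the script is intended for the interim before MS14-017 is installed and for reverting the block afterwards.

```powershell
# Added example (not from the SecurityWeek article or Microsoft's Fix it): inspect or
# toggle the Word 2010 File Block setting used to stop RTF files from opening in Word.
# Registry path, value names and value meanings below are assumed from Office's
# File Block feature, not quoted from the article.
param(
    [ValidateSet('Status', 'Block', 'Unblock')]
    [string]$Action = 'Status'
)

# Word 2010 is Office version 14.0; the per-user File Block key (assumed path)
$KeyPath = 'HKCU:\Software\Microsoft\Office\14.0\Word\Security\FileBlock'

function Get-RtfBlockStatus {
    # Returns a short description of how Word currently treats RTF files
    if (-not (Test-Path $KeyPath)) { return 'not configured' }
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    switch ($props.RtfFiles) {
        # 2 = open and save blocked; OpenInProtectedView 0 = do not open at all (assumed)
        2 { if ($props.OpenInProtectedView -eq 0) { 'blocked' } else { 'protected view only' } }
        1 { 'save blocked' }
        default { 'not blocked' }
    }
}

switch ($Action) {
    'Block' {
        # Interim mitigation: refuse to open RTF in Word until the security update is applied
        New-Item -Path $KeyPath -Force | Out-Null
        New-ItemProperty -Path $KeyPath -Name RtfFiles -Value 2 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $KeyPath -Name OpenInProtectedView -Value 0 -PropertyType DWord -Force | Out-Null
    }
    'Unblock' {
        # After MS14-017 is installed, remove the block so RTF files render normally again
        if (Test-Path $KeyPath) {
            Remove-ItemProperty -Path $KeyPath -Name RtfFiles, OpenInProtectedView -ErrorAction SilentlyContinue
        }
    }
}

"Word 2010 RTF file block: $(Get-RtfBlockStatus)"
```

Run it with no arguments to see the current state, with `-Action Block` to apply the interim workaround, and with `-Action Unblock` once the security update is in place, which matches the advice in the article to disable the Fix it after patching. Because the key lives under HKCU, the setting applies only to the user profile the script runs in; a fleet-wide equivalent would be the same File Block policy pushed through Group Policy.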

The other ‘critical’ update will address Microsoft Windows and Internet Explorer. The remaining two bulletins have been classified as ‘important’ and are aimed at issues in Windows and Microsoft Office.

Tuesday’s patches will offer the last security updates for Windows XP and Office 2003, which both face end-of-life on April 8.

“Once support ends, computers still on Windows XP will become a very juicy target for Internet criminals and attackers,” blogged Patrick Thomas, security consultant at Neohapsis.

“For those who really don’t want to or can’t upgrade, the situation isn’t pretty,” he continued. “Your computer will continue to work as it always has, but the security of your system and your data is entirely in your hands. These systems have been low-hanging fruit for attackers for a long time, but after April 8th they will have a giant neon bull’s-eye on them.”

“If pushing patches for these new vulnerabilities while working a migration plan for XP and Office 2003 users weren’t enough, administrators are still dealing with the fallout from the recent Pwn2Own competition, which revealed vulnerabilities in all of the major browsers and in Adobe’s Flash Player plug-in,” explained Russ Ernst, director of product management at Lumension. “With security updates coming from so many sources this month, IT will be challenged to effectively prioritize their rollouts. The best thing to do is to maintain your patch process, and consider consolidating to a single allowed browser as part of your migration plan to the latest OS.”

Related: New Microsoft Word Zero-Day Used in Targeted Attacks
