ID: IRCNE2012101640
Date: 2012-10-13
According to “Computerworld”, Microsoft patched 20 vulnerabilities in Word, Office, Windows, SharePoint Server, SQL Server and other products in its portfolio, including a critical bug in the company's popular Word program and another already used to attack the company's own online services.
Of Tuesday's seven security updates, one was labeled "critical," Microsoft's most-severe threat ranking, while the others were pegged as "important," the next-most-serious rating.
The critical update for Word affected all versions of Microsoft's word processor on Windows, including Word 2003, 2007 and 2010; Word Viewer, the add-on that lets users who don't own Word view and print documents; and Office Web Apps, the free online editions of Word, Excel, PowerPoint and OneNote.
Of special note, researchers said, was that one of the two bugs in Word could be exploited if users simply viewed a malformed RTF (Rich Text Format) document in Outlook 2007 or Outlook 2010, which rely on Word as their default editing engine.
Although the remaining half-dozen bulletins -- Microsoft's term for its Patch Tuesday updates -- were all rated as only important, some researchers spotted intriguing characteristics that they said deserve users' attention.
"I'd pick MS12-066 next, after the Word update," said Storms, referring to the one-patch update that patches a bug allowing attackers to bypass SafeHTML's protection.
SafeHTML, which Microsoft calls "HTML sanitization," is a defense designed to protect users from cross-site scripting browser attacks.
"We have seen limited, targeted attacks attempting to leverage this vulnerability against Microsoft online services," said Microsoft in a note on its Security Research & Defense blog. The company did not elaborate on what online services had been attacked.
He and Miller also noted MS12-067, a 13-bug update for FAST Search Server 2010, a component of the popular SharePoint Server 2010 software.
The bugs were not in Microsoft's code, but in Oracle's Outside In libraries, which Microsoft licenses to display file attachments in a browser rather than to open them in a locally-stored application, like Microsoft Word. The vulnerabilities were within code that parses those attachments.
In July, Microsoft warned customers that Exchange, its widely-used email server software, contained Outside In vulnerabilities. The Redmond, Wash. developer patched the same 13 bugs in Exchange two months ago with MS12-058.
Storms and Miller pointed out that because the Outside In vulnerabilities have been exploited by hackers for months, enterprises running SharePoint 2010 should apply MS12-067 as soon as possible.
Other bulletins issued today addressed vulnerabilities in Windows XP, Vista and Windows 7, as well as Server 2003, Server 2008 and Server 2008 R2; and SQL Server, versions 2000 and later, including SQL Server 2012, which shipped just six months ago.
Windows 8, which has not yet officially launched, and Server 2012, which has, were not affected by any of Tuesday's updates. An update to Internet Explorer 10 (IE10) in Windows 8 and Server 2012, however, shipped Monday to patch 25 critical bugs in the browser's baked-in Flash Player.
October's seven security updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through WSUS.