Categories: PCSecurityWorkspace

Microsoft Patch Tuesday Update Plugs 11 Vulnerabilities

Microsoft has released a much smaller Patch Tuesday update this month, one month after breaking its record for the largest Patch Tuesday update in history.

The three bulletins cover a total of 11 vulnerabilities across Microsoft Office and Forefront Unified Access Gateway (UAG). Just one of the bulletins is rated “Critical” – MS10-087, which addresses five vulnerabilities in Microsoft Office.

Among those five is a rich text format stack buffer overflow vulnerability Microsoft considers likely to be exploited.

Critical Fix

“The bulletin is rated Critical for Office 2007 and Office 2010 due to a preview pane vector in Outlook that could trigger the vulnerability when a customer views a specially crafted malicious RTF (Rich Text Format) file,” explained Jerry Bryant, group manager of response communications for Microsoft Security Response Center, in a blog post. “The update also addresses an Office vector for the vulnerability described in Security Advisory 2269637, which has been referred to as ‘DLL Preloading’ and ‘Binary planting’.”

A second bulletin affecting Microsoft Office deals with two vulnerabilities in PowerPoint that could allow remote code execution if a user opens a malicious PowerPoint file, according to Microsoft. The bulletin is rated “Important” because user interaction is required to open the malicious file, Bryant blogged.

The final bulletin, also rated Important, plugs four vulnerabilities in UAG, which is part of Microsoft Forefront. The most significant of these bugs could allow elevation of privilege if a user clicks on a malicious link on a website, Bryant noted, adding the update is only being offered through the Microsoft Download Center at the moment.

More Frequent Patches?

Josh Abraham, security researcher from Rapid7, said the critical bulletin should be at the top of enterprise patch lists this month.

“Based on the huge amount of patches from last month, some customers might be up to speed while others are still struggling to catch up – this would depend on the unique customer and the strength of their vulnerability management program,” Abraham said. “Another thing that is interesting is that Microsoft has been breaking their own records with the number of bulletins they are releasing in a given month. To help everyone overall, a better approach would be to keep a semi-constant rate of patches every month so that system administrators are not over burdened during specific months.”

He added that administrators should also remain vigilant for attacks targeting the recently disclosed zero-day in Internet Explorer as well. That vulnerability has not been patched.

So far, Microsoft said, none of the vulnerabilities addressed in today’s update have been targeted by attackers.

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Recent Posts

Is the Digital Transformation of Businesses Complete?

Digital transformation is an ongoing journey, requiring continuous adaptation, strong leadership, and skilled talent to…

18 hours ago

Craig Wright Faces Contempt Claim Over Bitcoin Lawsuit

Australian computer scientist faces contempt-of-court claim after suing Jack Dorsey's Block and Bitcoin Core developers…

19 hours ago

OpenAI Adds ChatGPT Search Features

OpenAI's ChatGPT gets search features, putting it in direct competition with Microsoft and Google, amidst…

19 hours ago

Google Maps Steers Into Local Information With AI Chat

New Google Maps allows users to ask for detailed information on local spots, adds AI-summarised…

20 hours ago

Huawei Sees Sales Surge, But Profits Fall

US-sanctioned Huawei sees sales surge in first three quarters of 2024 on domestic smartphone popularity,…

20 hours ago

Apple Posts China Sales Decline, Ramping Pressure On AI Strategy

Apple posts slight decline in China sales for fourth quarter, as Tim Cook negotiates to…

21 hours ago