Microsoft has patched 20 vulnerabilities in Word, Office, Windows, SharePoint Server, SQL Server and other products in its portfolio, including a critical bug in the company’s popular Word programme and another already used to attack the company’s own online services.
Of Tuesday’s seven security updates, one was labelled “critical,” Microsoft’s most-severe threat ranking, while the others were pegged as “important,” the next-most-serious rating.
The critical update for Word affected all versions of Microsoft’s word processor on Windows, including Word 2003, 2007 and 2010; Word Viewer, the add-on that lets users who don’t own Word view and print documents; and Office Web Apps, the free online editions of Word, Excel, PowerPoint and OneNote.
All the security researchers Computerworld contacted Tuesday urged users to install MS12-064, the critical Word update, as soon as possible.
Of special note, they said, was that one of the two bugs in Word could be exploited if users simply viewed a malformed RTF (rich text file) document in Outlook 2007 or Outlook 2010, which rely on Word as their default editing engine.
“Word is set as the editor for Outlook, so if you preview [a malicious RTF document], boom … you’ve been hacked,” said Andrew Storms, Director of Security Operations at nCircle Security.
Document preview was once a widely-used hacker tactic, but it has fallen out of favour. “We haven’t seen any for a while, so it’s interesting when something like this resurfaces,” Storms said.
Jason Miller, manager of research and development at VMware, also tapped MS12-064 as the update that needed immediate attention, as did others, including Wolfgang Kandek, CTO of Qualys, and Marcus Carey, a security researcher at Rapid7.
“RTF documents are typically not blocked by company email servers,” observed Miller. “Also, RTF documents, like PDF documents, are commonly used for sharing documents between different companies.”
Although the remaining half-dozen bulletins — Microsoft’s term for its Patch Tuesday updates — were all rated as only important, some researchers spotted intriguing characteristics that they said deserve users’ attention.
“I’d pick MS12-066 next, after the Word update,” said Storms, referring to the one-patch update that patches a bug allowing attackers to bypass SafeHTML’s protection.
SafeHTML, which Microsoft calls “HTML sanitisation,” is a defence designed to protect users from cross-site scripting browser attacks.
Storms based his opinion about MS12-066 on Microsoft’s admission that it had been targeted by attacks exploiting the vulnerability.
“We have seen limited, targeted attacks attempting to leverage this vulnerability against Microsoft online services,” said Microsoft in a note on its Security Research & Defence blog. The company did not elaborate on what online services had been attacked.
“So there are already attacks in the wild, and Microsoft itself has seen limited attacks,” said Storms.
He and Miller also noted MS12-067, a 13-bug update for FAST Search Server 2010, a component of the popular SharePoint Server 2010 software.
The bugs were not in Microsoft’s code, but in Oracle’s Outside In libraries, which Microsoft licenses to display file attachments in a browser rather than to open them in a locally-stored application, like Microsoft Word. The vulnerabilities were within code that parses those attachments.
In July, Microsoft warned customers that Exchange, its widely-used email server software, contained Outside In vulnerabilities. The Redmond, Wash. developer patched the same 13 bugs in Exchange two months ago with MS12-058.
Storms and Miller pointed out that because the Outside In vulnerabilities have been exploited by hackers for months, enterprises running SharePoint 2010 should apply MS12-067 as soon as possible.
Other bulletins issued today addressed vulnerabilities in Windows XP, Vista and Windows 7, as well as Server 2003, Server 2008 and Server 2008 RS; and SQL Server, versions 2000 and later, including SQL Server 2012, which shipped just six months ago.
Windows 8, which has not yet officially launched, and Server 2012, which has, were not affected by any of Tuesday’s updates. An update to Internet Explorer 10 (IE10) in Windows 8 and Server 2012, however, shipped Monday to patch 25 critical bugs in the browser’s baked-in Flash Player.
Also on Tuesday, Microsoft began pushing a long-planned update that invalidates all certificates with keys less than 1,024 bits long.
Microsoft first told users in June that it was going to disable those certificates, saying then that it would issue an update in August. Microsoft did ship the update that month, but made it an optional download. As of today, Microsoft is forcing it on everyone.
The update to kill certificates with shorter, more vulnerable keys, was triggered by the discovery of Flame, a sophisticated espionage tool uncovered by Kaspersky Lab. Flame infiltrated networks, scouted out the digital landscape and used a variety of modules to pilfer information. Among its tricks was one called the “Holy Grail” by researchers: It spoofed Windows Update to infect completely-patched Windows PCs.
Microsoft reacted by throwing the kill switch on three of its own certificates.
“Last chance,” said Storms about users’ opportunities to apply the update earlier, or block it from arriving on machines via WSUS (Windows Server Update Services). “While we have known for some time that the key update was going out, it’s being officially released today,” Storms added. “It will applied unless you stop it.”
October’s seven security updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through WSUS.