Microsoft released an update to patch 11 vulnerabilities this month, including a critical bug affecting Microsoft Outlook users.
A month after breaking its record for the largest Patch Tuesday
update in history, Microsoft released a much smaller round of fixes
Nov. 9 with just three security bulletins.
The bulletins cover a total of 11 vulnerabilities across Microsoft
Office and Forefront Unified Access Gateway (UAG). Just one of the
bulletins is rated "Critical" - MS10-087, which addresses five
vulnerabilities in Microsoft Office. Among those five is a rich text
format stack buffer overflow vulnerability Microsoft considers likely
to be exploited.
"The bulletin is rated Critical
for Office 2007 and Office 2010 due to a preview pane vector in Outlook
that could trigger the vulnerability when a customer views a specially
crafted malicious RTF (Rich Text Format) file," explained Jerry Bryant,
group manager of response communications for Microsoft Security
Response Center, in a blog post. "The update also addresses an Office
vector for the vulnerability described in Security Advisory 2269637, which has been referred to as 'DLL Preloading' and 'Binary planting'."
A second bulletin affecting Microsoft Office deals with two
vulnerabilities in PowerPoint that could allow remote code execution if
a user opens a malicious PowerPoint file, according to Microsoft. The
bulletin is rated "Important" because user interaction is required to
open the malicious file, Bryant blogged.
The final bulletin, also rated Important, plugs four vulnerabilities
in UAG, which is part of Microsoft Forefront. The most significant of
these bugs could allow elevation of privilege if a user clicks on a
malicious link on a Website, Bryant noted, adding the update is only
being offered through the Microsoft Download Center at the moment.
Josh Abraham, security researcher from Rapid7, said the critical
bulletin should be at the top of enterprise patch lists this month.
"Based on the huge amount of patches from last month, some customers
might be up to speed while others are still struggling to catch up -
this would depend on the unique customer and the strength of their
vulnerability management program," Abraham said. "Another thing that is
interesting is that Microsoft has been breaking their own records with
the number of bulletins they are releasing in a given month. To help
everyone overall, a better approach would be to keep a semi-constant
rate of patches every month so that system administrators are not over
burdened during specific months."
He added that administrators should also remain vigilant for attacks targeting the recently disclosed zero-day in Internet Explorer as well. That vulnerability has not been patched.
So far, Microsoft said, none of the vulnerabilities addressed in today's update have been targeted by attackers.