Microsoft Releases Critical IE, Word Fixes on Year's Final Patch Tuesday
Five of the seven bulletins issued this month are rated "critical," Microsoft's most severe rating.Microsoft issued seven security bulletins today as part of its final Patch Tuesday release for the year. In all, the update fixes 12 vulnerabilities affecting Internet Explorer, Windows, Microsoft Word and Windows Server. According to Microsoft officials, the most pressing fixes are included in MS12-077 and MS12-079, which deal with issues in Internet Explorer and Microsoft Word, respectively. Neither vulnerability is known to be under attack, the company said. "The Microsoft Internet Explorer code maintains three different use-after-freevulnerabilities that are being patched this month," blogged Kaspersky Lab Expert Kurt Baumgartner. "This 'use-after-free' category of bugs is continuing to prove very difficult to stamp out, even in meaty, prevalent attack vectors like Internet Explorer. It was this sort of vulnerability that was abused in the 2010 Aurora cyber-espionage attacks on Google, Adobe and the long list of other international corporate names that continue to maintain their incidents undisclosed and in the dark." The Word vulnerability rests in the way that affected Microsoft Office software parses specially crafted Rich Text Format (RTF) data. According to Microsoft, the vulnerability can be exploited to enable remote code execution if a user opens a specially crafted RTF file using a vulnerable version of Microsoft Office.
"This one is interesting from an attacker perspective as a victim can be compromised if they preview or open an email message in Outlook while using Microsoft Word as the email viewer," said Marcus Carey, security researcher at Rapid7. "Since it involves Outlook, which is a primary business tool in many organizations, this would be number two on my to-do list."