Microsoft has patches planned next week for 11 security vulnerabilities in Microsoft Office and Forefront Unified Access Gateway.
November’s Patch Tuesday release is much smaller than the 16-bulletin, 49-vulnerability update released last month. This time, there are just three bulletins: two rated “Important” and one rated “Critical.”
The critical bulletin affects a number of versions of Microsoft Office, including Office 2007 Service Pack 2 and Office 2010, and addresses the threat of remote code execution. One of the two bulletins rated Important impacts Office as well, while the remaining bulletin is aimed at Forefront Unified Access Gateway (UAG).
The pre-Patch Tuesday notification comes a day after Microsoft warned users about a zero-day affecting Internet Explorer. That vulnerability, which exists due to an invalid flag reference within IE, is not listed among the bugs slated to be fixed on Patch Tuesday, Nov. 9.
“It is possible under certain conditions for the invalid flag reference to be accessed after an object is deleted,” Microsoft said in an advisory. “In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution. At this time, we are aware of targeted attacks attempting to use this vulnerability.”
Once the investigation into the IE bug is complete, Microsoft “will take the appropriate action to protect [its] customers,” the company said.