Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Microsoft Releases Critical IE, Word Fixes on Year’s Final Patch Tuesday

    By
    Brian Prince
    -
    December 11, 2012
    Share
    Facebook
    Twitter
    Linkedin

      Microsoft issued seven security bulletins today as part of its final Patch Tuesday release for the year.

      In all, the update fixes 12 vulnerabilities affecting Internet Explorer, Windows, Microsoft Word and Windows Server. According to Microsoft officials, the most pressing fixes are included in MS12-077 and MS12-079, which deal with issues in Internet Explorer and Microsoft Word, respectively. Neither vulnerability is known to be under attack, the company said.

      “The Microsoft Internet Explorer code maintains three different use-after-freevulnerabilities that are being patched this month,” blogged Kaspersky Lab Expert Kurt Baumgartner. “This ‘use-after-free’ category of bugs is continuing to prove very difficult to stamp out, even in meaty, prevalent attack vectors like Internet Explorer. It was this sort of vulnerability that was abused in the 2010 Aurora cyber-espionage attacks on Google, Adobe and the long list of other international corporate names that continue to maintain their incidents undisclosed and in the dark.”

      The Word vulnerability rests in the way that affected Microsoft Office software parses specially crafted Rich Text Format (RTF) data. According to Microsoft, the vulnerability can be exploited to enable remote code execution if a user opens a specially crafted RTF file using a vulnerable version of Microsoft Office.

      “This one is interesting from an attacker perspective as a victim can be compromised if they preview or open an email message in Outlook while using Microsoft Word as the email viewer,” said Marcus Carey, security researcher at Rapid7. “Since it involves Outlook, which is a primary business tool in many organizations, this would be number two on my to-do list.”

      The remaining “critical” bulletins are MS12-078, affecting Windows; MS12-080, impacting Microsoft Exchange Server; and MS12-081 in Windows. Each of the bulletins address issues that, if exploited, allow attackers to remotely execute code on the compromised machine.

      A recurring vulnerability tucked into the Patch Tuesday update is the TrueType font-parsing issue addressed by MS12-078, said Marc Maiffret, CTO of BeyondTrust.

      “We’ve continually seen TrueType and other font-parsing bugs get patched over the past year, since the arrival of state-sponsored malware targeting these types of bugs,” he said. “This is the most important patch to get rolled out this month, since malicious TrueType fonts can be embedded in documents as well as other mediums. This has been shown to be an effective method of exploitation, so be sure to patch this one immediately.”

      Rounding out the list of patches are two bulletins rated “important” that address issues in Windows. MS12-082 resolves a vulnerability in the way DirectPlay handles specially crafted content. If an attacker gets a user to view a malicious Office document with embedded content, the vulnerability could potentially be exploited to allow remote code execution. The final vulnerability, MS12-083, could be exploited to permit an attacker to bypass a security feature in Windows due to Windows’ failure to properly check the validity of certificates.

      Barring an emergency update, the December Patch Tuesday brings the year’s final tally of security bulletins to 83. This is down from 100 in 2011 and 106 in 2010.

      “Maybe even more important than the raw numbers is the more regular release rhythm that Microsoft set this year,” blogged Wolfgang Kandek, CTO of Qualys. “We see this as a clear sign of a more mature process.”

      Brian Prince

      MOST POPULAR ARTICLES

      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×