Microsoft Patch Tuesday for November covers 11 vulnerabilities, but no Internet Explorer fix leaves the zero-day flaw unpatched for over a week

News by Dan Raywood

Microsoft released three security bulletins on November's Patch Tuesday yesterday, addressing 11 vulnerabilities.

Microsoft released three security bulletins on November's Patch Tuesday yesterday, addressing 11 vulnerabilities.

As revealed by SC Magazine last week, the patches include one critical issue and one important issue in Microsoft Office and one important vulnerability in its Unified Access Gateway (UAG). However there is no patch for the zero-day flaw in Internet Explorer.

Jerry Bryant, group manager of response communications at Microsoft, said that it was not aware of any active attacks seeking to exploit the vulnerabilities addressed in this month's release and recommended customers deploy all security updates as soon as possible.

Commentators unanimously agreed that MS10-087 should be the priority patch for administrators. The bulletin is rated critical for Office 2007 and Office 2010 due to a preview pane vector in Outlook that could trigger the vulnerability when a customer views a specially crafted malicious RTF (Rich Text Format) file.

Jason Miller, data and security team manager at Shavlik Technologies, said: “This bulletin addresses five vulnerabilities and is rated as critical. If a maliciously crafted RFT formatted document is previewed with Microsoft Office, an attacker can gain remote code execution.

“Although this vulnerability is not publicly known, we are likely to see exploit attempts against this vulnerability in the near future. RTF document attachments are typically not blocked and used as a common shared file format like PDF files.”

Wolfgang Kandek, CTO of Qualys, said: “MS10-087 is a code execution vulnerability that can be used by attackers in a drive-by download scenario where no user interaction is required to exploit this vulnerability. Attackers can do this by sending a specially crafted RTF mail message. The preview panel in Outlook 2007 or 2010 will incorrectly interpret the RTF and cause an attacker to take over the system.”

Andrew Storms, director of security operations at nCircle, said: “This bug means that anyone who receives a malformed email with the preview pane enabled need only click on it to be infected with malware. The number of people using preview panes creates a giant pool of potential victims, and that makes this bug extremely attractive to hackers.”

Joshua Talbot, security intelligence manager at Symantec Security Response, claimed that Microsoft Office is a major theme this month, with the only critical vulnerability impacting Office. Although the vulnerability is now patched, he said it is not the first flaw that highlights issues with Rich Text Format.

“One simple way to mitigate these types of vulnerabilities is to change the default settings in Outlook to view all emails in plain text format,” he said.

Patching four cooperatively disclosed vulnerabilities in Unified Access Gateway (UAG) is MS10-089, the most significant of which could allow elevation of privilege if a user clicks on a malicious link on a website. This update is offered through the Microsoft Download Center and is rated as important.

Miller said: “Administrators should assess their networks and identify any systems with UAG installed and manually apply the patch as it will not be automatically applied with Windows Update. On a good note, most companies will not have many systems with this software program installed. However, as this is a high profile product, administrators should know if this program exists and the machine it is installed on.”

Finally, MS10-088 is rated as important and resolves two cooperatively disclosed vulnerabilities in Microsoft PowerPoint that could allow remote code execution if a user opens a specially crafted PowerPoint file.

Storms said: “Even though it's a small patch this month, IT teams have very little reason to celebrate, because there is an Internet Explorer zero-day in the wild. At this point everyone is anxiously watching the threat landscape to see if exploits will develop too quickly for Microsoft to test and release the patch in December and be forced to patch it in an out-of-band release.”

Alan Bentley, SVP international at Lumension, said: “Despite an expected tidal wave of online Christmas shoppers, no patch was made available for the vulnerability discovered recently which exposes users of Internet Explorer versions 6, 7 and 8 to ‘drive-by' hacks.

“Although Microsoft has issued advice to help mitigate this threat in the interim until a patch is made available, workarounds are not typically implemented by the majority of users themselves. So IT teams won't be left resting on their laurels this month as it will undoubtedly fall to them to review the suggested workaround and ensure that users are protected as best as they can be, until the risk is resolved."


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews