Microsoft has announced that it is to release seven bulletins next Tuesday, including one critical fix for vulnerabilities in Microsoft Word.
According to a statement by Dustin Childs, group manager at Microsoft Trustworthy Computing, the other six bulletins are rated as important and will address issues in Windows, Microsoft Office and SQL Server. Also addressed in this release is the issue in FAST Search Server, first described in advisory 2737111.
Looking at the single critical issue, Marcus Carey, security researcher at Rapid7, said: “Bulletin one is a vulnerability in Microsoft Office 2003, 2007 and 2010, as well as Word Viewer and Microsoft Office Web Apps. This vulnerability required a victim to open up a malicious file or even preview a malicious file in Outlook Web Access.
“This vulnerability could result in the complete compromise of a system if exploited. Since this is an Office vulnerability this may affect both Windows and Macintosh users.
“It should be a relief to many that none of the bulletins requires immediate attention, as none of them address vulnerabilities being exploited in the wild; all were privately reported vulnerabilities. This means that there isn't any publicly known exploit code for this month's bulletin cycle.”
Andrew Storms, director of security operations for nCircle, said: “After a rocky September that included a rare zero-day bug in Internet Explorer, Microsoft will release seven bulletins next week. The bulletin that looks most serious is a rare Microsoft Word update tagged as critical for the brand new Word 2010, but downgraded to important in Word 2003.
“I can't remember the last time we saw a critical bug that affected all versions of Word. It makes me remember the bad old days when Word was a nearly constant source of security problems for businesses.
In the ‘it's about time' category, Microsoft has confirmed they will release the patch for the bug in the FAST Search Server for SharePoint discussed back in July. Since many companies use SharePoint extensively, this is definitely welcome news.”
Paul Henry, security and forensic analyst for Lumension, said: “The lightness of last month's Patch Tuesday led many to say that this month would be a horrific Patch Tuesday for IT admins. With only seven bulletins and only one critical, those naysayers may want to retract those statements.
“The biggest issue for this month from Microsoft is the certificate encryption. As we've been saying for the last several Patch Tuesdays, Microsoft is pushing out a patch that will break any encryption that is less than 1024-bit. This patch has been optional since August and we hope you've taken the time to test it and patch it. It will no longer be an option starting on Tuesday. There are still a few days left if you haven't tested it, but don't let this be an ‘I told you so' moment.
“The only critical bulletin this month affects Microsoft Word. It's a rich text vulnerability for the .rtf file format. Normally, Word bulletins that affect remote code execution vulnerabilities are marked as important by Microsoft; this is primarily because there are a lot of stops for the bug before it can be executed.
“However this particular execution is marked critical because the preview pane in Microsoft Outlook can parse the RTF if it's embedded in a Word document, so there is a bit more of an execution capability with this vulnerability than normal. However, this exploit can be difficult to actually accomplish, making even this critical update less impactful.
“The other interesting patch this month is bulletin six. This one is a denial-of-service issue that affects Windows Authentication for DOS. If you're accepting Kerberos for Windows authentication, then you are vulnerable to this DOS.”