- Image via CrunchBase
A month after breaking its record for the largest Patch Tuesday update in history, Microsoft released a much smaller round of fixes Nov. 9 with just three security bulletins.
The bulletins cover a total of 11 vulnerabilities across Microsoft Office and Forefront Unified Access Gateway (UAG). Just one of the bulletins is rated “Critical” – MS10-087, which addresses five vulnerabilities in Microsoft Office. Among those five is a rich text format stack buffer overflow vulnerability Microsoft considers likely to be exploited.
“The bulletin is rated Critical for Office 2007 and Office 2010 due to a preview pane vector in Outlook that could trigger the vulnerability when a customer views a specially crafted malicious RTF (Rich Text Format) file,” explained Jerry Bryant, group manager of response communications for Microsoft Security Response Center, in a blog post. “The update also addresses an Office vector for the vulnerability described in Security Advisory 2269637, which has been referred to as ‘DLL Preloading’ and ‘Binary planting’.”
A second bulletin affecting Microsoft Office deals with two vulnerabilities in PowerPoint that could allow remote code execution if a user opens a malicious PowerPoint file, according to Microsoft. The bulletin is rated “Important” because user interaction is required to open the malicious file, Bryant blogged.
The final bulletin, also rated Important, plugs four vulnerabilities in UAG, which is part of Microsoft Forefront. The most significant of these bugs could allow elevation of privilege if a user clicks on a malicious link on a Website, Bryant noted, adding the update is only being offered through the Microsoft Download Center at the moment.
Josh Abraham, security researcher from Rapid7, said the critical bulletin should be at the top of enterprise patch lists this month.
Related articles
- Patch Tuesday: Critical security holes in Microsoft Office (zdnet.com)
- Microsoft Office Takes Center Stage for Patch Tuesday (pcworld.com)
