Microsoft Patches 23 Bugs In Update
May 9, 2012

Microsoft sent out over 20 security fixes across several of its software platforms as part of May's Patch Tuesday release.

Three of the 23 security patches released were rated as “critical,” while four were listed as “important,” the company wrote in its Security Bulletin summary.

“This advance notification is intended to help our customers plan for effective deployment of security updates, and includes information about the number of new security updates being released, the software affected, severity levels of vulnerabilities, and information about any detection tools relevant to the updates,” Microsoft wrote in the release.

The security bugs apply to all versions of its Windows operating system, Microsoft Office, .NET Framework, and Silverlight.

Microsoft said that working exploit code for 18 of the bugs was likely, although none of the bugs fixed in the May update are currently being actively exploited.

The most crucial patch addresses what Microsoft calls the RTF Mismatch Vulnerability, a flaw in the handling of Rich Text Format files that can be exploited through Microsoft Office 2003 and 2007 to take control of an end user's machine.

“In an email attack scenario, an attacker could exploit the vulnerability by sending specially crafted RTF-formatted data in the contents of an email message,” Microsoft wrote in its advisory. “The vulnerability could be exploited when the specially crafted RTF email message is previewed or opened in Outlook while using Microsoft Word as the email viewer.

“An attacker could also exploit the vulnerability by sending a specially crafted RTF file as an attachment and convincing the user to open the specially crafted RTF file.”

In a Web-based attack scenario, Microsoft said an attacker could host a Website that has an Office file used to exploit this vulnerability as well.

Windows machines are not the only computers that need the patch; Microsoft Office for Mac 2011 was also included in the list of affected programs.

Microsoft also issued 10 fixes as part of the update that, according to some reports, are meant to complete the remediation of a vulnerability exploited by the Duqu malware.

The Duqu worm was designed and created using the same tools as the Stuxnet worm, which is a Trojan designed to attack Iran's nuclear facilities and equipment. Duqu was designed to steal data like authentication certificates.

Duqu has been found to exploit a vulnerability affecting Microsoft Word, so the company issued a patch to fix the bug, but other Microsoft products were later discovered to contain the same vulnerability.

However, Microsoft reached out to RedOrbit through email and said that Duqu does not affect the software addressed by security update MS12-034.

“Duqu was only designed to exploit specific instances of CVE-2011-3402 that were addressed last year. We have not received any information to indicate that the attack vectors addressed in bulletin MS12-034 have been publicly used to attack customers,” Yunsun Wee, director at Microsoft Trustworthy Computing, said in an official statement emailed to RedOrbit.

The company also patched vulnerabilities in the .NET Framework that could enable an attacker to execute code if a victim views a specially crafted Webpage by using a Web browser that runs XAML browser applications.

Andrew Storms, director of security operations at nCircle, told PCMag that it is probably best if people do not spend much time analyzing the patches, but instead just install them as soon as they can.