Microsoft delivers 13 patches for 47 flaws, including critical Outlook bug


As part of its monthly Patch Tuesday security update, Microsoft has dispatched 13 patches for 47 bugs in its Windows, Office, Internet Explorer and SharePoint Server products.

The Patch Tuesday release includes four critical patches, or Microsoft “bulletins,” with the bug of utmost concern being a privately reported vulnerability in Microsoft Outlook. The bug could allow a remote attacker to execute code if a user merely previews a malicious email message in Outlook or opens it, a Tuesday bulletin summary said.

On Tuesday, Dustin Childs, group manager of response communications for the Microsoft Trustworthy Computing team, wrote in a blog post that the patch for Outlook was the “first bulletin that caught [his] attention.”

The issue could allow remote code execution (RCE) if an email carried a specially crafted S/MIME certificate. S/MIME (secure/multipurpose internet mail extensions) is a standard for public-key encryption and signing of MIME data.

Microsoft had not detected any active attacks exploiting the bug, Childs wrote, and the company believes an attacker would need to be particularly sophisticated to carry out the exploit.

“Creating S/MIME certificates is trivial, but creating the specific one in the precise manner needed to execute code will be difficult,” Childs wrote. “Still, the possibility is there and that is why we listed this update as our highest priority for this month.”

The three other fixes deemed “critical,” Microsoft's highest rating, addressed flaws in SharePoint Server, Internet Explorer versions 6 to 10, and Windows. These patches also resolved remote code execution flaws.

Despite advance notification that its Patch Tuesday release would include 14 fixes, Microsoft left out one patch initially planned for the update. The fix would have addressed an issue in the company's .NET software framework, which could allow denial-of-service.

According to Ross Barrett, senior manager of security engineering at Rapid7, who emailed prepared comments on the security update to SCMagazine.com, the last-minute decision to pull a patch often points to operability issues that couldn't be worked out in time.

“A patch getting pulled after having been included in the advance notice usually indicates that late testing revealed an undesired interaction with another product or component,” Barrett wrote.

Just last month, Microsoft was forced to pull one of its Patch Tuesday fixes after it had already been released. The move came after customers reported issues when installing the fix, which addressed three vulnerabilities in Exchange Server.

In this month's security update, Microsoft dispatched a total of nine fixes ranked “important,” all addressing remote code execution flaws that could allow an attacker to carry out a denial-of-service or give saboteurs elevated privileges.

One of the patches deemed “important” resolved a privately reported vulnerability in Microsoft FrontPage. To exploit the flaw, which could lead to information disclosure, an attacker would first need to trick a user into opening a malicious document, Microsoft said in its bulletin.
