Quiet Microsoft update fixes 11 flaws with three patches

Microsoft on Tuesday released three patches as part of its monthly security update.

Combined, the update closes 11 vulnerabilities, only one of which earned the severity rating of "critical." None of the flaws have been exploited in the wild.

In a blog post, the Microsoft Security Response Center Team encouraged customers to prioritize bulletin MS10-087, which resolves five vulnerabilities affecting Office. The patch drew a "critical" rating for Office 2007 and 2010 thanks to a flaw that could be exploited to execute remote code if a user simply views a malicious RTF (rich text format) file as part of a drive-by attack.

"Although this vulnerability is not publicly known, we are likely to see exploit attempts against [it] in the near future," Jason Miller, data and security team manager at Shavlik Technologies, said. "RTF document attachments are typically not blocked and [are] used as a common shared file format like PDF files." 

Meanwhile, MS10-088 addresses two vulnerabilities in PowerPoint that could be exploited to execute remote code if a user opens a specially crafted PowerPoint file. The bulletin, however, garnered only an "important" rating because exploitation requires user interaction.

Finally, MS10-089 takes care of four flaws in Unified Access Gateway, part of the Forefront enterprise security product line. The most significant of the bugs could allow for privilege escalation.

"No big shockers this month as Microsoft only releases three bulletins," said Josh Abraham, security researcher at Rapid7. "This is good news for anyone that is still behind on their patching after last month's monster Patch Tuesday."

Not fixed in Tuesday's update was a dangerous zero-day exploit, revealed last week, affecting Internet Explorer.

Microsoft's next update is due Dec. 14.
