Microsoft is prepping seven patches for release as part of next week’s monthly security update.
Just one of the seven bulletins is labeled “critical” and it addresses vulnerabilities in all versions of Word, the software giant announced Thursday. The remaining patches are designated as “important,” and fix flaws in Windows, Office and SQL Server.
In total, 20 bugs are scheduled to be patched, some of which are publicly known.
In July, Microsoft warned about 13 vulnerabilities in Exchange and FAST Search Server 2010 for SharePoint. The bugs actually lie in Oracle Outside In, a set of libraries that software developers use to decode hundreds of file formats. That technology ships on Exchange Server 2007 and 2010 and FAST Search Server 2010 for SharePoint.
If exploited, “an attacker [can] take control of the server process that is parsing a specially crafted file,” according to Microsoft. “An attacker could then install programs; view, change, or delete data; or take any other action that the server process has access to do.”
Tuesday’s patch batch also will serve as a final call for users to install an update that requires they employ certificates carrying an RSA key length of at least 1,204 bits. The update initially could be installed manually, but now Microsoft is making it available automatically through Windows Update.
Customers actually are encouraged to run certs with much higher key lengths, even beyond 2,048 bits. This is an additional safeguard that the software giant is releasing as a result of the Flame virus, which spread by spoofing Microsoft certificates.