Patch/Configuration Management, Vulnerability Management

Word bugs, key-length issue addressed in Microsoft update

Microsoft on Tuesday shipped seven patches that rectify 20 security weaknesses across Windows, Office and SQL Server, but none of the vulnerabilities are considered particularly worrisome.

The high-priority fix is MS12-064, a "critical" bulletin that seals off two holes in Word that, if exploited, could result in remote code execution if a user is tricked into opening a "specially crafted" rich text format (RTF) file -- or merely previewing or opening a malicious RTF email message.

Paul Henry, security and forensic analyst at patch management company Lumension, said launching an exploit against the vulnerabilities would be difficult, but it still ranks as a more severe issue than most Word patches.

"Normally, Word bulletins that affect remote code execution vulnerabilities are marked as 'important' by Microsoft," Henry said in an email. "This is primarily because there are a lot of stops for the bug before it can be executed. But this particular execution is marked 'critical' because the preview pane in Microsoft Outlook can parse the RTF if it's embedded in a Word document."

All of the other patches are deemed "important" by Microsoft, including MS12-067, which addresses 13 vulnerabilities in Exchange and FAST Search Server 2010 for SharePoint. The bugs actually lie in Oracle Outside In, a set of libraries that software developers use to decode hundreds of file formats. That technology ships on Exchange Server 2007 and 2010 and FAST Search Server 2010 for SharePoint.

Microsoft first warned about these flaws in July, but despite being publicly known, the software giant is not aware of any public exploits.

Tuesday's patch batch also served as Microsoft's final call for users to install an update that requires they employ certificates carrying an RSA key length of at least 1,204 bits.The update initially could be installed manually, but now Microsoft has made it available automatically through Windows Update.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.