Patch Tuesday Leaves Some Vulnerabilities Unpatched

After a record-breaking Halloween avalanche of patches last month, Microsoft on Tuesday issued three security bulletins to address 11 vulnerabilities, with only one rated critical. Microsoft said it hasn’t seen any active attacks seeking to exploit any of the vulnerabilities in this month’s bulletin — but active exploits on other flaws remain in the wild.

Microsoft Office is a major theme this month. The only critical vulnerability impacts Office, specifically Word. The RTF Stack Buffer Overflow issue will most likely be used in targeted e-mail attacks against Outlook users, since Outlook uses Word to display e-mail content, said Joshua Talbot, security intelligence manager for Symantec Security Response.

According to Talbot, one of the most dangerous aspects of this vulnerability is that a user doesn’t have to open a malicious e-mail to be infected — all that is required is for the content of the e-mail to appear in Outlook’s Reading Pane.

“If a user highlights a malicious e-mail to preview it in the Reading Pane, their machine is immediately infected,” Talbot said. “The same holds true if a user opens Outlook and a malicious e-mail is the most recently received in their inbox. That e-mail will appear in the Reading Pane by default and the computer will be infected.”

Older Versions Safer?

Drilling deeper into the Microsoft Office bulletin MS10-087, each of the four vulnerabilities appears to allow remote code execution. But one in particular addresses a publicly disclosed critical flaw in Office 2007 and Office 2010 known as DLL Preloading, or Binary Planting. Still, Microsoft is stressing the RTF Stack Buffer Overflow issue.

“Microsoft indicates that this patch is its top priority for this round of patches,” said Don Leatham, director of solutions and strategy at Lumension. “Interestingly, this vulnerability is rated as ‘important’ for Office XP and Office 2003. This…
