Microsoft quashes critical bugs in IE10, Windows 8, Word

Drive-by attacks possible against IE9, IE10, as well as Word 2007 and Word 2010

By , Computerworld |  Windows, IE10, Microsoft

IE10 also received an update today for Adobe's Flash Player, the popular media software that's baked into Microsoft's newest browser. Last month, Adobe said it would adopt the "Patch Tuesday" schedule of its Redmond, Wash. partner for future Flash security updates. Today's update, the 10th for Flash this year, contains fixes for three critical flaws.

Also bright on security professionals' radar was the Word update, MS12-079, which corrects another flaw in the word processor's parsing of RTF (rich text format) files.

"RTF documents are very relevant in the enterprise, and [MS12-079] should concern me if I'm using Outlook 2007 or 2010. That's a lot of people," said Miller.

Hackers can trigger a successful exploit by sending a maliciously crafted email to Outlook 2007 and 2010 users who simply preview it. In that way, an exploit would be very similar to a browser "drive-by" attack.

Outlook 2003 users are at risk if they open, rather than preview, a malformed RTF attachment. The newest version of the suite, Office 2013, was not affected by the bug.

Other updates patched three vulnerabilities in Exchange, Microsoft's widely used mail server; two critical bugs in Windows' font parsing; a flaw in Windows' file handling; an important bug in DirectPlay; and another in the IP-HTTPS protocol that's used to create a VPN-like secure connection between Windows clients and servers.

The font-parsing update (MS12-078) contained two critical patches for Windows 8 and Windows RT, and the DirectPlay bulletin included a fix for an important Windows 8 vulnerability.

This was the second month running that Microsoft has patched its newest desktop and tablet operating systems.

Microsoft also re-released four older bulletins this month, a continuation of a project it kicked off in October, when it said it had uncovered "a clerical error made in code-signing" in updates issued as far back as June 2012.

Both Storms and Miller believed that today's re-releases would be the last from Microsoft. Previously, Microsoft said it would wrap up the project before the affected bulletins' certificates expired in early 2013.

December's seven security updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through WSUS (Windows Server Update Services), the de facto patching mechanism for businesses.

Originally published on Computerworld.