October 9, 2012

Microsoft today pushed out seven updates to fix a variety of security issues in Windows, Microsoft Office and other software. If you’re using Windows, take a moment to check with Windows Update or Automatic Update to see if new security patches are available.

Most of the vulnerabilities addressed in this month’s patch batch apply to business applications, such as Microsoft SharePoint, Microsoft SQL Server and Fast Search Server. The lone “critical” update (MS12-064) plugs two security holes in Microsoft Word, and applies to all versions of Microsoft Office. Another patch (MS12-069) fixes a denial-of-service vulnerability in Windows 7 and Windows 2008.

In addition, Microsoft also has shipped an update (KB2758994) for the version of Adobe’s Flash Player plugin that comes bundled with Windows 8 and Windows 2012 Server.

Also, if you haven’t yet installed the Flash Player update that Adobe released yesterday, now would be a great time to take care of that.


15 thoughts on “Microsoft Patches Windows, Office Flaws”

  1. Franklin McCoy

    Dear Brian,

    Thank you for your great security website!

    Just to point out that “applies to all versions of Microsoft Office” is not quite correct.

    According to MS12-064, Office for Mac 2008 and 2011 are unaffected.

    All the Best,

    Franklin

  2. PC.Tech

    Security Advisory 2749655 and timestamping
    https://blogs.technet.com/b/srd/archive/2012/10/09/security-advisory-2749655-and-timestamping.aspx?Redirected=true
    9 Oct 2012 – “… due to a clerical error, a subset of binaries processed by the PRSS lab between June 12, 2012 and August 14, 2012 were digitally signed in an incorrect manner… we are re-releasing an initial batch of four security updates — MS12-053, MS12-054, MS12-055, and MS12-058 — with new digital signatures, each of which has been timestamped with a proper timestamping certificate. We are continuing our investigation and expect to re-release additional bulletins as needed in months to come…”

    What the…

    1. JCitizen

      I know PC.Tech; MS updates are like watching the keystone cops! And on we go as their guinea pigs!

  3. Chuckles & Groans

    The programmers in the Microsoft bug-fixing department must be in a wretched state, plumb worn out and worn down, like Buck and the other sled dogs in the Jack London classic “The Call of the Wild”:

    Chapter 5: The Toil of Trace and Trail

    “Thirty days from the time it left Dawson, the Salt Water Mail, with Buck and his mates at the fore, arrived at Skaguay. They were in a wretched state, worn out and worn down. Buck’s one hundred and forty pounds had dwindled to one hundred and fifteen. The rest of his mates, though lighter dogs, had relatively lost more weight than he. Pike, the malingerer, who, in his lifetime of deceit, had often successfully feigned a hurt leg, was now limping in earnest. Sol-leks was limping, and Dub was suffering from a wrenched shoulder blade.

    “They were all terribly footsore. No spring or rebound was left in them. Their feet fell heavily on the trail, jarring their bodies and doubling the fatigue of a day’s travel. There was nothing the matter with them except that they were dead tired. It was not the dead tiredness that comes through brief and excessive effort, from which recovery is a matter of hours; but it was the dead tiredness that comes through the slow and prolonged strength drainage of months of toil. There was no power of recuperation left, no reserve strength to call upon. It had been all used, the last least bit of it. Every muscle, every fiber, every cell, was tired, dead tired. And there was reason for it. In less than five months they had traveled twenty-five hundred miles, during the last eighteen hundred of which they had but five days’ rest. When they arrived at Skaguay, they were apparently on their last legs. They could barely keep the traces taut, and on the down grades just managed to keep out of the way of the sled.

    “Mush on, poor sore feets,” the driver encouraged them as they tottered down the main street of Skaguay. “Dis is de last. Den we get one long rest. Eh? For sure. One bully long rest.”

    (Ref: http://jacklondons.net/writings/CallOfTheWild/cotw5.html)

    It’s gotta be tough on the MS programmers’ morale, month after month after month, grinding out update after update after update. It’s embarrassing that the code base is such a house of cards, and even worse when you mess up a released patch!

    There’s a reason many folks wait a couple of days to install any released patches…

  4. Hans

    Why are there so many fixes to IE and so few to Chrome and FF?

    1. mechBgon

      Browsers are complicated software with a complicated task to perform, so it’s not surprising that new vulnerabilities are constantly being discovered. I don’t know if you’ve seen The Ten Immutable Laws Of Computer Security, but Law #1 is “if a bad guy can persuade you to run his code on your computer, it’s not your computer anymore.” And yet that’s basically a web browser’s job; render any HTML code you want, from any source, and try to contain the damage if it’s malicious.

      In point of fact, (1) there was no IE update in the batch being discussed here, and (2) judging by Symantec’s and GFI’s research, IE has had fewer serious vulnerabilities in the last two years than Firefox or Chrome have, with a steady decline as time has gone on. They’re doing OK.

      1. BrianKrebs Post author

        Well, kinda sorta.

        “…Mozilla is aware of a security vulnerability in the current release version of Firefox (version 16). We are actively working on a fix and plan to ship updates tomorrow. Firefox version 15 is unaffected.

        Firefox 16 has been temporarily removed from the current installer page and users will automatically be upgraded to the new version as soon as it becomes available…”

        To read the complete article see:
        https://blog.mozilla.org/security/2012/10/10/security-vulnerability-in-firefox-16/
        http://nakedsecurity.sophos.com/2012/10/11/firefox-browser-in-version-16-upgrade-downgrade-confusion/

  5. mechBgon

    The one Critical patch in the batch is for Word, and Microsoft warns that it’s going to be simple to exploit, so you systems administrators and unofficial I.T. chiefs will want to patch that one ASAP.

    From my recent reading, it sounds like .RTF is enjoying a comeback as an attack vector. Office can be configured to open them in Protected View with no option to disarm Protected View. This can be done in several ways:

    1. via the Trust Center in Word’s File > Options > Trust Center > Trust Center Settings > File Block Settings (check the box for .RTF files and choose “Open in Protected View”)

    2. by a Registry key, namely HKCU\software\policies\microsoft\office\14.0\word\security\fileblock\rtffiles
    REG_DWORD:4

    and enforce the “Open in Protected View” setting for blocked files with

    HKCU\software\policies\microsoft\office\14.0\word\security\fileblock\openinprotectedview
    REG_DWORD:2

    3. use Microsoft Security Compliance Manager (a freebie) to create a GPO and deploy it via Active Directory

    Being in the SOHO realm these days, I went with SCM and applied the resulting GPO manually using the LocalGPO tool that comes with SCM.

    The privilege-escalation kernel patch also sounds pretty important. Microsoft says an attacker has to be able to log on locally to exploit it, but it sounds like any exploit that could get user-level privileges to execute a Trojan Horse could then elevate to kernel privileges using this vulnerability. At least they rate it difficult to create a reliable exploit for that one.

    Anyway, we had no problems with any of this batch ourselves. Anyone had any problems with these?

    1. mechBgon

      Oh, and the above assumes Office 2010. Microsoft’s bulletin includes workarounds for other versions.
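The two registry values quoted in the comment above (rtffiles = 4, openinprotectedview = 2 under the Word 14.0 FileBlock policy key), applied and verified from PowerShell. This is an added example, not code from the commenter or from Microsoft; it assumes Office 2010 (the 14.0 path the comment gives), and extending it to other Office version numbers is an assumption the post does not confirm.

```powershell
# Added example: enforce "Open in Protected View" for .RTF files in Word 2010
# using the HKCU policy values quoted in the comment (rtffiles=4, openinprotectedview=2).
# The 14.0 version path is from the comment (Office 2010); other versions are an assumption.

$OfficeVersion = '14.0'
$FileBlockKey  = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Word\Security\FileBlock"

function Set-WordRtfProtectedView {
    param([string]$Key = $FileBlockKey)
    # Create the policy key path if it is missing (-Force also creates missing parents)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    # rtffiles = 4 : block .RTF files; openinprotectedview = 2 : open blocked files in Protected View
    New-ItemProperty -Path $Key -Name 'rtffiles' -PropertyType DWord -Value 4 -Force | Out-Null
    New-ItemProperty -Path $Key -Name 'openinprotectedview' -PropertyType DWord -Value 2 -Force | Out-Null
}

function Test-WordRtfProtectedView {
    param([string]$Key = $FileBlockKey)
    # Returns $true only when both policy values are present with the intended settings
    if (-not (Test-Path $Key)) { return $false }
    $p = Get-ItemProperty -Path $Key
    return (($p.rtffiles -eq 4) -and ($p.openinprotectedview -eq 2))
}

Set-WordRtfProtectedView
if (Test-WordRtfProtectedView) {
    'Policy set: .RTF files will open in Protected View with no option to disable it.'
} else {
    'Policy not applied as expected; check the key path and whether the session may write HKCU\Software\Policies.'
}
```

Writing under HKCU\Software\Policies normally requires an elevated session, which is why the commenter's GPO route (Security Compliance Manager, or LocalGPO for a single machine) is the more maintainable choice for more than one host.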

  6. Rabid Howler Monkey

    Since there is a critical update for Microsoft Word this month, Windows users might want to check that Microsoft Update is enabled instead of Windows Update which defaults on Windows XP, Vista and 7. In addition to applying updates to everything that Windows Update does, Microsoft Update includes updates for Microsoft software (i.e., Microsoft Office) that is not bundled with Windows (e.g., Windows Media Player).

    For Windows XP and Vista users, here’s a link to help:

    “Enabling Microsoft Update to keep Office 2003, Office XP, and other Microsoft Products Secure and Up-To-Date”
    http://blogs.technet.com/b/mu/archive/2009/03/20/enabling-microsoft-update-to-keep-office-2003-office-xp-and-other-microsoft-products-secure-and-up-to-date.aspx

    For Windows 7 users, here’s the link (see the first bullet under the “Tips” heading):

    http://windows.microsoft.com/en-US/windows7/How-can-I-tell-if-my-computer-is-up-to-date

    This month’s Microsoft Word vulnerabilities involve remote code execution (1) if a user opens or views a specially-crafted Word file or (2) if a user opens or views a specially-crafted RTF file. These vulnerabilities could result in complete system compromise. Thus, exploits will likely find their way into the various exploit packs used by the malware miscreants as Microsoft Word has a very large installed base.
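A way to check from PowerShell whether a machine is opted in to Microsoft Update (which carries Office patches such as MS12-064) rather than plain Windows Update, as the comment above recommends. This is an added example, not from the commenter or from Microsoft's linked pages; it uses the Windows Update Agent COM interface (Microsoft.Update.ServiceManager), and the Microsoft Update service GUID it relies on should be treated as an assumption to confirm against Microsoft's documentation for your Windows version.

```powershell
# Added example: detect whether Microsoft Update is registered with Automatic Updates,
# and opt in if it is not. Uses the Windows Update Agent COM API (Microsoft.Update.ServiceManager).
# The service GUID is the commonly documented Microsoft Update ID; verify it for your environment (assumption).

$MicrosoftUpdateServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'

function Test-MicrosoftUpdateEnabled {
    # Returns $true when the Microsoft Update service is registered with Automatic Updates
    $manager = New-Object -ComObject 'Microsoft.Update.ServiceManager'
    foreach ($service in $manager.Services) {
        if ($service.ServiceID -eq $MicrosoftUpdateServiceId -and $service.IsRegisteredWithAU) {
            return $true
        }
    }
    return $false
}

function Enable-MicrosoftUpdate {
    # Registers Microsoft Update with Automatic Updates; needs an elevated (administrator) session.
    # Flag 7 = allow pending registration (1) + allow online registration (2) + register with AU (4).
    $manager = New-Object -ComObject 'Microsoft.Update.ServiceManager'
    $manager.AddService2($MicrosoftUpdateServiceId, 7, '') | Out-Null
}

if (Test-MicrosoftUpdateEnabled) {
    'Microsoft Update is enabled: Office updates arrive through Automatic Updates.'
} else {
    'Only Windows Update is enabled; run Enable-MicrosoftUpdate from an elevated prompt to opt in.'
}
```

After opting in, the next Automatic Updates scan will include Office and other non-bundled Microsoft products; on a fleet, the same check is a useful compliance signal, since a machine that only sees Windows Update silently misses the month's critical Word patch.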

  7. Hans

    Thank you for so many helpful replies!

    Mr Krebs, I have bookmarked your very interesting chart on infected PCs…

    I have also made a live OS, for use with my brokerage account…

    Love the website and your wonderful perspective…

  8. Andrew

    Make sure you have a recent recoverable image of the machine before attempting these updates on Windows Servers … That should always be the case and luckily it was – this update hung a critical database server
