November 9, 2010

Microsoft Corp. today issued three bundles of updates fixing at least 11 security vulnerabilities in its software, mainly flaws in Microsoft Office products. But the company did not release an update today to remedy a critical flaw built into all versions of the Internet Explorer Web browser that is now being exploited by at least one common, automated hacker toolkit.

Two of the updates address Office bugs, including one that is limited to older versions of PowerPoint and PowerPoint Viewer. Only one of today’s patches earned a “critical” rating, Microsoft’s most serious. But experts are warning that this critical Office vulnerability is likely to be used in targeted e-mail attacks against Microsoft Outlook users.

“One of the most dangerous aspects of this vulnerability is that a user doesn’t have to open a malicious email to be infected,” said Joshua Talbot, security intelligence manager for Symantec Security Response. “All that is required is for the content of the email to appear in Outlook’s Reading Pane. If a user highlights a malicious email to preview it in the Reading Pane, their machine is immediately infected. The same holds true if a user opens Outlook and a malicious email is the most recently received in their inbox; that email will appear in the Reading Pane by default and the computer will be infected.”

Microsoft did not issue an update to fix a zero-day flaw in Internet Explorer that bad guys are exploiting to break into Windows computers. Last week, the software giant warned that crooks were exploiting the flaw in targeted attacks, and that it had no intention of issuing a fix for the security hole outside of its normal monthly patching process (the second Tuesday of each month — today — is Patch Tuesday).

Since that advisory, the IE exploit has been bundled into the Eleonore Exploit pack, a powerful and widely-used commercial crimeware kit that makes it trivial for attackers to turn legitimate Web sites into platforms for installing malware when visitors browse the sites with vulnerable PCs.

If you have Office installed, take a moment to visit Microsoft Update to patch things up. If you use IE, either upgrade to IE8 — which provides additional protections against this zero-day attack — or consider implementing the Fix-It tool that Microsoft has released to help mitigate the threat from the vulnerability.

A summary of today’s bulletins is available here.

Update, 7:03 p.m. ET: Added information at the end of this post on the Microsoft FixIt Tool.

11 thoughts on “Microsoft Plugs Office Holes, But No IE Fix Yet”

  1. xAdmin

    Haven’t had a chance to install the updates yet (use Office 2003), but configuring Outlook to read all mail as plain text protects against the Rich Text Format (RTF) Stack Buffer Overflow vulnerability that Joshua Talbot is talking about.

    How to view all e-mail messages in plain text format

    I’ve always used this as a layer of security as it disables active content in any incoming e-mail.
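The plain-text mitigation xAdmin describes is controlled by a per-user registry value. The script below is an added example, not code from the post or its commenters, that audits that setting across Outlook versions and sets it only when run with -Enforce. It assumes the documented DWORD name ReadAsPlain under HKCU\Software\Microsoft\Office\<version>\Outlook\Options\Mail, where 11.0 is Outlook 2003 (the version the commenter uses); the 12.0 and 14.0 entries for later releases are assumptions to adjust to what is actually installed.

```powershell
# Added example (not from the original post or its commenters).
# Audits, and with -Enforce sets, Outlook's "read all standard mail in plain text"
# option so that active content in HTML/RTF messages is not rendered in the Reading Pane.
# Assumption: value name ReadAsPlain (DWORD, 1 = enabled) under
# HKCU\Software\Microsoft\Office\<version>\Outlook\Options\Mail.
# Assumption: the version list maps 11.0/12.0/14.0 to Outlook 2003/2007/2010.

param(
    [switch]$Enforce   # set the value instead of only reporting it
)

$versions = @('11.0', '12.0', '14.0')   # assumed version identifiers; edit to match your install

foreach ($v in $versions) {
    $outlookKey = "HKCU:\Software\Microsoft\Office\$v\Outlook"
    $mailKey    = "$outlookKey\Options\Mail"

    # Skip versions that have never been run by this user (no Outlook key present)
    if (-not (Test-Path $outlookKey)) {
        Write-Output "Outlook $v : no per-user settings found, skipping"
        continue
    }

    # Read the current value; $null means the value (or Options\Mail key) does not exist yet
    $current = (Get-ItemProperty -Path $mailKey -Name ReadAsPlain -ErrorAction SilentlyContinue).ReadAsPlain

    if ($current -eq 1) {
        Write-Output "Outlook $v : plain-text reading already enabled"
    }
    elseif ($Enforce) {
        if (-not (Test-Path $mailKey)) {
            New-Item -Path $mailKey -Force | Out-Null
        }
        Set-ItemProperty -Path $mailKey -Name ReadAsPlain -Value 1 -Type DWord
        Write-Output "Outlook $v : plain-text reading enabled (previous value: '$current')"
    }
    else {
        Write-Output "Outlook $v : plain-text reading NOT enabled (run with -Enforce to set it)"
    }
}
```

Run it without arguments first to see the current state; Outlook reads this value at startup, so restart Outlook after running with -Enforce. Plain-text reading is a user-level setting, so the script must be run in each affected user's session (or the same value pushed per user through Group Policy preferences).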

  2. JBV

    Thank you, yet once more, Brian, for your always helpful reminders.

  3. timeless

    Brian, could you rewrite this line:
    > Yet, we have no additional guidance from Microsoft on this IE flaw today: No Fix-It tool, and not even an acknowledgment of the increased threat against this dangerous bug.

    I understand you added:
    > If you use IE, either … or consider implementing the Fix-It tool that Microsoft has released to help mitigate the threat from the vulnerability.

    But the first part rules out the possibility that later paragraphs would have such a thing :(. This isn’t helped by the way that second paragraph seems to be about Office :(.

    — I’m off to try to update Office. Worse, it seems that this applies to Office 2008 and 2011 for OS X too, and I can’t remember how to update them 🙁

    1. d

      I forgot this line:

      Open Word, Excel, etc.

      Then do this:

      Go to Help –> Check for Updates.

      However, the updates for Office for Mac usually appear much later than the Windows ones; that’s if Redmond decides to update the Mac versions.

    1. Moike

      I also see install attempt failures on this update. Just keep trying; eventually it will succeed.

  4. Tom

    The Office 2003 fixes installed without a problem – Win7 machine.

Comments are closed.