A flaw in Microsoft Word ranks among the top security problems addressed by December's Patch Tuesday fixes, closing a hole that allows remotely executing malicious code on targeted machines regardless of whether users open the infected file. The bulletin is one of five marked critical by Microsoft in its advanced notification about vulnerabilities this month, and several security experts say the Word vulnerability is the top priority.
FIRST LOOK: Surface RT
"In this case we assume the 'critical' rating comes from Outlook, which can be configured to use Word to visualize documents in its preview pane," says Qualys CTO Wolfgang Kandek. "This is an automatic mechanism that does not require user interaction. In any case, this will be an important bulletin to watch out for."
The patch is rated as Important for Word 2003 SP3 and critical for Word 2007 SP2 & 3 and Word 2010 SP1.
This bulletin is similar to one issued earlier this year in that it deals with an issue with rich text format documents that can be parsed in the Outlook Preview Pane, thereby executing the vulnerability, says Alex Horan, a senior product manager with CORE Security .
"This is classic client side fodder, send an email with a job offer attached, or the new 401k plan attached and get control of a user's machine," says Paul Henry, a security and forensic analyst with Lumension, "plus if you exploit Bulletin 2, you get control of everything."
Bulletin 2 applies to all versions of Windows, including Windows 8 and Windows RT, Microsoft's two new operating systems. Given that it affects older operating systems as well, the vulnerability is likely with code from those earlier operating systems that is included in Windows 8 and RT.
"They don't say if this is a vulnerability on those systems that could be attacked over the network or if you need to be able to run code locally," says Horan, "but having an exploit that would potentially work against a wide range of windows systems is a great utility to have in your bag."
Still the actual danger may be limited, Henry says, and "because executing on this vulnerability would be time consuming and difficult, this is less important than the Word and [Internet Explorer] issues."
The IE problem threatens Target IE6 through 10, and provides a means for remotely executing code on a victim's computer. "This is a good one," says Horan, "a client side for Windows 7 and 8. A very attractive exploit [for] attackers to have."
He says that fixing a vulnerability found in Exchange 2007 SP3 and 2010 SP1 and 2 are important because these servers face the Internet and so are open to widespread attack. Fixing them may be troublesome. "You don't just randomly turn off email servers without generating howls of protest from your company," Horan says.
The same vulnerability is found in SharePoint and Microsoft Office Web Apps SP1, the latter of which may have less impact on enterprises because they don't use the platform widely, Kandek says.
The final critical bulletin is again a remote-code execution flaw affecting Windows XP SP3, Server 2003 SP2, Vista SP2, Server 2008 SP2, Windows 7 SP0 and 1, and Windows 2008 SP0 and 1. "Essentially, when Windows Explorer parses a file name, it hits this vulnerability," Henry says.
In looking back on 2012 Patch Tuesdays, Henry notes that the total number, 83, was fewer than the even 100 logged in 2011.
The number of critical and moderate bulletins remained about the same year to year, but the number of bulletins ranked important dropped from 63 to 46, he says.