Microsoft patches Office, but IE Zero-day still in the wild

Patch Tuesday is light, but Internet Explorer still at risk

Microsoft on Tuesday fixed a critical security hole in Office 2007 and Office 2010, but the monthly security update did not patch a vulnerability that is affecting users of Internet Explorer.

This month's Patch Tuesday is a light one, with only three security bulletins. But IT pros may have their hands full nonetheless in protecting against attacks targeting IE6, 7 and 8 because of the unpatched vulnerability.

Windows after 25 years: a visual history

Security bulletin MS10-087 resolves five vulnerabilities including one that would allow remote code execution when a user "opens or previews a specially crafted RTF e-mail message," Microsoft says.

For example, a user's machine could be taken over simply by viewing a malicious email in the Outlook preview panel, says Amol Sarwate, manager of the Vulnerabilities Research Lab at Qualys.

"The number of people using preview panes creates a giant pool of potential victims, and that makes this bug extremely attractive to hackers," says Andrew Storms, director of security operations for nCircle.

MS10-087 also includes the first patch for the DLL load hijacking vulnerability revealed a few months ago. "Office 2007 and Office 2010 were both patched to protect users from DLL load hijacking attacks," Computerworld reporter Gregg Keizer reports.

The security update is rated critical for all supported editions of Microsoft Office 2007 and 2010, and rated important for Office XP, Office 2003, and several Office for Mac products.

Microsoft is "not aware of any active attacks seeking to exploit the vulnerabilities addressed in this month's release," according to the Microsoft Security Response Center blog.

However, that doesn't mean other Microsoft systems aren't being attacked.

Last week, Microsoft issued an advisory warning users of Internet Explorer 6,7 and 8 that an attack seen "in the wild" can subject users to Trojans if they visit a malicious Web page. "We are aware of targeted attacks attempting to use this vulnerability," Microsoft said.

IE8 is less vulnerable to this attack than IE6 and IE7, and the newly released Internet Explorer 9 is not affected. Microsoft has offered several workarounds but not a patch. The simplest workaround is to change Outlook's default settings to view all e-mails in plain text format.

The other workarounds "could be a little bit tricky" for common users to implement, Sarwate says. Qualys spoke with Microsoft officials Tuesday morning, and learned that Microsoft is in the process of testing a patch for the IE vulnerability. So far, "they haven't seen a critical mass of attacks," but if attacks increase Microsoft could issue a security update before the next scheduled Patch Tuesday, Sarwate said.

Back to this month's Patch Tuesday, the other two vulnerabilities are MS10-088, which could allow remote code execution in PowerPoint; and MS10-089, which could allow elevation of privilege attacks in the Forefront Unified Access Gateway. 

Both security updates are rated as important.

MS10-088 "resolves two privately reported vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted PowerPoint file," Microsoft said. "An attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

MS10-089, meanwhile, "resolves four privately reported vulnerabilities in Forefront Unified Access Gateway (UAG). The most severe of these vulnerabilities could allow elevation of privilege if a user visits an affected Web site using a specially crafted URL. However, an attacker would have no way to force users to visit such a Web site. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site."

Forefront Unified Access Gateway, by the way, lets IT shops offer secure remote access to corporate resources on PCs and mobile devices. The software is likely not as familiar to users as Office and PowerPoint. nCircle lead security engineer Tyler Reguly was apparently referring to FUAG when he said "There are only three bulletins [this month] and one of them is for a product I'd never heard of before [last week's] advance notification."

Follow Jon Brodkin on Twitter

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Now read: Getting grounded in IoT