Microsoft patches critical Outlook drive-by bug. On November 9, Microsoft patched 11 vulnerabilities, including one in Office that hackers will quickly exploit to launch drive-by attacks, security experts said. As expected, Microsoft did not ship a fix for the flaw in Internet Explorer (IE) that criminals are using to hijack Windows PCs. Of the 11 flaws addressed in three separate updates, only one was pegged as “critical,” Microsoft’s top ranking in its four-step scoring system.
The remaining 10 were all marked “important,” the second-highest rating. “The one that gives me the heebie-jeebies this month is the Office update,” said the director of security operations at nCircle Security. “The RTF vulnerability can be triggered simply by viewing a message in Outlook, so all you have to do is receive a [malicious] message. Then the game is over.” He was referring to MS10-087, a five-patch update for Office XP, 2003, 2007 and 2010 on Windows, and Office for Mac 2004, 2008 and 2011.
The only critical bug this month is in the RTF (rich text format) parser within Outlook, the e-mail client packaged with Office. “The vulnerability could be exploited when the specially crafted RTF e-mail message is previewed or opened in Outlook,” Microsoft’s advisory stated. Both Office 2007 and Office 2010, Microsoft’s two newest suites, can be exploited using drive-by attacks launched against Outlook. Today’s patch was the first critical update for Office 2010, which launched only in June 2010.
Microsoft forgets to patch Mac Office 2004, 2008. On November 9, Microsoft revealed four vulnerabilities in the Mac version of its Office suite, but then failed to produce patches for the 2004 and 2008 editions. Office for Mac 2011, which launched October 26, was the only version updated as part of Microsoft’s monthly Patch Tuesday release on November 9. Microsoft did not explain the omission of Office for Mac 2004 and Office for Mac 2008 patches, or say when it would ship updates for those editions.
According to that bulletin, Office for Mac contains four vulnerabilities, all rated “important,” the second-highest threat ranking in Microsoft’s four-step scoring system. Microsoft confirmed that each bug could be used by attackers to infect a Mac with malware by labeling them with the phrase “remote code execution.” Along with a fifth bug, the same four flaws were patched November 9 in all still-supported versions of Office for Windows.
Source: http://www.computerworld.com/s/article/9195719/Microsoft_patches_critical_Outlook_drive_by_bug
Source: http://www.computerworld.com/s/article/9195819/Microsoft_forgets_to_patch_Mac_Office_2004_2008