Microsoft security patches include fixes for Word, Office, Windows

In its May "Patch Tuesday," Microsoft released seven bulletins covering 23 vulnerabilities

Microsoft has fixed 23 vulnerabilities in its software products, including several considered critical, the company said on Tuesday in its monthly security patch report.

The security holes, included in seven bulletins, affect Office, Windows, .Net Framework and Silverlight, and in the worst-case scenarios could give attackers control of affected systems, including the ability to run malicious code remotely on them.

The first critical bulletin covers a vulnerability in Microsoft Office that could allow attackers to execute remote code on compromised systems. For that to happen, users would have to open an infected rich-text format (RTF) file. If successful, the exploit would give attackers the same usage rights as the current user.

The issue is labeled critical for all supported editions of Microsoft Word 2007. It is rated "important" -- the second highest severity level in Microsoft's four-level scale -- for all supported editions of Word 2003, Office 2008 for Mac and Office for Mac 2011, as well as all supported versions of Office Compatibility Pack. The security hole was privately reported to Microsoft.

The second critical bulletin involves 10 vulnerabilities in Office, Windows, .NET Framework, and Silverlight, seven of which were privately reported to the company. The most dangerous vulnerability would let attackers run code remotely on an affected user's machine if the user opens an infected document or is tricked into visiting a malware-laden webpage with embedded TrueType font files.

The problem is rated critical for all supported editions of Windows, .Net Framework 4 (except when installed on Windows editions for Itanium chips); and Silverlight 4 and 5. It's considered important for Office 2003, Office 2007 and Office 2010.

Commenting on this bulletin in a separate blog post, Jonathan Ness, from the Microsoft Security Response Center Engineering team, said that since fixing a vulnerability five months ago that was being exploited by the Duqu malware through malicious Office documents, Microsoft found that the problematic Microsoft code, win32k.sys, was in other products as well.

Fixing the vulnerabilty, an insufficient bounds check within the font parsing subsystem of win32k.sys, in the newly-discovered places led Microsoft to include several products in this bulletin and consolidate a variety of other fixes in it, according to Ness.

The third critical bulletin covers two privately-reported vulnerabilities in .Net Framework that could open the door for attackers to execute code remotely on the infected machine with the same level of rights as the affected user. For the exploit to be successful, users would need to visit an infected webpage using a browser that can run XAML Browser Applications (XBAPs).

This security update is considered critical for all supported editions of the Microsoft .NET Framework on all supported editions of Microsoft Windows.

The four bulletins labeled important include one that covers six Office vulnerabilities that could allow remote code execution if users open an infected Office file. This fix is considered important for all supported editions of Excel 2003, Excel 2007, Office 2007, Excel 2010, Office 2010, Office 2008 for Mac, and Office for Mac 2011, as well as for supported versions of Excel Viewer and Office Compatibility Pack.

Another important bulletin addresses one vulnerability in Visio Viewer 2010 that could give attackers the ability to execute malicious code remotely if users open an infected Visio file.

The third bulletin tagged as important deals with two security holes in Windows, including one affecting the TCP/IP component that could allow an attacker that logs on to a system to upgrade his user access privileges by running a specially crafted application. This hole is considered important for all supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

The final bulletin also involves Windows, specifically its Windows Partition Manager and a vulnerability that could let an attacker who gains access to a system to run a malicious application to elevate his user access privileges. The attacker needs to have valid credentials to access the system, and must log on manually on the affected machine. This issue is considered important for all supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

Users who have their machines set up to receive Microsoft's software patches automatically don't need to do anything. The fixes will be installed on their computers automatically. The updates can also be manually downloaded at the Microsoft Update and Windows Update sites.

Juan Carlos Perez covers enterprise communication/collaboration suites, operating systems, browsers and general technology breaking news for The IDG News Service. Follow Juan on Twitter at @JuanCPerezIDG.

Join the CSO newsletter!

Error: Please check your email address.

More about ExcelIDGMicrosoftVisio

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Juan Carlos Perez

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts