Microsoft to patch 20 bugs next week in month of Office updates

Single critical update will fix serious flaws in Office 2007, 2010 on Windows that hackers could use to hijack PCs

Microsoft today announced it will deliver seven security updates, one critical, to patch 20 vulnerabilities in Office, SharePoint Server, SQL Server, Windows and other parts of its product lineup.

"It looks like an Office month," said Andrew Storms, director of security operations at nCircle Security. "Look at the 'Affected Software' column on the advance notification. Office, Office, Office."

The one update pegged critical, Microsoft's highest threat ranking, will tackle bugs in all supported versions of Office on Windows. The remaining six updates were labeled "important," the next-most-serious rating in the company's four-step scoring system.

There was no update scheduled for Internet Explorer (IE), as Microsoft took care of that last month when it rushed out an emergency patch to stymie active attacks exploiting a bug in the browser. The Sept. 21 "out-of-band" update also included patches for several additional vulnerabilities, which were originally slated to ship next week.

Security experts, not surprisingly, all tapped the critical Office update as the one to plan to deploy as soon as possible.

"It's not only the one critical [update]. It's also critical in Word 2007 and Word 2010, but only important in Office 2003," said Storms in an interview Thursday. "We haven't seen a good critical Word bug in a while, and as I've said before, the newer [versions] should be more secure. That's not the case here."

Storms speculated that the flaw -- or flaws, since Microsoft does not spell out how many patches compose each update in its advance notification -- may be in the file formats used by Office 2007 and Office 2010 on Windows.

Microsoft debuted new XML-based file formats in Office 2007 as replacements for older, proprietary binary formats.

"Maybe there's a bug in how Word opens or parses files," Storms theorized.

Others wondered the same.

"This vulnerability requires a victim to open up a malicious file or preview a malicious file in Outlook Web Access," noted Marcus Carey, security researcher with Rapid7, in an email today. "This vulnerability could result in the complete compromise of a system if exploited."

Wolfgang Kandek, CTO of Qualys, also focused his attention on the Word update, but put a different spin on it than Carey. "[A critical rating] is not very common for Office vulnerabilities and typically indicates that no user interaction, such as opening an affected file, is required to trigger the vulnerability," Kandek said.

The six important updates will address one or more vulnerabilities in Windows, SharePoint Server, FAST Search Server, Groove Server, Office Web Apps, Microsoft Communicator, Microsoft Lync and SQL Server, versions 2000 and later, including SQL Server 2012, which shipped six months ago.

Most of them can be postponed, the experts said today, at least according to the information available in the bare-bones advance notice.

"Bulletin 7 [the SQL Server update] will depend on the attack vector Microsoft reveals next week," said Storms. "If it's an elevation of privilege bug that's difficult [for hackers] to get to, you'll be better off waiting."

Storms based that advice on the calendar: Many enterprises lock down their networks, servers especially, in October and early November to ensure they keep running through the crucial holiday season. During a lockdown period, IT administrators pass on all patching, just in case a fix causes problems. SQL Server is often a mission-critical part of a company's back-end infrastructure, powering the databases behind online stores.

Alex Horan, senior product manager at Core Security, gave a nod to Bulletin 7, too, but for a different reason. "These patches highlight the amount of code that is being reused," said Horan. "Bulletin 7 involves code reused in versions since 2000. That's 12 years of reused, and now vulnerable code."

It's possible, Horan continued, that the vulnerabilities have been quietly exploited for years.

Also next Tuesday, Microsoft will begin rolling out a long-planned update that invalidates all certificates with keys less than 1,024 bits long.

It was in June that Microsoft first told users it was going to disable those certificates, saying at the time that it would issue an update in August to block Windows from accepting certificates with such short keys. Microsoft did ship the update that month, but made it an optional download. Next week, Microsoft will effectively push it to everyone.

The update to kill certificates with shorter -- and thus more vulnerable -- keys was triggered by the discovery of Flame, a sophisticated espionage tool uncovered by Kaspersky Lab. Flame infiltrated networks, scouted out the digital landscape, and used a variety of modules to pilfer information. Among its tricks was one researchers called the "Holy Grail": It spoofed Windows Update to infect fully patched Windows PCs.

Microsoft reacted by throwing the kill switch on three of its own certificates.

"My sense is that one, most enterprises have already done this, and two, the enterprises that haven't will deny [the update] via WSUS [Windows Server Update Services]," said Storms. "So really, the immediate impact will be on the smaller guys who either don't use WSUS or haven't gotten the word about the update coming. For them, stuff may break, and they're going to be scratching their heads trying to figure out why."
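Before the update lands, an administrator can find out which certificates on a machine will stop being trusted. The script below is an added example, not code from the article, Microsoft or any of the quoted vendors: it walks the local machine and current user certificate stores and lists every certificate whose RSA public key is shorter than 1,024 bits, the cut-off the update enforces. It assumes Windows PowerShell with the `Cert:` drive available; the function name `Get-WeakRsaCertificate` and the `$MinimumKeyBits` variable are choices made here, not Microsoft's.

```powershell
# Added example (not from the article): inventory certificates in the local
# machine and current user stores whose RSA public key is shorter than the
# 1024-bit threshold the Windows update described above enforces.
# Assumes Windows PowerShell (3.0 or later) on a host exposing the Cert: drive.

$MinimumKeyBits = 1024   # threshold from the Microsoft update

function Get-WeakRsaCertificate {
    param(
        [string[]] $StorePaths = @('Cert:\LocalMachine', 'Cert:\CurrentUser'),
        [int] $MinimumBits = $MinimumKeyBits
    )

    foreach ($path in $StorePaths) {
        # -Recurse also returns store containers, so keep only certificate objects
        Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
            ForEach-Object {
                $cert = $_
                # Only RSA keys are subject to the 1024-bit cut-off
                if ($cert.PublicKey.Oid.FriendlyName -ne 'RSA') { return }
                $bits = $cert.PublicKey.Key.KeySize
                if ($bits -lt $MinimumBits) {
                    [pscustomobject]@{
                        Store      = $cert.PSParentPath -replace '^.*::', ''
                        Subject    = $cert.Subject
                        Issuer     = $cert.Issuer
                        KeyBits    = $bits
                        NotAfter   = $cert.NotAfter
                        Thumbprint = $cert.Thumbprint
                    }
                }
            }
    }
}

$weak = @(Get-WeakRsaCertificate)
if ($weak.Count -eq 0) {
    Write-Output "No RSA certificates below $MinimumKeyBits bits found."
} else {
    $weak | Sort-Object KeyBits, NotAfter | Format-Table -AutoSize
    # Non-zero exit code so a scheduled task or deployment pre-check can flag the host
    exit 1
}
```

Running this across servers before approving the update in WSUS turns Storms' "stuff may break" into a concrete list of certificates to replace; the same check, pointed at a file share of exported certificates, works for the smaller shops he mentions that do not run WSUS at all.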

Microsoft will release the seven updates at approximately 1 p.m. ET on Oct. 9.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.
