News

Microsoft Goes Easy With November Patch Release

• By Jabulani Leffall
• 11/09/2010

Microsoft's November security update arrived today, and it's something less than a Thanksgiving meal.

IT pros will no doubt be happy that the pickings are slim this time around. The November security patch contains just three bulletins -- one deemed "critical" and two "important" items. They address two remote code execution (RCE) risk factors and one elevation-of-privilege issue. A total of 11 vulnerabilities are covered.

Products affected in this month's patch include Microsoft Office and Microsoft Forefront Unified Access Gateway.

Three Times a Patch
The one critical patch is aimed at fixing issues in the Microsoft Office suite, particularly with Outlook. The update resolves one publicly disclosed vulnerability and four privately reported vulnerabilities in Office, according to Microsoft. The most severe of these vulnerabilities could allow RCE if an Outlook user opens or previews a specially crafted rich text format (RTF) e-mail message. It appears that Hotmail or any browser-based e-mail is vulnerable as well.

"People should definitely be patching Office first this month," said Tyler Reguly, lead security engineer at nCircle. "Especially since the only competition is a product no one has heard of. The threat of being owned by Outlook's preview pane is definitely scary."

For the second patch, deemed important, specially crafted PowerPoint files are the culprit. They can lead to an RCE attack if a user opens the corrupted PowerPoint document and could lead to the attacker taking complete control of an affected system, Microsoft said.

The third and final patch in November's rollout deals with four privately reported vulnerabilities in the Microsoft Forefront Unified Access Gateway security product.

All three patches may require a restart, Microsoft explained in the security update.

The Patch That Got Away
Most security experts talked about the patch that Microsoft didn't ship in this month's slate -- the one regarding Internet Explorer. There is still a big in-the-wild hole in IE that likely won't be patched until December, barring the release of an out-of-band patch before Thanksgiving.

Microsoft released Security Advisory 2458511 last week, which describes this still-unresolved IE vulnerability. The flaw, which is an "invalid flag reference" that could lead to a RCE attack, is found in IE versions 6, 7 and 8. It's not found in the IE 9 beta. Users can trigger the RCE attack during an IE browsing session "if they visit a Web site hosting malicious code," Microsoft explained.
This flaw might be addressed by Microsoft in the immediate future through an off-cycle patch release, according to Josh Abraham, a security researcher at Rapid7.

"Administrators should be watching for the patches which Microsoft did not ship this month," Abraham said. "This is the new IE zero-day exploit, which Microsoft decided not to fix. My bet is that if the attacks increase we will be seeing an out-of-band patch coming from Redmond soon."

A new development concerning this IE flaw has already raised eyebrows. Roger Thompson, chief research officer for the software security company AVG, said in this blog post that an exploit related to the unpatched IE flaw has been tacked on to the Eleonore attack kit.

That news may signal more attacks to come. Hackers typically use these kits (or "crimeware") to plant malware on hacked Web sites. The aim is to hijack PCs during a browser session. The kits are sold on the black market.