Microsoft on Tuesday released a patch for a critical vulnerability in Microsoft Office that could allow an attacker to take over your PC – if you do nothing more than preview an RTF file in Outlook.
The security update is rated Critical for all supported editions of Microsoft Word 2007 and Microsoft Word 2010, and was part of Microsoft’s regular “Patch Tuesday” release. The issue can be fixed by going to the Microsoft Update site or by manually approving the necessary patch, if your machine has already downloaded it.
What makes this particular update critically important is that the vulnerability allows an attacker to remotely execute code on an unpatched system. The patch addresses two vulnerabilities. “The more severe vulnerability could allow remote code execution if a user opens or previews a specially crafted RTF file,” Microsoft says. “An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
With most malware, users need to click on a link to either begin a malware download process or visit a malware-loaded website. But in cases like this one, users don’t even need to take that extra step to be vulnerable.
What To Do?
Fortunately, the vulnerability was disclosed privately to Microsoft, which lessens the possibility that an attack has already taken place. However, it’s important for Office users to have Microsoft Update turned on, and if it is not set to update automatically, to be sure to manually approve the updates as quickly as possible.
Users should also not be tempted to run as the administrator. Sure, that level of account access eases hassles by making it easier for you to manage changes to your machine. But it also makes it easier for malware to get its hooks deep into your system.
Apart from this bug, Microsoft’s Patch Tuesday progressed relatively smoothly; six other bulletins address issues in Microsoft Works, SQL Server, SharePoint and Windows. One anomaly was that Microsoft was forced to re-issue several patches because their digital certificates had been generated by Microsoft without the proper timestamp attributes. “While this is not a security issue, because the digital signature on files produced and signed by Microsoft will expire prematurely, this issue could adversely impact the ability to properly install and uninstall affected Microsoft components and security updates,” Microsoft said.
On Monday, Microsoft issued a patch for Internet Explorer 10, which comes bundled with Windows 8, because of a vulnerability discovered inside Adobe Flash. Adobe has also separately released security updates for Adobe Flash Player 11.4.402.278 and earlier versions for Windows, the company said, because it discovered a vulnerability that could cause a crash and potentially allow an attacker to take control of the affected system.
Server admins, however, may be forced to deal with a change to Microsoft’s policy toward enforcing RSA key length. The length of an RSA key largely determines how much work it takes to break it, which is why a 512-bit key, for example, is far easier to crack than a longer 1,024-bit key. On Monday, Microsoft said that it had issued an update to Windows XP, Windows Vista, Windows Server 2003 and 2008, and Windows 7 to restrict keys of under 1,024 bits.
“The private keys used in these certificates can be derived and could allow an attacker to duplicate the certificates and use them fraudulently to spoof content, perform phishing attacks, or perform man-in-the-middle attacks,” Microsoft said.
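Before the update blocks them, admins will want to know which certificates in their stores still carry RSA keys below the 1,024-bit floor. The following PowerShell audit is an added example written for this article, not Microsoft’s tooling; the function name and the default store paths are my own choices.

```powershell
# Lists certificates whose RSA public key is shorter than $MinimumBits.
# Run in an elevated session so the LocalMachine stores are readable.
function Get-WeakRsaCertificate {
    param(
        [int]$MinimumBits = 1024,                                   # floor enforced by the update
        [string[]]$StorePath = @('Cert:\LocalMachine', 'Cert:\CurrentUser')
    )
    foreach ($path in $StorePath) {
        Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue |
            # Skip store containers and non-RSA keys (ECC/DSA have no RSA KeySize to check)
            Where-Object { -not $_.PSIsContainer -and $_.PublicKey.Oid.FriendlyName -eq 'RSA' } |
            ForEach-Object {
                $bits = $_.PublicKey.Key.KeySize
                if ($bits -lt $MinimumBits) {
                    [pscustomobject]@{
                        Store      = ($_.PSParentPath -replace '^.*::', '')
                        Subject    = $_.Subject
                        Issuer     = $_.Issuer
                        KeyBits    = $bits
                        NotAfter   = $_.NotAfter
                        Thumbprint = $_.Thumbprint
                    }
                }
            }
    }
}

# Weakest keys first; an empty table means nothing in these stores will be rejected.
Get-WeakRsaCertificate | Sort-Object KeyBits | Format-Table -AutoSize
```

Certificates that appear here will fail validation once the update is installed, so they should be reissued with at least 2048-bit keys before the rollout rather than after.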