Microsoft Patches Critical Word Vulnerability for Windows and More

By Anthony Freed | October 10, 2012

Posted in: Network Security Trends

Microsoft issued patches Tuesday to mitigate twenty vulnerabilities in a variety of its software products, including a critical patch to remedy a bug in the popular Word application that attackers could exploit remotely in targeted attacks.

The Word vulnerability is present in all versions of the software for Windows systems (2003, 2007 and 2010), as well as Word Viewer, Office Web Apps, Office Compatibility Pack, and free versions of Word, Excel, PowerPoint and OneNote. Outlook users who have Word set as the default email reader are also at risk.

All Microsoft customers are urged to configure automatic updates for their software, or to check online for recently released patches using the Microsoft Update service as soon as possible.

The exploit targeting Microsoft's word processing software employs a malicious Rich Text Format (RTF) file which, if viewed in Word, could allow an attacker to remotely take control of the infected device.

"The more severe vulnerability could allow remote code execution if a user opens or previews a specially crafted RTF file. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights," Microsoft Security Bulletin MS12-064 explains.

The patch issued corrects the manner in which Microsoft Office handles memory when parsing data for specially crafted files, such as the RTF files identified in the exploit. Microsoft Office for Mac 2008 and 2011 are not susceptible to the attack.

Microsoft also issued patches ranked as "important" for vulnerabilities discovered in Microsoft Works, SQL Server, Kerberos, FAST Search Server 2010 for SharePoint, the HTML Sanitization Component, and Windows Kernel.

The company also produced an update for Adobe's Flash Player designed to run on Internet Explorer for Windows 8 and the Windows 2012 Server, which corresponds to a Flash Player update that Adobe released on Monday.
