Today’s monthly advance notification of Microsoft’s upcoming security bulletin release on Tuesday includes a number of critical Office patches that have experts worried.
Of particular concern are remote code execution vulnerabilities in Outlook 2007 and 2010 that can be exploited by merely previewing an email; the Office bugs make up just one of the four critical bulletins among the 14 in all that Microsoft is expected to release.
“It looks like a heavy month for file rendering vulnerabilities. Network administrators will likely see an uptick in phishing attacks using crafted Office documents as attackers quickly reverse Microsoft’s patches to create 0.5 day exploits,” said Craig Young, security researcher at Tripwire.
True, hackers don’t need a lot of time to reverse engineer patches and develop exploits for published flaws. Given Outlook’s criticality to so many businesses, it’s a popular attack vector for targeted attacks. Spear phishing has been the kickoff to any number of targeted persistent attacks against organizations and individuals by criminal gangs and nation-states.
“Since 50 percent of the patches apply to Microsoft Office, there’s probably going to be a lot of cussing in enterprise security teams when the patch is released,” said Tyler Reguly, technical manager of security research and development at Tripwire.
Office is being patched back to Office 2007 SP3 and Office 2010 SP1; Office 2013 is not affected, Microsoft said.
Microsoft is also patching critical remote code execution vulnerabilities in SharePoint, going back to SharePoint Portal Server 2003 SP3 and FrontPage 2003 SP3.
“[SharePoint Server] should be the highest priority on the list for your server administrators, after diligent testing to assure that the patch does not impact any business critical functionality,” said Qualys CTO Wolfgang Kandek.
Tripwire’s Reguly points out there are 17 SharePoint vulnerabilities on the list, in addition to the remaining critical bulletins for IE and Windows.
“The SharePoint list is huge this month. Given the complexity of SharePoint and its services, it’s no wonder it’s patched so frequently,” he said. “It’s amazing that Microsoft is still supporting FrontPage 2003 and SharePoint Portal Server 2003. These platforms are 10 years old, and from a software lifecycle point of view, it’s time to let them die and have customers upgrade.”
IE, meanwhile, is being patched again. After last month’s cumulative IE rollup, the browser is getting another patch job for a set of remote code execution bugs. IE has been patched almost monthly since late last year. Client-side versions of IE are being patched for remote code execution vulnerabilities all the way back to IE 6 on Windows XP, up to IE 10 on Windows 8 and RT. Patches for server versions of the browser are rated moderate by Microsoft.
The final set of critical patches addresses remote code execution bugs in Windows XP and Windows Server 2003, both of which are being phased out of regular support cycles by Microsoft in April 2014.
“You should be phasing those out by now,” Kandek said. “Those operating systems and the Office suite will then start to accumulate unfixed vulnerabilities and become a magnet for attackers who will have access to easy-to-use and surefire tools to exploit setups that run on XP/2003 or that have Office 2003.”
The remaining 10 bulletins are all rated important by Microsoft: four of them patch remote code execution flaws in Office; three fix privilege escalation flaws in Windows and Office; and the rest address an information disclosure bug and two denial of service issues in Office and Windows, respectively.
“Overall it’s a sizeable Patch Tuesday focused mainly on desktop vulnerabilities, at least if you do not run SharePoint Server,” Kandek said.