Critical Office Hole Patched In November Release

Author: Paul Roberts
minute read

Microsoft issued its monthly patch on Tuesday, releasing three security bulletins to fix security holes in a range of products, including a critical hole in versions of the Microsoft Office Suite. The three bulletins, MS10-087, 088 and -089 fixed a total of 11 vulnerabilities, five in Microsoft Office, two in Microsoft Office PowerPoint and four in Microsoft Unified Access Gateway. The release comes one month after a massive, October patch consisting of 16 bulletins addressing 49 vulnerabilities across a range of products.

Microsoft Patch TuesdayMicrosoft issued its monthly patch on Tuesday, releasing three security bulletins to fix security holes in a range of products, including a critical hole in versions of the Microsoft Office Suite. 

The three bulletins, MS10-087, 088 and -089 fixed a total of 11 vulnerabilities, five in Microsoft Office, two in Microsoft Office PowerPoint and four in Microsoft Unified Access Gateway. The release comes one month after a massive, October patch consisting of 16 bulletins addressing 49 vulnerabilities across a range of products.

Following that patch tsunami, November offers a relative respite, as Microsoft indicated in its pre-release guidance last week. Of the three bulletins, only one is rated critical: MS10-087, which fixes holes in versions of the Office Suite ranging from Office XP SP3 to Office 2010. Among the holes patched is a stack buffer overflow vulnerability that’s rated critical for Office 2007, SP2 and for the 32 and 64 bit versions of Office 2010.

Stack buffer overflows occur when a program writes to a memory address that’s outside the call stack, or data structure, allocated for that program – often by sending more data to a fixed length buffer than was intended. Attackers can use this type of programming vulnerability to place malicious code on the vulnerable system and run it with the permissions accorded to the vulnerable application.

In this case, attackers could use a Rich Text Format (RTF) file to trigger the overflow. Microsoft rated the vulnerability critical due to a recognized attack vector that could use the Outlook e-mail message preview pane to trigger the vulnerability, according to a post on Microsoft’s Security Resource Center (MSRC) blog. The bulletin also closes an Office-based attack vector for a widespread  “DLL Preloading” vulnerability that garnered attention after security researcher HD Moore posted information on applications from a variety of vendors that contained the flaw in August.

MS10-088 fixes what Microsoft describes as “cooperatively disclosed” holes in the PowerPoint 2002 Service Pack 3 and 2004, Service Pack 3. MS10-089 fixes application and Unified Access Gateway (UAG), a remote access product that is part of the Microsoft Forefront family of products.

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.

Cybersecurity for your growing business
Cybersecurity for your growing business

Topics

Show all

Authors

Threatpost

InfoSec Insider

Infosec Insider Post

Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Content

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.