Microsoft rolled out seven security updates today, including a fix for a critical remotely exploitable Word vulnerability. In all, 20 vulnerabilities were repaired by Microsoft, which also issued an advisory regarding poorly generated digital certificates that have to be replaced and the distribution of an automated mechanism that will check for certificate key lengths and revoke any shorter than 1024 bits.
The patch for the Word flaw fixes memory-parsing vulnerability in Microsoft Office. Attackers using a specially crafted RTF file could remotely gain the same system privileges as the user. Users would kick off the exploit by simply previewing—or opening—the infected RTF file in the Outlook preview pane if Word is the default email reader for Outlook. Microsoft Word 2003, 2007 and 2010 are vulnerable, as are Microsoft Word Viewer, Microsoft Office Compatibility Pack, Microsoft Word Automation Services on Microsoft SharePoint Server 2010, and Microsoft Office Web Apps.
“Since the development complexity of an attack against this vulnerability is low, we believe this vulnerability will be the first to have an exploit developed,” said Qualys CTO Wolfgang Kandek in a statement. “And [we] recommend applying the update as quickly as possible.”
Microsoft also announced it had discovered a problem with digital certificates used to sign core Microsoft components and binaries. The certs were generated without a proper timestamp, Microsoft said, and this could cause compatibility issues. The certificates, meanwhile, will expire prematurely, Microsoft said, and would affect users’ ability to install security updates or repair the affected components.
“This issue is caused by a missing timestamp Enhanced Key Usage (EKU) extension during certificate generation and signing of Microsoft core components and software. Some certificates used for two months of 2012 did not contain an X.509 timestamp Enhanced Key Usage (EKU) extension,” Microsoft said in its advisory. “This update will help to ensure the continued functionality of all software that was signed with a specific certificate that did not use a timestamp Enhanced Key Usage (EKU) extension. To extend their functionality, WinVerifyTrust will ignore the lack of a timestamp EKU for these specific X.509 signatures.”
Meanwhile, Microsoft announced in June that it would no longer accept RSA certificate key lengths shorter than 1024 bits. As part of today’s bulletins, Microsoft is distributing this automated checking functionality through Windows update. Certificates shorter than 1024 will be considered untrusted and will be revoked. The updater checks daily for certificates that are no longer valid and automatically revokes them.
The SANS Internet Storm Center recommends patching the remote execution vulnerabilities in Microsoft Works and FAST Search Server 2010 for SharePoint immediately; known exploits are available for the SharePoint bug.