Microsoft gave weary administrators a break yesterday after releasing a record number of security bulletins last month. Three bulletins were released during November's Patch Tuesday -- one "critical" and two "important," according to the company's severity rating system.
MS10-087, a critical bulletin, addresses multiple security flaws in all versions of Microsoft Office (including Office 2010) that could allow a malicious user to execute code on a computer if the user opens a specially formatted Office document.
One of the more interesting flaws that Microsoft addressed in this patch has been a known problem for over 10 years. In this scenario, an attacker places a specially-named Dynamic Link Library (DLL) file in the same folder as other, legitimate Office files. When a user opens the Office file from this location, the malicious DLL is executed on his machine. The DLL can do anything on the computer that the locally logged-on user can do. This attack is most likely to occur inside your corporate border, using shared folders on internal file servers.
MS10-088 is an "important" security bulletin for Microsoft PowerPoint 2002 and 2003. Opening a malformed PowerPoint 95 document can allow an attacker to execute code on a computer. For those attackers who can't find PowerPoint 95 to build malicious files, a second flaw exists that can be triggered from any malformed PowerPoint file (regardless of version). The PowerPoint Viewer that ships with PowerPoint 2007 is also vulnerable to this attack.
MS10-089 discusses a security vulnerability in one of Microsoft's new security products -- Microsoft Forefront Unified Access Gateway (UAG) 2010. Microsoft's bulletin patches four flaws in UAG 2010 and has an "important" severity rating. The flaws include a spoofing attack and several types of cross-site scripting.
Make sure to install MS10-087 to all of your Office systems as soon as possible, then install MS10-088 and -089 as time permits. Also, keep a watch for next month's Patch Tuesday announcements. If Microsoft can release 11 bulletins in December, it would tie the record number of security bulletins released in one year (100 in 2000).
ABOUT THE AUTHOR
Eric Schultze is a principal product manager at Amazon Web Services. Prior to Amazon, Schultze worked at Microsoft, where he helped manage the security bulletin and patch-release process. Schultze likes to forget that he used to work as an internal auditor on Wall Street.