Eleven months down, one to go. Today is Patch Tuesday for November, and Microsoft is taking it easy on IT admins with a relatively meager three security bulletins. Microsoft Office has the dubious honor of being the focus of this month’s patches–while a recently uncovered zero-day flaw in Internet Explorer remains unpatched.
A post on the Microsoft Security Response Center blog states, “As part of our usual cycle of monthly updates, today Microsoft is releasing three security bulletins, addressing 11 vulnerabilities. One of the bulletins has a Critical severity rating, while the other two are rated Important.” This is in stark contrast to last month, when Microsoft unleashed a record 16 security bulletins to patch 49 vulnerabilities.
Tyler Reguly, lead research engineer for nCircle, commented, “We knew this was going to be a lean month, but we didn’t know how lean it would actually be. There are only three bulletins and one of them is for a product I’d never heard of before advance notification. As a researcher looking at the patches, it’s hard to decide if this is a good month or just a boring month.”
Of the three security bulletins, only one is rated as Critical–and that distinctive bulletin impacts Microsoft Office. “Microsoft Office is a major theme this month,” said Joshua Talbot, security intelligence manager, Symantec Security Response. “In fact, the only critical vulnerability impacts Office, specifically Word. The RTF Stack Buffer Overflow issue will most likely be used in targeted email attacks against Outlook users, since Outlook uses Word to display email content.”
The vulnerability addressed by MS10-087 is particularly dangerous because it doesn’t require the user to open a malicious e-mail. Andrew Storms, director of security operations for nCircle, explains, “This bug means that anyone who receives a malformed email with the preview pane enabled need only click on it to be infected with malware. The number of people using preview panes creates a giant pool of potential victims, and that makes this bug extremely attractive to hackers.”
Symantec’s Talbot offers some additional guidance. “Though this vulnerability is now patched, it’s not the first we’ve seen that highlights issues with Rich Text Format. One simple way to mitigate these types of vulnerabilities is to change the default settings in Outlook to view all emails in plain text format.”
Today’s security bulletins do not address the recent zero-day Internet Explorer vulnerability, which can exploit to execute arbitrary code by tricking users into visiting malicious Web pages. “More noteworthy than what’s included in today’s release is what was omitted,” Craig Schmugar, research architect at McAfee Labs. “Exploits targeting the recent Internet Explorer zero-day (CVE-2010-3962) have been spotted in Eleonore, also known as Exploit-Eleono, a popular exploit attack kit.”
nCircle’s Reguly agrees. “After seeing exploits for the IE zero-day in various exploit frameworks, the most notable item this month is the lack of an IE patch. It’s only been a week since the vulnerability was released, so this isn’t surprising, but it’ll be interesting to see if it warrants an out-of-band bulletin or if things stay quiet enough to wait until December.”
Microsoft, as well as all of the security experts and vendors referred to in this article recommend that the Microsoft patches be installed as soon as possible.