Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Microsoft patches 20 bugs, including critical Word flaw

Gregg Keizer | Oct. 10, 2012
Microsoft today patched 20 vulnerabilities in Word, Office, Windows, SharePoint Server, SQL Server and other products in its portfolio, including a critical bug used to attack the company's own online services

He and Miller also noted MS12-067, a 13-bug update for FAST Search Server 2010, a component of the popular SharePoint Server 2010 software.

The bugs were not in Microsoft's code, but in Oracle's Outside In libraries, which Microsoft licenses to display file attachments in a browser rather than to open them in a locally-stored application, like Microsoft Word. The vulnerabilities were within code that parses those attachments.

In July, Microsoft warned customers that Exchange, its widely-used email server software, contained Outside In vulnerabilities. The Redmond, Wash. developer patched the same 13 bugs in Exchange two months ago with MS12-058.

Storms and Miller pointed out that because the Outside In vulnerabilities have been exploited by hackers for months, enterprises running SharePoint 2010 should apply MS12-067 as soon as possible.

Other bulletins issued today addressed vulnerabilities in Windows XP, Vista and Windows 7, as well as Server 2003, Server 2008 and Server 2008 RS; and SQL Server, versions 2000 and later, including SQL Server 2012, which shipped just six months ago.

Windows 8, which has not yet officially launched, and Server 2012, which has, were not affected by any of Tuesday's updates. An update to Internet Explorer 10 (IE10) in Windows 8 and Server 2012, however, shipped Monday to patch 25 critical bugs in the browser's baked-in Flash Player.

Also on Tuesday, Microsoft began pushing a long-planned update that invalidates all certificates with keys less than 1,024 bits long.

Microsoft first told users in June that it was going to disable those certificates, saying then that it would issue an update in August. Microsoft did ship the update that month, but made it an optional download. As of today, Microsoft is forcing it on everyone.

The update to kill certificates with shorter, more vulnerable keys, was triggered by the discovery of Flame, a sophisticated espionage tool uncovered by Kaspersky Lab. Flame infiltrated networks, scouted out the digital landscape and used a variety of modules to pilfer information. Among its tricks was one called the "Holy Grail" by researchers: It spoofed Windows Update to infect completely-patched Windows PCs.

Microsoft reacted by throwing the kill switch on three of its own certificates.

"Last chance," said Storms about users' opportunities to apply the update earlier, or block it from arriving on machines via WSUS (Windows Server Update Services). "While we have known for some time that the key update was going out, it's being officially released today," Storms added. "It will applied unless you stop it."

October's seven security updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through WSUS.



Previous Page  1  2 

Sign up for Computerworld eNewsletters.