Microsoft releases seven bulletins addressing 20 security issues in Windows, SQL Server and Office.
Only one of the October Patch Tuesday bulletins carries a Critical rating this month. MS12-064 details a pair of vulnerabilities in Microsoft Word 2003, 2007 and 2010 that could lead to remote code execution. Microsoft describes the first as a remote code execution vulnerability in how Microsoft Word handles specially crafted Word files. The second is a use-after-free issue that can be exploited if a user opens or previews a specially crafted RTF file.
“The RTF bug in Microsoft Word warrants special attention since users can be exploited simply by previewing a malicious RTF file in Outlook,” said Andrew Storms, director of security operations for nCircle. “Security teams should prioritize, distribute and install this fix as soon as possible.”
Microsoft Works is also being patched this month for a remote code execution issue that can be triggered by a specially crafted Microsoft Word file.
“The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Word file using Microsoft Works,” Microsoft warned. “An attacker who successfully exploited this vulnerability could gain the same user rights as the current user.”
A vulnerability Microsoft ranks as Important involves HTML sanitization and could lead to elevation of privilege in Microsoft Office, Microsoft Communications Platforms, Microsoft Server software and Microsoft Office Web Apps.
“The vulnerability could allow elevation of privilege if an attacker sends specially crafted content to a user,” Microsoft warned in its advisory.