Microsoft’s Office productivity suite is the latest focus of its regular monthly patches, with the software colossus today urging users to lock down a dozen vulnerabilities — four of which it considers “critical”.
Today’s updates — part of Microsoft’s routine “Patch Tuesday” fixes — come as Office security is receiving renewed attention from Microsoft and outside researchers.
All four critical flaws identified today could allow for unauthorized remote execution of code, potentially enabling attackers to take complete control of a system running Office — installing rogue programs, changing or deleting data or creating new accounts.
An attacker could use access rights to assume control of a machine when it might be less obvious to an observer, for instance. Microsoft added that users whose accounts are configured to have fewer user rights on the system “could be less impacted” than those with administrative user rights.
Heading today’s “Patch Tuesday” security bulletins are multiple vulnerabilities found in Microsoft Excel that could allow unauthorized remote execution if certain kinds of Excel files are opened.
A second critical vulnerability also relates to remote execution threats, but within Microsoft Outlook. In this case, a “specially crafted” URL has to be received by an Outlook user and opened.
Microsoft said simply viewing the e-mail in an Outlook preview pane isn’t enough to trigger the exploit. But if a user opens the URL, it could allow an attacker to install programs, read or alter data and create new accounts.
Third on the company’s list of critical updates is a set of vulnerabilities affecting Microsoft Office as a whole. In this instance, an attacker could gain remote access if they trick a user into opening a specific “malformed” Office file.
The final component to receive attention for a critical vulnerability is Microsoft Office Web Components. As with the other fixes, the Office Web Components update addresses remote execution issues whereby an attacker could potentially take over the system.
“It is the month of Office bugs,” said Dave Marcus, research and communications manager at McAfee Avert Labs, in a statement. “Vulnerabilities in Office applications have been a favorite attack method among cybercrooks, especially in stealthy attacks that seek to steal high-value intellectual property. Trojan horse attacks often use rigged Office files that exploit vulnerabilities in the productivity suite.”
The company, along with leading security firms, recommends that users who do not automatically receive Windows Update downloads manually download the updates, which accompany the bulletins as part of Microsoft’s routine “Patch Tuesday” fixes.
Per its usual custom, Microsoft is hosting a Webcast tomorrow at 11 AM Pacific time to address customer questions on the updates.