As part of its monthly Patch Tuesday security update, Microsoft has dispatched 13 patches for 47 bugs in its Windows, Office, Internet Explorer and SharePoint Server products.
The Patch Tuesday release includes four critical patches, or Microsoft “bulletins,” with the bug of utmost concern being a privately reported vulnerability in Microsoft Outlook. The bug could allow a remote attacker to execute code if a user merely previews a malicious email message in Outlook or opens it, a Tuesday bulletin summary said.
On Tuesday, Dustin Childs, group manager of response communications for the Microsoft Trustworthy Computing team, wrote in a blog post that the patch for Outlook was the “first bulletin that caught [his] attention.”
The issue could allow remote code execution (RCE) if an email carried a specially crafted S/MIME certificate, which stands for secure/multipurpose internet mail extensions, a standard for public key encryption and signing MIME data.
Microsoft did not detect any active attacks on the bug, Childs wrote, and the company believes a hacker would need to be particularly sophisticated to carry out the exploit.
“Creating S/MIME certificates is trivial, but creating the specific one in the precise manner needed to execute code will be difficult,” Childs wrote. “Still, the possibility is there and that is why we listed this update as our highest priority for this month.”
The three other fixes deemed “critical,” Microsoft's highest rating, addressed flaws in Sharepoint Server, Internet Explorer versions 6 to 10, and Windows. The patches also resolved remote code execution flaws.
Despite advanced notification that its Patch Tuesday release would include 14 fixes, Microsoft left out one patch initially planned for the update. The fix would have addressed an issue in the company's .NET software framework, which could allow denial-of-service.
According to Ross Barrett, senior manager of security engineering at Rapid7, who emailed prepared comments on the security update to SCMagazine.com, the last-minute decision to pull a patch often points to operability issues that couldn't be worked out in time.
“A patch getting pulled after having been included in the advance notice usually indicates that late testing revealed an undesired interaction with another product or component,” Barrett wrote.
Just last month, Microsoft was forced to pull one of its Patch Tuesday fixes after it had already been released. The move came after customers reported issues when installing the fix, which addressed three vulnerabilities in Exchange Server.
In this month's security update, Microsoft dispatched a total of nine fixes ranked “important," all addressing remote code execution flaws that could allow an attacker to carry out a denial-of-service, or give saboteurs elevated privileges.
One of the patches deemed “important” resolved a privately reported vulnerability in Microsoft FrontPage. To exploit the flaw, which could lead to information disclosure, an attacker would need to, first, trick a user into opening a malicious document, Microsoft said in its bulletin.