Feeds

Outlook preview pane-shatter bug fix stars in November Patch Tuesday

'Giant pool of potential victims'

Protecting against web application threats using SSL

Microsoft's light sprinkling of just three bulletins as part of its November Patch Tuesday contains a patch to address a critical hole that is particularly ripe for exploitation.

The single "critical" update in the batch (MS10-087) affects Microsoft Office 2007 and 2010, which both currently contain a handy mechanism to push malware in booby-trapped emails while relying on minimal user interaction.

Andrew Storms, director of security operations at patching firm nCircle, explained: “The bug means that anyone who receives a malformed email with the preview pane enabled need only click on it to be infected with malware. The number of people using preview panes creates a giant pool of potential victims, and that makes this bug extremely attractive to hackers."

The flaw has prompted the first security patch for Microsoft Office 2010. Joshua Talbot, security intelligence manager at Symantec Security Response, added that the flaw exploits vulnerabilities in how Word handles Rich Text Format files, rather than the more common route of bobby-trapped .doc files. Malformed files can be used to execute a buffer overflow-based code injection attack on vulnerable systems.

The two remaining patches in November's litter cover lesser ("important") updates for PowerPoint and Microsoft ForeFront Unified Access Gateway (an SSL VPN product). In total the three advisories cover 11 vulnerabilities.

What is even more significant than the vulnerabilities addressed on Tuesday is an unpatched security bug in Internet Explorer. The IE zero-day, confirmed by Redmond last week, has already appeared in targeted malware attacks but a fix may have to wait until December.

As usual a neat diagram explaining the bulletins has been put together by the SANS Institute's Internet Storm Centre here. Redmond's advisory is here. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.