Outlook preview pane-shatter bug fix stars in November Patch Tuesday
'Giant pool of potential victims'
Regcast training : Hyper-V 3.0, VM high availability and disaster recovery
Microsoft's light sprinkling of just three bulletins as part of its November Patch Tuesday contains a patch to address a critical hole that is particularly ripe for exploitation.
The single "critical" update in the batch (MS10-087) affects Microsoft Office 2007 and 2010, which both currently contain a handy mechanism to push malware in booby-trapped emails while relying on minimal user interaction.
Andrew Storms, director of security operations at patching firm nCircle, explained: “The bug means that anyone who receives a malformed email with the preview pane enabled need only click on it to be infected with malware. The number of people using preview panes creates a giant pool of potential victims, and that makes this bug extremely attractive to hackers."
The flaw has prompted the first security patch for Microsoft Office 2010. Joshua Talbot, security intelligence manager at Symantec Security Response, added that the flaw exploits vulnerabilities in how Word handles Rich Text Format files, rather than the more common route of bobby-trapped .doc files. Malformed files can be used to execute a buffer overflow-based code injection attack on vulnerable systems.
The two remaining patches in November's litter cover lesser ("important") updates for PowerPoint and Microsoft ForeFront Unified Access Gateway (an SSL VPN product). In total the three advisories cover 11 vulnerabilities.
What is even more significant than the vulnerabilities addressed on Tuesday is an unpatched security bug in Internet Explorer. The IE zero-day, confirmed by Redmond last week, has already appeared in targeted malware attacks but a fix may have to wait until December.
As usual a neat diagram explaining the bulletins has been put together by the SANS Institute's Internet Storm Centre here. Redmond's advisory is here. ®
COMMENTS
Preview PAIN!
Hmm who in their RIGHT mind has the preview pane turned on? I turned my Windows Live Mail one off when I updated it.. I turn it off even in web based mail that has it where possible. I know it's a massive "You don't need click anything here as you've just been code injected" although most AV will catch it.. I really can't believe people still use it.
Not too bad...
...but still very annoying (fortunately my boss is very patient)
One 2.5hr chkdsk d: /r later, and I'm back up and running - the restart must have been done for a file or two.
Back on topic...
Preview pane in Outlook - I seem to remember that I switched that off a few years ago when there was another scare about auto-executable code as an attachment, and never switched it on again, I don't have that version of PowerPoint installed, nor do I use Forefront , so I didn't need any of the updates that caused the hassle. Marvellous.
HTML in emails
Simple, just remove all the "<" from the email and send it back to the sender asking if they can send the email in English.
What gets me is the number of emails that contain a text version of the HTML including things like "Click here to see this email in your web browser", but that don't include the link in the email text so nothing happens!!
I also hate the fact that it means that my phone will try to roam to download all the images in the email, costing me a fortune if I don't stop it.
IT infrastructure monitoring strategies
Agentless Backup is Not a Myth
Top 10 SIEM implementer’s checklist
Steps to Take Before Choosing a Business Continuity Partner
Requirements Checklist for Choosing a Cloud Backup and Recovery Service Provider
