Microsoft releases critical security update
Microsoft's latest monthly patch release includes three critical software fixes, including one for a vulnerability in Microsoft Office that the firm said could allow remote code execution if a user opens a specially crafted RTF file.
"An attacker who successfully exploited the vulnerability could gain the same user rights as the current user," the bulletin said.
According to Wolfgang Kandek, CTO at security solution provider Qualys, it is the most critical bulletin "as [the vulnerability] can be used to gain control of an end-user's machine without requiring interaction".
The second critical update is for Microsoft Office, Windows, .NET Framework, and Silverlight and addresses a total of 10 vulnerabilities.
Kandek explained why the update applied to a broad selection of Microsoft software.
"In December of 2011, Microsoft issued a bulletin that patched a vulnerability in the TrueType Font handling in win32k.sys DLL that had actively been exploited by the Duqu malware.
"After the fix was delivered, Microsoft's internal security team started an effort to identify further occurrences of the vulnerable code in Microsoft's other software packages and found multiple products that contained the flawed code. [This bulletin] now provides the patches necessary to address these vulnerabilities," he said.
Kandek emphasised that Qualys is not aware of any malware that currently exploits this issue.
The third critical update is to fix a vulnerability in the .NET Framework that could allow remote code execution on a client system if a user views a specially crafted webpage using a web browser that can run XBAPs, a Microsoft browser-based application delivery format.
"It is probably the least urgent bulletin to install, as it can only be exploited without user interaction by an attacker that sits in the intranet zone of the target," said Kandek.
Of the remaining four important bulletins, Qualys recommends that users focus on the Excel and Visio security fixes.
"Both are file-format vulnerabilities that allow an attacker to take control of the targeted machine if its user opens a specifically crafted file. As we have seen in some of the last year's data breaches, this lowers the success rate only slightly as attackers are capable of drafting a convincing email that can trick a percentage of the email's recipients into opening such a file," Kandek explained.
The software patches can be downloaded here.