Microsoft has patched 47 bugs in its Windows, Office, Internet Explorer and SharePoint Server products including a critical remote execution flaw in Office that could be exploited if users merely previewed an email.
The Patch Tuesday release includes four critical patches with the Outlook bug of utmost concern, Microsoft Trustworthy Computing team group manager Dustin Childs said.
The issue could allow remote code execution if an email carried a specially crafted S/MIME certificate, which stands for secure/multipurpose internet mail extensions, a standard for public key encryption and signing MIME data.
Microsoft did not detect any active attacks on the bug, Childs wrote, and the company believes a hacker would need to be particularly sophisticated to carry out the exploit.
“Creating S/MIME certificates is trivial, but creating the specific one in the precise manner needed to execute code will be difficult,” Childs wrote.
“Still, the possibility is there and that is why we listed this update as our highest priority for this month.”
The three other fixes deemed critical, Microsoft's highest rating, addressed flaws in Sharepoint Server, Internet Explorer versions 6 to 10, and Windows. The patches also resolved remote code execution flaws.
Despite advanced notification that its Patch Tuesday release would include 14 fixes, Microsoft left out one patch initially planned for the update. The fix would have addressed an issue in the company's .NET software framework, which could allow denial-of-service.
“A patch getting pulled after having been included in the advance notice usually indicates that late testing revealed an undesired interaction with another product or component,” Rapid7 engineering manager Ross Barrett said.
Just last month, Microsoft was forced to pull one of its Patch Tuesday fixes after it had already been released. The move came after customers reported issues when installing the fix, which addressed three vulnerabilities in Exchange Server.
In this month's security update, Microsoft dispatched a total of nine fixes ranked “important," all addressing remote code execution flaws that could allow an attacker to carry out a denial-of-service, or give saboteurs elevated privileges.
One of the patches deemed “important” resolved a privately reported vulnerability in Microsoft FrontPage. To exploit the flaw, which could lead to information disclosure, an attacker would need to, first, trick a user into opening a malicious document, Microsoft said in its bulletin.