Microsoft has dispatched 13 patches for 47 bugs in its Windows, Office, Internet Explorer and SharePoint Server products, as part of its monthly Patch Tuesday security update.
The release includes four critical patches, or Microsoft “bulletins,” with the bug of utmost concern being a privately reported vulnerability in Microsoft Outlook.
The bug could allow a remote attacker to execute code if a user merely previews a malicious email message in Outlook or opens it, a Tuesday bulletin summary said.
Dustin Childs, group manager of response communications for the Microsoft Trustworthy Computing team, said the patch for Outlook was the “first bulletin that caught [his] attention.”
The issue could allow remote code execution (RCE) if an email carried a specially crafted S/MIME certificate, which stands for secure/multipurpose internet mail extensions, a standard for public key encryption and signing MIME data.
Microsoft did not detect any active attacks on the bug, Childs said in a blog post, and the company believes a hacker would need to be particularly sophisticated to carry out the exploit.
“Creating S/MIME certificates is trivial, but creating the specific one in the precise manner needed to execute code will be difficult,” Childs wrote. “Still, the possibility is there and that is why we listed this update as our highest priority for this month.”
The three other fixes deemed “critical,” Microsoft's highest rating, addressed flaws in Sharepoint Server, Internet Explorer versions 6 to 10, and Windows. The patches also resolved remote code execution flaws.
Despite advanced notification that its Patch Tuesday release would include 14 fixes, Microsoft left out one patch initially planned for the update. The fix would have addressed an issue in the company's .NET software framework, which could allow denial-of-service.
According to Ross Barrett, senior manager of security engineering at Rapid7, the last-minute decision to pull a patch often points to operability issues that couldn't be worked out in time.
“A patch getting pulled after having been included in the advance notice usually indicates that late testing revealed an undesired interaction with another product or component,” Barrett said.
Just last month, Microsoft was forced to pull one of its Patch Tuesday fixes as it had already been released. The move came after customers reported issues when installing the fix, which addressed three vulnerabilities in Exchange Server.
In this month's security update, Microsoft dispatched a total of nine fixes ranked “important," all addressing remote code execution flaws that could allow an attacker to carry out a denial-of-service, or give saboteurs elevated privileges.
One of the patches deemed “important” resolved a privately reported vulnerability in Microsoft FrontPage. To exploit the flaw, which could lead to information disclosure, an attacker would need to, first, trick a user into opening a malicious document, Microsoft said in its bulletin.
