Microsot Fixes 11 Flaws In Light November Patch

Microsoft issued a light security bulletin for its November Patch Tuesday with one critical and two important updates repairing 11 vulnerabilities that included a critical DLL Preloading flaw.

Altogether, Microsoft addressed security flaws in Microsoft Office, PowerPoint and Forefront security products.

Included in the November patch load was bulletin MS10-087, designated with the highest severity level of "critical" for Office 2007 and Office 2010. The patch addressed five vulnerabilities, which included a critical DLL preloading, also known as binary planting flaw, which prompted Microsoft to release a security advisory in August.

If left unchecked, the security glitch could pave the way for hackers to exploit vulnerabilities that occur in how the applications load external libraries. Specifically, the issue enables hackers to launch malicious code remotely onto users' systems when they open a vulnerable application, which subsequently launches a file from an untrusted source. In an attack scenario, a hacker could trick an application into loading a malicious library by thinking it’s a trusted library.

In addition, MS10-087 repaired a bug in Microsoft's Outlook preview pane vector, which could enable hackers to execute remote code attacks when a user opens a malicious Rich Text Format (RTF) file. During an attack, users could become infected simply by opening the Outlook Preview pane, with no external intervention.

"All it takes is an e-mail and clicking on it and loading in the preview pane, and you're talking about code execution," said Tyler Reguly, technical manager of security research and development for security company nCircle.

In addition, the Microsoft update included two other patches designated with the slightly less severity ranking of "important."

The first patch, MS10-088, fixed two vulnerabilities in Microsoft PowerPoint, which could enable hackers to unleash malicious code attacks by sending a user an infected PowerPoint file and then enticing them to open it, usually through some kind of social engineering trick.

Microsoft said that the flaw was ranked "important" due to the fact that it required user intervention.

"You're talking about older platforms, 2002 and 2003," Reguly said. "Plus there's no automated attack vector, whereas with the RFT file, it just happens as soon as you receive it."

In addition, Microsoft also plugged four security holes in Unified Access Gateway, a component of Microsoft Forefront, with its update MS10-089. Hackers could use the vulnerabilities to obtain elevated privileges by directing and enticing users to click on a malicious link to a Website.

Next: Forefront Flaw Less Severe

Reguly said the Forefront vulnerabilities weren't earth shattering, despite the fact that they occur in a component of Microsoft's enterprise security product line.

"This product is not one of Microsoft's front runners and not one which people have made use of," he said. "With this one, I would actually question how many people are running the software. Does anyone know this product existed?"

Microsoft said that thus far, there are no known active attacks exploiting the vulnerabilities. Even still, security experts urge users to apply the patches as soon as possible.

Meanwhile, Microsoft has yet to fix a critical vulnerability in Internet Explorer, disclosed last week, which could compromise users' computers when they visit a Website hosting malicious code. However, the exploit code was discovered on a single Website, which has since been cleaned of the malware, Microsoft said.

Security experts say they'll have to wait and see whether the IE flaw will be incorporated in the December security update or fixed with an out-of-band patch, depending on the severity of the flaw.