Internet Security Systems - AlertCon(TM)

October 2012 Microsoft Super Tuesday

Posted by Zubair Ashraf on October 09, 2012 at 2:39 PM EDT.

Microsoft's October 2012 Security Bulletin release has been made publicly available. The vendor has released 7 bulletins addressing 20 CVEs today. Only one of the bulletins, affecting Office and Server Software, is rated critical. The remaining bulletins, affecting Office, Server Software, SQL Server, Lync and Windows, are all rated important. We encourage customers to refer to the notification for additional information.

Let's take a look at the critical one:

  • Microsoft Security Bulletin MS12-064 - Critical - Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (2742319)

    The critical vulnerability in this bulletin is CVE-2012-2528, the RTF File listid Use-After-Free Vulnerability. To exploit it, an attacker would have to get the user to open a malicious RTF file; the common delivery vector for such files is a spear phishing email, and this vector has recently been a favorite for targeted attacks. Successful exploitation allows the attacker to execute arbitrary code with the same permissions as the logged-on user. We recommend applying this patch as soon as possible, and as always user education is the best thing to do for future threats. Making sure that your users are aware of the risks associated with opening Office and Adobe documents, and that they are cautious of phishing and spear phishing emails, is the strongest preventive measure you can take.
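One practical caveat for defenders screening the delivery vector described above: Word decides how to parse a document from its content, not its extension, so an RTF file renamed to `.doc` still opens as RTF. The following attachment triage script is an added example written for this post, not code from ISS or Microsoft. It identifies RTF by its `{\rtf` signature regardless of the file name, tokenizes the RTF control words so an analyst can see which groups (for example `\listtable` and `\listid`) an attachment uses, and returns a structured result suitable for a mail-gateway or sandbox pipeline. The sample attachments at the bottom are constructed for the example and carry no exploit content.

```python
"""Attachment triage for RTF files delivered by e-mail (added example).

Assumptions (not from the original post): attachments arrive as (filename, bytes)
pairs, and the caller decides what to do with the returned findings.
"""
import os
import re
from collections import Counter

RTF_SIGNATURE = b"{\\rtf"

# An RTF control word is a backslash, one or more ASCII letters, an optional
# signed numeric parameter, and an optional single delimiting space.
# Control symbols such as \* or \' are not letters and are deliberately skipped.
# Caveat: raw binary introduced by \bin is not skipped by this tokenizer; it is
# rare in legitimate documents and is worth a finding of its own if seen.
CONTROL_WORD = re.compile(rb"\\([a-zA-Z]+)(-?\d+)? ?")


def is_rtf(data: bytes) -> bool:
    """True when the payload starts with the RTF signature (leading whitespace tolerated)."""
    return data.lstrip().startswith(RTF_SIGNATURE)


def control_word_histogram(data: bytes) -> Counter:
    """Count RTF control words, ignoring their numeric parameters (\\listid100 -> b'listid')."""
    return Counter(m.group(1).lower() for m in CONTROL_WORD.finditer(data))


def triage_attachment(filename: str, data: bytes) -> dict:
    """Classify one attachment by content, not extension, and summarise its RTF structure."""
    ext = os.path.splitext(filename)[1].lower()
    rtf = is_rtf(data)
    findings = []
    hist = Counter()
    if rtf:
        hist = control_word_histogram(data)
        if ext != ".rtf":
            # Content sniffing means Word still opens this as RTF; the mismatch is
            # a classic way to make an RTF look like an ordinary Word document.
            findings.append("rtf-content-with-non-rtf-extension")
        if b"bin" in hist:
            findings.append("rtf-embedded-binary-data")
    return {
        "filename": filename,
        "extension": ext,
        "is_rtf": rtf,
        "findings": findings,
        # Counts of the list-related groups named in the bulletin, for analyst context.
        "listid_count": hist.get(b"listid", 0),
        "listtable_count": hist.get(b"listtable", 0),
        "control_words": hist,
    }


# Constructed samples (not real attachments): a small RTF with a list table, the
# same RTF renamed to .doc, and an OLE compound file header that is not RTF at all.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}"
    b"{\\*\\listtable{\\list\\listtemplateid1\\listid100}"
    b"{\\list\\listtemplateid2\\listid200}}"
    b"{\\*\\listoverridetable{\\listoverride\\listid100\\ls1}}"
    b"\\pard Hello from a constructed sample.\\par}"
)
SAMPLE_OLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16

SAMPLE_ATTACHMENTS = [
    ("agenda.rtf", SAMPLE_RTF),
    ("invoice.doc", SAMPLE_RTF),
    ("report.doc", SAMPLE_OLE),
]


def triage_all(attachments=SAMPLE_ATTACHMENTS) -> list:
    """Run triage over a list of (filename, bytes) pairs."""
    return [triage_attachment(name, data) for name, data in attachments]


if __name__ == "__main__":
    for result in triage_all():
        print(result["filename"], result["is_rtf"], result["findings"],
              "listid:", result["listid_count"])
```

In a real gateway the `findings` list would feed a quarantine or sandbox-detonation decision; the histogram is there so an analyst reviewing a quarantined file can see its structure without opening it in Word.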

We would also like to remind you that the certificate key length increase update (the one that enforces a minimum certificate key length) will be rolled out this month as well.

Happy patching and stay safe!

Comments or opinions expressed on this Weblog are the opinions of the authors alone. They are not necessarily reviewed in advance by anyone but the individual authors, and neither IBM Internet Security Systems nor any other party necessarily agrees with them. The views expressed by outside contributors and links to outside websites do not represent the views of IBM Internet Security Systems, its management or employees. All content on this Weblog has been made available on an “as-is” basis, and IBM Internet Security Systems shall not be liable for any direct or indirect damages arising out of use of this Weblog.