Microsoft Fixes Office, Excel Flaws In 'Non-Critical' Patch Tuesday Release

Microsoft issued a modest patch load for its September Patch Tuesday release, but coupled the security bulletin with yet another update blacklisting more fraudulent DigiNotar SSL certificates.

Microsoft’s Patch Tuesday bulletin mildly surprised the security community by containing just five updates, none of which were deemed with the highest severity ranking of "critical."

Instead, Microsoft ranked all five updates with the slightly less severe rating of ’important,’ covering vulnerabilities in Microsoft Windows, Office, Excel, WINS and SharePoint. The patch represented one of the first in the company’s history that didn’t contain a ’critical’ fix.

Three of the five updates in this month’s patch load fix flaws that enable remote code execution attacks, which allow hackers to launch malicious code onto users’ computers remotely, typically without any user intervention.

One of the patches, MS11-72, repairs flaws in Microsoft Excel that pave the way for remote code execution attacks if a user opens a malicious Excel spreadsheet file.

Attackers who successfully exploit the vulnerability could take over the victim’s computer to steal sensitive information or execute denial-of-service attacks that would shut down the user’s system entirely.

Andrew Storms, director of security operations at nCircle, said that of the entire patch load this month, the Excel flaw should probably be given the highest priority, ’only because it has the fewest number of mitigations,’ he said. ’You could e-mail an Excel file to a user, and they could save it to the desktop, open it and be in a bad position.’

In addition, the September patch also repaired remote code execution flaws in Microsoft Office, addressed by MS 11-73, which enabled attackers to infect users by enticing them to open a malicious Office file, or by opening a legitimate Office file located in the same network directory as a malicious library file.

Wolfgang Kandek, chief technology officer for security firm Qualys, said that priority should also be given to the Microsoft Office patch MS11-73.

’Attackers could use a malicious word file to execute code on victim machines,’ Kandek said in an e-mail.

In addition, the Microsoft patch also repaired a third remote code vulnerability, addressed by MS11-71, which occurred in Windows components, and exploitable by opening a legitimate rich text format file, text file or Word document located in the same network directory as a malicious dynamic link library file.

While the flaws enabled remote code execution, Storms said that the threat was greatly mitigated by the steps that both the attackers and users would have to take in order for successful exploitation.

’These kinds of attacks are going to be difficult to fulfill -- the user would have to go through so many steps to become infected,’ Storms said.

The other two bulletins both repair elevation of privilege vulnerabilities. The first, MS11-70, occurred in Windows Internet Name Service (WINS), which enabled exploitation if a user received a malicious WINS replication packet.

The remaining patch, MS 11-74, plugged five elevation of privilege flaws in Microsoft SharePoint and Windows SharePoint Services that allowed exploitation if users clicked on a malicious link or was redirected to an infected web page.

Next: Microsoft Prematurely Exposed September Patch Details

While this month’s patch load was relatively benign, Microsoft erred Friday when it accidentally released details of the all five Patch Tuesday updates four days before it was scheduled to issue the full security bulletin.

Normally, the Microsoft advanced notification bulletins alert users only to the applications that the company plans to fix, as well as the severity rating of the vulnerabilities.

However, Storms said that he didn’t anticipate any accelerated attacks based on the premature release and doubted that the gaffe would compromise any users.

’To one degree, (Microsoft) lucked out in that there was nothing in this release of a high severity,’ he said. ’Also, the bulletin data themselves don’t include the exact means to attack someone. They’re not going to tell you by any means where to exploit and in what libraries."

Microsoft did, however, issue another security advisory Tuesday, blacklisting six additional root certificates to the Untrusted Certificate Store, issued by certificate authorities Entrust and Cybertrust on behalf of DigiNotar.

The move followed after news broke in August that SSL certificates issued by Dutch certificate authority DigiNotar had been compromised in a massive hack affecting a myriad of high-profile vendors, including Google, Mozilla and Microsoft.

Last week Microsoft deemed several DigiNotar certificates ’untrustworthy,’ which it demonstrated by migrating the fraudulent SSL certificates into the Untrusted Certificate Store.

Darrel Bowman, CEO of MyNetworkCompany.com, a Tacoma, Wash.-based security solution provider, said that "Microsoft did the right thing,’ in response to the DigiNotar SSL hack.

’Everybody did the right thing as soon as they found out,’ Bowman said. ’They blacklisted them and everybody else did too. They had no other choice.’

In light of the updates, the DigiNotar hack didn’t have a major effect on his company, thanks in part to engineers that were ’on top of it,’ Bowman said, but added that it was not surprising that DigiNotar was put out of business as a result.

’They didn’t do what they needed to do and take the steps that they need to take a while ago,’ Bowman said. ’If you don’t protect the market, you’re not going to be protected by the market.’