Patch Tuesday Preview: Microsoft To Address Office Application Vulnerabilities


Microsoft Thursday announced it will address 14 vulnerabilities, including several flaws in Microsoft Office applications, in its next round of security updates.

Microsoft's September Patch Tuesday Advance Notification includes 14 security bulletins -- significantly more than the usual eight or nine -- that are mostly desktop vulnerabilities. The preview includes five vulnerabilities for Microsoft Office, one of which is critical.

In addition, eight of the 14 bulletins involve remote code execution, a class of vulnerability that allows cybercriminals or hackers to remotely initiate unauthenticated commands on unsuspecting networks.

Wolfgang Kandek, chief technology officer at Qualys, a security software provider based in Redwood City, Calif., said the update shows the growing importance of updating applications and patching security holes.

"Many of the attacks we're seeing lately are going after the applications instead of the operating system," Kandek said. "Attackers are now looking for security holes in things like Microsoft Office, so I'd put those vulnerabilities at the top of the list."

While IT administrators spend most of their time securing the OS, Kandek said, hackers and cybercriminals are turning their efforts toward exploiting holes at the application level. This presents a challenge for both IT administrators and security firms, he said, because it's much easier to concentrate on one operating system -- most often Windows -- than dozens of disparate applications.

Specifically, Kandek said bulletin No. 2, which is one of four critical vulnerabilities in the update, should be high priority for security teams and IT administrators because it concerns a flaw in Microsoft Office 2007 and 2010 that can be triggered simply by previewing an email in Outlook rather than actually opening the email.

Kandek also highlighted bulletin No. 4, which involves a critical remote code execution flaw for XP and Windows Server 2003. Microsoft plans to end support for Windows XP next April, and the software giant has said there are more than 100 million XP systems still in use in North America.

That poses a huge security risk for companies, according to Kandek. "It's really important for businesses to update or migrate off of older software because support is ending and that will open up XP to more attacks," he said. "If businesses aren't going to upgrade, then they should at least isolate the systems and limit or completely cut off their exposure on the Web."

PUBLISHED SEPT. 5, 2013