Microsoft today announced it will deliver seven security updates, one critical, to patch 20 vulnerabilities in Office, SharePoint Server, SQL Server, Windows and other parts of its product lineup.
"It looks like an Office month," said Andrew Storms, director of security operations at nCircle Security. "Look at the 'Affected Software' column on the advance notification. Office, Office, Office."
The one update pegged critical, Microsoft's highest threat ranking, will tackle bugs in all supported versions of Office on Windows. The remaining six updates were labeled "important," the next-most-serious rating in the company's four-step scoring system.
There was no update scheduled for Internet Explorer (IE), as Microsoft took care of that last month when it rushed out an emergency patch to stymie active attacks exploiting a bug in the browser. The Sept. 21 "out-of-band" update also included patches for several additional vulnerabilities, which were originally slated to ship next week.
Security experts, not surprisingly, all tapped the critical Office update as the one to plan to deploy as soon as possible.
"It's not only the one critical [update]. It's also critical in Word 2007 and Word 2010, but only important in Office 2003," said Storms in an interview Thursday. "We haven't seen a good critical Word bug in a while, and as I've said before, the newer [versions] should be more secure. That's not the case here."
Storms speculated that the flaw -- or flaws, since Microsoft does not spell out how many patches compose each update in its advance notification -- may be in the file formats used by Office 2007 and Office 2010 on Windows.
Microsoft debuted new XML-based file formats in Office 2007 as replacements for older, proprietary binary formats.
"Maybe there's a bug in how Word opens or parses files," Storms theorized.
Others wondered the same.
"This vulnerability requires a victim to open up a malicious file or preview a malicious file in Outlook Web Access," noted Marcus Carey, security researcher with Rapid7, in an email today. "This vulnerability could result in the complete compromise of a system if exploited."
Wolfgang Kandek, CTO of Qualys, also focused his attention on the Word update, but put different spin on it than Carey. "[A critical rating] is not very common for Office vulnerabilities and typically indicates that no user interaction, such as opening an affected file, is required to trigger the vulnerability," Kandek said.
The six important updates will address one or more vulnerabilities in Windows, SharePoint Server, FAST Search Server, Groove Server, Office Web Apps, Microsoft Communicator, Microsoft Lync and SQL Server, versions 2000 and later, including SQL Server 2012, which shipped six months ago.
Most of them can be postponed, the experts said today, at least according to the information available in the bare-bones advance notice.
"Bulletin 7 [the SQL Server update] will depend on the attack vector Microsoft reveals next week," said Storms. "If it's an elevation of privilege bug that's difficult [for hackers] to get to, you'll be better off waiting."
Storms based that advice on the calendar: Many enterprise lock down their networks, servers especially, in October and early November to insure they're running during the crucial holiday season. During a lockdown period, IT administrators pass on all patching, just in case a fix causes problems. SQL Server is often a mission-critical part of a company's back-end infrastructure, powering databases that manage online sales stores.
Alex Horan, senior product manager at Core Security, gave a nod to Bulletin 7, too, but for a different reason. "These patches highlight the amount of code that is being reused," said Horan. "Bulletin 7 involves code reused in versions since 2000. That's 12 years of reused, and now vulnerable code."
It's possible, Horan continued, that the vulnerabilities have been quietly exploited for years.
Also next Tuesday, Microsoft will begin rolling out a long-planned update that invalidates all certificates with keys less than 1,024 bits long.
It was in June that Microsoft first told users it was going to disable those certificates, saying at the time that it would issue an update in August to block Windows accessing short keys. Microsoft did ship the update that month, but made it an optional download. Next week, Microsoft will effectively push it to everyone.
The update to kill certificates with shorter -- and thus more vulnerable -- keys was triggered by the discovery of Flame, a sophisticated espionage tool uncovered by Kaspersky Lab. Flame infiltrated networks, scouted out the digital landscape, and used a variety of modules to pilfer information. Among its tricks was one called the "Holy Grail" by researchers: It spoofed Windows Update to infect completely-patched Windows PCs.
Microsoft reacted by throwing the kill switch on three of its own certificates.
"My sense is that one, most enterprises have already done this, and two, the enterprises that haven't will deny [the update] via WSUS [Windows Server Update Services]," said Storms. "So really, the immediate impact will be on the smaller guys who either don't use WSUS or haven't gotten the word about the update coming. For them, stuff may break, and they're going to be scratching their heads trying to figure out why."
Microsoft will release the seven updates at approximately 1 p.m. ET on Oct. 9.
