Severe flaw in Outlook 2007/2010 patched

Summary: Microsoft has released 13 security updates for Internet Explorer, Outlook, SharePoint and Windows. 47 vulnerabilities in all are patched, but perhaps the scariest affects Outlook 2007 and 2010.

TOPICS: Security, Microsoft

47 separate vulnerabilities were patched today by Microsoft in the Patch Tuesday updates.

This month's advance notification indicated that there would be 14 bulletins, but only 13 were released today. They affect Microsoft Outlook, Access, Excel, components of Windows, FrontPage, SharePoint, Active Directory and there is a cumulative update for Internet Explorer.

Perhaps the most alarming of the vulnerabilities is a certificate parsing vulnerability in Microsoft Outlook 2007 and 2010: "A remote code execution vulnerability exists in the way that Microsoft Outlook [2007, 2010] parses specially crafted S/MIME email messages. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

In other words, you could be exploited merely by opening such a message: the certificate is parsed as part of handling the signed message itself, so no attachment has to be opened. On the other hand, Microsoft says that exploit code for this vulnerability would be difficult to build. Even so, this sounds like one to patch ASAP.
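The reason a signed message is dangerous before any trust decision is made: the signer's certificate arrives as attacker-supplied DER inside the pkcs7-signature part, and the client has to parse it before it can verify anything. The following is an added example, not code from the article or from Microsoft, and it does not reproduce the actual MS13-068 defect, which the page does not describe. It builds a constructed multipart/signed message with Python's stdlib `email` package, pulls the signature blob back out, and runs a bounded DER walk over it that checks every length field against the enclosing element before touching content. The DER bytes are a hand-made stand-in for a CMS blob, not a real certificate; the `tlv`, `der_walk` and `vet_message` names are this example's own.

```python
"""Bounded DER walk over the signature blob of an S/MIME message (added example)."""
import email
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

MAX_DEPTH = 32  # hard nesting limit; real CMS/X.509 structures are far shallower


class DerError(ValueError):
    """Raised when the DER is malformed or exceeds the limits we impose."""


def tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER element with a minimal-length field (helper for the sample)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def _read_length(buf: bytes, pos: int, end: int):
    """Decode the length octets at buf[pos] (strict DER) and return (length, next_pos)."""
    if pos >= end:
        raise DerError("truncated before length octet")
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form
        return first, pos
    if first == 0x80:                     # indefinite length: legal BER, never DER
        raise DerError("indefinite length")
    width = first & 0x7F
    if width > 4 or pos + width > end:
        raise DerError("length field too wide or truncated")
    length = int.from_bytes(buf[pos:pos + width], "big")
    if length < 0x80 or buf[pos] == 0:    # DER demands the shortest encoding
        raise DerError("non-minimal length encoding")
    return length, pos + width


def der_walk(buf: bytes, start: int = 0, end: int = -1, depth: int = 0) -> list:
    """Return [(tag, content_length, children), ...] for the elements filling buf[start:end].

    Every claimed length is checked against the enclosing element *before* any
    content byte is read, so a lying length field raises DerError instead of
    turning into an out-of-bounds read."""
    if end < 0:
        end = len(buf)
    if depth > MAX_DEPTH:
        raise DerError("nesting too deep")
    nodes, pos = [], start
    while pos < end:
        tag = buf[pos]
        if tag & 0x1F == 0x1F:
            raise DerError("multi-byte tag")  # not used by X.509/CMS; reject outright
        length, pos = _read_length(buf, pos + 1, end)
        if length > end - pos:
            raise DerError(f"element claims {length} bytes, {end - pos} remain")
        children = der_walk(buf, pos, pos + length, depth + 1) if tag & 0x20 else []
        nodes.append((tag, length, children))
        pos += length
    return nodes


def count_elements(nodes: list) -> int:
    return sum(1 + count_elements(children) for _, _, children in nodes)


# Constructed stand-in for a PKCS#7 blob: SEQUENCE { SEQUENCE { INTEGER 1,
# OID sha256WithRSAEncryption }, BIT STRING }.  Not a real certificate.
GOOD_DER = tlv(0x30,
               tlv(0x30, tlv(0x02, b"\x01") + tlv(0x06, bytes.fromhex("2A864886F70D01010B")))
               + tlv(0x03, b"\x00\xab\xcd"))
# Same bytes with the inner SEQUENCE's length octet raised from 0x0E to 0x7F: a
# naive length-driven parser would read 127 bytes where only 19 remain.
BAD_DER = GOOD_DER[:3] + b"\x7f" + GOOD_DER[4:]


def build_signed_message(pkcs7_der: bytes) -> bytes:
    """Constructed multipart/signed message in the S/MIME layout, carrying pkcs7_der."""
    msg = MIMEMultipart("signed", protocol="application/pkcs7-signature", micalg="sha-256")
    msg["From"] = "alice@example.invalid"
    msg["To"] = "bob@example.invalid"
    msg["Subject"] = "constructed signed sample"
    msg.attach(MIMEText("Quarterly numbers are in the portal.\n"))
    msg.attach(MIMEApplication(pkcs7_der, "pkcs7-signature", name="smime.p7s"))
    return msg.as_bytes()


def extract_signature_blob(raw: bytes):
    """Return the decoded application/pkcs7-signature part, or None if the message is unsigned."""
    for part in email.message_from_bytes(raw).walk():
        if part.get_content_type() == "application/pkcs7-signature":
            return part.get_payload(decode=True)
    return None


def vet_message(raw: bytes) -> tuple:
    """Gateway-style pre-check returning (accept, reason).

    This proves only that the blob is structurally sane DER; it says nothing
    about who signed it or whether the chain is trusted.  That is the point:
    structure must be checked before any trust decision can even begin."""
    blob = extract_signature_blob(raw)
    if blob is None:
        return True, "unsigned message, nothing to parse"
    try:
        nodes = der_walk(blob)
    except DerError as exc:
        return False, f"malformed signature blob: {exc}"
    if len(nodes) != 1 or nodes[0][0] != 0x30:
        return False, "signature blob is not a single SEQUENCE (ContentInfo)"
    return True, f"well-formed DER, {count_elements(nodes)} elements"


if __name__ == "__main__":
    for label, der in (("good", GOOD_DER), ("bad", BAD_DER)):
        print(label, vet_message(build_signed_message(der)))
```

The walker deliberately rejects anything outside strict DER (indefinite lengths, non-minimal length encodings, multi-byte tags) rather than trying to be lenient; a mail gateway can afford to bounce a malformed signature, whereas the client's own parser is the thing the attacker is aiming at.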

Below are the bulletins in more detail:

  • MS13-067: Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2834052) (Critical) — This addresses 10 vulnerabilities, one of which had already been publicly disclosed. That vulnerability is not rated critical and Microsoft says that functioning exploit code for it is unlikely. Office Web Apps 2010 are also affected and one of the vulnerabilities for it is a critical one. The matrix of affected products is complicated, and administrators need to study the bulletin closely.
  • MS13-068: Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (2756473) (Critical) — An error in the way Outlook 2007 and 2010 parse certificates in S/MIME messages could allow malicious code execution.
  • MS13-069: Cumulative Security Update for Internet Explorer (2870699) (Critical) — 10 vulnerabilities, several of them critical, are addressed in this latest Cumulative Update for IE. All 10 are memory corruption vulnerabilities which could result in malicious code execution. All have already been addressed in Internet Explorer 11 in Windows 8.1.
  • MS13-070: Vulnerability in OLE Could Allow Remote Code Execution (2876217) (Critical) — A critical vulnerability in OLE that affects only Windows XP and Windows Server 2003.
  • MS13-071: Vulnerability in Windows Theme File Could Allow Remote Code Execution (2864063) (Important) — A maliciously-crafted theme file could cause malicious code execution on Windows XP and Windows Server 2003. The user would have to install it manually. Windows Vista is technically affected, but is not vulnerable in the default configuration.
  • MS13-072: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2845537) (Important) — 13 vulnerabilities in Office 2003, 2007 and 2010 (but not 2013). One is due to improper parsing of specially-crafted XML files. The other 12 are memory corruption vulnerabilities in Microsoft Word.
  • MS13-073: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2858300) (Important) — Three vulnerabilities, affecting all versions of Microsoft Excel, could lead to remote code execution or information disclosure.
  • MS13-074: Vulnerabilities in Microsoft Access Could Allow Remote Code Execution (2848637) (Important) — Three memory corruption vulnerabilities affect Access 2007, 2010 and 2013, and could allow malicious code execution.
  • MS13-075: Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege (2878687) (Important) — The vulnerability could allow elevation of privilege if a logged on attacker launches Internet Explorer from the toolbar in "Microsoft Pinyin IME for Simplified Chinese".
  • MS13-076: Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege (2876315) (Important) — Several vulnerabilities in Windows kernel-mode drivers could allow elevation of privilege.
  • MS13-077: Vulnerability in Windows Service Control Manager Could Allow Elevation of Privilege (2872339) (Important) — An oddly-specific one, affecting only Windows 7 and Windows Server 2008 R2. A "double free" vulnerability in the Windows Service Control Manager (SCM) could allow elevation of privilege.
  • MS13-078: Vulnerability in FrontPage Could Allow Information Disclosure (2825621) (Important) — FrontPage 2003 could disclose file contents.
  • MS13-079: Vulnerability in Active Directory Could Allow Denial of Service (2853587) (Important) — A denial of service vulnerability in Active Directory affects Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012.
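The check an administrator wants after a release like this is whether each host actually has the updates. The following is an added example, not code from the article or from Microsoft: it reads a `Get-HotFix | Export-Csv` dump and classifies the Windows-component bulletins above for one host. It assumes (the page does not state this) that for these Windows updates the bulletin KB number is the KB that Get-HotFix reports once installed, and it treats MS13-069 and MS13-076 as applying to every supported Windows version since the bulletin summaries above do not narrow them; the other applicability sets follow the bulletin descriptions above. The Office and SharePoint bulletins are delivered by Office updates with different KB numbers that never show up in Get-HotFix, so they are reported for separate checking rather than silently passing. The CSV sample is constructed.

```python
"""Audit a Get-HotFix export against the Windows bulletins listed above (added example)."""
import csv
import io

# bulletin -> (KB that Get-HotFix reports once installed [assumption], severity,
#              OS families named in the bulletin summary; None = every supported Windows)
WINDOWS_BULLETINS = {
    "MS13-069": ("KB2870699", "Critical", None),
    "MS13-070": ("KB2876217", "Critical", {"Windows XP", "Windows Server 2003"}),
    "MS13-071": ("KB2864063", "Important", {"Windows XP", "Windows Server 2003", "Windows Vista"}),
    "MS13-076": ("KB2876315", "Important", None),
    "MS13-077": ("KB2872339", "Important", {"Windows 7", "Windows Server 2008 R2"}),
    "MS13-079": ("KB2853587", "Important", {"Windows Vista", "Windows 7", "Windows Server 2008",
                                           "Windows Server 2008 R2", "Windows Server 2012"}),
}
# Serviced through Office/SharePoint updates whose package KBs differ from the
# bulletin KB and never appear in Get-HotFix; they need an Office-side check.
OFFICE_BULLETINS = ("MS13-067", "MS13-068", "MS13-072", "MS13-073", "MS13-074", "MS13-075", "MS13-078")

# Constructed sample of `Get-HotFix | Export-Csv`, including the #TYPE line PowerShell emits.
SAMPLE_EXPORT = """\
#TYPE System.Management.ManagementObject#root\\cimv2\\Win32_QuickFixEngineering
"PSComputerName","Description","HotFixID","InstalledBy","InstalledOn"
"WKS-0001","Security Update","KB2870699","NT AUTHORITY\\SYSTEM","9/10/2013 12:00:00 AM"
"WKS-0001","Security Update","KB2853587","NT AUTHORITY\\SYSTEM","9/10/2013 12:00:00 AM"
"WKS-0001","Update","KB2000000","NT AUTHORITY\\SYSTEM","8/13/2013 12:00:00 AM"
"""


def installed_kbs(export_text: str) -> set:
    """Parse an Export-Csv dump and return the HotFixIDs, normalised to 'KBnnnnnnn'."""
    lines = [ln for ln in export_text.splitlines() if not ln.startswith("#TYPE")]
    reader = csv.DictReader(io.StringIO("\n".join(lines)))
    kbs = set()
    for row in reader:
        hotfix = (row.get("HotFixID") or "").strip().upper()
        if hotfix:
            kbs.add(hotfix if hotfix.startswith("KB") else "KB" + hotfix)
    return kbs


def audit(export_text: str, os_name: str) -> dict:
    """Classify each bulletin for one host: missing / installed / not_applicable / check_separately."""
    have = installed_kbs(export_text)
    report = {"missing": [], "installed": [], "not_applicable": [],
              "check_separately": list(OFFICE_BULLETINS)}
    for bulletin, (kb, severity, scope) in sorted(WINDOWS_BULLETINS.items()):
        if scope is not None and os_name not in scope:
            report["not_applicable"].append(bulletin)   # don't flag XP-only patches on Win7
        elif kb in have:
            report["installed"].append(bulletin)
        else:
            report["missing"].append((bulletin, kb, severity))
    # Critical gaps first so the output reads as a work list.
    report["missing"].sort(key=lambda m: (m[2] != "Critical", m[0]))
    return report


if __name__ == "__main__":
    r = audit(SAMPLE_EXPORT, "Windows 7")
    for bulletin, kb, sev in r["missing"]:
        print(f"MISSING  {bulletin} {kb} ({sev})")
    print("installed:", r["installed"])
    print("not applicable:", r["not_applicable"])
    print("check via Office update status:", r["check_separately"])
```

Run it against a real export by saving `Get-HotFix | Export-Csv hotfixes.csv` on the host and feeding the file's text to `audit()` along with the OS family; the `not_applicable` bucket is what stops a fleet report from being full of false "missing" entries for XP-only or Win7-only updates.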

Talkback

48 comments
  • Outlook 2010 has protected mode

    No word on how an exploit would circumvent that? By default (unless you switch it off) Outlook 2010 and later opens emails and attachments in a sandbox (low integrity mode) which means that the process cannot alter system state or install anything.
    honeymonster
    • Microsoft disagrees

      Click on the link for MS13-068. They wrote the thing. If they say it can be exploited, I'm in no position to disagree.
      davidr69
    • here you go

      An error in the way Outlook 2007 and 2010 parse certificates in S/MIME messages could allow malicious code execution.

      Sounds like you need to receive a malicious certificate from the NSA or other entity to exploit this vulnerability.
      greywolf7
    • Exploitability

      As I said, Microsoft gave this one an exploitability index of 3 to say that it would be very difficult to exploit. Perhaps this is *because* of protected mode.
      larry@...
      • or perhaps

        because crafting a malicious certificate would be no small task. In theory it has to pass the smell test before you start parsing a certificate... even incorrectly.
        greywolf7
  • Patches

    Guess that someone with a lot more knowledge than I have figured this out - so patch it!!!
    puppadave
  • Frontpage 2003?

    Really?
    Evil Sandmich
    • Why are you so shocked?

      Support ends when XP does. (Apr 2014)
      2nd Paradox
      • Shocked because...

        It was amazing to come across someone who was using it in 2003, let alone ten years later.
        Evil Sandmich
        • Actually, I've used it a lot.

          Back when I just started building websites.
          Good times. :)
          FrontPage 2003 is quite nostalgic to me.
          Its replacement (Microsoft Expression Web), which was also discontinued, is quite identical.
          2nd Paradox
  • Keeps Wanting to Reinstall

    3 of the MS Office 2007 patches for some reason keep having Windows Update tell me to download and install them repeatedly. As I did install them, I'll just have to ignore those files for now.
    SvZurich
    • Try searching for Windows Update Repair or Microsoft Update Repair

      This is the Microsoft Tool and there are some articles that give manual steps.
      http://support.microsoft.com/mats/windows_update/
      greywolf7
    • Be Careful there are 3rd party sites

      I have no idea of their legitimacy or possible charging policies... The Microsoft Tool is free and it is from MS Support.
      greywolf7
    • Having the exact same problem

      After repeatedly installing those 3 updates, it still shows up in update.
      I found that it only affects computers running Office 2007 and not on Office 2010.
      hans98ko
  • Outlook?!

    People still use Outlook? Gmail has been around for how many years?! Outlook sounds as old as Compuserve or Netscape. lol
    rm6565
    • Gmail????

      Since when does Gmail have full offline capabilities?
      jaykayess
      • When you use it with an email client

        Doh
        Alan Smithie
        • Like Outlook?

          for example... ;-)
          thekman58
    • Gmail?

      You must not work in IT, or at least not a business that requires Enterprise-class email and collaboration. Troll on, rm6565.
      BowTech
    • Gmail?!

      Outlook does a million useful things that GMail doesn't
      larry@...