Severe flaw in Outlook 2007/2010 patched

Microsoft has released 13 security updates for Internet Explorer, Outlook, SharePoint and Windows. 47 vulnerabilities in all are patched, but perhaps the scariest affects Outlook 2007 and 2010.
Written by Larry Seltzer, Contributor

47 separate vulnerabilities were patched today by Microsoft in the Patch Tuesday updates.

This month's advance notification indicated that there would be 14 bulletins, but only 13 were released today. They affect Microsoft Outlook, Access, Excel, components of Windows, FrontPage, SharePoint, Active Directory and there is a cumulative update for Internet Explorer.

Perhaps the most alarming of the vulnerabilities is a certificate parsing vulnerability in Microsoft Outlook 2007 and 2010: "A remote code execution vulnerability exists in the way that Microsoft Outlook [2007, 2010] parses specially crafted S/MIME email messages. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

In other words, you could be exploited merely by opening such a message. On the other hand, Microsoft says that exploit code for this vulnerability would be difficult to build. Even so, this sounds like one to patch ASAP.

Below are the bulletins in more detail:

  • MS13-067: Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2834052) (Critical) — This addresses 10 vulnerabilities, one of which had already been publicly disclosed. That vulnerability is not rated critical and Microsoft says that functioning exploit code for it is unlikely. Office Web Apps 2010 are also affected and one of the vulnerabilities for it is a critical one. The matrix of affected products is complicated, and administrators need to study the bulletin closely.
  • MS13-068: Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (2756473) (Critical) — An error in the way Outlook 2007 and 2010 parse certificates in S/MIME messages could allow malicious code execution.
  • MS13-069: Cumulative Security Update for Internet Explorer (2870699) (Critical) — 10 vulnerabilities, several of them critical, are addressed in this latest Cumulative Update for IE. All 10 are memory corruption vulnerabilities which could result in malicious code execution. All have already been addressed in Internet Explorer 11 in Windows 8.1.
  • MS13-070: Vulnerability in OLE Could Allow Remote Code Execution (2876217) (Critical) — A critical vulnerability in OLE that affects only Windows XP and Windows Server 2003.
  • MS13-071: Vulnerability in Windows Theme File Could Allow Remote Code Execution (2864063) (Important) — A maliciously-crafted theme file could cause malicious code execution on Windows XP and Windows Server 2003. The user would have to install it manually. Windows Vista is technically affected, but is not vulnerable in the default configuration.
  • MS13-072: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2845537) (Important) — 13 vulnerabilities in Office 2003, 2007 and 2010 (but not 2013). One is due to improper parsing of specially-crafted XML files. The other 12 are memory corruption vulnerabilities in Microsoft Word.
  • MS13-073: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2858300) (Important) — Three vulnerabilities, affecting all versions of Microsoft Excel, could lead to remote code execution or information disclosure.
  • MS13-074: Vulnerabilities in Microsoft Access Could Allow Remote Code Execution (2848637) (Important) — Three memory corruption vulnerabilities affect Access 2007, 2010 and 2013, and could allow malicious code execution.
  • MS13-075: Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege (2878687) (Important) — The vulnerability could allow elevation of privilege if a logged-on attacker launches Internet Explorer from the toolbar in "Microsoft Pinyin IME for Simplified Chinese".
  • MS13-076: Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege (2876315) (Important) — Several vulnerabilities in the Windows Kernel-Mode Driver could allow privilege elevation.
  • MS13-077: Vulnerability in Windows Service Control Manager Could Allow Elevation of Privilege (2872339) (Important) — An oddly-specific one, affecting only Windows 7 and Windows Server 2008 R2. A "double free" vulnerability in the Windows Service Control Manager (SCM) could allow elevation of privilege.
  • MS13-078: Vulnerability in FrontPage Could Allow Information Disclosure (2825621) (Important) — FrontPage 2003 could disclose file contents.
  • MS13-079: Vulnerability in Active Directory Could Allow Denial of Service (2853587) (Important) — A denial of service vulnerability in Active Directory affects Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012.