Microsoft issued three security bulletins today fixing 11 holes, including one rated "critical" that an attacker could exploit by sending a malicious e-mail that is merely previewed, or that is opened by default in Word.
The priority update, MS10-087, resolves five issues affecting all currently supported Microsoft Office products. The bulletin is rated "critical" for Office 2007 and Office 2010 "due to a preview pane vector in Outlook that could trigger the vulnerability when a customer views a specially crafted malicious RTF (Rich Text Format) file," a Microsoft Security Response Center blog post said. Outlook is not directly affected, however, because the vulnerabilities can only be exploited through Microsoft Word.
"One of the most dangerous aspects of this vulnerability is that a user doesn't have to open a malicious e-mail to be infected," said Joshua Talbot, security intelligence manager at Symantec Security Response. "All that is required is for the content of the e-mail to appear in Outlook's Reading Pane. If a user highlights a malicious e-mail to preview it in the Reading Pane, their machine is immediately infected. The same holds true if a user opens Outlook and a malicious e-mail is the most recently received in their in-box; that e-mail will appear in the Reading Pane by default and the computer will be infected."
That update also addresses an Office vector for a vulnerability referred to as "DLL preloading" or "binary planting," which stems from the way Windows handles dynamic-link library files. That class of flaw has plagued numerous applications recently and has led to attacks in the wild.
The second update customers should focus on is labeled MS10-088. It resolves two holes in Microsoft PowerPoint that could allow remote code execution if a user opens a malicious PowerPoint file.
And finally, there is MS10-089, which plugs four holes in Unified Access Gateway, a component of Microsoft Forefront. The most significant of the vulnerabilities could allow elevation of privilege if a user clicks on a malicious link on a Web site. This update is offered through the Microsoft Download Center and is not available through Microsoft Update at this time.
Microsoft is not aware of any active attacks seeking to exploit the vulnerabilities addressed in this month's release, the company said.