Microsoft announced it will patch 20 security flaws in its product line-up next week. According to the Redmond-based vendor, the upcoming update will deliver security fixes for Office, SharePoint Server, SQL Server and Windows products and close significant holes that could allow attackers discretionary access to the vulnerable systems.
Particularly important in the upcoming Patch Tuesday is the delivery of a critical update to Office 2007 and 2010 suites. According to Andrew Storms, director of security operations at nCircle Security, the issue (or issues) for patching may reside in the XML-based file formats introduced in Office 2007.
“It’s not only the one critical [update]. It’s also critical in Word 2007 and Word 2010, but only important in Office 2003,” Storms told Computerworld. “We haven’t seen a good critical Word bug in a while, and as I’ve said before, the newer [versions] should be more secure. That’s not the case here.”
Critical bugs are extremely rare, and just as dangerous. They can impact a system without any form of user interaction. Office formats (such as Word or Excel documents) carry an extra risk, especially for corporate users, for two main reasons: the user does not expect a non-executable file format to carry badware and, at the same time, these file formats are permitted by default to pass through the corporate firewall.
As usual, Microsoft did not provide additional information prior to patching. One thing is for sure: there is a highly dangerous bug in the wild that spreads via Word files and the patch is a couple of days away. In the meantime, you should be careful not to open documents from unknown senders, or, at least, not to open them before a scan with your favorite antivirus.