New
#1
Microsoft Plugs Office Holes, But No IE Fix Yet
More -Microsoft Corp. today issued three bundles of updates fixing at least 11 security vulnerabilities in its software, mainly flaws in Microsoft Office products. But the company did not release an update today to remedy a critical flaw built into in all versions of the Internet Explorer Web browser that is now being exploited by at least one common, automated hacker toolkit.
Two of the updates address Office bugs, including one that is limited to older versions of PowerPoint and PowerPoint Viewer. Only one of today’s patches earned a “critical” rating, Microsoft’s most serious. But experts are warning that this critical Office vulnerability is likely to be used in targeted e-mail attacks against Microsoft Outlook users.
“One of the most dangerous aspects of this vulnerability is that a user doesn’t have to open a malicious email to be infected,” said Joshua Talbot, security intelligence manager for Symantec Security Response.
“All that is required is for the content of the email to appear in Outlook’s Reading Pane. If a user highlights a malicious email to preview it in the Reading Pane, their machine is immediately infected. The same holds true if a user opens Outlook and a malicious email is the most recently received in their inbox; that email will appear in the Reading Pane by default and the computer will be infected.”
Microsoft Plugs Office Holes, But No IE Fix Yet — Krebs on Security