Microsoft’s October security bulletin contained seven updates, including one that could prevent a serious security attack. If you run Windows but don’t have automatic updating enabled, experts recommend you download and install the latest Microsoft updates manually as soon as possible.
The critical update applies to all versions of MS Word. It patches two vulnerabilities, but the most serious one could allow remote code execution if a user opens or previews a malicious Rich Text Format (RTF) file.
This bug is particularly troubling because all users have to do is preview an RTF document in Outlook 2007 or Outlook 2010, both of which use Word as their default text editor, and the hack is set in motion.
An attacker who successfully exploited this vulnerability could gain the same user rights as the current user, Microsoft said.
This is one more reason IT needs to stay on top of who has access to what on the network. Inappropriate user access privileges are often cited by industry experts as a commonly overlooked security risk.
Security pros also noted two other updates: one to patch bugs in SafeHTML, which protects users from cross-site scripting attacks, and one to patch bugs in components of SharePoint Server 2010.
Both of these updates are designed to correct flaws already being targeted by hackers.
The rest of the Microsoft updates affect:
- Windows XP, Vista and Windows 7
- Server 2003
- Server 2008 and Server 2008 R2
- SQL Server, versions 2000 and later (including SQL Server 2012)