Microsoft Critical Vulnerabilities that You Must Patch Coming Tuesday

Microsoft Update install

On passed Thursday, Microsoft has released an advance advisory alert for upcoming Patch Tuesdaywhich will address Remote Code Execution vulnerabilities in several Microsoft’s products.

Microsoft came across a limited targeted attacks directed at their Microsoft Word 2010 because of the vulnerability in the older versions of Microsoft Word.

This Tuesday Microsoft will release Security Updates to address four major vulnerabilities, out of which two are labeled as critical and remaining two are Important to patch as the flaws are affecting various Microsoft software such as, Microsoft Office suite, Microsoft web apps, Microsoft Windows, Internet Explorer etc.

Google Security Team has reported a critical Remote code execution vulnerability in Microsoft Word2010 (CVE-2014-1761) which could be exploited by an attacker to execute the malicious code remotely via a specially crafted RTF file, if opened by a user with an affected version of Microsoft Word or previewed.

The vulnerability could also be exploited if a user opened a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer.

A specially crafted RTF file can make the system memory corrupt in such a manner that a cyber criminal could execute the arbitrary code when parsed by Microsoft Word. For successful exploitation of security flaw, Microsoft Word versions are used as email viewer in MS Outlook 2007, 2010 and 2013 as well.

In short, if an attacker successfully exploits the vulnerability, he could gain the same rights and privileges as the current user have. So, those users whose accounts are configured to already have fewer user rights on the system could be less impacted than those who operate their system with administrative user rights.

By exploiting the same Remote code execution vulnerability, an attacker could host a website that contains a webpage, containing a specially crafted RTF file. Moreover, the compromised websites, or the services that accept or host user-provided contents or advertisements could contain specially crafted content by the cyber criminals that could exploit this vulnerability easily.

In all cases of web-based scenario, an attacker would have to convince users to visit the compromised website, typically by getting them to click on a link provided in an email or Instant Messenger message that will take users to the attacker's website.

According to Microsoft, applying the Microsoft Fix it solution, "Disable opening RTF content in Microsoft Word," prevents the exploitation of this issue through Microsoft Word.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to offer information that they can use to provide additional protections to customers. For information about protections released by MAPP partners, see MAPP Partners with Updated Protections.

In this update, Microsoft is again going to patch the security flaws in its weakest application i.e. Internet Explorer web browser which is listed in Bulletin 2.

Bulletin 1 and 4 are mainly concerned with Microsoft Office, whereas, Bulletin 3 will address the vulnerabilities in Windows Operating system.

8th April is the last official day for Windows XP, as well the last Patch Tuesday for it and hence is the most important patch release day for all the windows XP users.

It is highly recommended to install this patch on Tuesday to keep your operating system a bit secure. The update contains one critical and one important fix for windows XP as well.

Just three days ago, Apple released Safari 6.1.3 and Safari 7.0.3 with new security updates, addressing more than two dozen vulnerabilities in Safari web browser, including some critical ones.