Microsoft addressed vulnerabilities in its Forefront Unified Access Gateway and flaws in Microsoft Office and PowerPoint
as part of its monthly patching schedule.
The software giant issued three security bulletins, Tuesday, addressing 11 vulnerabilities in its November patching cycle. One of five vulnerabilities addressed in Microsoft Office could allow an attacker to execute code remotely on a victim's machine by getting a user to open a malicious rich text formatted email message. The security update is rated "critical" for Microsoft Office 2007 and 2010.
Josh Abraham, a security researcher at Boston-based vulnerability management vendor Rapid7 LLC, said the critical vulnerability could enable cybercriminals to conduct drive-by malware attacks.
Microsoft also addressed four security vulnerabilities in its Forefront Unified Access Gateway. The gateway is an SSL VPN, used to give remote employees secure access to enterprise systems and applications. The UAG is open to a spoofing flaw that enables rogue employees to increase their user privileges. The bulletin is rated "important" for all supported versions of Forefront Unified Access Gateway 2010.
"Without the fix, administrators who click the malicious [cross-site scripting] link could cause code execution allowing attackers to create users or change settings on the Forefront server," wrote Wolfgang Kandek, chief technology officer of Redwood Shores, Calif-based vulnerability management vendor Qualys Inc., in the company's blog.
In addition, Microsoft addressed two PowerPoint flaws. Microsoft said the flaws enable an attacker to execute code remotely on a victim's machine after getting the user to open a malicious PowerPoint file. Despite being rated "important," Microsoft has given the vulnerabilities an Exploitability Index rating of 1, meaning that public exploit code attempting to target the vulnerabilities is likely. The update affects Microsoft PowerPoint 2002, 2003, and Microsoft Office 2004 for Mac.