
Microsoft repairs flaws in Forefront UAG, critical Office flaw

Robert Westervelt, News Director

Microsoft addressed vulnerabilities in its Forefront Unified Access Gateway and flaws in Microsoft Office and PowerPoint as part of its monthly patching schedule.

The software giant issued three security bulletins Tuesday, addressing 11 vulnerabilities in its November patching cycle. One of five vulnerabilities addressed in Microsoft Office could allow an attacker to execute code remotely on a victim's machine by getting a user to open a malicious rich text formatted email message. The security update is rated "critical" for Microsoft Office 2007 and 2010.

Josh Abraham, a security researcher at Boston-based vulnerability management vendor Rapid7 LLC, said the critical vulnerability could enable cybercriminals to conduct drive-by malware attacks.

Microsoft also addressed four security vulnerabilities in its Forefront Unified Access Gateway. The gateway is an SSL VPN, used to give remote employees secure access to enterprise systems and applications. The UAG is open to a spoofing flaw that enables rogue employees to increase their user privileges. The bulletin is rated "important" for all supported versions of Forefront Unified Access Gateway 2010.

"Without the fix, administrators who click the malicious [cross-site scripting] link could cause code execution allowing attackers to create users or change settings on the Forefront server," wrote Wolfgang Kandek, chief technology officer of Redwood Shores, Calif.-based vulnerability management vendor Qualys Inc., in the company's blog.

In addition, Microsoft addressed two PowerPoint flaws. Microsoft said the flaws enable an attacker to execute code remotely on a victim's machine after getting the user to open a malicious PowerPoint file. Although the vulnerabilities are rated "important," Microsoft has given them an Exploitability Index rating of 1, meaning that public exploit code attempting to target the vulnerabilities is likely. The update affects Microsoft PowerPoint 2002, 2003, and Microsoft Office 2004 for Mac.

An Internet Explorer zero-day vulnerability, acknowledged by Microsoft last week, remains unpatched. Security experts warned that the workarounds in the advisory could break some Web pages.

