Small, But Serious Patch Tuesday

Microsoft patches a handful of security holes, but at least one of the vulnerabilities is dangerous and widespread. The message: don't let your guard down.

Microsoft's November "Patch Tuesday" event may turn out to be more like "Patch Tuesday Lite" for systems managers this month.

In fact, Microsoft (NASDAQ: MSFT) released only three patches to fix a total of 11 vulnerabilities on Nov. 9 -- and only one of the patches is rated "critical" on the company's four-tier severity scale.

In contrast, last month, Microsoft fixed 49 individual security flaws with 16 patches -- four of them rated critical -- in what may have been the heaviest Patch Tuesday drop ever for the software giant.

Despite its seemingly innocuous size, though, November's patch release fixes an important security flaw that triggered international attention in late summer when security researchers in Slovenia and the U.S. discovered that planting a booby-trapped dynamic link library (DLL) in an application's search path could open the door to takeover of the user's PC. Researchers claimed to have identified more than 100 applications, including versions of Microsoft Office, that are vulnerable to attack using what's called "DLL Planting."

At the time, Microsoft released a "Fix-It" -- an automated tool that carries out changes to a system's configuration like editing the Windows Registry, which an administrator might otherwise need to do manually in order to block a security flaw.
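As an added, defender-side illustration that is not part of the article and is not Microsoft's Fix-It itself, the PowerShell snippet below audits the registry setting that hardening of the DLL search order relies on: the `CWDIllegalInDllSearch` value introduced by Microsoft's KB2264107 update, which the Fix-It configures. The key paths, value name and the value-to-meaning mapping are taken from that update's documentation; the function and variable names are my own.

```powershell
# Added example (not from the article): report whether the current working
# directory can still be used as a DLL load location, system-wide and per app.
$SessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$ValueName      = 'CWDIllegalInDllSearch'   # value name from KB2264107

function Get-CwdDllSearchStatus {
    [CmdletBinding()]
    param([string]$KeyPath = $SessionManager)

    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{
            Key    = $KeyPath
            Value  = $null
            Status = 'Not set: current working directory is still in the DLL search path'
        }
    }

    # REG_DWORD is surfaced as a signed Int32, so 0xFFFFFFFF reads back as -1.
    $raw = [uint32]([int64]$item.$ValueName -band 0xFFFFFFFF)
    $meaning = switch ($raw) {
        0xFFFFFFFF { 'Current working directory removed from the DLL search order' }
        2          { 'DLL loads from a remote CWD (WebDAV or UNC share) are blocked' }
        1          { 'DLL loads from a WebDAV CWD are blocked' }
        0          { 'Default behaviour: current working directory is searched' }
        default    { "Unrecognised value 0x{0:X8}" -f $raw }
    }
    [pscustomobject]@{ Key = $KeyPath; Value = ('0x{0:X8}' -f $raw); Status = $meaning }
}

# System-wide setting first, then any per-application overrides under
# Image File Execution Options (the per-app form KB2264107 also supports).
Get-CwdDllSearchStatus
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue |
    Where-Object { $null -ne $_.GetValue($ValueName) } |
    ForEach-Object { Get-CwdDllSearchStatus -KeyPath $_.PSPath }
```

Run it in an elevated session on a patched host; a "Not set" result for the Session Manager key means the Fix-It (or an equivalent policy) has not been applied.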

The fix for that security bug is ranked "important" -- the next step down Microsoft's severity scale from critical -- and it affects Office 2010 (both 32 and 64-bit editions), as well as Office 2007 Service Pack 2.

The same patch fixes another security bug that is rated critical, however, and it affects the same three Office versions. An attacker who sends the user a specially crafted -- i.e., malicious -- Rich Text Format (RTF) message and gets the user to open it, or merely view it in preview mode, can take over the user's machine without any further action on the user's part.

Although the DLL planting exploit is public knowledge at this point, the other bugs have not yet been disclosed, and no known attacks are attributed to any of the flaws in the patch. Nor should the size of the patch drop cause administrators to lower their guard, one researcher said.

"This is a light load when compared with last month's record release, however this month's critical bulletin addresses some very concerning vulnerabilities and IT teams must remain diligent in getting this patch fully deployed," Don Leatham, director of solutions and strategy at security firm Lumension, told in an e-mail.

Patch Tuesday occurs on the second Tuesday of each month. The company sends out an advance notice of what's to come the Thursday prior in order to give systems managers a heads-up as to how much time and labor will be required to deploy that month's patches.

A Microsoft spokesperson pointed out that November's patch release does not include a patch for a security issue that the company warned users about last week. That hole is a flaw in Internet Explorer 6, 7, and 8 that could let an attack program compromise the user's system. Microsoft sent out a Security Advisory last week to warn customers about it.

However, researchers from both Microsoft and other security firms have said that the IE bug is difficult to exploit. Microsoft released a Fix-It last week that changes the browsers' defaults to block exploits while it continues to work on a patch.

The two other patches released Tuesday are rated important as well. One affects PowerPoint 2002 and 2003; the other affects Microsoft Forefront Unified Access Gateway.

Microsoft's next Patch Tuesday drop is due on Dec. 14.

Stuart J. Johnston is a contributing writer at, the news service of, the network for technology professionals. Follow him on Twitter @stuartj1000.

Keep up-to-date with Microsoft security news; follow eSecurityPlanet on Twitter @eSecurityP.