Microsoft repairs flaws in Forefront UAG, critical Office flaw

Microsoft addressed vulnerabilities in its Forefront Unified Access Gateway and flaws in Microsoft Office and PowerPoint as part of its monthly patching schedule.

The software giant issued three security bulletins, Tuesday, addressing 11 vulnerabilities in its November patching cycle. One of five vulnerabilities addressed in Microsoft Office could allow an attacker to execute code remotely on a victim's machine by getting a user to open a malicious rich text formatted email message. The security update is rated "critical" for Microsoft Office 2007 and 2010.

Josh Abraham, a security researcher at Boston-based vulnerability management vendor Rapid7 LLC, said the critical vulnerability could enable cybercriminals to conduct drive-by malware attacks.

MICROSOFT SECURITY:

Microsoft workaround could break Web pages: A temporary workaround to mitigate a zero-day vulnerability in Internet Explorer causes most Web pages to load improperly.

Microsoft issues advisory on Internet Explorer drive-by attack: Microsoft has confirmed a targeted attack against a new zero-day vulnerability in Internet Explorer.

October - Microsoft to address 49 flaws in record patching cycle: The software giant said it would release 16 bulletins next week addressing flaws in Internet Explorer, Microsoft Office, and the .NET Framework.

Microsoft also addressed four security vulnerabilities in its Forefront Unified Access Gateway. The gateway is an SSL VPN, used to give remote employees secure access to enterprise systems and applications. The UAG is open to a spoofing flaw that enables rogue employees to increase their user privileges. The bulletin is rated "important" for all supported versions of Forefront Unified Access Gateway 2010.

"Without the fix, administrators who click the malicious[cross-site scripting] link could cause code executionallowing attackers to create users or change settings on the Forefront server," wrote Wolfgang Kandek, chief technology officer of Redwood Shores, Calif-based vulnerability management vendor Qualys Inc., in the company's blog.

In addition, Microsoft addressed two PowerPoint flaws. Microsoft said the flaws enable an attacker to execute code remotely on a victim's machine after getting the user to open a malicious PowerPoint file. Despite being rated "important," Microsoft has given the vulnerabilities an Exploitability Index rating of 1, meaning that public exploit code attempting to target the vulnerabilities is likely. The update affects Microsoft PowerPoint 2002, 2003, and Microsoft Office 2004 for Mac.

An Internet Explorer zero-day vulnerability, acknowledged by Microsoft last week, remains unpatched. Security experts warned that the workarounds in the advisory could break some Web pages.