Microsoft’s Malware Protection Center issued a warning this week that it has spotted malicious code on the Internet that can take advantage of a flaw in Word and infect computers after a user does nothing more than read an e-mail.
The flaw was addressed in November in a fix issued on Patch Tuesday, but with the malicious code now spotted in the wild, the protection center apparently wants to be sure the update wasn’t overlooked.
One of the most dangerous aspects of this vulnerability is that a user doesn’t have to open a malicious e-mail to become infected. All that’s required is for the content of the e-mail to appear in Outlook’s “Reading Pane”. If a user highlights a malicious e-mail to preview it in the Reading Pane, their machine is immediately infected. The same holds true if a user opens Outlook and a malicious e-mail is the most recently received in their in-box; that e-mail will appear in the Reading Pane by default and the computer will be infected.
Microsoft Summary for MS10-087 Patch:
The security update resolves one publicly disclosed vulnerability and five privately reported vulnerabilities in Microsoft Office. The most severe vulnerability could allow remote code execution if a user opens or previews a specially crafted RTF e-mail message. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
The security update is rated Critical for all supported editions of Microsoft Office 2007 and Microsoft Office 2010. This security update is also rated Important for all supported editions of Microsoft Office XP, Microsoft Office 2003, Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Microsoft Office for Mac 2011; and Open XML File Format Converter for Mac.
What To Do:
All users of Microsoft Office should be sure to install the fix. You can use your Start menu to check for updates: click the Start button, click All Programs, and then click Windows Update. Details of the MS10-087 update, including which software versions are affected, can be found in Microsoft's MS10-087 security bulletin.