
Microsoft patches two critical holes

Remote code execution possible

Microsoft has patched two critical holes this Patch Tuesday.

The more serious of the two flaws is a remote code execution vulnerability affecting Outlook and Exchange Server. It involves a format called TNEF (Transport Neutral Encapsulation Format), which is used when sending email messages in Rich Text Format.

An attacker could gain administrative control of a compromised system, warned Microsoft.

What makes the TNEF flaw particularly dangerous is the fact that it exists in Exchange and Outlook - both widely used by companies - and does not require user participation.

"All that needs to take place is for an email to get sent to a server," for the flaw to be exploited, said Michael Sutton, director at security consultants iDefense. This raises the possibility of widespread infections if an exploit ever becomes available for the flaw, he added.

But exploiting the flaw won't be particularly easy, said Alain Sergile, technical product manager at ISS' X-Force team. "We think that from a software engineering perspective, it will be fairly complicated to exploit, but it is feasible," he said.

The other flaw is in how Windows handles malformed embedded web fonts.

According to Microsoft's description: "An attacker could exploit the vulnerability by constructing a malicious embedded web font that could potentially allow remote code execution if a user visited a malicious website or viewed a specially crafted email message."

Though the flaw is also serious, it requires active user interaction to be exploited, making it less dangerous than the TNEF flaw, Sutton said.

