It should be a relief to many that none of the bulletins requires immediate attention, as none of them address vulnerabilities being exploited in the wild; all were privately reported vulnerabilities. This means that there isn’t any publicly known exploit code for this month’s bulletin cycle.
Bulletin 1, marked as critical, is a vulnerability in Microsoft Office 2003, 2007, and 2010 as well as Word Viewer and Microsoft Office Web Apps. This vulnerability requires a victim to open a malicious file or even preview a malicious file in Outlook Web Access. This vulnerability could result in the complete compromise of a system if exploited.
Since this is an Office vulnerability, it may affect both Windows and Macintosh users.
Microsoft will also be issuing an update this Tuesday that will deprecate the use of certificates with keys shorter than 1024 bits. This could result in headaches for organizations that still have legacy certificates in production. This weekend will be the last weekend to clean up legacy certificates before next Tuesday.
Per Microsoft, some known issues that customers may encounter after applying this update may include:
- Error messages when browsing websites that have SSL certificates with keys that are less than 1024 bits
- Problems enrolling for certificates when a certificate request attempts to utilize a key that is less than 1024 bits
- Difficulties creating or consuming email (S/MIME) messages that utilize less than 1024 bit keys for signatures or encryption
- Difficulties installing ActiveX controls that were signed with less than 1024 bit signatures
- Difficulties installing applications that were signed with less than 1024 bit signatures (unless they were signed prior to January 1, 2010, which will not be blocked by default).
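One way to find the legacy certificates described above before the update is applied, as an added example that is not from Microsoft or the original post: a PowerShell inventory of the local certificate stores that reports every certificate whose public key is shorter than 1024 bits. The function name `Get-WeakKeyCertificate` is hypothetical, and the script assumes PowerShell 3.0 or later running on the host being audited.

```powershell
# Added example (not from the original post or from Microsoft).
# Lists certificates in the local Windows stores whose public key is
# shorter than 1024 bits, the cutoff described in the post.
# Get-WeakKeyCertificate is a hypothetical helper name.

function Get-WeakKeyCertificate {
    param(
        [string[]]$StoreRoot = @('Cert:\LocalMachine', 'Cert:\CurrentUser'),
        [int]$MinimumBits = 1024
    )
    $ekuType  = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $certType = [System.Security.Cryptography.X509Certificates.X509Certificate2]

    Get-ChildItem -Path $StoreRoot -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_ -is $certType } |
        ForEach-Object {
            $cert = $_
            $bits = $null
            try { $bits = $cert.PublicKey.Key.KeySize } catch { }
            # Key types that .NET cannot expose here leave $bits unset; skip
            # them rather than report a size that was never measured.
            if ($null -eq $bits -or $bits -ge $MinimumBits) { return }

            # Enhanced key usages hint at which symptom to expect
            # (server authentication, secure email, code signing).
            $usages = $cert.Extensions |
                Where-Object { $_ -is $ekuType } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                ForEach-Object { $_.FriendlyName }

            [pscustomobject]@{
                Store      = $cert.PSParentPath -replace '^.*::', ''
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                KeyBits    = $bits
                NotAfter   = $cert.NotAfter
                Expired    = $cert.NotAfter -lt (Get-Date)
                Usage      = $usages -join ', '
            }
        }
}

# Unexpired certificates sort first; those are the ones still in use.
Get-WeakKeyCertificate |
    Sort-Object Expired, KeyBits |
    Format-Table -AutoSize -Wrap
```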
Author: Marcus Carey, security researcher at Rapid7.