In the November 2010 edition of Patch Tuesday, Microsoft has released 3 new bulletins addressing 11 vulnerabilities.  Only one of these vulnerabilities, addressed in Security Bulletin MS10-087, is publicly known.  This zero-day vulnerability was previously discussed in Microsoft Security Advisory 2269637.  Microsoft typically follows a large patch release month with a lighter patch month, so a release this small is not completely unexpected. 

For the November Patch Tuesday, there is one bulletin IT administrators should focus on first and foremost.  Security Bulletin MS10-087 affects all supported versions of Microsoft Office.  This bulletin addresses 5 vulnerabilities and is rated as critical.  If a maliciously crafted RFT formatted document is previewed with Microsoft Office, an attacker can gain remote code execution.  Although this vulnerability is not publicly known, we are likely to see exploit attempts against this vulnerability in the near future.  RTF document attachments are typically not blocked and used as a common shared file format like PDF Files.

The second bulletin released this Patch Tuesday cycle, MS10-088, affects older versions of Microsoft PowerPoint and PowerPoint Viewer addressing 2 vulnerabilities.  Opening a malicious PowerPoint document can lead to remote code execution.

The last bulletin Microsoft has released, MS10-089, addresses 4 vulnerabilities in their Microsoft Forefront Unified Access Gateway product.  With these vulnerabilities, an attacker can gain Elevation of Privilege with a successful exploit.  The update for this product is currently only available for manual download through the Microsoft Download Center.  Administrators should assess their networks and identify any systems with UAG installed and manually apply the patch as it will not be automatically applied with Windows Update.  On a good note, most companies will not have many systems with this software program installed.  However, as this is a high profile product, administrators should know if this program exists and the machine it is installed on.

It is also important to note MS10-089 also applies to Intelligent Application Gateway (IAG).  A patch is not being supplied publicly to cover the vulnerabilities as Microsoft is asking customers using this product to contact their OEM for a fix.  IAG is typically deployed to networks from authorized distributors.  Any company currently running IAG on their network should review the Microsoft Security Bulletin for more information.

- Jason Miller