Detailed Description
Microsoft has issued a security update to resolve multiple vulnerabilities affecting Microsoft Office products for both Windows and Mac platforms. Five vulnerabilities were identified, each of which could lead to remote code execution.
RTF Stack Buffer Overflow Vulnerability
This remote code execution vulnerability was caused by system memory corruption that results when Microsoft Office software parses specially crafted RTF-formatted data. An attacker could exploit this vulnerability to execute arbitrary code and obtain user rights on the affected system. The update addresses this issue by modifying the way RTF-formatted data are parsed.
Office Art Drawing Records Vulnerability, Drawing Exception Handling Vulnerability, and MSO Large SPID Read AV Vulnerability
These remote code execution vulnerabilities were caused by system memory corruption that results when a user opens a specially crafted Office file. An attacker could exploit these vulnerabilities to execute arbitrary code and obtain user rights on the affected system. The update addresses these issues by modifying the way Microsoft Office software parses files.
Insecure Library Loading Vulnerability
This remote code execution vulnerability results when a specially crafted DLL file is loaded into memory. For this vulnerability to exist, the user has to open a document contained within the same working directory as the DLL file. An attacker who successfully exploits this vulnerability could execute arbitrary code and obtain user rights on the affected system. The update addresses this issue by ensuring that a more appropriate and secure search order is used when loading libraries.
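The precondition described above (a document opened from a directory that also holds a library file) can be audited on file shares and download folders. The following is an added example, not part of the advisory or of Microsoft's update: it walks a directory tree and reports every directory where an Office document sits next to a DLL. The extension lists and the sample file names are assumptions made for the illustration.

```python
import os
import tempfile

# Assumption: extensions treated as Office documents and as loadable libraries.
OFFICE_EXTS = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".ppt", ".pptx"}
LIBRARY_EXTS = {".dll"}


def find_colocated_libraries(root):
    """Return {directory: (documents, libraries)} for every directory under
    root that holds at least one Office document and at least one DLL."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        docs, libs = [], []
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()  # case-insensitive match
            if ext in OFFICE_EXTS:
                docs.append(name)
            elif ext in LIBRARY_EXTS:
                libs.append(name)
        if docs and libs:
            findings[dirpath] = (sorted(docs), sorted(libs))
    return findings


def build_sample_tree(base):
    """Constructed sample layout (empty files, made-up names)."""
    layout = {
        "share/reports": ["q3.docx", "helper.DLL"],   # document + library: flagged
        "share/clean": ["notes.rtf", "budget.xlsx"],  # documents only
        "share/tools": ["plugin.dll"],                # library only
    }
    for rel, names in layout.items():
        directory = os.path.join(base, *rel.split("/"))
        os.makedirs(directory)
        for name in names:
            open(os.path.join(directory, name), "w").close()
    return base


def demo():
    """Run the audit over the constructed tree; keys are relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        hits = find_colocated_libraries(build_sample_tree(tmp))
        return {os.path.relpath(d, tmp).replace(os.sep, "/"): v
                for d, v in hits.items()}


if __name__ == "__main__":
    for directory, (docs, libs) in demo().items():
        print(f"{directory}: documents={docs} libraries={libs}")
```

A hit is a lead for review, not proof of compromise, since some legitimate folders mix documents and libraries.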