Microsoft was quick to point out, however, that the Flash Player attack would not work on Excel 2010. A Microsoft Security Research & Defense blog post explains, “The current attacks do not bypass the Data Execution Prevention security mitigation (DEP). Microsoft Office 2010 turns DEP on for the core Office applications, and this will also protect Flash Player when it is loaded inside an Office application. In addition to that, users of the 64 bit edition of Microsoft Office 2010 have even less exposure to the current attacks as the shellcode for all the exploits we’ve seen will only work on a 32 bit process.”

Fair enough. Office 2010 provides better security than previous versions of Office, and the 64-bit version of Office 2010 is even more secure still. Many organizations still rely on Office 2007 or earlier releases, though–so are they just out of luck?

Fortunately, Microsoft provides a better solution than simply suggesting that everyone upgrade to Office 2010. Microsoft offers a tool called the Enhanced Mitigation Experience Toolkit–or EMET. The tool is basically designed to let you implement mitigations to better protect older software that does not have the benefit of the security controls found in current products.

The Microsoft blog post says, “Turning on EMET for the core Office applications will enable a number of security protections called security mitigations. The exploits we’ve seen so far are broken by three of these mitigations: DEP, Export Address Table Access filtering (EAF), and HeapSpray pre-allocation. EMET is of value even to Microsoft Office 2010 as it has the first of the three enabled by default, but does not have the second or third ones.”

I highly suggest you download EMET and take a look at what it can do for you. It can help with newer software, but for legacy software it is a must-have.

Microsoft has only three security bulletins planned this month. Two affect Windows, and one addresses issues with Microsoft Office. One of the two slated for Windows is Critical, while the second is rated Important. The Microsoft Office bulletin is ranked as Important as well, and all three may require a system reboot for the update to complete.

Amol Sarwate, manage of the Vulnerability Research Lab for Qualys, passed on this analysis of the Patch Tuesday advance notification. 

“The critical update affects Windows XP, Vista and Windows 7 while Windows Sever 2003 and Server 2008 are not affected. One of the important updates affects all Windows operating systems and we expect it to be for the MHTML Information Disclosure issue which was left un-patched in last month’s patch cycle (2501696). The other important update patches the little known Office Groove 2007 software.”

• Adobe Reader and Acrobat
• ColdFusion
• Adobe Shockwave Player
• Adobe Flash Player