Microsoft patches critical Office vulnerability amid 'limited, targeted' attacks

Microsoft is releasing a security update to patch a vulnerability in an ActiveX control that has already seen some exploits in the wild.

Microsoft is releasing a security update to patch a critical vulnerability in the ActiveX controls included in all 32-bit versions of Office for Windows, among other products. If exploited with a malicious document or webpage, the vulnerability can allow attackers to remotely execute code on their targets' systems, and according to Microsoft, "limited, targeted attacks" using malicious RTF email attachments have been spotted in the wild.

The security update, MS12-027, patches the vulnerability by disabling the ActiveX control in question and swapping it with a new one. It comes at the same time as five other updates, three of which are labeled critical (they could be used to propagate a worm), but due to the documented attacks, MS12-027 is the highest priority. In addition to the update, Microsoft is also offering a number of security-hardening suggestions that mitigate the problem and ones like it, but it still recommends applying the update "right away."