Microsoft patches critical Office vulnerability amid 'limited, targeted' attacks

Microsoft is releasing a security update to patch a vulnerability in an ActiveX control that has already seen some exploits in the wild.

Microsoft is releasing a security update to patch a critical vulnerability in the ActiveX controls included in all 32-bit versions of Office for Windows, among other products. If exploited with a malicious document or webpage, the vulnerability can allow attackers to remotely execute code on their targets' systems, and according to Microsoft, "limited, targeted attacks" using malicious RTF email attachments have been spotted in the wild.

The security update, MS12-027, patches the vulnerability by disabling the ActiveX control in question and swapping it with a new one. It comes at the same time as five other updates, three of which are labeled critical (they could be used to propagate a worm), but due to the documented attacks, MS12-027 is the highest priority. In addition to the update, Microsoft is also offering a number of security-hardening suggestions that mitigate the problem and ones like it, but it still recommends applying the update "right away."