Microsoft Patches Old Software Flaws with New Fixes

Gracie Films/20th Century Fox Television

Gracie Films/20th Century Fox Television

Microsoft released eight fixes for 19 security flaws in this month's Patch Tuesday update, including one actively being exploited by a possibly state-sponsored team of Chinese hackers.

At the same time, Adobe Systems patched four flaws in two of its products, the commonly used Flash Player (which plays YouTube videos) and the Web-developer tool ColdFusion.

However, Microsoft did not patch a very serious flaw in Microsoft Office that affects all versions of Windows and is currently being exploited by a second team of malicious hackers, this one in South Asia. It's possible that flaw will be fixed by an out-of-cycle update before next month's scheduled Patch Tuesday on Dec. 9.

MORE: 5 Free PC Security Programs Worth Downloading

Two of the three "critical" updates, which is how Microsoft classifies vulnerabilities that could lead to "code execution without user interaction" (i.e., silent takeover of a PC) involve flaws in all supported versions of Internet Explorer, 6 through 11, on all supported versions of Windows, XP through 8.1.

Blasts from the past

However, the third critical update reaches back in time to fix a flaw in Windows Write, a primitive Microsoft word processor that was first used on Windows 1.0 in 1985.

"The vulnerability could allow remote code execution if a user views or opens a specially crafted Windows Write file in WordPad," the "accessory" program that handles legacy Write files in current versions of Windows, the official Microsoft November security bulletin summary states.

"Supporting legacy file formats often leads to security issues," Sophos security researcher Chester Wisniewski pointed out in a posting on his company's Naked Security blog.

None of the critical vulnerabilities being fixed involved privileged escalation, in which an attacker or his malware gains more power over the operating system than the user being compromised.

Windows users who conduct most of their activities under limited accounts will suffer less from infection than those who always run administrator accounts that can install and modify software.

Another word processor, Corel's WordPerfect, which debuted in 1979 but is still developed and sold, is behind an "important" patch for three vulnerabilities. The flaws could let malware into the machine if a user were to be tricked into opening a "specially crafted WordPerfect document file" in Microsoft Office.

The four other important patches are for a flaw in Hyper-V, which creates and runs "virtual machines" on servers; for a Windows flaw that lets users under limited accounts access administrator-level data; for a Microsoft Outlook flaw that lets malicious email attachments gather networking data about targeted PCs; and for a Windows flaw that could let a malicious cryptographic key temporarily kill Web connections.

Windows users who have automatic updates enabled will receive the updates this week; users who prefer to update manually (not advised) should open Windows Update in the Control Panel, or simply point Internet Explorer to

No Microsoft software running on Macs is affected by this month's patches.

How to get the Adobe security updates

That's not the case with Adobe's round of patches, which affect Windows, Mac OS X and Linux, and in one case, Android as well.

The two Flash Player vulnerabilities being patched could allow remote system takeover of all four operating-system families, although Adobe considers Linux and Android flaws as less threatened than Windows or Mac OS X.

As is the case every month, receiving and installing the Flash Player patches depends on what you're running. Google Chrome will install the patches automatically on all platforms, but only for its own use. Outside Chrome, Windows 8, 8.1 and RT will automatically get and install the updates along with their Microsoft patches.

On older versions of Windows and Android, as well as on Macs, some versions of Flash Player will automatically download the update, then ask for user permission to install it. Some Linux users will also be prompted to install the update.

The same applies for the Adobe AIR applet platform, which uses Flash Player code. (Apple's iOS also uses Adobe AIR, but doesn't seem to be affected by these flaws.)

Anyone who doesn't get an update prompt should use a browser to visit the Adobe Flash Player Download Center, the Adobe AIR download page or Google Play.

Windows, Linux and Mac OS X are equally threatened by the two ColdFusion flaws, which could also allow remote system takeover.

Security blogger Brian Krebs suspects that one of the flaws has already been exploited in a wave of hacker attacks upon corporate databases, whose victims include LexisNexis, Dun & Bradstreet and Adobe itself.

The ColdFusion update process is fairly complicated and involves a lot of grunt work; Adobe has posted a long page of instructions online.

Cryptography as old as Bart Simpson

Along with the vulnerability patches, Microsoft is also removing the use of the aging RC4 cryptographic algorithm, which has been weakened by mathematical and processing-power advances in recent years.

"As computing power increases, cryptographic attacks that were once only theoretical become practical," wrote Microsoft Trustworthy Computing manager Dustin Childs in a blog posting yesterday (Nov. 12). "This is the case with RC4, which was originally designed in 1987."

"That's the same year 'The Simpsons' first appeared as shorts on 'The Tracy Ullman Show,'" Childs observed. "Computing has changed somewhat in that time."

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.