Microsoft has patched critical vulnerabilities in its Office, Outlook and Windows software.
The software vendor released three sets of critical patches today, fixing nine security bugs. A fourth update fixes a flaw in Office 2003’s Brazilian Portuguese Grammar Checker. Microsoft gives this flaw a less-serious rating of ‘important’.
Hackers have been paying close attention to Microsoft’s Office products over the past few months, taking advantage of unpatched bugs in PowerPoint, Word and Excel to conduct extremely targeted attacks. Typically, the attacker will send the victim an email that includes a malicious Office attachment and try to entice the victim into opening the malicious message.
In early December 2006 these attacks occurred on a very limited scale, exploiting unpatched vulnerabilities in Microsoft Word.
Microsoft didn’t issue patches for Word today but it did patch five flaws in Excel, which has also been a point of attack over the past few months.
The Office flaws should be a top priority for system administrators, said Chris Andrew, vice-president of security technology with Patchlink Corp.
The Windows update, which fixes a critical flaw in Windows’ VML (Vector Markup Language) language is also one to watch, he said.
Microsoft Security Program Manager Mark Griesi, said that the VML bug is “the most serious one” patched Tuesday.
In September 2006, Microsoft was forced to rush an early patch for a similar VML bug after attackers began exploiting the flaw on the internet. By tricking victims into visiting specially crafted web pages, criminals could use this VML flaw to run unauthorised software on a victim’s computer, Microsoft said.
Today’s VML update replaces the MS06-055 VML bug-fix that Microsoft published last September, the company said.
The SANS Internet Storm Centre rates all four updates as critical but it is singling out the VML bug in particular, saying that there is an “immediate danger” of attackers exploiting this flaw.
SANS says there are known exploits for bugs in all of the updates released today, except the Excel patches.
Microsoft had been planning to release eight sets of patches today but late last week, it abruptly pulled four of these updates out of the pipeline. No reason was given for this sudden decision.
Microsoft has been known to pull planned updates in the past, but it is unusual for the company to withdraw so many at the last minute. That happened this time because a number of the updates were pulled for related issues, Microsoft’s Griesi said. Three of the pulled updates were for Microsoft Office, he said. The fourth one fixed a flaw in Windows.
“I’ll let you guess which ones were related,” he said.