Microsoft has unveiled a dozen security updates that patched 20 vulnerabilities, including one found in every security product of its consumer and enterprise lines, among them software either bundled with or able to run on the new Windows Vista operating system.
More than half of the 20 patches – 11 total – were labelled "critical," the highest rating in Microsoft's four-step threat scoring system.
Among the updates are several that tackle long-standing problems in numerous editions of Microsoft Office, including six patches for Word, and one each for PowerPoint and Excel.
But the update deemed by analysts to be most important is MS07-010, which patched a critical bug in the malware scanning engine used by the Windows OneCare and Defender, Forefront Security and Antigen products. The flaw, said Microsoft, could be used by a hacker to hijack a supposedly protected PC because the scanning engine improperly parses portable document format (PDF) files. Attackers could feed malformed PDFs to PCs via email, for instance, and grab control of the machines without any interaction from users.
But according to Microsoft, the scanning engine bug hasn't been used yet by attackers.
No matter, said Amol Sarwate, who manages Qualys' vulnerability lab. "MS07-010 is the most critical of the bulletins. The flaw in the core protection engine of several Microsoft [security] products can be used to execute attack code on a machine without any user interaction. And this [is the software] which is supposed to protect your desktops and servers from attack."
Symantec's alert to customers of its DeepSight threat network, for instance, rated MS07-010 as a "10" out of a possible 10 on its urgency scale. And Minoo Hamilton, senior security researcher with patch management vendor nCircle, said the patch was not only a critical fix, but an embarrassment to Microsoft.
"There have been so many vulnerabilities having to do with parsing files," said Hamilton, "that this is exactly the kind of thing that you would have expected Microsoft to catch. They'll have to put more effort into securing their security software because this is embarrassing."