Microsoft on Tuesday released four patches to fix six vulnerabilities. Three of the patches were rated critical, covering Microsoft Word, Publisher and the Jet Database Engine 4.0.
Experts say the fourth patch, rated important, could also be viewed as critical because it affects security software that could be shut down in an attack.
The software patches were released as part of Microsoft's regularly scheduled Patch Tuesday.
The fourth patch (MS08-029), which affects the Microsoft Malware Protection Engine, can result in a crash on a variety of different Microsoft security platforms, including Windows Defender; Live OneCare; Antigen for Exchange and SMTP Gateway; and Forefront Security for Exchange Server and SharePoint.
"I think it is moderate because the immediate consequence is a denial-of-service attack. But if you take the context that this is an antivirus product that should be running all the time, then I think people should look at this as critical as well," says Amol Sarwate, manager of vulnerability research for Qualys.
The three critical patches -- MS08-026, MS08-027, MS08-028 -- all involve specially crafted files built to exploit the vulnerabilities.
Experts classify the Jet Database vulnerability (MS08-028) as the most important.
"It's been noted by Microsoft that 028 has been in the wild," says Jason Miller, security team manager for Shavlik Technologies. "It has been affecting systems and results in evil users being able to take complete control of computers."
The Jet Database 4.0 vulnerability concerns .MDB files and could be especially troubling for users of Outlook 2003 and 2007 who use the preview pane feature to view e-mail. Attacks that exploit the vulnerability can be carried out if a specially crafted file is embedded in an e-mail message. Malicious files also can be embedded in Word files.
Microsoft recommends that users upgrade immediately.
The Jet Database vulnerability affects Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows XP Professional x64 Edition, Windows Server 2003 Service Pack 1, Windows Server 2003 x64 Edition, and Windows Server 2003 with SP1 for Itanium-based Systems.
Microsoft's MS08-026 patch is closely aligned with MS08-028 in that specially crafted files can be embedded in Word files. It also affects users of Outlook 2007 and Outlook 2007 Service Pack 1 because both contain some of the same core files that are affected in Word, namely those for editing features.
MS08-026 is rated critical for Office 2000 Service Pack 3 and 2007 Office System, but only important for other platforms because the attack takes two steps instead of one to complete. Those platforms are: Office XP Service Pack 3; Office 2003 Service Pack 2; Office 2003 Service Pack 3; 2007 Office System Service Pack 1; Word Viewer 2003; Word Viewer 2003 Service Pack 3; Office Compatibility Pack for Word, Excel and PowerPoint 2007 File Formats; Office Compatibility Pack for Word, Excel and PowerPoint 2007 File Formats Service Pack 1; and Office 2004 and 2008 for Mac.
The other critical patch -- MS08-027 -- affects Publisher in Office 2000 Service Pack 3, Office XP Service Pack 3, Office 2003 Service Pack 2 and 3, 2007 Office System and 2007 Office System Service Pack 1.