Microsoft Patches Nine Bugs

Microsoft has patched critical vulnerabilities in its Office, Outlook and Windows software.

The software vendor released three sets of critical patches Tuesday, fixing nine security bugs. A fourth update fixes a flaw in Office 2003’s Brazilian Portuguese Grammar Checker. Microsoft gives this flaw a less-serious rating of “important.”

Hackers have been paying close attention to Microsoft’s Office products over the past few months, taking advantage of unpatched bugs in PowerPoint, Word and Excel to conduct extremely targeted attacks. Typically, the attacker will send the victim an e-mail that includes a malicious Office attachment and try to entice the victim into opening the malicious message.

In early December, these attacks occurred on a very limited scale, exploiting unpatched vulnerabilities in Microsoft Word.

Microsoft didn’t issue patches for Word on Tuesday, but it did patch five flaws in Excel, which has also been a point of attack over the past few months.

The Office flaws should be a top priority for system administrators, said Chris Andrew, vice president of security technology with Patchlink.

The Windows update, which fixes a critical flaw in Windows’ vector markup language (VML), is also one to watch, he said.

Microsoft Security Program Manager Mark Griesi said the VML bug is “the most serious one” patched Tuesday.

Last September, Microsoft was forced to rush an early patch for a similar VML bug after attackers began exploiting the flaw on the Internet. By tricking victims into visiting specially crafted webpages, criminals could use this VML flaw to run unauthorized software on a victim’s computer, Microsoft said.

Tuesday’s VML update replaces the MS06-055 VML bug fix that Microsoft published last September, the company said.

The SANS Internet Storm Center rates all four updates as critical, but it is singling out the VML bug in particular, saying there is an “immediate danger” of attackers exploiting this flaw.

SANS says there are known exploits for bugs in all of the updates released Tuesday, except the Excel patches.

Microsoft had been planning to release eight sets of patches Tuesday, but late last week, it abruptly pulled four of these updates out of the pipeline. No reason was given for this sudden decision.

Microsoft has been known to pull planned updates in the past, but it is unusual for the company to withdraw so many at the last minute. That happened this time because a number of the updates were pulled for related issues, Microsoft’s Griesi said. Three of the pulled updates were for Microsoft Office, he said. The fourth one fixed a flaw in Windows.

“I’ll let you guess which ones were related,” he said.

-Robert McMillan, IDG News Service (San Francisco Bureau)