
Redmond patches Windows, Office flaws

But zero-day Word bugs still a problem...


By Joris Evers

Published: 10 January 2007 09:35 GMT

Microsoft yesterday released fixes for vulnerabilities in its Windows and Office software but left several known Word zero-day flaws without a patch.

As part of its monthly patch cycle, Microsoft published four security bulletins with fixes for 10 vulnerabilities. Three of the bulletins are deemed "critical", the company's most serious rating, while the fourth is tagged "important", a notch lower. All bulletins, however, address flaws that could allow an attacker to commandeer a PC.

A Microsoft representative said in a statement: "Microsoft does recommend that all customers sign up for Microsoft Update and enable its Automatic Updates functionality to receive all updates available this month and to help make their systems more secure."

Among Microsoft's fixes are three vulnerabilities that were previously known. But the company left several known zero-day vulnerabilities without a patch.

Andrew Storms, director of security operations at network security company nCircle, said in a statement: "Conspicuous by their absence are patches for the zero-day exploits in Word." These patches were probably pulled due to quality issues, he said. Last week, Microsoft postponed four of its planned eight security bulletins.

All of the security vulnerabilities addressed by Microsoft's first fixes of 2007 relate to how multiple versions of Windows and Office handle specific files. Attackers could create malicious files that, when opened, at worst could give the attacker control of a vulnerable PC, according to Microsoft's bulletins.

Nine of the 10 security holes Microsoft provided fixes for lie in Office applications. Five affect Excel, three hit Outlook and one impacts the Brazilian Portuguese grammar checker for Office. Opening rigged files could trigger the flaws and allow an attack to occur, Microsoft said. Both Windows and Mac versions of Office are affected.

Oliver Friedrichs, a Symantec Security Response director, said in a statement: "Today's patch release illustrates once again that the volume of client-side vulnerabilities for the Windows platform is not slowing down. Attackers are exploiting vulnerabilities with increasing speed, and it's imperative that computer users protect themselves by installing updated software patches as quickly as possible."

The 10th hole is in Windows and is similar to a bug Microsoft rushed out a fix for in September after Windows users came under attack. The vulnerability lies in a Windows component called 'vgx.dll' that is meant to support Vector Markup Language (VML) documents in the operating system. VML is used for high-quality vector graphics on the web.

Like the first VML hole, this vulnerability can be exploited by tricking a user into viewing a malicious VML file on a website with Internet Explorer. All recent versions of Windows are vulnerable with all recent versions of IE - including IE 7 - according to Microsoft. The exception is Windows Vista, which is not impacted, it said.

Microsoft's patches will be distributed via Automatic Updates and the company's Microsoft Update downloads website.

Joris Evers writes for CNET News.com
