February 13th, 2007
MS Patch Tuesday: 12 bulletins, 6 critical, 20 vulnerabilities
Microsoft’s Patch Tuesday train rumbled into security central with a full load today: 12 bulletins with patches for at least 20 vulnerabilities in a wide range of widely used software products.
Six of the 12 bulletins are rated “critical,” Redmond’s highest severity rating.
As expected, there are fixes for gaping holes in the Microsoft Office desktop productivity suite but it is not immediately clear if all the flaws exploited in the recent zero-day attacks are covered.
The biggest batch is contained in MS07-014, which covers six different vulnerabilities in Microsoft Word. The Information and Communication Security Technology Center in Taiwan is credited with reporting two of the six Word bugs to Microsoft, suggesting that a government agency or business in Taiwan might have been the target of the attacks.
Four of the 12 bulletins deal with holes in Office applications — Access, Excel, FrontPage, Outlook, PowerPoint, Publisher and Word. A separate update (MS07-015) covers two different bugs in Excel and PowerPoint.
There’s also a “critical” fix (MS07-016) for the dominant Internet Explorer browser to cover a trio of PC takeover flaws if a user simply browses to a malicious Web page. Uberhacker HD Moore of BreakingPoint Systems is credited with reporting five class identifiers documented in one of IE vulnerabilities.
Another critical update, MS07-009, is also flagged as a high-priority issue because public proof-of-concept exploits are already available. This patch covers a bug in MDAC (Microsoft Data Access Components) that could be exploited via Internet Explorer. “The ADODB.Connection ActiveX control included in MDAC could, if passed unexpected data, cause Internet Explorer to fail in a way that could allow code execution,” according to the alert.
The critical MS07-010 update is also a big black eye for Microsoft. It covers a remote code execution hole that affects all the security products that use the Malware Protection Engine. Affected software include Windows Live OneCare, Microsoft Antigen 9.x, Microsoft Windows Defender, Microsoft ForeFront Security for Microsoft Exchange Server 1.x, and Microsoft ForeFront Security for SharePoint Server 1.x.
A successful exploit will completely compromise the affected computer.
Home users can download the patches from the Automatic Updates mechanism built into Windows. Patches also also be downloaded from Microsoft Update or Windows Update.
Security and reliability fixes for Microsoft Office can be downloaded from the Microsoft Office site.
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
For daily updates on Ryan's activities, follow him on Twitter.
Subscribe to Zero Day via Email alerts or RSS.
