Microsoft's 'Patch Tuesday' targets six critical flaws

NEWS

Microsoft has released six critical patches for August's 'Patch Tuesday', including a fix for six vulnerabilities in Internet Explorer.

Affected versions of the web browser include Internet Explorer 7 (IE7) for multiple iterations of Vista, XP and Server 2008; IE6 for versions of XP and Server 2003 and 2000; and IE5.01 for Server 2000.

Latest photo stories from silicon.com

Photos: Waging war on the web's bad guys

Photos: How to destroy your hard drive

Photos: It's virtual everything in Cisco's future

Photos: Inside a supercomputer lab

Photos: A peek at the future of telemedicine

Photos: 60 years of NHS tech

Photos: Wi-fi in the great outdoors

Photos: Shopping just got high-tech

Photos: Top tech for the festival season

Photos: Top 5 Bill Gates moments

Photos: Bill Gates through the ages

The vulnerabilities allow an attacker to remotely execute arbitrary code on a system if a user visits a specially crafted web page with affected versions of IE.

The vulnerabilities, as detailed in Microsoft Security Bulletin MS08-045, relate to HTML objects memory corruption, HTML component handling and uninitialised memory corruption.

In Security Bulletin MS08-041, Microsoft warned that attackers could further use the internet to exploit a vulnerability in the ActiveX control for the Snapshot Viewer for Microsoft Access.

The arbitrary file download vulnerability in ActiveX could be exploited if the user visits a web page containing malicious code, Microsoft warned. Versions of Office are affected by this flaw, including Office XP Service Pack 3 (SP3), and Office 2003 SP2 and SP3.

Office applications have received critical patches from Microsoft this month. Four vulnerabilities in Excel have been addressed, as detailed in Security Bulletin MS08-043.

The vulnerabilities in indexing validation and array, record parsing, and credential caching could allow an attacker to compromise a system if the user opens a malicious Excel file. Affected software includes Office XP SP3, Office 2003 SP3, Office 2008 for Mac, Office 2004 for Mac, and iterations of Office SharePoint Server 2007.

Three critical vulnerabilities also lie in Microsoft Office PowerPoint, which could allow an attacker to completely control a system. The memory allocation, calculation, and parsing overflow vulnerabilities affect versions of Office including XP SP3 and 2003 SP3, according to Security Bulletin MS08-051.

Security Bulletin MS08-044 gives details of five critical vulnerabilities in Office filters that could allow remote code execution, while Security Bulletin MS08-046 gives details of a vulnerability in the Microsoft Windows Image Color Management system.

The Security Bulletin Summary for August 2008 also gives details of five patches rated as 'important', including a vulnerability in IPsec policy processing.

Security vendor McAfee noted that Microsoft had not released this many bulletins simultaneously since February, and had not patched as many vulnerabilities at once for the past two years.

Karthik Raman, a research scientist at McAfee, said in a statement: "This is a mammoth Patch Tuesday, and we have not seen anything of this scale in a long time."