• silicon.com
• Technology
• Security

By Elinor Mills, 15 April 2009 08:49

NEWS

Microsoft on Tuesday closed security holes in Excel, Windows and Word that had been exploited in the wild, as well as other holes for which exploit code or details exist, all as part of its monthly patch update cycle.

The critical Excel hole could allow an attacker to take complete control of an unpatched system if a user opens a specially crafted Excel file. Security firm Symantec said in February that it had discovered malicious files in the wild in Japan that attempt to exploit the Excel Unspecified Remote Code Execution Vulnerability.

The patch affects Microsoft Office, 2002, 2003 and 2007, as well as Microsoft Office 2004 and 2008 for the Mac, according to the Microsoft bulletin.

Microsoft also released a patch for a critical vulnerability in WordPad and Office that could allow remote code execution if a specially crafted file is opened in WordPad or Microsoft Word. This vulnerability is currently being exploited on the internet, Microsoft said. It affects Windows 2000, Windows XP, Windows XP Professional, Windows Server 2003, Microsoft Office Word 2000 and Word 2002.

Another patch fixes four critical vulnerabilities in Internet Explorer that could allow remote code execution if a user views a specially crafted web page or if a user connects to an attacker's server via HTTP. Exploit code and attack details have been made public for a couple of the vulnerabilities. Affected software is IE 5, 6 and 7.

A patch for Microsoft DirectShow closes a critical vulnerability that could allow an attacker to take complete control of a system if a user opened a specially crafted MJPEG file. It affects DirectX 8 and DirectX 9.

A fifth patch addresses critical vulnerabilities in Windows HTTP services that could allow an attacker to take complete control of the system and for which exploit tools and code have been made public. Affected are Windows 2000, Windows XP, Windows XP Professional, Windows Vista, Windows Server 2003, and Server 2008.

Also fixed are important holes in Windows being exploited in the wild that could allow elevation of privilege if an attacker is allowed to log on to a system and run a specially crafted application. Windows 2000, Windows XP, Windows XP Professional, Windows Vista, Windows Server 2003, and Server 2008 are affected.

Other patches address less critical holes in Microsoft Internet Security and Acceleration Server 2004 and 2006 and the medium business edition of Forefront Threat Management Gate, as well as SearchPath.

In all, Microsoft issued eight patches for about 24 reported vulnerabilities.

Wolfgang Kandek, CTO of vulnerability-management-software company Qualys, said: "We were astonished to see how many zero-days are in that release," in reference to exploits that target software with a vulnerability that has not been patched yet.

"Ten of the vulnerabilities have either exploits out in the wild or there is proof-of-concept code available and that's a first, I think, in terms of the number of zero days in a single bulletin," he said. "For the IT guys, that means their window has just shrunk to zero to get these things fixed."

The IE vulnerability is of particular concern, Ben Greenbaum, senior research manager at Symantec Security Response, said in an email statement. It "appears to be the easiest of the bunch to take advantage of by an attacker and also happens to be the one that requires the least amount of involvement by a user to exploit. An attacker can simply lure a victim into viewing a web page that contains malicious content and that individual's computer can then be taken over", he said.

Missing from the bulletin was a fix for a zero-day hole in PowerPoint that Microsoft warned on 2 April had been targeted by attackers.