Microsoft released six updates on Tuesday for at least nine security flaws, fixing critical issues in Word, Internet Explorer and the e-mail programs that the company ships with its Windows operating systems.
The most widespread vulnerability appears to be in the way Internet Explorer handles a script error, allowing an attacker to access freed memory. The flaw has been rated Critical for both IE 6 and IE 7 running on Windows XP and Vista. Because Internet Explorer runs in an enhanced security configuration on Windows Server 2003, that platform is not impacted as severely. The three other vulnerabilities fixed by the Cumulative Security Update for Internet Explorer had a maximum severity of Moderate.
Another vulnerability, in the way Microsoft's e-mail programs handle newsgroups via NNTP (Network News Transfer Protocol), was rated Critical for Outlook Express and Important for Windows Vista's Mail application. The software giant rated a vulnerability in Microsoft Word Critical only for Office 2000 and Important for later versions of the productivity suite. A security hole in the Kodak Image Viewer also received a Critical rating from Microsoft.
Windows users should patch their systems as soon as possible. Online attacks have increasingly used flaws in Internet Explorer to redirect unwary visitors, using IFrames, from legitimate sites to malicious sites that compromise the victims' computers. The MPack infection tool kit is one of the programs commonly used to automate the process. Espionage attacks emanating from servers in China, among other nations, have regularly used Office flaws to infect the victim's computer.
The last two vulnerabilities patched by Microsoft had a maximum severity of Important. The software giant originally had stated that it would release seven patches, but withdrew one.
Posted by: Robert Lemos