Microsoft released four fixes on Tuesday to close a half dozen security holes, including a vulnerability in the Microsoft Jet database which is currently being exploited by attackers, the company stated in its bulletins.
The security vulnerabilities affect various Microsoft Office products, the Jet database engine, and Microsoft's Malware Protection Engine. Among the most critical flaws, the Microsoft Jet database engine vulnerability allows an attacker to execute code by accessing a database file through Microsoft Word. The company patched both the Jet database flaw and the Word flaw on Tuesday.
"Vulnerabilities of the type Microsoft is patching today have been a favorite attack method among cybercrooks, especially in stealthy attacks that seek to steal high-value intellectual property," Dave Marcus, security research and communications manager at McAfee Avert Labs, said in a statement reviewing Tuesday's patch release. "Trojan horse attacks often use rigged Office files that exploit vulnerabilities in the productivity suite."
Microsoft patched two vulnerabilities in Microsoft Word, including one issue that could be exploited through the Outlook e-mail client because the software uses a component of Word to display rich text format (RTF) and Web (HTML) files in the preview pane. Attacks against Microsoft Office have jumped over the past two years, though most exploits generally require some user interaction -- clicking 'OK' in a dialog box -- for all but the oldest versions of Office.
The software giant also remedied an issue in the way that its Malware Protection Engine -- used in its Windows Live OneCare service and Microsoft Forefront and Antigen products -- handles file scanning. A specially crafted file could be used to lock up the program or to keep the program from working on incoming files, the company stated in its bulletin.
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos