Microsoft patches flaws in VML, XML
Published: 2007-08-14

Microsoft released nine patches on Tuesday to fix at least 14 security issues in its software, including problems in Windows, Office, Internet Explorer and its Virtual PC virtualization software.

Two patches -- a fix for a flaw in Microsoft XML Core Services and an update for Internet Explorer's handling of the Vector Markup Language (VML) -- were rated Critical by Microsoft for both Windows XP Service Pack 2 and Windows Vista. Like the previous VML vulnerabilities in Internet Explorer, the latest flaw could be exploited to infect targeted machines either through a Web browser or e-mail.

"There is the possibility that this vulnerability could be used in an e-mail worm," said Tom Cross, a researcher with IBM Internet Security Systems' X-Force Labs. "It hasn't happened in a while, but there is that possibility, so it is one to watch out for."

The software giant also patched Excel 2000 for a Critical vulnerability that affected more recent versions of the Office spreadsheet application to a lesser extent. Another patch fixed three other vulnerabilities in Internet Explorer, while the Windows Media Player received its own patch for two flaws rated Important by Microsoft. Three of the Gadget applets for Windows Vista's sidebar also had to be patched to fix one Important and two Moderate vulnerabilities.

IBM's Cross also highlighted the Virtual PC vulnerability as interesting, because it could be used to break out of a guest operating system and infect the host.

"People assume that virtualization makes for safer computing," Cross said. "This vulnerability is an example that could undermine that assumption."

CORRECTION: The original article cited the wrong figure for the number of vulnerabilities fixed by the Microsoft patches. The nine patch bulletins specifically mention 14 vulnerabilities.

Posted by: Robert Lemos
Copyright 2009, SecurityFocus