Microsoft on Tuesday released four security updates to patch 10 vulnerabilities, seven of them judged "critical." But the company failed to fix multiple flaws in its popular word processor that have been exploited by attackers for more than a month.
January's security bulletins were half the number originally expected: on Friday Microsoft changed its mind and pared the count from eight to four without explanation. Of the updates, three involve Microsoft's Office suite, while the fourth affects Internet Explorer, the developer's oft-patched Web browser.
The most dangerous bug, says Amol Sarwate, manager of Qualys' vulnerability lab, is patched by MS07-003, which affects Microsoft Outlook, the e-mail client packaged with Office. The update fixes three flaws, one tagged critical. "It addresses one zero-day [vulnerability] that had already been made public," says Sarwate. "And it also fixes a calendar vulnerability. Meeting requests are common in day-to-day use and users could be expected to open the e-mail with a malformed request." Two of the three Outlook flaws could let an attacker hijack a PC running Outlook 2000, 2002, or 2003. The newest version, Outlook 2007, is immune to these vulnerabilities.
Lamar Bailey, operations manager of IBM Internet Security Systems' X-Force vulnerability research group, disagreed with Sarwate, and put MS07-004 at the top of the must-patch-now list.
The vulnerability is being exploited in the wild, Bailey said by way of explanation, "and there have been two remote code execution exploits of the VML engine in the past. It's obvious [the engine] has more issues."