RealTime IT News

Microsoft Patches IE, Office Holes

A favorite target of virus writers, Internet Explorer, is the recipient of four new vulnerability fixes today from Microsoft in the latest of the company's regular monthly product updates.

The most significant of the IE patches addresses remote code execution exploits in specially crafted Web pages.

Amol Sarwate, research manager for the security firm Qualys, said two of the critical IE vulnerabilities were zero-day exploits and could allow for address bar spoofing of URLs. "A victim can be fooled by a phishing attack. They might think they are going to a bank site by looking at the URL, but they are going to a hacker Web site," he told InternetNews.com.

A second major issue addressed in the update aims to patch a remote code execution vulnerability in another omnipresent product from the company, Microsoft Word. That hole could allow remote code execution with Microsoft Word 2000 and 2002 if a user opens a specially crafted file that contains a malformed string. The hole also affects Microsoft Office 2004 for Mac.

In the case of both the IE and Word vulnerabilities, users running with less than full Administrator rights are less likely to be impacted by the problems.

A third critical vulnerability patched in today's release also affects widespread applications -- in this case, Outlook Express and Microsoft Mail, the latter of which comes with Windows Vista. The patch addresses a remote code execution vulnerability that can appear in a malformed NNTP response. The hole could be exploited by creating a Web page with an e-mail link and triggered when the "mailto:" link is clicked.

Microsoft also issued a seventh critical security update for a less-known program, Kodak Image Viewer. The remote code execution vulnerability at issue affects Windows 2000, XP and Server 2003 systems.

In this instance, image files are the possible vector; a hacker could exploit the vulnerability with a specially crafted image that would allow for code execution once opened. As with the IE and Word fixes, the Kodak Image Viewer hole is also less likely to affect users without Administrator privileges.

Hiding malicious payloads within otherwise innocuous files, which can then be sent to unsuspecting users, has been a trend for about a year now, Sarwate said.

"It has been easier to send a malicious file because users who were not security-savvy were willing to open a file without realizing what they were doing or the potential risk," he said.

In addition to the critical fixes, Microsoft also listed two updates of lower importance. Those involved addressing a hole in the Remote Procedure Call (RPC) services found in all flavors of Vista, and a separate vulnerability in SharePoint services and server.

The RPC vulnerability could allow for a possible denial of service (DOS)   attack while performing an RPC request. In this case, a user can be victimized without doing a thing, since an attacker can send RPC packets to restart or shut down the affected machine.

Meanwhile, the SharePoint problem affects access rights in SharePoint Services 3.0 and Office SharePoint Server 2007, opening the door for an attacker's script to improperly elevate user privileges within the SharePoint site. The problem also could enable a hacker to run a script that modifies a user’s cache and wrongly disclosing information at their workstation.

Today's list of security bulletins represents an interesting mishmash of Microsoft products, notable by the fact that most of the problems are not related to operating systems.

While some parts of the Windows family needed some fixing, the bulk of this month's problems come from products outside of the OS. That continues a trend ongoing for some time now, seeming to suggest that Microsoft's OS releases are showing signs of becoming sufficiently hardened against threats, while applications still remain vulnerable.

Microsoft originally planned a seventh, undisclosed security bulletin as well. However, according to a spokesperson, the company decided at the last minute to withdraw it due to an unspecified "quality control issue."

As is tradition, Microsoft also took the opportunity Tuesday to update its Malicious Software Removal Tool to recognize a newly emerged threat. This month's update covers the Win32/Rjump variants.