A ‘Critical’ Patch Day For Microsoft

Microsoft’s monthly round of security bulletins cuts across several parts
of the software giant’s product lineup and is designed to prevent attackers from taking control of users’ systems remotely.

Heading the list are three separate
bulletins that, in all, address eight separate newly discovered
vulnerabilities in Microsoft Office which could allow an attacker to take
complete control of an affected system.

MS07-023 addresses BIFF record, set font and filter record vulnerabilities in Excel, while MS07-024 addresses array overflow, document stream and RTF parsing vulnerabilities that potentially allow remote
execution of code. The last of the top three bulletins, MS07-025, fixes the drawing object vulnerability in Office.

An additional two fixes address a total of 10 vulnerabilities related to Microsoft
Exchange and Internet Explorer.

The other four bulletins include one that addresses four newly discovered
vulnerabilities in Microsoft Exchange, MS07-026. Another, MS07-027, addresses six vulnerabilities in Internet Explorer.

The last two bulletins are MS07-028, which addresses vulnerabilities in CAPICOM and Biztalk, and MS07-029, which provides a Microsoft Windows fix.

Microsoft also announced that its monthly installment of software
designed to remove malicious software from users’ systems is available today. Microsoft said this month’s update removes Win32/Renos. The
software removal tool is available here.

Security provider McAfee said its McAfee Avert Labs
worked with Microsoft to disclose and patch the
vulnerability in Word and is encouraging users to update their systems as
soon as possible.

“Of particular concern is the large number of Microsoft Office, Word,
Excel and Internet Explorer vulnerabilities being patched today,” said Dave
Marcus, security research and communications manager at McAfee Avert Labs.
“These applications are the most frequently targeted by malware
writers, so we recommend that all customers evaluate
their security coverage and policies to ensure they have adequate protection
in place.”

All of the security bulletins are available for download or as part of the regular automatic update download cycle
Microsoft offers to registered users.

Microsoft is offering a webcast for
systems administrators and others for more details on the security update
release. You can register online for the
webcast, which is set for May 9 at 11 a.m. PDT.
