As expected, Microsoft today closed a security hole in its PowerPoint presentation software, with a fix in its latest regular monthly installment of “Patch Tuesday” updates.
The patch addresses a glitch that Microsoft (NASDAQ: MSFT) ranks as “critical,” the highest ranking on its four-tier severity scale.
The zero-day
The zero-day hole had been discovered, and live attacks detected, just before Microsoft’s April Patch Tuesday. For several years, Microsoft has been releasing almost all of its patches on the second Tuesday of each month to provide users, particularly IT shops, with predictable and regular patch drops. But the timing of the zero-day’s discovery meant that it missed cut-off for inclusion in April’s round of updates.
The patch fixes a total of 14 separate vulnerabilities in all supported versions of Office PowerPoint — from Office 2000 Service Pack 3 (SP3) up through Office 2007 SP2. Of those, 12 rate a critical designation.
However, the only version of PowerPoint in which Microsoft rates the bugs as “critical” is the oldest — PowerPoint 2000 SP3. For later versions, up to and including PowerPoint 2007, the bugs rate as “important” — the second-highest Microsoft threat level.
That does not mean that “important” means “not to worry,” though. Often, the difference between a ratings is a question of one or two extra mouse clicks.
Several top security analysts, therefore, warned against complacency and urged users to apply the patch to all versions of PowerPoint.
“Although Microsoft only dropped one patch for PowerPoint this month, IT administrators shouldn’t get the wrong impression and breathe easy given the light load,” Paul Henry, security and forensic analyst for Lumension, said in an e-mail to InternetNews.com.
In fact, being too complacent could leave even a savvy user open to attacks that, once inside the firewall, could spread havoc, said another security analyst.
“A single e-mail with a malicious PowerPoint attachment exploiting these vulnerabilities could be enough to compromise the desktops of enough critical personnel to cripple even a large enterprise,” Tas Giakomuniakis, CTO at Rapid7, told InternetNews.com in an e-mail.
As a key component of Office, the sheer ubiquity of PowerPoint inside corporations means that even a bug tagged as important is still a threat to be dealt with.
“We think it’s very important to install the patch,” Qualys’ CTO Wolfgang Kandek told InternetNews.com.
With the PowerPoint vulnerabilities, all a user would need to do to trigger an attack is to open a booby-trapped PowerPoint file — delivered either in an e-mail or instant message, or through a malicious Web site.
Windows 7 RC real and “fake” updates
It’s the second round of patches for a major Microsoft offering in days. The company on Friday released a “hotfix” for the Windows 7 “Release Candidate” (RC), which began public testing last week.
Users testing the RC of Windows 7 — specifically, Windows 7 32-bit Ultimate — should install Friday’s hotfix, but only if they are affected by the bug it’s meant to fix, according to a Microsoft statement.
The Windows 7 RC of 32-bit Ultimate is missing some “security descriptors,” the lack of which do not allow the user to perform some user-level functions such as deleting a folder.
“This problem occurs because the English version of Windows 7 Release Candidate 32-bit Ultimate incorrectly sets access control lists (ACLs) on the root,” the company.
Additionally, beginning today, Microsoft plans to release as many as ten test updates for Windows 7. The updates — which do not actually update any system software — are meant to check to make sure that the RC properly supports Microsoft’s Windows Update system.
The updates aim “to verify our ability to deliver and manage updating of Windows 7 in certain real-life scenarios. These updates do not deliver any new features or fixes,” Microsoft’s Brandon LeBlanc wrote in a post on the Windows 7 Team blog.
This will be the second test of the feature. Microsoft released a similar set of dummy updates for the beta of Windows 7 back in February.