Microsoft today issued its security fixes for May, fixing six vulnerabilities in four bulletins. All six are client-side issues, with three affecting applications and one affecting Microsoft’s security products.
Three of the four bulletins are listed as critical, the most severe rating, while one is listed as moderate. The moderate fix is in the security software. MS08-029 addresses two privately reported issues affecting the Microsoft Malware Protection Engine that could allow a specially crafted file to cause a denial of service.
MS08-026 addresses two newly-discovered vulnerabilities in Microsoft Word that could allow remote code execution if a user opens a specially crafted Word file. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
MS08-027 addresses a vulnerability in Microsoft Publisher that would allow for the same scenario as the Word flaw. An attacker could take control of a system via a specially crafted file to install programs, view, change, or delete data, or create new accounts with full user rights.
The impact of both flaws would be lessened if the user's account were set to a more restricted level than Administrator, which is the level at which most computers are configured.
MS08-028 resolves a vulnerability in Microsoft Jet Database Engine 4.0, a.k.a. Jet. Like the other vulnerabilities, it could allow a hacker to gain complete control of the system and make changes to the system through a specially crafted file.
Also, Microsoft (NASDAQ: MSFT) has reissued a bulletin from two years ago for people who have installed Windows XP Service Pack 3. Bulletin MS06-069 from November 2006 must be reapplied if you install Service Pack 3. The binary itself has not changed.
There have been two additions to Microsoft’s Malicious Software Removal Tool. This month’s update removes the “Win32/Oderoor” and “Win32/Captiya” line of Trojans.
Microsoft will hold a live chat on Wednesday, May 14, at 11:00 AM PDT to discuss this month’s fixes.