Microsoft patched 10 security flaws in its Excel, Outlook and Windows programs Tuesday in its first monthly security update of the year. Three bulletins addressed critical problems attackers could exploit to take complete control of targeted machines, while one was rated as important.
Michael Sutton, security evangelist for Atlanta-based security vendor SPI Dynamics Inc., said the most significant update is MS07-004, which fixes a flaw in the Vector Markup Language (VML) implementation within the Windows operating system.
"An attacker could exploit the vulnerability by constructing a specially crafted Web page or HTML email that could potentially allow remote code execution if a user visited the Web page or viewed the message," Microsoft said.
Sutton said the update is a big one because the flaw affects all versions of Internet Explorer (IE), including the recently-released IE 7.
"The good news is that user interaction is required for this kind of exploit to work," he said. "But when you have a huge user base like Internet Explorer, it stands to reason that someone will fall for this."
Sutton said the flaw will be a popular attack vector for bot herders looking to control as many machines as possible. He said those who are successful will be able to do whatever they want, whether it's launching spam and denial-of-service attacks or conducting phishing scams.
The other critical fixes are for flaws an attacker could exploit to "install programs, view, change or delete data; or create new accounts with full user rights," Microsoft said. They are:
MS07-002, which fixes five separate security flaws in Microsoft Excel, most of which are exploitable when the spreadsheet program parses certain files and processes malformed IMDATA, column and palette records. One of the flaws wasn't specified.
MS07-003, which fixes three separate flaws in Microsoft Outlook. The first flaw is exploitable when Outlook parses a file and processes a malformed VEVENT record. The second flaw is exploitable when Outlook parses an .oss file.
The third flaw is a denial-of-service condition that involves the way Outlook processes email header information. "An attacker who successfully exploited the vulnerability could send a malformed email to a user of Outlook that would cause the Outlook client to fail under certain circumstances," Microsoft said. "The Outlook client would continue to fail so long as the malformed email message remained on the email server."
A fourth security update, MS07-001, was rated important. It fixes a remote code execution vulnerability in the Microsoft Office 2003 Brazilian Portuguese Grammar Checker. An attacker could exploit the flaw when Office opens a file and parses the text, Microsoft said.
While this flaw was only rated as important, Microsoft warned that a successful attacker could do the same damage to targeted machines that could be done if one of the critical flaws were exploited.
Oliver Friedrichs, director of emerging technologies in the security response center at Cupertino, Calif.-based Symantec Corp., said in a statement that Tuesday's patch release shows that the volume of client-side vulnerabilities in Windows isn't slowing down.
"Attackers are exploiting vulnerabilities with increasing speed, and it's imperative that computer users protect themselves by installing updated software patches as quickly as possible," he said.
Tuesday's security update was only half as large as first expected. Microsoft said last week that it would release eight security updates, but decided a day later to hold off on four of them.
Asked for an explanation, a Microsoft spokesman said in an email exchange that the software giant always makes it clear in the Patch Tuesday advance bulletins that the number of bulletins, products affected, restart information and severities are subject to change until the official updates are released.
"There are many factors that impact the release of a security update, and every vulnerability presents its own unique challenges," he said, adding that Microsoft also tweaked its advance notification last month when it added MS06-078 to fix two zero-day flaws in Windows Media Player.