Microsoft fixes critical holes in Windows, Word, Publisher
Microsoft on Tuesday issued security patches that plug critical holes in Microsoft Word and Publisher and a vulnerability in Windows for which a zero-day exploit has been available for weeks.
Zero-day exploits are considered particularly dangerous. While most security holes are plugged before an exploit is released, computers running vulnerable software for which there is a zero-day exploit already released are open to attack until the patch is available.
The critical Windows vulnerability was discovered in Microsoft Jet Database Engine 4.0. It allows an attacker to take complete control of an affected system, including installing malicious programs and modifying data.
Microsoft has acknowledged that people have been taking advantage of this vulnerability to compromise machines, said Amol Sarwate, manager of the vulnerability research lab at Qualys, which offers security as a service to corporations.
The other critical patches Microsoft released plug a hole in Microsoft Word and two holes in Microsoft Publisher that could allow attackers to remotely run code on an affected machine if the user were to open a specially crafted Word or Publisher file.
And Microsoft also fixed two holes rated "moderate" that would allow an attacker to shut down and restart the Microsoft Malware Protection Engine used in the company's security products including Windows Live OneCare and Windows Defender.
Missing from the patches was a fix for a vulnerability in the core Windows operating system for which there has been a zero-day exploit available for nearly a month, said Sarwate.
That unpatched vulnerability allows local users to escalate their privileges on a system and gain more access to resources and data. "It may look harmless," Sarwate says, but it not only gives insiders more control than they should have, but could enable outsiders to use the insider's escalated privileges to do damage.
"We were hoping to see a fix for that zero-day as well," he said.
More information about this month's Patch Tuesday patches is available here.
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor.
