Microsoft plugged 40 holes with 17 patches today and said it will improve the security of Office 2003 and Office 2007 by adding a feature to the older versions of its productivity software that opens files in Protected View.
Customers should focus on the two critical bulletins that are part of Microsoft's monthly Patch Tuesday security update, says Jerry Bryant, group manager for response communications in Microsoft's Trustworthy Computing Group. The first is MS10-090, a cumulative update for Internet Explorer. It fixes seven vulnerabilities in the browser and affects IE 6, 7 and 8. There have been attacks targeting IE 6 on Windows XP, Bryant said.
The other critical bulletin is MS10-091, which fixes several vulnerabilities in the Windows Open Type Font driver. It affects all versions of Windows, primarily on third-party browsers that natively render the Open Type Font, which IE does not, according to Bryant.
The other bulletins are not critical and "could potentially be put off until after Christmas," he said in an interview with CNET. Windows (all supported versions), Office, IE, SharePoint, and Exchange are affected by the bulletins. Details are in the security advisory here and in the Microsoft Security Response Center blog post.
Meanwhile, the company will be porting Office File Validation, which is currently in Office 2010, to Office 2003 and Office 2007 by the first quarter of next year, Bryant said. It will be an optional update.
The move will help protect customers from attacks that target about 80 percent of the Office vulnerabilities, Bryant said. Attackers typically create a document that uses an exploit and e-mail the maliciously crafted document to potential victims or host it on a Web site and prompt people to open it.
Office File Validation checks a file against the binary schema of its format, such as .doc or .xls, and alerts the user if it detects a problem. "If the user wants to edit or continue to open the document then there are severe warnings about what that might mean" and that it could be dangerous, Bryant said.
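To make the idea of a binary-schema check concrete, here is an added example that is not Microsoft's Office File Validation code and does not reproduce its rules. It validates only the fixed 512-byte header of the OLE2 Compound File Binary format that legacy .doc and .xls files use (signature, version, byte order, sector sizes and a few allocation-table fields) and returns a list of inconsistencies that a defender could use to route the file to a read-only or sandboxed view rather than opening it normally. The sample headers are constructed inline, not taken from real documents; `build_sample_header` and `validate_cfb_header` are names chosen for this example.

```python
import struct

# Signature every OLE2 / Compound File Binary (.doc, .xls, .ppt) file starts with.
CFB_SIGNATURE = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
HEADER_SIZE = 512
ENDOFCHAIN, FREESECT = 0xFFFFFFFE, 0xFFFFFFFF


def validate_cfb_header(data: bytes) -> list:
    """Return the schema violations found in a CFB header (empty list = consistent).

    Only the fixed header is inspected; this is a structural sanity check, not a
    full parse of the FAT, directory and streams.
    """
    problems = []
    if len(data) < HEADER_SIZE:
        return ["file shorter than the 512-byte CFB header"]
    if data[:8] != CFB_SIGNATURE:
        return ["missing OLE2 signature D0CF11E0A1B11AE1"]  # nothing else is meaningful
    if data[8:24] != b"\x00" * 16:
        problems.append("header CLSID must be all zeros")

    minor_ver, major_ver, byte_order, sector_shift, mini_shift = struct.unpack_from("<HHHHH", data, 24)
    if byte_order != 0xFFFE:
        problems.append(f"byte-order mark 0x{byte_order:04X} is not 0xFFFE (little-endian)")
    if major_ver not in (3, 4):
        problems.append(f"unknown major version {major_ver}")
    expected_shift = {3: 9, 4: 12}.get(major_ver)  # 512-byte or 4096-byte sectors
    if expected_shift is not None and sector_shift != expected_shift:
        problems.append(f"sector shift {sector_shift} does not match version {major_ver} (expected {expected_shift})")
    if mini_shift != 6:
        problems.append(f"mini sector shift {mini_shift} is not 6 (64-byte mini sectors)")
    if data[34:40] != b"\x00" * 6:
        problems.append("reserved bytes 34-39 must be zero")

    (num_dir_sectors, num_fat_sectors, first_dir_sector, _txn_sig, mini_cutoff,
     _first_minifat, _num_minifat, first_difat, num_difat) = struct.unpack_from("<9I", data, 40)
    if major_ver == 3 and num_dir_sectors != 0:
        problems.append("version 3 files must report 0 directory sectors")
    if mini_cutoff != 0x1000:
        problems.append(f"mini stream cutoff 0x{mini_cutoff:X} is not 0x1000")
    if num_fat_sectors == 0:
        problems.append("FAT sector count is zero; no allocation table")
    if first_dir_sector in (ENDOFCHAIN, FREESECT):
        problems.append("first directory sector is not a real sector")
    if num_difat > 0 and first_difat in (ENDOFCHAIN, FREESECT):
        problems.append("DIFAT chain advertised but its first sector is not a real sector")
    return problems


def build_sample_header(**overrides) -> bytes:
    """Construct (not captured from a real file) a minimal, consistent v3 CFB header.

    Keyword overrides let a test deliberately corrupt individual fields.
    """
    f = dict(minor=0x003E, major=3, byte_order=0xFFFE, sector_shift=9, mini_shift=6,
             num_dir=0, num_fat=1, first_dir=1, txn=0, cutoff=0x1000,
             first_minifat=ENDOFCHAIN, num_minifat=0, first_difat=ENDOFCHAIN, num_difat=0)
    f.update(overrides)
    hdr = CFB_SIGNATURE + b"\x00" * 16
    hdr += struct.pack("<HHHHH", f["minor"], f["major"], f["byte_order"], f["sector_shift"], f["mini_shift"])
    hdr += b"\x00" * 6
    hdr += struct.pack("<9I", f["num_dir"], f["num_fat"], f["first_dir"], f["txn"], f["cutoff"],
                       f["first_minifat"], f["num_minifat"], f["first_difat"], f["num_difat"])
    # In-header DIFAT: entry 0 points at FAT sector 0, the other 108 entries are free.
    hdr += struct.pack("<I", 0) + b"\xFF" * (4 * 108)
    assert len(hdr) == HEADER_SIZE
    return hdr


if __name__ == "__main__":
    print("clean header:", validate_cfb_header(build_sample_header()))
    print("tampered header:", validate_cfb_header(build_sample_header(sector_shift=12, num_dir=7)))
```

A file that fails these checks is not necessarily malicious, and one that passes is not necessarily safe; the value of such a gate is that a file whose header contradicts its own format is exactly the kind of input a parser was never tested against, so routing it to a read-only, sandboxed view before any code runs on it removes most of the risk at low cost.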