January 9, 2007 2:06 PM PST

Microsoft leaves Word zero-day holes unpatched

Microsoft on Tuesday released fixes for vulnerabilities in its Windows and Office software, but left several known Word zero-day flaws without a patch.

As part of its monthly patch cycle, Microsoft published four security bulletins with fixes for 10 vulnerabilities. Three of the bulletins are deemed "critical," the company's most serious rating; the fourth is tagged "important," a notch lower. All bulletins, however, address flaws that could allow an attacker to commandeer a PC.

"Microsoft does recommend that all customers sign up for Microsoft Update and enable its Automatic Updates functionality to receive all updates available this month and to help make their systems more secure," a Microsoft representative said in an e-mailed statement.

Among Microsoft's fixes are three vulnerabilities that were previously known. Still, the company left several known zero-day vulnerabilities without a patch.

"Conspicuous by their absence are patches for the zero-day exploits in Word," Andrew Storms, director of security operations at network security firm nCircle, said in a statement. These patches were probably pulled due to quality issues, he said. Microsoft on Friday postponed four of its planned eight security bulletins.

All of the security vulnerabilities addressed by Microsoft's first fixes of 2007 relate to how multiple versions of Windows and Office handle specific files. Attackers could create malicious files that, when opened, at worst could give the attacker control of a vulnerable PC, according to Microsoft's bulletins.

Nine of the 10 security holes Microsoft provided fixes for lie in Office applications. Five affect Excel, three hit Outlook, and one impacts the Brazilian Portuguese grammar checker for Office. Opening rigged files could trigger the flaws and allow an attack to occur, Microsoft said. Both Windows and Mac versions of Office are affected.

"Today's patch release illustrates once again that the volume of client-side vulnerabilities for the Windows platform is not slowing down," Oliver Friedrichs, a Symantec Security Response director, said in a statement. "Attackers are exploiting vulnerabilities with increasing speed, and it's imperative that computer users protect themselves by installing updated software patches as quickly as possible."

The 10th hole is in Windows and is similar to a bug Microsoft rushed out a fix for in September after Windows users came under attack. The vulnerability lies in a Windows component called "vgx.dll" that is meant to support Vector Markup Language documents in the operating system. VML is used for high-quality vector graphics on the Web.

Like the first VML hole, this vulnerability can be exploited by tricking a user into viewing a malicious VML file on a Web site with Internet Explorer. All recent versions of Windows are vulnerable with all recent versions of IE, including IE 7, according to Microsoft. The exception is Windows Vista, which is not impacted, it said.

Microsoft's patches will be distributed via Automatic Updates and the company's Microsoft Update downloads Web site.

See more CNET content tagged:
bulletin, vulnerability, attacker, patch management, flaw

7 comments

Join the conversation!
Add your comment
Patched or not, Microsoft technologies are insecure
It really doesn't matter if Microsoft patches current vulnerabilities or not. There will be plenty more where those came from. Anyone who really cares about the security of docs, or systems overall, uses non-Microsoft alternatives. And that's a fact.
Posted by Microsoft_Facts (109 comments )
Reply Link Flag
Patched or not, people like you are ignorant
It really doesn't matter either if Microsoft has updated Windows and Office versions without these flaws. True, there will be (not necessarily plenty) more where those came from, because the market share of these products it's huge. Anyone who really cares about security *and* compatibility, be it of docs or systems overall, uses Vista and Office 2007. A fact (because, unlike you, I can prove it with numbers) is most people choosing Microsoft when using an OS, browser and/or office suit: <a class="jive-link-external" href="http://marketshare.hitslink.com/" target="_newWindow">http://marketshare.hitslink.com/</a>.
Posted by Ryo Hazuki (378 comments )
Link Flag
And this surprises anyone....
Microsoft has other publicly announced vulnerabilities but the Word vulnerabilty KB notice was the funniest ever, the Workaround: Don't open Word Documents for untrusted sources and don't open Word documents for Trusted sources that you didn't expect.

So to be safe with a word document you need to schedule ahead of time with all that will receive your document or they shouldn't open it.

LAME...just lame.
Posted by fred dunn (793 comments )
Reply Link Flag
Your ignorance definitely doesn't surprise me...
Either that or use Office 2007.
Funniest thing for me is you bashing Microsoft for that workaround when Apple gave the exact same workaround for a Mac OS X flaw that could be exploited opening a "bad" email.
LAME... just lame.
Posted by Ryo Hazuki (378 comments )
Link Flag
Use Google Docs and Spreadsheets
Use Google Docs and Spreadsheets can open Microsoft Exel Docs, can import writley docs, and eventhough it won't work with as many features but it can't support a vires and you can still use word when you need to.

go to docs.google.com and (as usual) it is a free Google Service.
Posted by BaffyOfDaffy (3 comments )
Reply Link Flag
...and lose your important documents.
Very nice to be working in an important document with these online suits and suddenly the connection goes down and there goes all your hard work, even when you saved it before, like happened to many people already including a member of Cnet who reported that some months ago.
And, unlike what you say, online apps *are* prone to be exploited by hackers, just like recently happened with Gmail, nonetheless.
Posted by Ryo Hazuki (378 comments )
Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.