5 IE Flaws Patched with 14 Others

For May's Patch Tuesday, Microsoft corrected a total of 19 security flaws across its consumer and business product lines, with an update for IE fixing five remote code execution vulnerabilities. A highly publicized DNS flaw was also patched.

Seven critical security bulletins were issued, three of which affect Office. MS07-023 fixes three separate flaws in Excel that could lead to remote code execution, while MS07-024 does the same for three vulnerabilities in Microsoft Word.

MS07-025 patches a critical vulnerability in Office related to the way the software handles a specially crafted drawing object. An attacker could exploit this vulnerability when Office parses a file and processes a malformed drawing object. All versions of Microsoft Office from 2000 to 2007 are affected.

Targeting Exchange Server, MS07-026 resolves four critical issues related to Outlook Web Access script injection, malformed iCal files, MIME decoding and IMAP literal processing. Exchange 2000 through 2007 could be exposed to remote code execution.

MS07-027 is a large bulletin for Internet Explorer 6 and 7, in addition to version 5.01 on Windows 2000. Five separate vulnerabilities have been addressed by the patch, and Microsoft is urging all users to update their browsers. One zero-day vulnerability is among the fixes.

Last are MS07-028, which addresses a critical certificate-related flaw in Microsoft CAPICOM and BizTalk, and MS07-028 for the DNS flaw affecting Windows 2000 and Windows Server 2003. Microsoft issued a security advisory about the DNS issue, which lets an attacker trick the server into running arbitrary code remotely in the Local System context.

"The Exchange Server flaw is extremely dangerous and PatchLink classifies this as a mandatory fix. This vulnerability could be used to drop malware, spam, and can also be used for targeted attacks where a hacker can drop a back door Trojan on the site," commented Paul Zimski, Senior Director at PatchLink.

"Since email is at the core of proprietary information for an organization, this is particularly powerful. If a hacker exploits this vulnerability, they have the opportunity to control the ebb and flow of all day-to-day business communications."

The 7 security patches are available for download via Windows Update and Microsoft Update, and will be delivered automatically to users with the feature enabled.


© 1998-2024 BetaNews, Inc. All Rights Reserved.