Microsoft Fixes Zero-Day Word Flaws

Microsoft on Tuesday released a bevy of patches, including three critical patches for the Microsoft Windows operating system, two for Office, and a critical patch for its antivirus and anti-malware software products.

Altogether, twelve patches were released, and the Redmond company finally addressed the issues within Microsoft Word and Office that were being exploited in zero-day attacks. Both Office patches dealt with code execution issues.

The first patch dealt with a total of six vulnerabilities within Word, including malformed string, data structure, drawing object, and function issues, as well as issues with Word Count and Word macros. The patch is intended for Word 2000, 2002, and 2003, as well as Works Suites 2004 through 2006 and Office for Mac.

Also patched in a separate fix were flaws within PowerPoint and Excel. Both concern malformed record issues that could put users at risk of a code execution attack, Microsoft said.

Of the Windows patches, a fix has been released for the HTML Help ActiveX control which could allow an attack to execute arbitrary code by visiting a specially crafted webpage.

Flaws within Microsoft's Data Access Components were also remedied, as well as a new cumulative security update for Internet Explorer. That patch fixes two issues with the COM object, as well as an issue with FTP server usage.

The last of the critical issues fixes an issue within Microsoft's antivirus software. According to an advisory, the flaw exists in how the Malware Protection Engine processes PDF files. If a specially crafted file is sent through, it could open up a code execution risk.

The remaining patches were all rated important: four remote code execution vulnerabilities in Step-by-Step Interactive Training, Microsoft OLE Dialog, Microsoft MFC, and RichEdit. All, however require user interaction in order to be exploited.

Two elevation of privilege risks were also remedied, which existed in the Windows Shell and Image Acquisition.

Of the patches, security firm PatchLink put the highest priority on the fix for Microsoft's Data Access Components, saying the vulnerability could put at risk secure databases.

"An attacker successfully exploiting this vulnerability could take complete control of an affected system to install programs to view, change, or delete data; or create new accounts with full user rights," vice presdent of security Technologies Chris Andrew said.

"Organizations should review the specifics of this security bulletin and to ascertain level of risk, especially for organizations that are dealing with mission critical or customer data," he continued.