
Microsoft releases 12 fixes for 20 flaws - including Word bugs - on Patch Tuesday

By Dan Kaplan
Feb 13, 2007 10:34 PM
Researchers said that at least five exploits targeting Word – the first dating back to early December – were in the wild until Microsoft today released bulletin MS07-014 to fix the flaws.

Successful exploitation of the vulnerabilities could lead to remote code execution if a user opens a specially crafted Word file, researchers have said.

Experts today praised Microsoft for releasing the fixes as a single patch.

"We didn’t see that there was anything propagating through the user community in a real strong way," Don Leatham, director of solutions and strategies at PatchLink, told SCMagazine.com. "(The one patch) will lighten the load (for administrators) and have them avoid managing so many patches."

"According to Microsoft, this should fix all the outstanding (Word) issues," said Mark Allen, manager of the data team at vulnerability management firm Shavlik Technologies. "I think what happened is (that) they found some quality assurance issues in recent incarnations of the patch, so they had to send it back to rework. To their credit, they weren’t ready to release it until they felt it was ready, and I appreciate that, from a Microsoft customer point-of-view."

Another highlight from today’s release was a patch for a vulnerability throughout Microsoft’s malware protection engine, which includes Windows Live OneCare, Microsoft Antigen, Windows Defender and ForeFront.

Remote code execution exploiting that flaw can occur when a user receives a malformed .pdf file that has been scanned by the malware protection engine, Leatham said. The file does not have to be opened for the user to be impacted.

"It’s configured, by default, to try to catch all the stuff coming in," said Allen of the malware engine.

But experts said PC users should not be too concerned.

"These products have their own built-in auto-update engines, so most people are probably already patched," said Michael Sutton, security evangelist at SPI Dynamics, which offers solutions to safeguard web applications. "But it’s amusing that there was a security vulnerability in a security product."

The update – which patched 20 flaws in total – also corrected critical ActiveX vulnerabilities that could affect users merely browsing websites. In addition, the update offered a cumulative fix for Internet Explorer versions 5, 6 and 7.

The 12 fixes – six of which are "critical" – equal the highest number of patches since last summer, guaranteeing network administrators will be busy this week of Valentine’s Day.

"There may be some special ladies out there not getting their roses," Leatham said.
