Microsoft Patches Eight Security Holes, Five Critical

Altogether, the patch load plugged an array of security holes in Windows, Microsoft Office, Internet Explorer and Microsoft Internet Security and Acceleration Server. Of the eight security updates released, five were ranked critical, meaning attackers could exploit the vulnerabilities to run arbitrary code on victims' computers. Two were given the less severe rating of "important" and one was rated "moderate." Two of the critical flaws were already being actively exploited in the wild.

The update included two Microsoft Office patches that repair zero-day vulnerabilities already under active attack. Security experts say one of the most serious patches resolved a critical vulnerability in Microsoft Excel, first reported in February, which lets an attacker launch a malware attack simply by sending a user a malformed Excel file. Once the user opened the file, the attacker could run malicious code in the context of the logged-on user.

Another Office patch addressed an actively exploited flaw in WordPad and the Office text converters, first reported in December, which an attacker could trigger if a user opened a malicious file sent via e-mail.

"If you open a Word or WordPad file, it will execute code and hack your system," said Eric Schultze, chief technology officer for Shavlik Technologies. "In both cases, Microsoft has seen exploit code floating around."


The release also contained a fix for a previously reported critical Internet Explorer flaw, which could allow an attacker to execute malicious code if a user viewed a specially crafted Web page in the browser or if the browser was made to connect to an attacker-controlled server over HTTP. Typically, an attacker would use some kind of social engineering scam to direct victims to a malicious link or video embedded in an e-mail message.

Also included in the patch bundle was a fix for another critical remote code execution hole, this one in Microsoft DirectX, which could be triggered through a malicious Web site or video file and would give the attacker the same permissions as the logged-on user, Schultze said.

The final critical flaw was a bug in Microsoft Windows HTTP Services, which also allowed an attacker to take over a user's system by executing code remotely. Both the IE and the Windows HTTP flaws could be used in credential attacks, in which attackers execute code to grab victims' user names and passwords, then "replay those credentials and walk back onto your system," Schultze said.

Despite its moderate rating, one of the most significant bulletins was a fix for a vulnerability in the Windows SearchPath function which, when combined with a flaw in Apple's Safari, enabled a "carpet bombing" attack: a malicious site silently drops files onto the user's system, and the user then unknowingly launches malicious executables directly from the browser.

One Windows patch with a severity rating of "important" repaired a set of privilege escalation flaws known as Token Kidnapping. An attacker who could upload a malicious Web page to a shared network Web server could use it to run code as Local System, giving the attacker access to every customer site hosted on that server.

"It escapes the network service and runs as a local service," Schultze said. "It's really scary for those people who run those multi-site Web servers."

There were some mitigating factors, however. Schultze said that while exploit code was available for this flaw, an attacker would first need an account on the Web server in order to carry out an attack.

The other "important" patch addressed a flaw in Microsoft Internet Security and Acceleration Server and Microsoft Forefront Threat Management Gateway, Medium Business Edition, which could allow a denial of service attack if an attacker sent specially crafted network packets to an unpatched system. The flaw could also allow information disclosure or spoofing if the attack was delivered via the Web or a malicious link.

Schultze said that users should apply the patches, which are available for download from the Microsoft site, as soon as possible, giving priority to those that repair actively exploited vulnerabilities.