Microsoft Issues Two Important Patches, Warns Of IE Zer-Day
Specifically, Microsoft patched one vulnerability in Windows Movie Maker, affecting XP and Vista, which could be exploited by remote hackers to launch malicious code onto users' PCs. During an attack, a hacker could create and send a malicious Movie Maker or Producer media file to a victim—typically delivered via e-mail. The victim would become infected with malicious code once they opened the file.
In the patch, Microsoft also called out Microsoft Producer 2003 in the affected products list, failed to update the application, downplaying Producer 2003 as "a free download with limited distribution."
"Our standard approach is to produce updates that can be deployed automatically for all affected products at the same time but Producer 2003 does not offer a means for automatic update," said Jerry Bryant, Microsoft senior security communications manager, in a blog post Tuesday. "Based on our investigation, we determined that the best way to protect the vast majority of customers was to release an update addressing the components that shipped with Windows."
Bryant said that Microsoft continues to investigate security vulnerabilities in Producer 2003, but recommended that customers either uninstall the application or disassociate the project file type from the application via Microsoft Fix It, to further protect themselves from attack.
In addition, Microsoft also issued another "important" patch fixing seven security flaws in all versions of Excel, including Office 2004, Office 2008 for Mac, Open XML File Format Converter for Mac, and supported versions of Excel viewer and SharePoint 2007, which enabled hackers to launch malicious attacks if a victim opened an infected Excel file.
"As with most Office vulnerabilities, a user would have to open a specially crafted file in order to be exploited," Microsoft said.
Microsoft researchers recommend that users apply the patches as soon as possible, despite that this month's patch load repaired flaws giving the slightly less severe threat ranking of "important," contending that the vulnerabilities can still be exploited remotely by hackers.
Additionally, Microsoft also issued a security advisory warning users of a zero-day vulnerability affecting IE 6 and IE 7 which is already being exploited in the wild.
Vulnerable systems include Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6 and Internet Explorer 7 are vulnerable. However, Microsoft said that so far, Internet Explorer 8 and Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 are not affected.
Specifically, vulnerability occurs because of an invalid pointer reference within Internet Explorer, which could allow hackers to launch malware when the pointer reference is accessed after an object is deleted.
So far, Microsoft said that attacks exploiting the IE flaw appear to be "targeted."
"At this time, we are aware of targeted attacks attempting to use this vulnerability. We will continue to monitor the threat environment and update this advisory if this situation changes," Microsoft said in its advisory.
Down the road, Microsoft will either release a fix during a monthly patch update or as an out-of-band security update, in order to address the flaw.