Microsoft on Tuesday delivered two patches to address three vulnerabilities, but because of default settings, built-in protections and unaffected newer versions, experts don't anticipate widespread attacks ensuing.
Bulletin MS11-035 is the most pressing of the two fixes, as it corrects a single "critical" vulnerability in Windows Internet Name Service (WINS), which is not turned on by default. The flaw can be exploited, however, if an attacker sends malicious code to a targeted system that is running WINS.
"What might make the WINS vulnerability appealing to attackers is that it is a server-side issue," said Joshua Talbot, security intelligence manager at Symantec Security Response. "That means an attacker wouldn't have to trick a user into doing anything. All they would have to do to exploit this is find a server running the vulnerable service and send that machine a malicious string of data."
The issue affects Windows Server 2003 and 2008, but Talbot said built-in security features, Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR), "will probably keep most attackers from achieving a complete takeover."
MS11-036, meanwhile, addresses two vulnerabilities, rated "important," in PowerPoint running in Office 2003, 2007 and XP, and Office 2004 and 2008 for Mac. According to Microsoft, the Office flaws can lead to remote code execution if a user is tricked into opening a malicious PowerPoint file. The attacker may then be able to obtain the same rights as the victim.
Office 2010 for Windows and Mac, however, are not affected
Despite the mitigations and that Tuesday's update fixes three issues that were privately known, attackers may act quickly to create exploits, experts said.
The update also marked a revamped version of Microsoft's exploitability index.
