Microsoft released four security bulletins today to address nine critical vulnerabilities in Excel, Outlook and vector markup language (VML) – but perhaps the biggest news out of the security update is what it did not address.
The software giant did not offer fixes for three zero-day holes in Word, two of which, according to Microsoft researchers, have been exploited in "limited and targeted attacks."
Those two have now survived consecutive Patch Tuesdays without being sewed up.
Initially, Microsoft had planned to issue eight fixes today but released half that many, leading some security researchers to speculate that the Word fixes originally were included but were axed because they did not pass last-minute quality assurance testing across Office's huge user base.
"These patches were probably pulled due to quality issues – Microsoft has traditionally done a very good job of not issuing patches that are disruptive," said Andrew Storms, director of security operations at nCircle. "However, the business impact and public scrutiny of these missing patches is high enough that it is likely Microsoft will issue an out-of-cycle patch for these vulnerabilities."
The security update, however, did include several significant fixes, notably a patch for a vulnerability in VML that could be exploited for remote code execution and one in Outlook that could crash the email client.
In the VML case, users could be infected by following a link to a website that employs the scripting language, Lamar Bailey, senior operations manager at X-Force, IBM Internet Security Systems' research and development wing, told SCMagazine.com today. He said the bug is being exploited in the wild, which makes patching it crucial.
With the Outlook bug, should a user receive a maliciously coded HTML email, his or her email system could "jam up," causing Outlook to stop functioning until the infected message is deleted, Eric Schultze, chief security architect for Shavlik Technologies, told SCMagazine.com today.
"This could end up causing widespread disruption among organizations," he said.
Jonathan Bitle, manager of technical account care at Qualys, told SCMagazine.com that the Oulook flaw is the most critical because most businesses rely on it as a primary means of communication.
Today's update also released fixes for vulnerabilities in Excel that, if exploited, could allow an attacker to gain control of a system by duping a user into opening a maliciously crafted file. The patch appears to have come just in time, as a Microsoft spokesman told SCMagazine.com today that the company was investigating "detailed exploit code" targeting the vulnerability.
Microsoft additionally released a bulletin addressing an "important" flaw in Office 2003's Portuguese grammar checker that could lead to code execution.
Experts said the four fixes represent a continued trend toward client-side vulnerabilities.
Meanwhile, if Microsoft fails to release out-of-band patches for the unpatched Word flaws, instead choosing to wait for the next scheduled Patch Tuesday (Feb. 13), security professionals might use the popular RSA Conference in San Francisco as a forum for publicly ridiculing the software giant, Schultze predicts. The conference runs the week of Feb. 5.
"It will be a good time for someone to grandstand and talk about it," Schultze said.
Click here to email reporter Dan Kaplan.