Microsoft offers two fixes, but reveals a zero-day bug

Microsoft on Tuesday delivered two "important" patches to remedy eight vulnerabilities, seven of which are present in Office Excel.

The MS10-017 Excel bulletin affects all supported versions of Excel, as well as Office 2004 and 2008 for Mac, the Open XML File Format Converter for Mac, supported versions of Excel viewer and SharePoint 2007. Victim machines can be infected if a user opens a specially crafted file.

Tuesday's other patch, MS10-016, corrects a single vulnerability in versions 2.1, 2.6 and 6.0 of the Windows Movie Maker video creation and editing software, affecting Windows XP and Vista. The attack is spread by tricking a user into opening a malicious Movie Maker project file with the .mswmm extension.

Microsoft on Tuesday also revealed a zero-day vulnerability in Internet Explorer (IE) 6 and 7, which could result in remote code execution. The issue does not affect Microsoft's newest browser, IE 8.

The flaw currently is being exploited in targeted attacks, the company said in an advisory. Users are encouraged to upgrade to IE 8. Failing that, the bug can be mitigated through IE Protected Mode, which is turned on by default in IE 7 running on Vista.

Both of the patches released Tuesday earned a "2" rating on Microsoft's deployment priority scale (out of three) and a "1" on its exploitability index (also out of three).

Not included in Tuesday's update was a fix for a zero-day VBScript vulnerability, confirmed in an advisory last week. The issue does not affect Windows 7, Server 2008, Server 2008 R2 and Vista, and Microsoft said it is not aware of any active attacks. Customers, however, are encouraged to apply the workarounds documented in the advisory.
