The wait for Word fixes ended today when Microsoft neatly delivered a single patch to correct a list of zero-day exploits, while also offering up 11 other bulletins as part of its monthly Patch Tuesday security update.
Researchers said that at least five exploits targeting Word – the first dating back to early December – were in the wild until Microsoft today released bulletin MS07-014 to fix the flaws.
Successful exploitation of the vulnerabilities could lead to remote code execution if a user opens a specially crafted Word file, researchers have said.
Experts today praised Microsoft for releasing the fixes as a single patch.
"We didn’t see that there was anything propagating through the user community in a real strong way," Don Leatham, director of solutions and strategies at PatchLink, told SCMagazine.com. "(The one patch) will lighten the load (for administrators) and have them avoid managing so many patches."
"According to Microsoft, this should fix all the outstanding (Word) issues," said Mark Allen, manager of the data team at vulnerability management firm Shavlik Technologies. "I think what happened is (that) they found some quality assurance issues in recent incarnations of the patch, so they had to send it back to rework. To their credit, they weren’t ready to release it until they felt it was ready, and I appreciate that, from a Microsoft customer point-of-view."
Another highlight from today’s release was a patch for a vulnerability throughout Microsoft’s malware protection engine, which includes Windows Live OneCare, Microsoft Antigen, Windows Defender and ForeFront.
Remote code execution exploiting that flaw can occur when a user receives a malformed .pdf file that has been scanned by the malware protection engine, Leatham said. The file does not have to be opened for the user to be impacted.
"It’s configured, by default, to try to catch all the stuff coming in," said Allen of the malware engine.
But experts said PC users should not be too concerned.
"These products have their own built-in auto-update engines, so most people are probably already patched," said Michael Sutton, security evangelist at SPI Dynamics, which offers solutions to safeguard web applications. "But it’s amusing that there was a security vulnerability in a security product."
The update – which patched 20 flaws in total - also corrected critical ActiveX vulnerabilities that could affect users merely browsing websites. In addition, the update offered a cumulative fix for Internet Explorer versions 5, 6 and 7.
The 12 fixes – six of which are "critical" – is equal to the highest number of patches since last summer – guaranteeing network administrators will be busy this week of Valentine’s Day.
"There may be some special ladies out there not getting their roses," Leatham said.
Click here to email reporter Dan Kaplan.
