Critical vulnerabilities in Microsoft Office star in the latest edition of Microsoft's Patch Tuesday updates.
All told, Microsoft has released six critical patches and five patches described as important, addressing a total of 26 underlying vulnerabilities. All six critical updates address code injection risks involving Access, Excel, Microsoft Office and Internet Explorer.
Both servers and (particularly) desktops will need patching to defend against the flaws, which affect the full range of Windows systems and many versions of Office. The total number of vulnerabilities addressed by the patch batch is the highest in two years.
Two of the patches (MS08-041 and MS08-042) cover vulnerabilities which had already been actively exploited by hackers, according to net security firm McAfee. Opening a rigged image or Office file as well as drive-by download attacks are all possible exploit scenarios for these flaws, which cover bugs in the ActiveX Control of Snapshot Viewer for Microsoft Access and a flaw in Word. Microsoft, for reasons best known to its security gnomes, rates the Word flaw only as "important" rather than critical.
McAfee reckons that updates that fix image processing flaws (MS08-044) and a cumulative update for Internet Explorer (MS08-045) are also likely targets for attacks and ought to receive prompt triage by sysadmins.
Microsoft originally planned to publish twelve bulletins on Tuesday because of a "last minute quality issue", a posting on Microsoft's Security Response Centre Blog explains. ®