IE, Outlook and Word get critical patches

Microsoft has issued six security patches for critical vulnerabilities in Word, Outlook Express, Internet Explorer (IE) and the Kodak image viewer that ships with Windows.

The updates fix nine bugs in Microsoft's products. In addition to the four critical updates, Microsoft also released "important" fixes for SharePoint and in Windows remote procedure call (RPC).

Nine updates is one less than expected. Last Thursday, Microsoft said it was planning to fix an unnamed flaw in Windows 2000 and Windows Server 2003 that could be used for "spoofing." That update was not included in Tuesday's patches.

Microsoft pulled the patch because of a "quality control issue," said the company. It's not unheard of for Microsoft to make such last-minute decisions. The SharePoint update that was released this week was pulled from the September updates for similar reasons.

The Word vulnerability may be of particular concern.

That's because it has been exploited by attackers, according to Christopher Budd, security program manager with Microsoft's Security Response Centre. "We're aware of very limited and targeted attacks, but the issue itself has not been publicly disclosed," he said.

The bug can be exploited by a maliciously crafted Word document. It was reported to Microsoft during the past three months, Budd said. This type of attack has been used many times over the past few years, exploiting bugs in a variety of Microsoft Office products. These attacks have been launched at a small number of select victims, often within government.

Though the Windows RPC flaw apparently cannot be exploited to run malware on a victim's machine, security experts consider it one of the week's most important patches. RPC has been the source of many virulent worms in the past, including 2003's Blaster, according to Amol Sarwate, manager of Qualys's vulnerability research lab.

"Whenever there is a denial of service there is always a chance of remote code execution," he said. However, even if hackers could find a way to use this bug to run unauthorised software, RPC is typically blocked by firewalls. This means that even if a worm could be crafted, it would have difficulty spreading.

Sarwate said that the IE patch, which fixes four bugs, should be moved to the front of the line by system administrators. That's because IE is so widely used and some of the bugs are very likely to be used in attacks.

Even users who have removed Outlook Express from their PCs should install this month's critical patch for this software, according to Microsoft's Budd. "The files in question are part of the core operating system, so what we tell people is if the bits in question are on the box then you should apply the security update."

The IE patch is the most critical, agreed Andrew Storms, director of security operations with nCircle Network Security. According to him, an address spoofing flaw that was patched in this update has been known publicly for three months. "The URL spoof has been known since at least July and it's the perfect tool for a phisher," he said.

As for what Storms would patch after installing the IE update? "Second on my list is pretty much a tie between everything else minus the SharePoint vulnerability," he wrote.