Microsoft Corp. today issued three bundles of updates fixing at least 11 security vulnerabilities in its software, mainly flaws in Microsoft Office products. But the company did not release an update today to remedy a critical flaw built into in all versions of the Internet Explorer Web browser that is now being exploited by at least one common, automated hacker toolkit.
Two of the updates address Office bugs, including one that is limited to older versions of PowerPoint and PowerPoint Viewer. Only one of today’s patches earned a “critical” rating, Microsoft’s most serious. But experts are warning that this critical Office vulnerability is likely to be used in targeted e-mail attacks against Microsoft Outlook users.
“One of the most dangerous aspects of this vulnerability is that a user doesn’t have to open a malicious email to be infected,” said Joshua Talbot, security intelligence manager for Symantec Security Response. “All that is required is for the content of the email to appear in Outlook’s Reading Pane. If a user highlights a malicious email to preview it in the Reading Pane, their machine is immediately infected. The same holds true if a user opens Outlook and a malicious email is the most recently received in their inbox; that email will appear in the Reading Pane by default and the computer will be infected.”
Microsoft did not issue an update to fix a zero-day flaw in Internet Explorer that bad guys are exploiting to break into Windows computers. Last week, the software giant warned that crooks were exploiting the flaw in targeted attacks, and that it had no intention of issuing a fix for the security hole outside of its normal monthly patching process (the second Tuesday of each month — today — is Patch Tuesday).
Since that advisory, the IE exploit has been bundled into the Eleonore Exploit pack, a powerful and widely-used commercial crimeware kit that makes it trivial for attackers to turn legitimate Web sites into platforms for installing malware when visitors browse the sites with vulnerable PCs.
If you have Office Installed, take a moment to visit Microsoft Update to patch things up. If you use IE, either upgrade to IE8 — which provides additional protections against this zero-day attack — or consider implementing the Fix-It tool that Microsoft has released to help mitigate the threat from the vulnerability.
A summary of today’s bulletins is available here.
Update, 7:03 p.m. ET: Added information at the end of this post on the Microsoft FixIt Tool.