Microsoft has released its February round of security updates, complete with some long-awaited patches for its Office productivity suite of applications. This month's Patch Tuesday addresses multiple critical fixes for vulnerabilities in both Office and Microsoft's line of security products. Altogether, Microsoft patched 20 flaws with its current release.
Eleven of the patches were labeled "critical," the highest ranking in Microsoft's scoring system. Eight of the patches fix Office flaws, including six vulnerabilities in Word and one each for Excel and PowerPoint. While all of these patches are significant from a security standpoint, the patch called MS07-010 seems to be stealing the spotlight.
MS07-010 fixes a critical bug in the malware-scanning engine used by Windows OneCare, Windows Defender, and Forefront Security and Antigen products. Hackers could exploit the flaw to take complete control of a victim's PC by feeding malformed PDFs to the computer through e-mail. The flaw is of particular concern to analysts.
"This continues the trend of malware authors targeting widely deployed Microsoft business applications and services," said Dave Marcus, security research and communications manager at McAfee's Avert Labs. "Malware authors continue to find unknown or unpatched vulnerabilities in popular applications and services which are then used in zero-day attacks, putting both business and consumer data at risk."
Security Focus
The MS07-010 patch, which comes on the heels of last week's RSA conference at which Microsoft Chairman Bill Gates delivered a keynote emphasizing the company's focus on security, came as a surprise to some.
"While this release does not contain any vulnerabilities that directly exploit the Vista core operating system, programs like Windows Defender, Antigen, and Windows Live OneCare are applications that can be installed on Windows operating systems including Vista," said Amol Sarwate, manager of the vulnerability research lab at Qualys.
According to Minoo Hamilton, senior vulnerability researcher for nCircle, Microsoft's continuing investment in security is starting to pay off, with many products becoming more secure in more recent versions. However, Hamilton said, MS07-010 is a critical vulnerability that demonstrates there is more work to be done.
"This vulnerability shows that many Microsoft products are still vulnerable to some of the same type of attack techniques that have been in play for the last couple of years," he noted. "Consumers and enterprises using the latest versions of Windows need to be aware that any and all of these products are still vulnerable." (continued...)
|