Microsoft's March 'Patch Tuesday' More Lamb Than Lion
Wednesday, 10 March 2010
By Cara Garretson
Microsoft has released a light load of fixes as part of its monthly Patch Tuesday event, unlike the 13 security updates that the software giant released in February. However, reports of a new zero-day vulnerability affecting Internet Explorer, which Microsoft confirms hackers are attempting to exploit, could bring a security release update sooner than April.
On Tuesday, Microsoft released a fix for one vulnerability found in both Windows Movie Maker and Microsoft Producer 2003, and another fix that addresses a number of security holes in Excel. Both vulnerabilities are rated "important," which is mild compared to the "critical" ratings that five patches were assigned last month.
According to the company, the vulnerability found in Windows Movie Maker could allow for remote code execution if someone sent a specific type of Movie Maker or Microsoft Producer project file, and managed to convince the recipient to open it. Once opened, the file would give the sender access to the recipient's system with the same level of access as that user has; users with administrative rights would suffer more damage to their systems than those who operate with fewer rights, says Microsoft.
Products affected by the vulnerability include Microsoft Office and Microsoft Windows. The security update resolves the issue by changing the way that Windows Movie Maker parses project files, according to the company.
The second security update addresses seven vulnerabilities reported in Excel, which could also cause remote code execution. Users who open a specially crafted Excel file could give an attacker access to their systems with the same level of user rights that they are assigned. The patch addresses this issue by changing the way that Excel parses specially crafted files, the company says. The product affected by the vulnerability is Microsoft Office.
Microsoft said it is investigating a zero-day vulnerability in IE 6 and IE 7 (though not the latest version, IE 8) that could allow for remote code execution. The company detailed mitigation and workarounds for the issue and is conducting an investigation into the vulnerability, though no patch has been issued yet. Microsoft said it is aware of targeted attacks that are attempting to gain unauthorized access to systems using this vulnerability.
"The vulnerability exists due to an invalid pointer reference being used within Internet Explorer," according to the security advisory. "It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution."
Microsoft's investigation into the vulnerability could lead to a patch in next month's security update release, or to an "out of cycle" release, meaning a patch that is made available at times other than the first Tuesday of every month.