Microsoft released its Patch Tuesday update today, which includes a fix for a zero-day flaw affecting Microsoft Office Access that has been targeted by hackers. Other fixes address issues in Microsoft Excel, PowerPoint, Windows and other products.Microsoft released its August Patch Tuesday update Aug. 12 with 11 bulletins that plug 26 security holes across multiple products.
Six of the bulletins are rated "critical" and address remotely
exploitable flaws in Internet Explorer, PowerPoint, Excel, Microsoft
Office Access, Microsoft Office and the Windows operating system. The
critical bulletins swat a total of six bugs in Internet
Explorer, five affecting Microsoft Office filters, four in
Microsoft Excel, three in Microsoft PowerPoint, and one apiece
affecting Office Access and the Windows Image Color Management system.
"The patches that
address zero-days issues are the most critical as some of the zero-days
are actively being exploited by attackers,” said Amol Sarwate, manager
of the vulnerabilities lab at Qualys. “It’s important to note that
users should make it a priority to install all of the patches this
month. This is the biggest batch of client-side security patches we’ve
seen from Microsoft."
In July, Microsoft reported Office Access was
falling victim to targeted attacks trying to take advantage of a bug in
the ActiveX control for Snapshot Viewer. The vulnerability is
exploitable via a malicious or compromised Web page, and affects the
ActiveX control for the Snapshot Viewer for the Microsoft Office Access
2000, 2002 and 2003 versions. The vulnerability is addressed in
bulletin MS08-041.
Other zero-day vulnerabilities addressed by the update include a fix
for Microsoft Word that was rated “important” and has been exploited in
the wild. Another zero-day, also rated important, lies in Windows
Messenger and allows attackers to steal information such as a user’s ID
and initiate audio or video conferences without the knowledge of the
logged-on user.
Another key bulletin is MS08-046, which addresses an issue in the
Windows Image Color Management (ICM) system. The vulnerability is
triggered by a heap overflow when the Microsoft Color Management System
(MSCMS) module of the ICM component improperly allocates memory for a
specially crafted image file. A successful exploit would mean getting a
user to view the malicious image file, and could give the attacker
complete control of an affected system. The vulnerability affects
Windows 2000 and XP as well as Windows Server 2003.
Other bulletins rated “important” fixed flaws in Windows, Outlook Express and Windows Mail.
/ 8 
