As Microsoft pushes out two Patch Tuesday security updates for Windows and Office Excel, the company warns that attackers are targeting a vulnerability in Internet Explorer that can be used to hijack machines.
Microsoft issued a warning March
9 for Internet Explorer users as the company pushed out its monthly round of
patches to cover security holes in Windows and Microsoft Office Excel.
In an advisory, the company warned
that a new vulnerability was being targeted in attacks
against Internet Explorer 6 and 7.
IE 8 is not believed to be
affected. According to Microsoft, the vulnerability is due to an invalid
pointer reference being used within IE and can be exploited by tricking users
into visiting a malicious or compromised Web page.
"At this time, we are
aware of targeted attacks attempting to use this vulnerability ... Based on our
investigation, setting the Internet zone security setting to High will protect
users from the issue described in this advisory," the company stated.
Besides changing the
Internet zone settings, users can also modify the access control list on
iepeers.dll. Instructions are contained within the advisory.
In addition to the advisory,
Microsoft released two
March 9 for Patch Tuesday. The bulletins fix eight
vulnerabilities affecting Windows and Office. Both security bulletins are rated
important-the company's second-highest designation-and both were given an
exploitability index rating of 1, meaning development of successful attack code
relating to the vulnerabilities they fix is likely.
addresses a vulnerability in Windows Movie Maker and Microsoft Producer 2003
that could allow an attacker to remotely execute code if a victim opens a
specially crafted Movie Maker or Producer file. Windows Live Movie Maker, which
is available for Windows Vista and Windows 7, is not affected by this
The second bulletin, MS10-017,
addresses seven vulnerabilities that impact all supported versions of Microsoft
"MS10-017 should be
addressed first on your network," Jason Miller, data and security team leader
at Shavlik Technologies, said in an e-mail. "Microsoft Excel attachments
are as common as Meryl Streep nominations at the Oscars [and] opening a
malicious Excel document could lead to remote code execution."
It is important to note that
MS10-016 affects Microsoft Producer 2003, he added, and that rather than
provide a patch, Microsoft is suggesting administrators remove the affected
component from their machines.
"This is a great example of why
administrators should take time each month and research the information
associated with each bulletin," Miller said. "Simply blindly pushing
out patches does not necessarily make your network secure."