Microsoft releases eight security bulletins for April's Patch Tuesday. Some of the bulletins address issues being targeted by hackers in the wild, including vulnerabilities in Microsoft Office Excel and WordPad. There are also fixes for Internet Explorer and other Microsoft products.
Microsoft has bundled five critical bulletins into a mammoth April Patch Tuesday. The release contains a total of eight bulletins, a few of which address vulnerabilities already under attack. Among these are critical bulletins affecting Microsoft Office Excel and text converters for WordPad and Office.
The Excel bulletin addresses two memory corruption vulnerabilities in Excel tied to the way the program parses the Excel spreadsheet file format. One of these flaws is already on the radar of hackers and is being targeted by a Trojan making the rounds on the Web. Both of these flaws affect multiple versions of the product but are only rated "critical" for Excel 2000. The bulletin's severity is lowered to "important" for other Excel versions because later editions generate prompts that require additional user interaction for the exploits to work.
The bulletin covering the WordPad and Office text converters touches on four issues, including two bugs Microsoft says are being targeted in the wild. According to Microsoft, hackers have been targeting a vulnerability in the way the text converters in WordPad and Office process memory when a user opens a specially crafted Word 6 file with malformed data. Attackers have also had their eyes on a vulnerability in the way WordPad processes memory when parsing specially crafted Word 97 documents.
While attackers have reportedly only been exploiting some of the bugs, they may be knocking on the doors of others very soon. Two of the three vulnerabilities affecting Microsoft Windows HTTP Services already have either exploit code or exploit tools
Also included in the round of patches is a critical cumulative update for Internet Explorer that swats six bugs in IE 7 and earlier versions of the browser. There is also a serious vulnerability in Microsoft DirectShow that could permit a hacker to remotely execute code if a user opens a malicious M-JPEG file.
"This software is a core component of Microsoft Windows 2000, XP and Server 2003 and is used as an interface by most Windows-based applications, such as Microsoft Media Player, that play multimedia files," said Holly Stewart, threat response manager for IBM's X-Force, adding that attackers have increasingly turned to this exploit method in the past year.
The bulletins rated "important" included privilege escalation issues in Windows and denial-of-service bugs in Microsoft ISA Server, and a blended threat privilege escalation vulnerability in SearchPath is rated "moderate."