Microsoft Patch Tuesday Targets 26 Application Flaws

Microsoft released its Patch Tuesday update today, which includes a fix for a zero-day flaw affecting Microsoft Office Access that has been targeted by hackers. Other fixes address issues in Microsoft Excel, PowerPoint, Windows and other products.

Microsoft released its August Patch Tuesday update Aug. 12 with 11 bulletins that plug 26 security holes across multiple products.

Six of the bulletins are rated "critical" and address remotely exploitable flaws in Internet Explorer, PowerPoint, Excel, Microsoft Office Access, Microsoft Office and the Windows operating system. The critical bulletins swat a total of six bugs in Internet Explorer, five affecting Microsoft Office filters, four in Microsoft Excel, three in Microsoft PowerPoint, and one apiece affecting Office Access and the Windows Image Color Management system.

"The patches that address zero-days issues are the most critical as some of the zero-days are actively being exploited by attackers," said Amol Sarwate, manager of the vulnerabilities lab at Qualys. "It's important to note that users should make it a priority to install all of the patches this month. This is the biggest batch of client-side security patches we've seen from Microsoft."

In July, Microsoft reported Office Access was falling victim to targeted attacks trying to take advantage of a bug in the ActiveX control for Snapshot Viewer. The vulnerability is exploitable via a malicious or compromised Web page, and affects the ActiveX control for the Snapshot Viewer for the Microsoft Office Access 2000, 2002 and 2003 versions. The vulnerability is addressed in bulletin MS08-041.

Other zero-day vulnerabilities addressed by the update include a fix for Microsoft Word that was rated "important" and has been exploited in the wild. Another zero-day, also rated important, lies in Windows Messenger and allows attackers to steal information such as a user's ID and initiate audio or video conferences without the knowledge of the logged-on user.

Another key bulletin is MS08-046, which addresses an issue in the Windows Image Color Management (ICM) system. The vulnerability is triggered by a heap overflow when the Microsoft Color Management System (MSCMS) module of the ICM component improperly allocates memory for a specially crafted image file. A successful exploit would mean getting a user to view the malicious image file, and could give the attacker complete control of an affected system. The vulnerability affects Windows 2000 and XP as well as Windows Server 2003.

Other bulletins rated "important" fixed flaws in Windows, Outlook Express and Windows Mail.