Microsoft released patches to fix 26 vulnerabilities in the company’s software, including major issues in its Internet Explorer browser and Office suite of productivity applications.
The eleven patches, published on Microsoft’s monthly schedule, included six fixes rated Critical — Microsoft’s highest rating of severity — and five updates rated Important — the company’s second highest. One patch, a cumulative update for Internet Explorer, addressed a half dozen vulnerabilities that could be used by an online attacker to remotely exploit a victim’s computer, according to Microsoft’s security bulletin.
Users should update their systems as soon as possible, said Karthik Raman, a research scientist at McAfee.
“Many of the vulnerabilities addressed by the fixes could be exploited if a Windows user simply views a malformed image or visits a malicious Web site, a favorite attack method among cybercriminals,” Raman stated in an analysis of the patches sent to SecurityFocus.
Many other vulnerabilities affected components of Microsoft’s popular Office software, including flaws in the way Excel and PowerPoint handle various data types and the way the applications process different types of image files. Most Office flaws are only considered Critical for the aging Office 2000 version of the product.
As announced at the Black Hat Security Briefings, Microsoft will soon allow security companies to have some information about the vulnerabilities being patched each month, so the firms can provide their clients with additional protection on patch day. Microsoft had previously warned of attacks using one of the flaws found in Word.
Microsoft recommends that users set their systems to automatically download updates from the company’s Windows Update service.