Microsoft leaves Word zero-day holes unpatched

Software giant releases fixes for vulnerabilities in Windows and Office, but several known Word zero-day flaws go without patches.

Microsoft on Tuesday released fixes for vulnerabilities in its Windows and Office software, but left several known Word zero-day flaws without a patch.

As part of its monthly patch cycle, Microsoft published four security bulletins with fixes for 10 vulnerabilities. Three of the bulletins are deemed "critical," the company's most serious rating; the fourth is tagged "important," a notch lower. All bulletins, however, address flaws that could allow an attacker to commandeer a PC.

"Microsoft does recommend that all customers sign up for Microsoft Update and enable its Automatic Updates functionality to receive all updates available this month and to help make their systems more secure," a Microsoft representative said in an e-mailed statement.

Among Microsoft's fixes are three vulnerabilities that were previously known. Still, the company left several known zero-day vulnerabilities without a patch.

"Conspicuous by their absence are patches for the zero-day exploits in Word," Andrew Storms, director of security operations at network security firm nCircle, said in a statement. These patches were probably pulled due to quality issues, he said. Microsoft on Friday postponed four of its planned eight security bulletins.

All of the security vulnerabilities addressed by Microsoft's first fixes of 2007 relate to how multiple versions of Windows and Office handle specific files. Attackers could create malicious files that, when opened, at worst could give the attacker control of a vulnerable PC, according to Microsoft's bulletins.

Nine of the 10 security holes Microsoft provided fixes for lie in Office applications. Five affect Excel, three hit Outlook, and one impacts the Brazilian Portuguese grammar checker for Office. Opening rigged files could trigger the flaws and allow an attack to occur, Microsoft said. Both Windows and Mac versions of Office are affected.

"Today's patch release illustrates once again that the volume of client-side vulnerabilities for the Windows platform is not slowing down," Oliver Friedrichs, a Symantec Security Response director, said in a statement. "Attackers are exploiting vulnerabilities with increasing speed, and it's imperative that computer users protect themselves by installing updated software patches as quickly as possible."

The 10th hole is in Windows and is similar to a bug Microsoft rushed out a fix for in September after Windows users came under attack. The vulnerability lies in a Windows component called "vgx.dll" that is meant to support Vector Markup Language documents in the operating system. VML is used for high-quality vector graphics on the Web.

Like the first VML hole, this vulnerability can be exploited by tricking a user into viewing a malicious VML file on a Web site with Internet Explorer. All recent versions of Windows are vulnerable with all recent versions of IE, including IE 7, according to Microsoft. The exception is Windows Vista, which is not impacted, it said.

Microsoft's patches will be distributed via Automatic Updates and the company's Microsoft Update downloads Web site.

Featured Video

Who does it better? Apple Pencil vs. Surface Pen

The Apple Watch 2 is in development. The Apple Pencil and Surface pen go head-to-head and our NBA 2K16 giveaway!

by Brian Tong