Microsoft fixes Office, Windows flaws

Patches released in Microsoft's monthly security update cycle tackle six holes in Office and one in Windows.

As part of its monthly patch cycle, Microsoft on Tuesday released fixes for six security holes in Office and one flaw in Windows.

Five of the six vulnerabilities in Office are specific to Excel. The most serious flaws could allow an attacker to gain control over a vulnerable PC running the spreadsheet program, Microsoft said in Security Bulletin MS06-012. In all cases, the miscreant would have to persuade the user to open a malformed Excel file, the software maker said.

The sixth problem affects a range of Office applications, including some versions of Word, Outlook and PowerPoint. Microsoft deems the Office security issues "critical." "We recommend that customers apply the update immediately," the company said in its bulletin.

Microsoft's second update deals with an operating system issue that affects Windows XP with Service Pack 1 and Windows Server 2003. The vulnerability could enable someone who already has limited user privileges on a vulnerable computer to gain so-called "administrative," or full, user rights, Microsoft said in Security Bulletin MS06-011.

The Windows flaw and two of the Excel vulnerabilities had been previously disclosed, Microsoft said. However, the company added that it has not seen any attacks that take advantage of the holes.

In addition to its own security fixes, Microsoft on Tuesday also released a security advisory alerting users to an update issued by Adobe Systems. This update addresses a publicly known vulnerability in the ubiquitous Macromedia Flash Player, a third-party software application that Microsoft has distributed with Windows.