Microsoft on Tuesday released fixes for 19 security flaws in several of its products, including the new Internet Explorer 7, Office 2007 and Exchange 2007.
The company published seven security bulletins as part of its monthly patch cycle. All are tagged "critical," its highest rating. Critical vulnerabilities typically allow an attacker to gain full control of an affected system with very little, if any, action by the user.
Most of the vulnerabilities addressed by Tuesday's fixes can only be exploited after someone visits a rigged Web site or opens a malicious file, attack approaches that are increasingly popular among cybercrooks.
Microsoft's MS07-027 update fixes six flaws in Internet Explorer that could be exploited through malicious Web sites. Three Microsoft updates deal with flaws in Office applications, including Office 2007. Most of these bugs exist because of errors in the way the applications handle certain files and could be exploited through a rigged Office file.
Exchange is flawed in a way that could allow a system running the e-mail server software to be fully compromised without any special user action. There are four vulnerabilities in Exchange, including Exchange 2007, addressed by Microsoft's MS07-026 fix. The most serious bug exists in the way Exchange encodes e-mail messages.
The fact that several of the newly reported vulnerabilities critically affect Internet Explorer 7, Office 2007 and Exchange 2007, hurts Microsoft's security message, said Amol Sarwate, manager of the vulnerability research lab at Qualys. Microsoft has marketed these programs as secure, citing its security development process.
"Microsoft 2007 software, including Exchange and Office, continues to come up vulnerable, demonstrating that the security development lifecycle is not infallible," Sarwate said. Last month's Microsoft patches included a fix for a
Another vulnerability that may affect many users lies in "Capicom," a component to add cryptography to applications. It is flawed in the way it handles specific data, a bug that could let an attacker commandeer a computer running the component, Microsoft said in bulletin MS07-028.