Microsoft patches IE and Office, but not Word

Redmond (USA) – Microsoft has released four new security bulletins that fix a total of 10 vulnerabilities, almost all of which could potentially be exploited for remote code execution. Except for one, which affects a component of Internet Explorer, the flaws are contained in Office.

Security experts say the most relevant issues are those described in MS07-004 and MS07-003, both of which Microsoft has classified as critical. The first concerns a vulnerability in Internet Explorer's implementation of Vector Markup Language (VML), an XML-based language used to create vector images for publication on the Web. What makes this weakness particularly dangerous is that two public exploits already exist and that an attacker can compromise a remote system simply by luring a user to a specially crafted web page. Opening a malformed VML image can cause malicious code to run with the same privileges as the local user.

This is one of the few IE security problems discovered to date that affects version 7 as well as versions 5.x and 6.

The aforementioned flaw is similar to the one Microsoft corrected last September. Since VML is used less and less, some experts suggest that users remove it from the system by unregistering the vgx.dll component. To do this, you can issue this command from Start / Run or from a command prompt:
regsvr32 -u "C:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll" (if Windows is installed on a drive other than "C:", change the path accordingly).
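The following PowerShell script is an added example, not part of the original article, for verifying whether the workaround above has actually taken effect on a machine. It assumes the default install location (derived from the CommonProgramFiles environment variable rather than a hard-coded drive letter) and detects registration by scanning every CLSID's InprocServer32 entry for one that points at vgx.dll, so it does not depend on knowing the component's CLSID in advance.

```powershell
# Added example (not from the article): check whether the VML renderer vgx.dll
# is still registered as a COM in-process server, i.e. whether "regsvr32 -u"
# has been run against it. Assumes the default path under CommonProgramFiles;
# adjust $vgxPath if the component lives elsewhere.
$vgxPath = Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll'

function Get-VgxRegistrations {
    param([string]$DllName = 'vgx.dll')
    # Walk every CLSID under HKEY_CLASSES_ROOT and collect those whose
    # InprocServer32 default value ends in the DLL name. The @( ) wrapper
    # guarantees an array (possibly empty) even when nothing matches.
    $hits = @(
        Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $inprocKey = Join-Path $_.PSPath 'InprocServer32'
            if (Test-Path $inprocKey) {
                # GetValue('') reads the key's (Default) value.
                $server = (Get-Item $inprocKey).GetValue('')
                if ($server -and ($server -like "*$DllName")) {
                    [pscustomobject]@{ Clsid = $_.PSChildName; Server = $server }
                }
            }
        }
    )
    return $hits
}

$registrations = Get-VgxRegistrations

if (-not (Test-Path $vgxPath)) {
    Write-Output "vgx.dll is not present at $vgxPath (VML not installed here)."
} elseif ($registrations.Count -gt 0) {
    Write-Output "VML component is still registered:"
    $registrations | ForEach-Object { Write-Output "  CLSID $($_.Clsid) -> $($_.Server)" }
    Write-Output "To unregister it, run from an elevated prompt:"
    Write-Output "  regsvr32 -u `"$vgxPath`""
} else {
    Write-Output "vgx.dll is present but not registered; the workaround is in effect."
}
```

Run it from an elevated PowerShell prompt before and after applying the regsvr32 command; the registry scan covers a few thousand keys, so it takes a moment on an older machine. Unregistering only removes the COM entries, not the file, which is why the script reports the two conditions separately.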

The second most serious bulletin, MS07-003, instead describes three vulnerabilities in Outlook 2000, 2002 and 2003. Of the three, the most dangerous could allow an attacker to craft an Office Saved Searches (OSS) file, the format Outlook uses to save searches in virtual folders, and persuade the user to open it through social engineering. The bug is triggered when Outlook parses the malformed ".oss" file.

It should be noted that Outlook 2007 is not affected by the problem.

The third "critical" bulletin is MS07-002, which contains fixes for 5 different Excel vulnerabilities. The problems affect Office 2000/2002/2003, Works Suite 2004/2005, and Office 2004 / vX for Mac. Once again, Office 2007 is immune.

All five bugs can be exploited by an attacker who crafts a document which, once opened in Excel, crashes the application and may allow code execution.

Bulletin MS07-001, to which Microsoft has assigned a severity level of "important", finally describes a vulnerability in the Brazilian Portuguese grammar checker for Office 2003 which, under certain circumstances, may allow remote code execution. The flaw, however, only affects users who have installed that component.

The summary of the January bulletins can be found here.

"The patches released in these days show once again that the volume of client-side vulnerabilities affecting the Windows platform is not decreasing", commented Mauro Toson, Presales Manager at Symantec Italia. "Hackers are able to exploit vulnerabilities faster and faster and it is imperative that users protect themselves by installing updated patches as soon as possible."

For this week Microsoft had originally planned to release 8 security bulletins, some of which were supposed to fix bugs in Windows and Visual Basic. In recent days, however, the Redmond giant chose to postpone their publication, citing the need, according to a spokesperson, to test the patches more thoroughly.

Among the expected but not yet released fixes are also those for the three Word zero-day flaws that emerged last month.