Microsoft released its largest number of patches so far this year in yesterday's monthly 'Patch Tuesday' security update.
Release also fixes WordPad and IE bugs
The update fixes a number of well-known problems in the company's software, including vulnerabilities in Excel and the WordPad text converter that have been exploited by attackers in a small number of online attacks.
A few other known bugs also were fixed, including some issues in Windows and Internet Explorer that could be used to pull off a so-called 'carpet-bombing' attack, and Windows flaws that could give attackers extra privileges on a Windows machine.
All told, Microsoft released eight software updates, fixing dozens of bugs in its products. Five of the updates are rated critical by Microsoft, meaning they fix flaws that could be exploited by attackers to run unauthorised software on a computer.
Systems administrators should probably patch the Excel and WordPad bugs first, said Eric Schultze, the chief technology officer with Shavlik Technologies. "There are known issues out here, and why flirt with danger," he said.
The patch for Internet Explorer - always a favourite target of attack by hackers - and another critical fix for Microsoft's DirectX multimedia software should also be given top priority, he said.
Another critical patch is in the HTTP software used by Windows computers to connect to websites. This update is rated critical for all supported versions of Windows.
Microsoft also fixed a long-standing Internet Information Services (IIS) issue that could allow an attacker to get unauthorised privileges on a computer. This kind of attack, called 'token kidnapping', was first reported more than a year ago by Cesar Cerrudo, the CEO of security research firm Argeniss.
A token kidnapping attack could be very dangerous on servers that allow users to upload code - web servers used by a hosting provider, for example - because it could give users administrative control over the entire system, letting them control other users' websites.
"If you allow people to upload code to the web server, then you have got to get that one fixed right away," Schultze said.
The carpet-bombing patches are also interesting. Last year, security researcher Nitesh Dhanjani showed how Apple's Safari browser could litter a victim's desktop with downloaded programs. Another researcher soon found a way to combine this behaviour with some flaws in Windows and Internet Explorer in order to run unauthorised software on a victim's PC.
Apple patched the Safari part of the attack last year, and Microsoft has now followed suit and fixed the underlying Windows and IE issues, meaning that even if attackers found some other way to place software on a victim's machine, the carpet-bomb attack would no longer work.
See also: Critical Excel fix coming next week