Microsoft has released its monthly set of security patches, fixing a critical flaw in its Office suite.
Attackers could exploit the bug by tricking Office users into opening a maliciously encoded .pub document, which would then allow attackers to run unauthorised software on a victim's PC. These .pub documents are created by Microsoft's Publisher software, an Office component used for designing print and online business publications. The flaw is described here.
Microsoft rates the bug as 'critical' for Publisher 2000, but this warning has been downgraded to 'important' for the Publisher 2002 and Publisher 2003 products.
Although Publisher is the application being patched, Office users should also be mindful of the issue because Publisher is part of the Office Professional Edition suite, said Christopher Budd, a program manager with Microsoft's Security Response Center.
Some security experts expected Microsoft to fix a similar bug in Word, which has been used by online attackers over the past few weeks, but that problem remains unfixed.
Microsoft acknowledged the Word problem last week but was unable to run a fix through its quality assurance tests in time for September's updates, according to Budd. "It was just not feasible from an engineering standpoint... to get the quality testing in," he said.
Both the Word and Publisher bugs rely on the same type of attack to work: an attacker emails a malicious document and somehow tricks the victim into clicking on the attachment.
Security experts have been seeing more of these Office flaws exploited of late. "This is one of the trends that we have observed: the growing number of client-side vulnerabilities where you have a malformed Publisher file or Word file or Excel file," said Amol Sarwate, director of the Qualys vulnerability research lab.
Tuesday's patches also include less-critical fixes for two Windows components: the PGM (Pragmatic General Multicast) protocol used by Microsoft's Reliable Multicast Program software to transfer data, and the Windows Indexing service, which is used by the operating system's search engine.
More information on Microsoft's security bulletins can be found here.
September may seem like a bit of a reprieve for harried system administrators, who have been given 19 updates to test and deploy over the past two months. Microsoft was forced to reissue one of its August patches after it caused Internet Explorer to crash when working with a web-based enterprise applications such as PeopleSoft and Siebel.
But before Microsoft patchers get too relaxed, they should brace for the possibility of another patch later this month, Qualys said. Because attackers are actively exploiting the Word problem, Sarwate believes that Microsoft may issue an 'out-of-cycle' patch for the problem, ahead of its next scheduled security updates, which are due 10 October.
That prospect seems unlikely, however.
Christopher Budd characterised the Word attacks as "very limited in terms of scope", saying: "At this point in time, we've not made any determination to do anything out of cycle."