Microsoft has patched critical vulnerabilities in its Office, Outlook and Windows software.
The software vendor released three sets of critical patches yesterday, fixing nine security bugs. A fourth update fixes a flaw in Office 2003's Brazilian Portuguese Grammar Checker. Microsoft gives this flaw a less-serious rating of 'important'.
Hackers have been paying close attention to Microsoft's Office products over the past few months, taking advantage of unpatched bugs in PowerPoint, Word and Excel to conduct extremely targeted attacks. Typically, the attacker will send the victim an email that includes a malicious Office attachment and try to entice the victim into opening the message.
In early December these attacks occurred on a very limited scale, exploiting unpatched vulnerabilities in Microsoft Word.
Microsoft didn't issue patches for Word on Tuesday, but it did patch five flaws in Excel, which has also been a point of attack over the past few months.
The Office flaws should be a top priority for system administrators, said Chris Andrew, vice-president of security technology at Patchlink.
The Windows update, which fixes a critical flaw in Windows' VML (Vector Markup Language) language is also one to watch, he said.
Last September, Microsoft was forced to rush an early patch for a similar VML bug after attackers began exploiting the flaw on the internet. By tricking victims into visiting specially crafted web pages, criminals could use this VML flaw to run unauthorised software on a victim's computer, Microsoft said.
Tuesday's VML update replaces the MS06-055 VML bug-fix that Microsoft published last September, the company said.
The Sans Internet Storm Center rates all four updates as critical, but it is singling out the VML bug in particular, saying that there is an "immediate danger" of attackers exploiting this flaw.
Sans says there are known exploits for bugs in all of the updates released Tuesday, except the Excel patches.
Microsoft had been planning to release eight sets of patches on Tuesday, but late last week, it abruptly pulled four of these updates out of the pipeline. No reason was given for this sudden decision.