However, industry watchers say two additional critical flaws in Microsoft Word, including one released only a few days ago, have yet to be patched. These are zero-day flaws, which potentially enable a cyber criminal to take control of a user’s entire system. Successful hackers would gain the same user or administrative privileges as their victim. The second of these uncontained flaws was released on December 5.
Two of the critical flaws addressed as part of Microsoft’s monthly Patch Tuesday cycle were zero-day vulnerabilities, that is, security holes for which the exploitation procedure is well known.
“Hackers can write for the flaw but there is no patch available to fix it,” said Amol Sarwate, manager of vulnerability labs at security outfit Qualys Inc. “They can take full control of the machine.”
Earlier this month, Microsoft advised that it would be releasing six security updates today, but it has since added a seventh to address one of these zero-day bugs in Windows Media Format, said a company spokesperson.
“We have been working on an update for the Windows Media Format [called MS06-078] and were able to meet the quality bar necessary for release. Because of this, we were able to add it to the December release,” said the spokesperson.
Microsoft’s second zero-day flaw update, MS06-073, plugs a hole in Visual Studio 2005 developer tools. Unlike the Windows Media flaw, this vulnerability has been exploited, Microsoft confirmed.
Both of those flaws allow remote code execution, which means malicious code is executed on a victim’s machine. “The attacker can execute arbitrary code on the user’s machine, which gets compromised,” Sarwate said. “What those instructions are depends on what the attacker wants to put there.”
Disturbingly, these are the same types of vulnerabilities as the pair of Word flaws not yet patched by Microsoft, Sarwate said.
A third critical update, MS06-072, was released yesterday for Internet Explorer. It was a cumulative update with fixes for four different flaws, one of which allowed remote code execution, Sarwate said. It was not, however, a zero-day flaw.
Less serious problems, as classified by Microsoft, affected Outlook Express, the Windows Client-Server Run-time Subsystem, the Windows Simple Network Management Protocol service and the Windows Remote Installation Services. All were addressed in yesterday’s update.