Microsoft Patches Critical Database And Office Flaws
Microsoft released four fixes on Tuesday to close a half dozen security holes, including a vulnerability in the Microsoft Jet database which is currently being exploited by attackers. The most serious of them is a bug in Microsoft’s Jet Database Engine, a component built into Windows XP, Windows Server 2003 and Windows 2000 that works with Visual Basic, Access and multiple third-party applications. Attack code for the vulnerability went public in November, and it is actively being exploited in the wild.
The security vulnerabilities affect various Microsoft Office products, the Jet database engine, and Microsoft’s Malware Protection Engine. Among the most critical flaws, the Microsoft Jet database engine vulnerability allows an attacker to execute code by accessing a database file through Microsoft Word. The company patched both the Jet database flaw and the Word flaw.
Vulnerabilities of the type Microsoft is patching today have been a favorite attack method among attackers, especially in stealthy attacks that seek to steal high-value intellectual property. Trojan horse attacks often use rigged Office files that exploit vulnerabilities in the productivity suite.
Microsoft patched two vulnerabilities in Microsoft Word, including one issue that could be exploited through the Outlook e-mail client because the software uses a component of Word to display rich text format (RTF) and Web (HTML) files in the preview pane. Attacks against Microsoft Office have jumped over the past two years, though for all but the oldest versions of Office, most exploits require some user interaction, such as clicking “OK” in a dialog box.
Microsoft also remedied an issue in the way that its Malware Protection Engine handles file scanning. The Malware Protection Engine is used in the Windows Live OneCare service and in Microsoft Forefront and Antigen products. A specially crafted file could be used to lock up the program or to keep the program from working on incoming files, the company stated in its bulletin.