Microsoft has released its monthly set of security patches, fixing a critical flaw in Office.
Attackers could exploit the bug by tricking Office users into opening a maliciously encoded .pub document, which would then allow attackers to run unauthorized software on a victim's PC. These .pub documents are created by Microsoft's Publisher software, an Office component used for designing print and online business publications. The flaw is described here: http://www.microsoft.com/technet/security/Bulletin/MS06-054.mspx.
Microsoft rates the bug as critical for Publisher 2000, but this warning has been downgraded to "important" for the Publisher 2002 and Publisher 2003 products.
Some security experts expected Microsoft to fix a similar bug in Word, which has been used by online attackers over the past few weeks, but that problem remains unfixed.
Microsoft acknowledged the Word problem last week and probably did not have time to run a fix through its quality assurance tests, said Jonathan Bitle, a manager of technical accounts with Qualys. "It's really late in their engineering cycle, so it's understandable that they wouldn't manage to get something out," he said.
Both the Word and Publisher bugs rely on the same type of attack to work: an attacker e-mails a malicious document and somehow tricks the victim into clicking on the attachment.
Security experts have been seeing more of these Office flaws exploited of late. "This is one of the trends that we have observed," said Amol Sarwate, director of the Qualys vulnerability research lab. "The growing number of client-side vulnerabilities where you have a malformed Publisher file or Word file or Excel file."
Tuesday's patches also include less-critical fixes for two Windows components: the PGM (Pragmatic General Multicast) protocol used by Microsoft's Reliable Multicast Program software to transfer data, and the Windows Indexing service, which is used by the operating system's search engine.
More information on Microsoft's security bulletins can be found here: http://www.microsoft.com/technet/security/bulletin/ms06-sep.mspx.
September may seem like a bit of a reprieve for harried system administrators who were given 19 updates to test and deploy over the past two months. Microsoft was forced to reissue one of its August patches after it caused Internet Explorer to crash when working with a Web-based enterprise applications such as PeopleSoft and Siebel.
But before Microsoft patchers get too relaxed, they should brace for the possibility of another patch later this month, Qualys said. Because attackers are actively exploiting the Word problem, Sarwate believes that Microsoft may issue an "out-of-cycle" patch for the problem, ahead of its next scheduled security updates, which are due Oct. 10.