Microsoft has released the second package of bug and security fixes for its Office XP application, including a patch made available for the first time to address Web component vulnerabilities.
Typically, a Microsoft service pack contains a collection of all the bug and security fixes that have been made available on an individual basis since a product's launch or the prior service pack's release. But the Office XP Service Pack 2 released last week also contains a newly released patch to address three vulnerabilities to Office Web components, the most serious of which was rated "critical" to client systems and could allow an attacker to run commands on a user's PC.
A company spokesman said the vulnerabilities were reported to Microsoft on March 17, and the Bulgarian "bug hunter" who identified them went public with the information two weeks later. Microsoft claimed that his disclosure "placed users at risk by not providing Microsoft with ample time to address vulnerabilities" to 16 affected products.
The Bulgarian couldn't be reached for comment.
According to Microsoft, the vulnerabilities resulted from implementation errors in certain methods and functions exposed by ActiveX controls.
In addition to bug and security fixes, Office XP Service Pack 2 contains the most recent product updates designed to improve stability and performance, according to Simon Marks, a product manager on Microsoft's Office team.
Marks said the maximum download of Service Pack 2 is 15MB. Users can download it from Microsoft's Web site or order a free CD and pay the shipping charges.
Service Pack 1 for Office XP was released on December 13 last year.
Beta versions of Office 11 are due in the next few months, with the final version to follow sometime next year. Office 11 will feature enhanced XML support, added collaboration capabilities and user interface improvements, Marks said.