August 7th, 2008
MS Patch Tuesday: Critical IE, Office, Excel patches coming
Next Tuesday (August 12th), Microsoft will ship 12 security bulletins with fixes for serious vulnerabilities in a wide range of of widely deployed products.
Seven of the 12 bulletins will be rated “critical,” Microsoft’s highest severity rating.
The critical bulletins will cover remotely exploitable flaws in Internet Explorer, Windows Media Player, MS Excel, MS PowerPoint, MS Access, MS Office and the Windows operating system.
The other five will carry an “important” rating and will include patches for bugs in Windows, Outlook Express, Windows Mail, Windows Messenger and Microsoft Word.
Windows Vista and Windows Server 2008 are affected by five of the bulletins.
It is very likely that the critical MS Access fix is for a known — and under attack — ActiveX control vulnerability in the Snapshot Viewer for Microsoft Access.
A pre-patch advisory is already available to warn about the MS Access attacks:
An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.
The ActiveX control for the Snapshot Viewer for Microsoft Access enables you to view an Access report snapshot without having the standard or run-time versions of Microsoft Office Access. The vulnerability only affects the ActiveX control for the Snapshot Viewer for Microsoft Office Access 2000, Microsoft Office Access 2002, and Microsoft Office Access 2003.
The ActiveX control is shipped with all supported versions of Microsoft Office Access except for Microsoft Office Access 2007. The ActiveX control is also shipped with the standalone Snapshot Viewer.
For daily updates on Ryan's activities, follow him on Twitter.
