Eight April patches from Microsoft

Shaun Nichols | Apr 10, 2008 7:31 AM
Microsoft has released its latest security update package..
The April edition of 'Patch Tuesday' fixes flaws in Windows, Office and Internet Explorer. Five of the patches address vulnerabilities that Microsoft has rated 'critical'.

Two of the critical patches addressed issues found in Internet Explorer. The patches included a remote code execution vulnerability in the browser itself and another patch for the ActiveX plugin used to connect the browser with Yahoo's Music Jukebox service.

Among the other critical fixes is a flaw in Office's handling of Project files, which could allow an attacker to remotely execute code on a target system.

The company also issued a fix for a pair of vulnerabilities in Office's Visio component, which were both rated as 'important'.

The remaining four patches addressed issues with Windows. Among them a privilege elevation flaw in Windows 2000, XP, Server 2003, Vista, and Server 2008. Other patches included a remote code execution flaw in the VBSript/Jscript component, a DNS spoofing flaw, and a remote code execution vulnerability in the handling of EMF and WMF image files.

McAfee security research and communications manager Dave Marcus said that the update should once again serve as a warning to users of the dangers that lurk on the web.

"Many of the vulnerabilities addressed by the fixes could be exploited if a Windows user simply visits a malicious website, a favourite attack method among cybercriminals,” said Marcus.

"In such drive-by downloads an attacker places malware onto a vulnerable computer without the user noticing it. This malware most often targets various types of identity information of the victim."