The three critical fixes address holes in Word, Publisher and the Jet Database Engine, according to Microsoft's advance notification. All of these flaws can be exploited to execute remote code.
The Word and Jet patches likely are related to a known zero-day vulnerability, Andrew Storms, director of security operations at network security firm nCircle, told SCMagazineUS.com on Friday.
In March, Microsoft warned of a Jet Database exploit that was spreading through Word in "limited, targeted attacks."
Jet Database files are referenced by the .mdb (Microsoft Access Database) file extension, which are considered unsafe and users are normally blocked from opening them in Outlook or Internet Explorer, according to Microsoft. However, attackers have discovered a way to evade the built-in restrictions.
"It looks like what we're seeing here is a fix for the same bug," Storms said of the Word and Jet patches. "Essentially both attack vectors are going to be repaired in this update."
He said he was not sure if the Publisher fix was related.
Microsoft is also planning a patch for its security software -- Windows Live OneCare, Antigen, Windows Defender and Forefront -- for a moderate vulnerability that could permit a denial-of-service attack.
Storms said the bug likely could allow an attacker to send a maliciously crafted file that would stall an an anti-virus scan.
"If you're scanning engine goes down, it's a big deal," he said.
Microsoft to push out four patches in May
By Dan Kaplan on May 12, 2008 10:09AM