Microsoft today released patches for a variety of critical holes in Excel, Internet Explorer, WordPad and other Windows operating system and application components. Some of the flaws are already under active attack.
The Patch Tuesday batch includes five patches that address 10 critical flaws, along with other fixes for a total of 21 vulnerabilities. The first critical patch closes an Excel hole that has been under the gun since February, and is finally fixed today with the MS09-009 patch. Microsoft lists the patch as critical for Office 2000, and important for Office XP, 2003 and 2007.
A second flaw, affecting Wordpad and Office text converters, has also already been attacked. The flaw is again listed as critical for Office 2000, and important for Office XP, the Office Converter Pack, and Windows XP, 2000 and Server 2003. See the MS09-010 bulletin for more details.
A major patch batch wouldn't be complete without some kind of Internet Explorer fix, and MS09-014 closes a major hole in IE 6 and 7. Viewing a poisoned Web page could allow an attacker to effectively take over a vulnerable PC. The flaw is critical for IE 6 on Windows XP and important for IE 6 on Windows Server 2003. It's also critical for IE 7 on Windows XP and Vista, and important for IE 7 on Server 2003 and Server 2008. The new IE 8 is not affected.
Other critical fixes include patches for a newly discovered DirectX hole (MS09-011) that can be exploited if you open a malicious MJPEG file, and flaws in the Microsoft Windows HTTP Services (MS009-013) that can be targeted by a malicious Web site.
For full details on this month's Microsoft fixes, including those listed as only important or moderate, see the Microsoft Security Bulletin Summary for April.