Zero-day flaws in Internet Explorer 6 and 7, disclosed in late November and already under attack, receive critical patches in today's Patch Tuesday release, as do Microsoft Office Project and Windows Server 2008.
The cumulative IE update, MS09-072, fixes five separate security bugs affecting IE 6, 7 and 8. Although the publicly available exploit code for the IE 6 and 7 zero-day did not always produce a successful attack in lab testing, Microsoft gives this patch a rating of 1 on its Exploitability Index, meaning the company expects consistent, reliable exploit code to appear. At least one of the flaws can be triggered simply by viewing a malicious Web page, so no user interaction beyond browsing is required.
The update is rated critical for IE 5 on Windows 2000, IE 6 on Windows XP or Server 2003, and IE 7 on XP and Vista. It is also rated critical for IE 8 on XP, Vista and Windows 7, but only moderate for IE 7 on Server 2003 and Server 2008 and for IE 8 on Server 2003 and Server 2008, reflecting the more restrictive default browser configuration on those server platforms. For more details, see the MS09-072 bulletin.
A second bulletin addresses flaws in Microsoft Office Project that could be triggered by opening a malicious Project file. MS09-074 is rated critical only for Microsoft Project 2000 Service Release 1, and important for Project 2002 SP 1 and 2003 SP 3. Project 2007 is not affected.
The third bulletin, MS09-071, fixes flaws in the Internet Authentication Service (IAS) and is rated critical for Windows Server 2008. Only servers using PEAP with MS-CHAP v2 authentication are exposed, according to the bulletin, which otherwise rates the issue important or moderate across Windows 2000, XP, Server 2003, Vista and Server 2008.
Additional important-rated updates fix a denial-of-service vulnerability in Windows 2000, XP and Server 2003 (MS09-069) and a flaw in the handling of HTTP requests sent to a Server 2003 or Server 2008 web server (MS09-070). A final patch, MS09-073, fixes a bug in WordPad and the Office Text Converters that can be triggered by opening a malicious document.
Fire up Microsoft Update to pick up all of these patches, and for more information see Microsoft's Security Bulletin Summary for December 2009 and the accompanying MSRC post.