In a relatively light Patch Tuesday, Microsoft closed holes that could allow a poisoned Excel or Movie Maker file to install malware on a vulnerable PC. However, a new flaw involving VBScript and Windows Help files that can be targeted through Internet Explorer remains unfixed.
The Movie Maker bug affects Windows Movie Maker 2.1, 2.6 and 6.0, and also Microsoft Producer 2003, on Windows XP, Vista or Windows 7. Both XP and Vista shipped with vulnerable 2.1 (XP) or 6.0 (Vista) versions, according to Microsoft. Opening a malicious .mswmm file, which would likely come in the form of a malicious e-mail attachment or Web download, could trigger an attack.
While the MS10-016 patch will fix Movie Maker, Microsoft is not patching Microsoft Producer 2003. If you've installed the free download, Redmond has made a Fix it available that will remove the program's file associations so that it will no longer automatically open .mswmm files when they're double-clicked. Click the Fix it button on this solution page to apply the workaround.
The second and only other patch today closes seven similar holes involving Excel files. Excel in Office XP, 2003 and 2007 is vulnerable, as are Office 2004 and 2008 for Mac. SharePoint 2007 and the Office Excel Viewer can also be targeted. See the MS10-017 patch details for more information.
Microsoft only rates these fixes as Important (the worst holes are rated Critical), in part because an attack against any of these holes requires user interaction in the form of opening a malicious file. However, Redmond also gives them an exploitability rating of 1, meaning the company expects to see attacks in the wild. And e-mail attachment attacks are very much alive and well, though the majority of them these days involve .pdf files.
Finally, two security holes affecting IE remain unfixed. One affects any version of IE on Windows 2000 or Windows XP. Microsoft last week announced the flaw, which allows accessing unsafe Windows Help files using VBScript. There aren't yet any known attacks, but keep an eye out for any site that displays a pop-up asking you to hit F1.
The second IE flaw was only announced today, and involves an invalid pointer reference bug in Windows 6 and 7. It's already under attack, according to Microsoft, and can be targeted by a malicious site without the need to hit F1 or any other key.