Bugs and Fixes: Zero-Day Patch for Internet Explorer 6 or 7
By Erik Larkin
A dangerous vulnerability in Internet Explorer 6 and 7 became publicly known before a fix was available, raising the specter of a high-risk zero-day attack.
The bug involves the way IE handles Cascading Style Sheets (CSS) objects, and could let an attacker run any command on a targeted Windows XP, Vista, Server 2003, or Server 2008 PC. Bad guys have already posted sample attack code online. IE 8 is not affected. For more information, see Microsoft Security Advisory 977981.
Meanwhile, a bug in the way Windows handles Embedded OpenType could allow a baddie to take over vulnerable Windows XP, 2000, or Server 2003 computers via malicious Websites or poisoned Office documents. The bug can’t harm Vista or Server 2008, and doesn’t affect Windows 7. Read Microsoft Security Bulletin MS09-065 for details.
Office File Flaws
Two other patches repair Office flaws in Excel and Word affecting Office XP and 2003, and Office 2004 and 2008 for Mac.
The Excel bug endangers Office 2007, Office Excel Viewer 2003, and the Office Excel Viewer Service Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats. The Word flaw also affects Open XML File Format Converter for Mac, Office Word Viewer 2003, and Office Word Viewer. Microsoft rates the flaws as important; see Microsoft Security Bulletin MS09-067 (Excel) and Microsoft Security Bulletin MS09-068 (Word).
Microsoft has also released two critical fixes for business networks. One closes a hole in the Web Services on Devices application programming interface; it’s critical for Vista and Server 2008 (see Microsoft Security Bulletin MS09-063). The second flaw affects only Windows 2000 systems running License Logging Server (see Microsoft Security Bulletin MS09-064).
Java and Opera Bump Up
Sun’s Java Runtime Environment (JRE) and Java Development Kit (JDK) Update 17 closes a number of holes, including a serious flaw that allows attacks via Web pages. Java will check monthly to see whether updates are available, but you can check manually, too: Open Control Panel and double-click the Java icon. On the Update tab, click Update now. After updating, you may need to remove old Java versions manually with Add or Remove Programs. For details, or to download the latest Java, head to Sun’s Java SE Downloads page.
Fix Shockwave and Mac OS X
An attack on critical vulnerabilities in Shockwave Player versions prior to 22.214.171.1241 could “run malicious code on an affected system,” Adobe says. Check your Shockwave version at Adobe’s special testing page, and get the latest iteration (Shockwave 126.96.36.1992) from our Downloads pages.
Finally, the Mac OS X 10.6.2 update corrects various problems involving PDF files, H.264 movies, TIFF images, and other things. Get it via Software Update, and read more at About Security Update 2009-006.