Microsoft patches new Office flaw

Microsoft has patched a critical flaw in its Office software that affects Publisher documents.

Microsoft has released its monthly set of security patches, fixing a critical flaw in Office.

Attackers could exploit the bug by tricking Office users into opening a maliciously encoded .pub document, which would then allow attackers to run unauthorized software on a victim's PC. These .pub documents are created by Microsoft's Publisher software, an Office component used for designing print and online business publications. The flaw is described here: http://www.microsoft.com/technet/security/Bulletin/MS06-054.mspx.

Microsoft rates the bug as critical for Publisher 2000, but this warning has been downgraded to "important" for the Publisher 2002 and Publisher 2003 products.

Some security experts expected Microsoft to fix a similar bug in Word, which has been used by online attackers over the past few weeks, but that problem remains unfixed.

Microsoft acknowledged the Word problem last week and probably did not have time to run a fix through its quality assurance tests, said Jonathan Bitle, a manager of technical accounts with Qualys. "It's really late in their engineering cycle, so it's understandable that they wouldn't manage to get something out," he said.

Both the Word and Publisher bugs rely on the same type of attack to work: an attacker e-mails a malicious document and somehow tricks the victim into clicking on the attachment.

Security experts have been seeing more of these Office flaws exploited of late. "This is one of the trends that we have observed," said Amol Sarwate, director of the Qualys vulnerability research lab. "The growing number of client-side vulnerabilities where you have a malformed Publisher file or Word file or Excel file."

Tuesday's patches also include less-critical fixes for two Windows components: the PGM (Pragmatic General Multicast) protocol used by Microsoft's Reliable Multicast Program software to transfer data, and the Windows Indexing service, which is used by the operating system's search engine.

More information on Microsoft's security bulletins can be found here: http://www.microsoft.com/technet/security/bulletin/ms06-sep.mspx.

September may seem like a bit of a reprieve for harried system administrators who were given 19 updates to test and deploy over the past two months. Microsoft was forced to reissue one of its August patches after it caused Internet Explorer to crash when working with Web-based enterprise applications such as PeopleSoft and Siebel.

But before Microsoft patchers get too relaxed, they should brace for the possibility of another patch later this month, Qualys said. Because attackers are actively exploiting the Word problem, Sarwate believes that Microsoft may issue an "out-of-cycle" patch for the problem, ahead of its next scheduled security updates, which are due Oct. 10.


Robert McMillan

IDG News Service