Microsoft Patches PowerPoint Zero-Day

Started by ganeshbala, May 14, 2009, 11:08 AM


ganeshbala


Microsoft today closed a security hole in its PowerPoint presentation software, with a fix in its latest regular monthly installment of "Patch Tuesday" updates.

The patch addresses a glitch that Microsoft ranks as "critical," the highest ranking on its four-tier severity scale.

The zero-day vulnerability had first been called to Microsoft's attention in early April. Microsoft then issued a Security Advisory -- an official acknowledgment that the company's security team is tracking a bug -- about attacks using the vulnerability.

The zero-day hole had been discovered, and live attacks detected, just before Microsoft's April Patch Tuesday. For several years, Microsoft has been releasing almost all of its patches on the second Tuesday of each month to provide users, particularly IT shops, with predictable and regular patch drops. But the timing of the zero-day's discovery meant that it missed cut-off for inclusion in April's round of updates.

The patch fixes a total of 14 separate vulnerabilities in all supported versions of Office PowerPoint -- from Office 2000 Service Pack 3 (SP3) up through Office 2007 SP2. Of those, 12 rate a critical designation.

However, the only version of PowerPoint in which Microsoft rates the bugs as "critical" is the oldest -- PowerPoint 2000 SP3. For later versions, up to and including PowerPoint 2007, the bugs rate as "important" -- the second-highest Microsoft threat level.

That does not mean that "important" means "not to worry," though. Often, the difference between ratings is a question of one or two extra mouse clicks.

Several top security analysts, therefore, warned against complacency and urged users to apply the patch to all versions of PowerPoint.

Windows 7 RC real and "fake" updates

It's the second round of patches for a major Microsoft offering in days. The company on Friday released a "hotfix" for the Windows 7 "Release Candidate" (RC), which began public testing last week.

Users testing the RC of Windows 7 -- specifically, Windows 7 32-bit Ultimate -- should install Friday's hotfix, but only if they are affected by the bug it's meant to fix, according to a Microsoft statement.

The Windows 7 RC of 32-bit Ultimate is missing some "security descriptors," the lack of which does not allow the user to perform some user-level functions such as deleting a folder.

"This problem occurs because the English version of Windows 7 Release Candidate 32-bit Ultimate incorrectly sets access control lists (ACLs) on the root," the company.