Microsoft Plans Four Security Fixes For Upcoming Patch Tuesday

[Thilaga]

Microsoft on Thursday said that it plans to release patches for four security vulnerabilities on Tuesday, May 13.

According to its Security Bulletin Advance Notification for May 2008, Microsoft said it will fix three critical vulnerabilities and one moderate vulnerability. Microsoft (NSDQ: MSFT) said it will fix three critical vulnerabilities and one moderate vulnerability.

The critical flaws affect Microsoft Office, Microsoft Word, and Microsoft Windows respectively. The moderate vulnerability affects several Microsoft security products, including Windows Live OneCare, Antigen, Defender, and Forefront Security. The critical designation typically means that a vulnerability, if successfully exploited, could allow an attacker to execute malicious code remotely. The moderate designation indicates that a number of factors, such as the targeted system's configuration, make the vulnerability harder to exploit.

The critical Windows vulnerability involves the Microsoft Jet 4.0 Database Engine. In March, Microsoft issued a Security Advisory saying that it was "investigating new public reports of very limited, targeted attacks using a vulnerability in the Microsoft Jet Database Engine that can be exploited through Microsoft Word."

The Microsoft Jet Database Engine makes data accessible to a variety of Microsoft and third-party applications, including Microsoft Access, Microsoft Visual Basic, and Information Services (IIS) applications.

According to Microsoft's Jet Security Advisory, versions of the Microsoft Jet Database Engine (msjet40.dll) lower than 4.0.9505.0 are vulnerable to a buffer overrun flaw. To exploit the flaw, an attacker would have to convince a user to open a Word file designed to load a database file that uses msjet40.dll.

"The Jet bulletin is the critical patch that will have the widest impact because it affects Windows XP, Windows 2000 and Windows Server 2003," said Lumension Security director of solutions and strategy Don Leatham in an e-mailed statement. "When prioritizing this month's patches, this will probably get the most attention because of the number of organizations running these systems and programs."