Microsoft update brings critical patches

Microsoft, as part of its monthly patch release for April, has released a security update to address vulnerabilities in Windows and Office.

The software vendor rated updates for Internet Explorer, Windows Explorer and the Microsoft Data Access Components (MDAC) Function as "critical" because they could allow an attacker to execute arbitrary code on a user's system.

The MDAC vulnerability exists as part of Microsoft's ActiveX technology. An attacker could use the security hole through a specially crafted website to take over control of a system without any user interaction, Microsoft said in a security bulletin on its website.

Attackers could exploit the flaw in Windows Explorer again by persuading users to visit a specially crafted website. Microsoft warned that the site could force the system to connect to a remote file server, which could then cause Windows Explorer to fail in a way that allows an attacker to execute code. 

The Internet Explorer patch addresses a total of ten vulnerabilities with severity ratings ranging from critical to moderate. As expected, the update includes a fix for a previously disclosed vulnerability in the createTextRange call which is actively being exploited. It also repairs two other vulnerabilities that were disclosed earlier this month.

April's patch furthermore delivers a fix for Outlook Express. A vulnerability in the email and personal information client could allow attackers to take over control of a system. Because the bug requires user interaction to be exploited, it received a severity rating of "important".

The fifth patch addresses a vulnerability in Front Page that could allow for a cross site scripting attack.