Five new flaws for Microsoft

Microsoft has released a quintet of new patches, the bulk of them for applications. Only one is rated 'critical', with two 'important', one 'moderate' and one 'low priority'.

The 'critical' flaw is in Microsoft's Visual Basic for Applications (VBA) technology which could allow hackers to take control of Windows PCs.

The company said that the buffer overflow issue in the VBA technology included in versions of Office creates a backdoor that could allow hackers to compromise a Windows system, read files and run programs.

Microsoft confirmed that the buffer overrun could, if exploited successfully, allow an attacker to execute code of their choice.

For an attack to be successful, a user would have to open a specially crafted document sent to them by an attacker, such as a Word document, Excel spreadsheet or PowerPoint presentation.

The two 'important' flaws also affect key applications. The first concerns a buffer overflow problem with a WordPerfect converter and affects all versions of Office 97 and above.

The second patches a flaw in all versions of Word currently supported and could allow a specially crafted macro to take control of a host PC.

Users of Access are also advised to patch a 'moderate' flaw in the 97, 2000 and 2002 versions of the software.

An unchecked buffer in the Access Control Snapshot Viewer, which may allow databases to be viewed by non-Access users, could compromise security if an attacker embeds malware in a web page.

The final patch is a 'low priority' fix for Windows NT4, 2000 and XP. A flaw in the network built input/output system (NetBIOS) may reveal random data when queried by specially designed malware.

Julia Giera, research fellow at analyst Forrester, said that the high level of patching will hurt Microsoft's reputation in the short term, but will make it better in the long term.

"Microsoft has got much better in the past few years," she explained. "They are a huge target and every hacker wants to break them.

"In the short term this level of patching will have a negative effect on Microsoft. But the changes over the past few years have made a great difference in making its software more secure."

All five patches are available here.