Microsoft issues first Vista bug fix

Microsoft has issued 12 security bulletins addressing 20 vulnerabilities in Windows, including the first patch for a shipping component of Windows Vista since January's consumer launch.

Among the patches in the monthly update is a fix for a critical vulnerability in the Microsoft Malware Protection Engine for Windows Vista.

The component powers the Windows Defender and OneCare security software for the operating system. The flaw could allow attackers to take control of a system, Microsoft warned.

"Because Windows Defender is a component of Windows Vista, Windows Vista is vulnerable," a Microsoft spokesman told vnunet.com.

"However, because Windows Defender automatically updates the engine, all Windows Defenders users are likely to be using an updated version of the engine and no additional action should need to be taken to download or install the update."

The February patch release offers an additional five critical bulletins that include fixes for Office, Internet Explorer and Windows.

The six remaining bulletins addressed vulnerabilities classified as 'important'. Microsoft said that 10 of the 12 updates concern vulnerabilities that could allow an attacker to remotely hijack a system.

Six of the vulnerabilities have been the targets of zero-day attacks, said McAfee. Office, in particular, has been a favourite target of attackers of late.

In recent weeks attackers have preyed on numerous vulnerabilities in versions of Word and Excel to install malware on target systems.

Dave Marcus, security research and communications manager at McAfee, told vnunet.com that the rash of Office exploits continues the trend of malware authors targeting widely deployed Microsoft business applications and services.

"Malware authors continue to find unknown or unpatched vulnerabilities in popular applications and services which are then used in zero-day attacks," he said.

One of the Office bulletins was issued to replace a previous patch for Excel and PowerPoint that Microsoft said was "ineffective".

Other critical fixes address problems in Internet Explorer, Windows Data Access Components, and the HTML Help access control.

The 'important' fixes include remote code execution flaws in Windows MFC and OLE Dialog components, and a pair of flaws in the Windows Shell and Image Acquisition service that could allow a users to elevate their user privileges.