Microsoft released a dozen fixes on its scheduled patch day, closing 10 critical security holes and another 13 noncritical flaws in the latest versions of the company's software.

A cumulative fix for Internet Explorer was among the patches, updating Microsoft's browser to eliminate 3 critical vulnerabilities and 5 other flaws. Other remotely exploitable vulnerabilities include a flaw in the Windows server service and the operating system's domain-name resolution. The company also patched two critical flaws in PowerPoint 2000 and another in Office 2000, bringing the total number of Office flaws fixed by Microsoft in 2006 to 27. At least one of the PowerPoint flaws had been being used to level low-volume targeted attacks at a small number of companies.

The U.S. Computer Emergency Readiness Team (US-CERT) announced Tuesday morning that the federal response group had become aware of some attackers exploiting at least one of the vulnerabilities, but no other information was immediately available.

Three times in the past two months, attackers have targeted corporate systems running Microsoft Office. Last month, security firms reported that a previously unknown flaw in Excel had been used by attackers to compromise a limited number of systems. And, in May, some companies discovered a malicious program using a flaw in Word to compromise systems.

The exploits appear to be related to a string of targeted Trojan horse attacks that come from systems in China. A year ago, the national computer emergency response teams in the United Kingdom, Canada and Australia all warned of targeted attacks hitting organizations in those countries. While the U.S. organization, US-CERT, did not issue an alert, antivirus companies acknowledged that low-volume e-mail attacks had targeted U.S. companies and government agencies.

Microsoft's patches can be obtained from Microsoft's Windows Update site or, preferably, through its automatic update service.



securityfocus.com