Microsoft Patch Tuesday is upon us with four "important" fixes for SQL, Windows Explorer, DNS and Outlook Web Access for Exchange Server. But there's no fix for a critical bug in Access that is currently being exploited by hackers.
Microsoft isn't saying much about the specific flaw, only that it affects "all supported versions of Microsoft Office Access except Microsoft Access 2007" and lies in the Snapshot Viewer ActiveX control. Attackers are exploiting the vulnerability by luring targets to a malicious Web site, where visitors using Internet Explorer will pick up malicious code that exploits the flaw.
I am surprised Microsoft announced the vulnerability a day before its scheduled Patch Tuesday release when the fix wasn't included in this round of updates. As a result, hackers essentially have at least another month to continue exploiting the vulnerability before a patch is available, unless Microsoft breaks protocol and releases one early. There are some manual workarounds available, but how many users are going to implement those on their own?