Microsoft Patch Tuesday: Four patches fix mostly Office vulnerabilities

Vulnerability affecting security software only rated moderate
By John Fontana, Network World, 05/13/2008

Microsoft Tuesday released four patches to fix six vulnerabilities, three of which were rated critical for Microsoft Word, Publisher and the Jet Database Engine 4.0. Experts say the fourth patch, rated important, could also be viewed as critical because it affects security software that could be shut down in an attack.

The software patches were released as part of Microsoft's regularly scheduled Patch Tuesday.

The fourth patch (MS08-029), which affects the Microsoft Malware Protection Engine, can result in a crash on a variety of different Microsoft security platforms, including Windows Defender; Live OneCare; Antigen for Exchange and SMTP Gateway; and Forefront Security for Exchange Server and SharePoint.

"I think it is moderate because the immediate consequence is a denial-of-service attack. But if you take the context that this is an antivirus product that should be running all the time, then I think people should look at this as critical as well," says Amol Sarwate, manager of vulnerability research for Qualys.

The three critical patches – MS08-026, MS08-027, MS08-028 – all involve specially crafted files that could be used to exploit the vulnerabilities.

Experts classify the Jet Database vulnerability (MS08-028) as the most important.

"It's been noted by Microsoft that 028 has been in the wild," says Jason Miller, security team manager for Shavlik Technologies. "It has been affecting systems and results in evil users being able to take complete control of computers."

The Jet Database 4.0 vulnerability concerns .MDB files and could be especially troubling for users of Outlook 2003 and 2007 who use the preview pane feature to view e-mail. Attacks that exploit the vulnerability can be carried out if a specially crafted file is embedded in an e-mail message. Malicious files also can be embedded in Word files.

Microsoft recommends that users upgrade immediately.

The Jet Database vulnerability affects Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows XP Professional x64 Edition, Windows Server 2003 Service Pack 1, Windows Server 2003 x64 Edition, and Windows Server 2003 with SP1 for Itanium-based Systems.

Microsoft's MS08-026 patch is closely aligned with MS08-028 in that specially crafted files can be embedded in Word files. It also affects users of Outlook 2007 and Outlook 2007 Service Pack 1 because both those programs contain some of the same core files that are affected in Word, namely editing features.
