The vulnerabilities affect 16 different applications, and include four critical flaws each in Microsoft Office (MS06-062), Word (MS06-060), Excel (MS06-059) and PowerPoint (MS06-058).
The vulnerabilities affecting Powerpoint and Excel have already been exploited in the wild in recent months. These include an Excel zero-day exploit that employs Trojan.Hongmosa, and a Word zero-day exploit that uses Trojan.MDropper.Q, according to a Tuesday bulletin sent to Symantec Deepsight subscribers.
Microsoft has also patched a code execution vulnerability for Internet Explorer (MS06-057) that stems from a glitch in the WebViewFolderIcon ActiveX object, which has also been exploited in the wild in recent weeks.
"This patch is definitely a must because exploits are circulating and we're seeing attacks on peoples' systems," said Rohit Dhamankar, senior manager of security research at 3Com's TippingPoint division.
However, according to a post on the SANS Internet Storm Center Website, the threat is diminished by the fact that Internet Explorer on Windows Server 2003 by default runs in a restricted mode known as Enhanced Security Configuration.
TippingPoint's Zero Day Initiative, which pays security researchers for turning in undisclosed vulnerabilities, was responsible for alerting Microsoft to three critical flaws in Office applications, said Dhamankar. "This proves [the initiative is] a safe way for people to turn in vulnerabilities that prevents being used and sold for zero day attacks," he added.
However, Monty Ijzerman, senior manager at McAfee's Global Threat Group, believes that attackers are already sifting through the fresh patches to gain ammunition for future exploits.
"Now that the patches are out, it's fairly easy to do a comparison between the original components and the patch components to see the vulnerability. It's not easy, but for a skilled attacker it's not difficult either," Ijzerman said.
Another patch (MS06-061) addresses a flaw in the Extensible Stylesheet Language Transformations (XSLT), which enables viewing of XML content and affects Internet Explorer and Outlook. An exploit of this vulnerability would require the user to click on a link in an e-mail or Web page.
User education is needed to help people avoid falling victim to the various social engineering tactics attackers employ with client side exploits, according to Jonathan Bitle, a manager of technical accounts with Qualys, Redwood Shores, Calif.
"Attackers are increasingly taking advantage of the weakest link in the chain, the end-user," Bitle noted.
