Microsoft patches 10 bugs, omits Word fixes

posted on January 10, 2007
by hitbsecnews

Microsoft on Tuesday released four security updates to patch 10 vulnerabilities, seven of them judged "critical." But the company failed to fix multiple flaws in its popular word processor that have been exploited by attackers for more than a month.

January's security bulletins were half the number originally expected, as on Friday Microsoft changed its mind and pared the number from eight to four without an explanation. Of the updates, three involve Microsoft's Office suite, while the fourth affects Internet Explorer, the developer's oft-patched Web browser.

The most dangerous bugs, says Amol Sarwate, manager of Qualys' vulnerability lab, are patched by MS07-003, which affects Microsoft Outlook, the email client packaged with Office. The update fixes three flaws, one tagged critical. "It addresses one zero-day [vulnerability] that had already been made public," says Sarwate. "And it also fixes a calendar vulnerability. Meeting requests are common in day-to-day use and users could be expected to open the e-mail with a malformed request." Two of the three Outlook flaws could let an attacker hijack a PC running Outlook 2000, 2002, or 2003. The newest version, Outlook 2007, is immune to these vulnerabilities.
