Microsoft released today (10/11) a bundle of patches for 15 vulnerabilities s Windows systems and Windows Server and applications of Excel and Word, including one that will probably be exploited quickly by hackers.

None affect the new operating system Windows 7 .

The 15 flaws fixed by six security updates released today represent less than half the record for the package last month that Microsoft patched 34 bugs in 13 separate bulletins.

Of the 15 holes today, three were classified as "critical" by Microsoft. The remaining 12 were considered "important", which is the level immediately prior to the system of four levels of classification adopted by the company.

Bug Priority
Experts agree that users should focus first the MS09-065. This update, which is a critical, affects all versions of Windows still entitled to support, with the exception of Windows 7 and Windows Server 2008 R2.

"The vulnerability of the core of Windows is by far the most important," said Andrew Storms, director of security operations at nCircle Network Security.

"This gap can use Internet Explorer as an attack vector, and this is one case where the user will not be notified or prompted. This scenario is quite a drive-by attack. "

Richie Lai, who is director of vulnerability research at security company Qualys, agreed. "Anyone running Internet Explorer (IE) is at risk here, even though the flaw is not in the browser, but in kernel mode driver Win32k."

In a three
Storms and Lai refers to a bug marked critical in MS09-065, which is actually a trio of vulnerabilities .

According to Microsoft, the Windows kernel improperly interprets sources like Embeded OpenType (EOT), which are a compact form of fonts designed for web pages. EOT fonts can also be used in Word and PowerPoint.

Thus, the hackers also could launch malicious attacks by attaching documents to Word and PowerPoint to e-mail, which would mistakenly opened by users.

As an alternative to applying the fix, users can easily block the most likely attacks by disabling IE's support for embedded fonts. "It's a low-impact," explains Lai. "The worst that can happen is that some sites might look ugly."

But His advice would still leave PCs open to attack via malicious Word documents and PowerPoint, an issue that Microsoft also made in the security bulletin.

Error-free
As Windows 7 and Windows Server 2008 R2 are not the target of MS09-065, Storms and Lai assumed that Microsoft caught the bug before it wrapped up the final code, or RTM (Release To Manufacturing) system operating, and only now taken steps to plug the gaps in Windows 2000, XP and Vista and Server 2003 and 2008.

"It's likely that Windows 7 Release Candidate (RC) is vulnerable," said Storms, noting that Microsoft's policy of not providing security updates for previous versions of an operating system after the final version is released.

"That's why you do not see Microsoft patching Windows 7 RC or Beta," said Storms. "Anyone who has run the RC should take heed and upgrade to the RTM."

But while Storms speculated that Microsoft knew the EOT font flaw was a security issue and waited until now to patch older Windows Lai defends the thesis that until recently Microsoft had no idea that the problem also reached earlier than Windows 7.

"I think they fixed this bug as part of the code sanitization during the development cycle (Windows 7). Only recently it became public, and then they fixed the other Windows. "

Public recognition
Microsoft recognizes that information about the EOT vulnerability became public before the patch released today.

"Our initial report was provided through responsible disclosure, the vulnerability was later disclosed publicly by an independent entity," says the notice that accompanied the report.

Storms thinks hackers will exploit the vulnerability of EOT quickly.

"It's something that deserves to be followed in the weeks to come, not only because of its novelty, but also because it can be exploited through IE, which is an easy path, as well as through Word and PowerPoint documents," he said.

Microsoft also issued critical updates for Vista and Server 2008 and Windows Server 2000.

In the latter, the problem is a bug in the implementation of the License Logging Server, a tool originally designed to help manage client-access licenses server (CAL).

Storms recommends that users of these systems urgently implement the fix, even if the machines are probably well protected.

"Windows 2000 Server has the logging server enabled as default, but such systems are usually behind multiple firewalls, and people that run Windows 2000 know that it is an older version and will act accordingly."

Windows and Mac
Excel and Word also received updates today. Eight vulnerabilities were addressed in MS09-067 for Excel and Word in the MS09-068. Both updates also affect Issues Office 2004 and Office 2008 for Mac

"These are the type of file format vulnerabilities we've seen many times in the past," said Storms, then remembering that the bugs ruin the older binary formats and not the new XML-based formats that debuted in Office 2007 Windows and Office 2008 for Mac

The security updates this month can be downloaded and installed via Microsoft Update and Windows Update, as well as through Windows Server Update Services.