Microsoft patches eight 'critical' holes

Microsoft has released 14 security patches as part of its monthly Patch Tuesday release cycle.

Eight of the updates were rated 'critical', four were rated 'important' and two were rated 'moderate'.

The patches were distributed through nine security bulletins, which Microsoft uses to describe one type of application or technology component.

Windows 2000 and XP were hit the hardest, receiving four and five of the critical bulletins respectively. Vista received two critical bulletins.

The August release contained a raft of vulnerabilities that offer an appealing target for criminals looking to build botnets or steal confidential information. Four of the 'critical' vulnerabilities could be exploited through a web browser.

One 'critical' vulnerability in Internet Explorer allows attackers to remotely execute code through a specially crafted website without the user's knowledge.

A second flaw in the Vector Markup Language opens users of all versions of Windows to remote execution on any of the currently supported IE versions.

A security hole in the Object Linking Embedding technology exposes users to the same kind of web-based attacks.

The fourth 'critical' flaw that can be exploited through the browser is limited to IE6 on Windows XP and 2000. It has less severe security ratings on Windows Server 2003 and IE7.

"Microsoft's patches again underline the trend of malware writers using the web browser as a means of attack and reinforce the need for safe browsing," said David Marcus, security research and communications manager at McAfee's Avert Labs.

A flaw in the Graphics Rendering Engine was rated 'critical', although attackers would have to convince their target to open a specially crafted email attachment or download the file from a website.

Attackers could target users of Excel with a specially crafted file that on infection allows them to take over control of the targeted system.

Online criminals have repeatedly used similar, unpatched Office vulnerabilities in highly targeted attacks. The update replaces a patch that Microsoft issued in July.

The Excel flaw has a 'critical' rating for Office 2000 only. It is rated 'important' for versions of the productivity suite because users receive a security prompt before the document is opened.

Users can download the patches directly from the Microsoft website, or through the Windows Update feature inside their operating system.