Microsoft fixed eight flaws in Windows and Office on Tuesday, bringing the total number of security bulletins it has issued in 2010 to 17.
The eight bugs patched today fall well short of the near-record 26 that Microsoft fixed last month, when it delivered 13 security updates.
Gerhard Eschelbeck, chief technology officer and senior vice president of Webroot, explained via email that Microsoft is [releasing] two security bulletins with corresponding patches affecting all supported versions of its operating systems, as well as its Office suites.
Eschelbeck added that both are rated as important, meaning they deserve attention. "Even though this is significantly lighter compared to last month, these vulnerabilities could be exploited by opening a malicious document, causing potential loss of confidential information," he said. "Users and IT organizations are encouraged to review these bulletins today, and plan for prompt rollout based on their priorities and environment."
Separately, Microsoft confirmed that an unpatched Internet Explorer vulnerability is being exploited. "At this time, we are aware of targeted attacks attempting to use this vulnerability," the company said in an advisory posted at the same time as the two security updates that patched eight bugs in Windows and Office. Elsewhere in the advisory, Microsoft said that the vulnerability had been publicly disclosed.
"It doesn't look like an exploit has been publicly posted," noted Andrew Storms, director of security operations at nCircle Network Security Inc. Storms added that Microsoft might have been made aware of the vulnerability either through a customer report or from one of the security companies that partner with it in the Microsoft Active Protections Program (MAPP); a report on the bug later today from the likes of Symantec or McAfee would indicate the latter, he said.
This is the second time in the last 60 days that Microsoft has acknowledged that attackers were exploiting an unpatched bug in IE. In mid-January, Microsoft said that a flaw in IE had been used to attack several companies' networks, including Google's and Adobe's. Microsoft patched that vulnerability, along with seven others, later that month in an emergency update, often called an out-of-band update.