Patch Tuesday skips Windows zero-day exploit

Microsoft has issued a security patch that plugs a vulnerability in Windows for which a zero-day exploit has been available for weeks, but another zero-day exploit remains a threat.

Zero-day exploits are considered particularly dangerous. Most security holes are plugged before an exploit is released; when a zero-day exploit is already circulating, computers running the vulnerable software are open to attack until the patch is available.

The critical Windows vulnerability was discovered in Microsoft Jet Database Engine 4.0. It allows an attacker to take complete control of an affected system, including installing malicious programs and modifying data.

Microsoft has acknowledged that people have been taking advantage of this vulnerability to compromise machines, said Amol Sarwate, manager of the vulnerability research lab at Qualys, which offers security as a service to corporations.

The other critical patches Microsoft released plug a hole in Microsoft Word and two holes in Microsoft Publisher that could allow attackers to remotely run code on an affected machine if the user were to open a specially crafted Word or Publisher file.

Microsoft also fixed two holes rated "moderate" that would allow an attacker to shut down and restart the Microsoft Malware Protection Engine, which is used in the company's security products, including Windows Live OneCare and Windows Defender.

Missing from the patches was a fix for a vulnerability in the core Windows operating system for which there has been a zero-day exploit available for nearly a month, said Sarwate.

That unpatched vulnerability allows local users to escalate their privileges on a system and gain more access to resources and data. "It may look harmless," Sarwate says, but it not only gives insiders more control than they should have; it could also enable outsiders to use an insider's escalated privileges to do damage.

"We were hoping to see a fix for that zero-day as well," he said.

More information about this month's Patch Tuesday patches is available here.
