Microsoft patches critical security holes in Windows, Office, IE

14.08.2012
Microsoft has fixed 26 vulnerabilities in its software products, including several considered critical, the company said on Tuesday in its monthly security patch report.

The security holes, described in five critical and four important bulletins, affect multiple products, including Windows, Internet Explorer, Exchange, SQL Server and Office. In the worst-case scenarios, exploits could give attackers control of affected systems.

The first critical bulletin, labeled , involves Windows Common Controls vulnerabilities, which affect Office, SQL Server, other server products and developer tools.

There have been "limited, targeted attacks" to try to exploit this security hole, but no public proof-of-concept code has been made available to Microsoft's knowledge, Microsoft security official Yunsun Wee said in a related blog post.

If a user visits a website that contains "specially crafted content" designed to exploit the vulnerability, attackers could execute code remotely on the affected machine. However, users would have to be tricked into visiting such a website. The malicious code can also be sent as an email attachment, but users would need to open the attachment for the attack to work.

Affected products include all supported editions of Office 2003, Office 2007, Office 2010 (except x64-based editions), SQL Server 2000 Analysis Services, SQL Server 2000 (except Itanium-based editions), SQL Server 2005 (except Microsoft SQL Server 2005 Express Edition, but including Microsoft SQL Server 2005 Express Edition with Advanced Services), SQL Server 2008, SQL Server 2008 R2, Commerce Server 2002, Commerce Server 2007, Commerce Server 2009, Commerce Server 2009 R2, Microsoft Host Integration Server 2004 SP 1, Visual FoxPro 8.0, Visual FoxPro 9.0 and Visual Basic 6.0 Runtime.