Microsoft closes seven holes in Office
As previously announced, Microsoft has released 3 bulletins and updates. The updates close eleven holes, seven in the company's Office and four in the Forefront Unified Access Gateway (UAG) products. Although all of the holes closed in Office allow code to be injected and executed, only one of them was rated critical because it can be exploited via specially crafted web pages. The remaining six require a potential victim to open a specially crafted Office document.
Older versions of Office, as well as Office 2010, are affected. Interestingly, French security firm VUPEN has been mentioned in the credits. Earlier this year, VUPEN had announced that it would only continue to pass security information to Microsoft against payment of a fee, so it seems that Microsoft and VUPEN have reached an agreement. For this patch day VUPEN had reported holes found in Office 2010. The update for the Forefront Unified Access Gateway (UAG) fixes three cross-site scripting (XSS) holes and a spoofing vulnerability.
The hole in Internet Explorer remains open. A public exploit appeared last weekend, and security firm AVG reports that criminals have already added a module to the Eleonore exploit kit which exploits the hole to infect Windows PCs. This could force Microsoft to release an emergency patch after all.