Microsoft patches WINS and Office
Microsoft has released two updates: one closes a critical vulnerability in the WINS server, the other closes two holes in Office. The flaw in the Windows Internet Name Service (WINS) only affects the server versions of Windows, namely Windows Server 2003, 2008 and 2008 R2. It allows a remote attacker who can reach the service to inject code into the server and execute it there. WINS is not installed by default and, contrary to what its name may suggest, the service only operates in local networks, where it is used to resolve NetBIOS names to IP addresses; the exposed population is therefore limited to servers on which an administrator has deliberately added the WINS role. Windows 7, Vista and XP are not affected by the problem.
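Because WINS is an optional role, the practical first step is to find out which servers actually run it. The following PowerShell script is an added example (not code from the article or from Microsoft) that triages a single host: it checks the OS edition, whether the WINS service is present, and whether anything is listening on port 42, the port WINS uses. The service name `WINS` and port 42 are assumed from the standard Windows configuration, and only cmdlets available in PowerShell 2.0 are used so the script runs on the affected Server 2003/2008/2008 R2 versions.

```powershell
# Added example, not from the article: local WINS exposure check.
# Assumptions: the service is registered under its standard name "WINS"
# and listens on TCP/UDP 42; netstat is used because Get-NetTCPConnection
# does not exist before Windows 8 / Server 2012.

function Get-WinsExposure {
    $os = Get-WmiObject -Class Win32_OperatingSystem

    $result = New-Object PSObject -Property @{
        Host          = $env:COMPUTERNAME
        OSCaption     = $os.Caption
        # ProductType: 1 = workstation, 2 = domain controller, 3 = member server.
        # Only server SKUs are affected by the WINS issue.
        IsServerSku   = ($os.ProductType -ne 1)
        WinsInstalled = $false
        WinsState     = 'not installed'
        ListeningOn42 = @()
    }

    # WINS is not installed by default; no service means no exposure.
    $svc = Get-Service -Name WINS -ErrorAction SilentlyContinue
    if ($svc) {
        $result.WinsInstalled = $true
        $result.WinsState     = $svc.Status.ToString()
    }

    # Independent confirmation via the socket table: a listener on port 42
    # means the service is reachable from the local network regardless of
    # what the service control manager reports.
    foreach ($line in (netstat -an)) {
        if ($line -match '^\s*(TCP|UDP)\s+(\S+):42\s') {
            $result.ListeningOn42 += ('{0} {1}' -f $matches[1], $matches[2])
        }
    }

    return $result
}

$r = Get-WinsExposure
if (-not $r.IsServerSku) {
    Write-Output ('{0} ({1}): client SKU, not affected by the WINS issue' -f $r.Host, $r.OSCaption)
} elseif ($r.WinsInstalled -or $r.ListeningOn42.Count -gt 0) {
    Write-Output ('{0} ({1}): WINS present, state {2}, port 42 listeners: {3} -> apply the WINS update' -f `
        $r.Host, $r.OSCaption, $r.WinsState, ($r.ListeningOn42 -join ', '))
} else {
    Write-Output ('{0} ({1}): WINS not installed -> not exposed to the WINS issue' -f $r.Host, $r.OSCaption)
}
```

Run it locally on each server, or push it out through PowerShell remoting or a startup script and collect the output lines; hosts reporting a port 42 listener without an installed WINS service deserve a second look, since something else is bound to that port.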
The two holes in Office affect PowerPoint 2002, 2003 and 2007. Although the vulnerabilities allow arbitrary code to run on a PC, Microsoft has rated the related updates only as "important" because a successful attack requires the user to open a specially crafted presentation. The flaws also affect Office 2004 and 2008 for Mac. One can only hope that the update won't, like its predecessor, cripple PowerPoint 2003 and require a hotfix to solve the problem.
According to the Microsoft Security Response Center, the "Office File Validation" feature mitigates the risk of a successful attack, since it inspects a document's binary structure before the application parses it. The feature is enabled by default in Office 2010 and was also delivered to Office 2003 and 2007 as an update on the previous Patch Tuesday.
For the first time, Microsoft has provided a more detailed "exploitability index" for each vulnerability. Previously, the index rated the likelihood of reliable exploit code for a vulnerability as a whole rather than for a specific version of the affected product. It now gives separate ratings for the latest version and for earlier versions. For the WINS hole there is no difference: "inconsistent exploit code likely" applies to all versions. No exploits of the Office vulnerabilities are expected for the current version of Office, because that version doesn't contain the holes. For previous versions, the index says "consistent exploit code likely" for the first hole and "functioning exploit code unlikely" for the second.
An overview of the updates is available in the Microsoft Security Bulletin Summary for May 2011.