There have been three large cracks in the recent past that should worry everyone who bases his or her IT on Microsoft’s products: PlayForSure, Outlook Express with Hotmail, and OOXML in the new MS Office 2007.
As explained in liquidat’s post, Microsoft screwed users with their products once again.
The total amount of malicious code detected in 2007 jumped by more than 40%, according to Microsoft’s latest Security Intelligence Report. While Microsoft issued fewer bulletins and patched fewer flaws in 2007, the number of flaws in Microsoft Office jumped, though the company pointed out that most only seriously affected earlier versions of the program.
Microsoft released four fixes on its regularly scheduled Tuesday patch day in March 2008, closing a dozen security holes in various Office applications.
While all 7 vulnerabilities were rated Critical for the Excel component of Office 2000 and could allow an attacker to take control of a Windows PC running the program, only two of the flaws affected Office 2007. All seven vulnerabilities affect Office 2004 for Mac OS X, and all are rated Important — Microsoft’s second-highest rating.
Dave Marcus, research and communications manager at McAfee Avert Labs, said in a statement: “Vulnerabilities in Office applications have been a favorite attack method among cybercrooks, especially in stealthy attacks that seek to steal high-value intellectual property. Trojan horse attacks often use rigged Office files that exploit vulnerabilities in the productivity suite.”
The U.S. Computer Emergency Readiness Team (US-CERT) warned on Monday that at least one of the Excel flaws is being exploited by malicious attackers.
Another severe vulnerability is an issue in the way that Outlook parses the mailto: uniform resource identifier (URI) when it is passed from a browser. An attacker could use the Critical-rated flaw to take control of the victim’s computer.
Two other vulnerabilities affect systems that have Microsoft’s Office Web Components installed. Both flaws are rated Critical by the software giant.
“All of these security bulletins are serious, but the Microsoft Office Web Components one stands out because these ActiveX components are widely distributed and relatively easy to exploit,” Ben Greenbaum, senior research manager for Symantec Security Response, said in a statement. “We’ve observed attackers continuing to target Web plug-ins in their quest to quickly and quietly install malicious code onto users’ computers.”
The last two vulnerabilities affect all Office programs and could be exploited by a specially crafted Office file. The flaws are rated Critical for Office 2000 and Important for all other versions of Office.
I work with Microsoft applications only if I need to open some file in MS Office 2007 format. And I did not use Internet Explorer for security reasons.
My choice is Ubuntu, KOffice and Mozilla Thunderbird, and I’m happy to have repositories with the latest updates and bug fixes for my distro.
(Statistics from securityfocus.com were used.)

