Microsoft has issued a collection of twelve security bulletins addressing 20 vulnerabilities, including the first patch for a shipping component of Windows Vista since January's consumer launch.
Among the patches in the monthly update is a fix for a critical vulnerability in the Microsoft Malware Protection Engine for Windows Vista. The component powers the Windows Defender and OneCare security software for the operating system. The flaw could allow attackers to take control of a system, Microsoft warned.
"Because Windows Defender is a component of Windows Vista, Windows Vista is vulnerable," a Microsoft spokesperson told vnunet.com.
"However, because Windows Defender automatically updates the engine, all Windows Defender users, including users of Windows Defender in Windows Vista, are likely to be using an updated version of the engine and no additional action should need to be taken to download or install the update."
The February patch release offers an additional five critical bulletins that include fixes for Office, Internet Explorer and Windows.
The six remaining bulletins addressed vulnerabilities that were classified as "important." Microsoft said that ten of the twelve updates concerned vulnerabilities that could allow an attacker to remotely hijack a system.
Six of the vulnerabilities that received patches have been the targets of recent zero-day attacks, said McAfee. Office in particular has been a favorite target of attackers of late. In recent weeks attackers have preyed on numerous vulnerabilities in versions of Word and Excel to install malware on target systems.
In a statement provided to vnunet.com, McAfee security research and communications manager Dave Marcus said the rash of Office exploits "continues the trend of malware authors targeting widely deployed Microsoft business applications and services. Malware authors continue to find unknown or unpatched vulnerabilities in popular applications and services which are then used in zero-day attacks."
One of the Office bulletins was issued to replace a previous patch for Excel and PowerPoint that Microsoft said was ineffective.
Other critical fixes included in the Patch Tuesday release address problems in Internet Explorer, Windows Data Access Components, and the HTML Help access control.
The "important" fixes included remote code execution flaws in Windows' MFC and OLE Dialog components and a pair of flaws in the Windows Shell and Image Acquisition service that could allow users to elevate their privileges.