Microsoft warns of Office, IE security risks

Tens of millions of users of Microsoft's Office and Internet Explorer applications are at risk from critical security holes which could allow malicious hackers to read and alter files on their PCs.

Microsoft has warned that the vulnerabilities could allow an attacker to use email or a Web page to remotely run programs on a user's PC, alter data and even wipe out a hard drive.

Microsoft's Trustworthy Computing team found six new vulnerabilities in IE, the most serious of which could enable a malicious hacker to execute commands on a user's PC.

Three vulnerabilities in Office were also uncovered, the most serious of which could allow an attacker to run commands on the user's system.

The new bugs are buffer overruns for Gopher and for Active X controls, a problem in HTML directives displaying XML data, a bug in file downloads, a cross-domain verification vulnerability, and a variant of cross-site scripting.

The bug in file downloads, according to Microsoft, could allow attackers to trick users into accepting a file download from an "untrusted source", believing it to be from a "trusted source".

The IE bugs are in versions 5.01, 5.5 and 6.0 of the software.

The Office holes are in BackOffice Server 2000, BizTalk Server 2000, Biztalk Server 2002, Commerce Server 2000, Commerce Server 2002, Internet Security Server 2000, Microsoft Money 2002, Microsoft Money 2003, Microsoft Office 2000, Microsoft Office XP, Microsoft Project 2002, Microsoft Project Server 2002 and Microsoft Small Business Server 2000.

Microsoft recommends users install the patches immediately from its TechNet Web site.

Have your say instantly, and see what others have said. Go to the Security forum.

Let the editors know what you think in the Mailroom.