Windows, Visual Studio security fixes set

Microsoft Corp. plans to patch its Windows and Visual Studio products next week, but it does not have a fix in the works for a widely publicized flaw in Word, which hackers are reportedly exploiting in targeted attacks.

The company’s security team is readying five sets of patches for Windows, and will also issue a single critical security update for Visual Studio, Microsoft said in an alert published Thursday.

Microsoft rates the most serious of its Windows updates as “critical,” meaning an attacker could exploit the underlying flaw to run malware on a victim’s PC with no user action, the company said.

These security patches are usually released on the second Tuesday of each month, and the company strives to publish a small number of updates in December, because IT operations are often short-staffed during the holiday season.

On Tuesday, Microsoft warned of a vulnerability in its Word software that had been reportedly used in online attacks. Security researchers rated this flaw critical, because an attacker could exploit it to run malicious software on a victim’s PC. For such an attack to work, however, the victim would first have to be tricked into opening a maliciously encoded Word file.

The Word flaw is not scheduled to be patched next Tuesday, said a spokesman for Microsoft’s public relations firm.

There is, however, one critical Visual Studio flaw that may be addressed in the updates. That bug is in Visual Studio 2005’s WMI Object Broker ActiveX object. It was first reported in late October.