Microsoft rolled out three security patches Tuesday to fix flaws in Windows, its PC operating system, and Office, its software suite.
The most serious vulnerability — labeled "critical" by Microsoft’s TechNet blog — left all versions of Microsoft Windows open to remote exploitation via specially crafted corrupt media files. (Msnbc.com is a joint venture of Microsoft and NBC Universal.)
The final bulletin dealt with a bug in Microsoft Windows Remote Client Desktop. Similar in nature to the Groove flaw, the bug meant that a user who opened a rigged Remote Desktop file (ending in the extension .rdp) could make himself vulnerable to online attack.
Microsoft wrote on its blog that these security updates are automatically downloaded if users have enabled automatic updating on their systems. The updates can also be downloaded at Microsoft’s website.
There is still an outstanding vulnerability that Microsoft chose not to fix in this month’s batch of updates.
The flaw affects Windows and could “allow an attacker to cause a victim to run malicious scripts when visiting various websites, resulting in information disclosure,” Microsoft wrote.
Microsoft said it is “actively monitoring the threat landscape,” and is working to prepare a fix for the bug.
Roel Schouwenberg, researcher at the security firm Kaspersky Lab, said that although the unpatched flaw is not often used in mass online attacks, “its importance should not be underestimated,” as it could “definitely serve a purpose in targeted attacks.”