Microsoft has just released eight security bulletins and one security
advisory as part of its regularly scheduled patch day, which came this
Tuesday. Six of the bulletins are rated “critical,” while two of them
are rated “important.” The security advisory alerts users that
Microsoft is investigating reports of a vulnerability in the WordPad
Text Converter for Word 97 files on Windows 2000 SP4, Windows XP SP2,
Windows Server 2003 SP1 and Windows 2003 SP2. The bulletins address
28 vulnerabilities in the following software: the Windows graphics
device interface (GDI), Windows Search, Internet Explorer, Visual
Basic 6.0 Runtime Extended Files, Word, Excel, SharePoint Server and
Windows Media Components. The vulnerabilities allow remote attackers
to launch malicious attacks on victims' PCs.

Experts say that one of the most serious bugs repaired in this release
is a vulnerability found in GDI that could be exploited if a user
opens a malicious WMF image file. The user only needs to view a Web
page containing the image to get infected. Another patch resolves two
separate bugs in Windows Search and one in Internet Explorer, which
affected IE versions 5, 6, and 7. Microsoft has yet to determine
whether or not the Internet Explorer 8 Beta 2 browser is at risk, and
therefore it has not issued an update for it. The patch also includes
six fixes for security flaws in third-party ActiveX controls for
Microsoft Visual Basic 6.0 Runtime Extended Files. This is considered
extremely dangerous because these are third-party controls, and
fixing them ultimately relies on the software developers.

The vulnerabilities in Microsoft Word and Microsoft Office Outlook can
also allow remote code execution if a user is persuaded to open a
malicious Word or Rich Text Format file. In addition, the patch fixes
three reported errors in Excel. Microsoft Office is identified as
having eight vulnerabilities fixed in the update. The flaws are
grouped around memory corruption and object parsing issues that could
lead to remote code execution. As for the reported errors in
SharePoint, Microsoft resolves a vulnerability that allows an attacker
to bypass normal user authentication by browsing an administrative URL
on a SharePoint site. This would result in elevated user privileges.

Experts say that none of these vulnerabilities has been actively
exploited, but users should patch their systems as soon as possible
even if there's no immediate danger. Attackers usually take these
patches and reverse engineer them, so we could very soon expect these
vulnerabilities to be exploited if users do not protect their PCs.
This December Patch Tuesday from Microsoft is the last scheduled
Microsoft security update for 2008. Until today's release, the August
Patch Tuesday, which reported 26 vulnerabilities, had been the largest
patch haul from Microsoft this year.
© 2007 - 2009 - eFluxMedia