As Microsoft rolled out patches for Windows Movie Maker and Microsoft Excel, it said in a separate advisory that a vulnerability discovered in Internet Explorer 6 and 7 could allow remote code execution.
"The vulnerability exists due to an invalid pointer reference being used within Internet Explorer," Microsoft said in its advisory. "It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted." The company said that it was aware of targeted attacks in the wild that attempted to take advantage of this vulnerability.
The security updates released by Microsoft today covered MS10-016, which addresses a vulnerability that could allow remote code execution in Windows Movie Maker and Microsoft Producer 2003. The vulnerability does not affect Windows Movie Maker, which runs on Windows Vista and Windows 7. The other update, described in security bulletin MS10-017, resolves seven privately reported vulnerabilities in Excel, which could also allow remote code execution if a malicious file is opened.
Several flaws in Internet Explorer remain unpatched. The vulnerability described in Advisory 980088, which allows for information disclosure in Internet Explorer, is still an issue, although Microsoft did publish a list of workarounds at the time.
Nor did Microsoft fix the 'F1' bug, announced at the start of this month by a researcher who did not responsibly disclose the vulnerability to Microsoft. That flaw enables remote code execution if a user can be lured into hitting the F1 key and activating Microsoft's help file system on a maliciously crafted web page.
"We continue to monitor the threat landscape around Security Advisory 981169 regarding a vulnerability in VBScript that could allow remote code execution," said Jerry Bryant, senior security communications manager lead at Microsoft. "We are not currently aware of any active attacks but encourage customers to review the advisory and apply the suggested workarounds where possible."