In a notable Patch Tuesday, Microsoft issued a single security bulletin to address 14 vulnerabilities, 11 of them rated critical. All of this month's patches relate to various versions of Microsoft PowerPoint.
May's Patch Tuesday is only the fourth time in four years Microsoft has issued just one security bulletin, but that one bulletin addresses the most vulnerabilities of any release in Microsoft history.
Most of this month's fixes have to do with opening older, or legacy, PowerPoint file formats. However, security research firm Symantec pointed to publicly available exploit code for CVE-2009-0556 that could give attackers remote access to the machine. At this stage, only a limited number of exploits have been seen in the wild, but the zero-day vulnerability is cause for concern among security researchers.
A Forty-Day Fix
"Because taking advantage of these vulnerabilities requires a user to open a maliciously crafted PowerPoint file, e-mail is likely the most probable method attackers would use to try and exploit these," said Alfred Huger, vice president of Symantec Security Response. "Another possibility is for an attacker to lure a victim into downloading the file from a misleading or compromised Web site. At that point, the attacker would then have complete control over everything the user's account has permission to do on the system."
Given the large number of bugs Microsoft and Oracle fixed last month, this light Microsoft release will give enterprises a much-needed opportunity to catch up, noted Andrew Storms, director of security operations for nCircle.
"For the last two months users have been battling Microsoft Office zero-day attacks. The first set in February was in Microsoft Excel. The second set, announced on April 2nd, made users afraid of opening PowerPoint files," Storms said. "Forty days from bug to bug fix is a decent turnaround for Microsoft, given the vast number of Microsoft Office permutations that need to be quality tested."
Is MOICE the Answer?
While some of the PowerPoint vulnerabilities rank only as "important" on most versions of Microsoft Office, they are all categorized as "remote code execution" and have a low exploitability index. That means exploits are relatively easy to write, and Wolfgang Kandek, CTO of Qualys, expects to see attackers begin using them soon.
One of the workarounds for CVE-2009-0556, the zero-day vulnerability patched in this advisory, is MOICE. An acronym for Microsoft Office Isolated Conversion Environment, MOICE is a tool set that sanitizes Office documents when users open them through browsing and e-mail. MOICE removes potentially dangerous code, has been available since May 2007, and was cited as a workaround in eight of Microsoft's 78 advisories in 2008.
"MOICE is an interesting tool, used to reduce the risk produced by the increasing number of file-format vulnerabilities," Kandek said. "Its limitation is that it only works with Office 2003 and 2007. Office 2000 and Office XP are not supported."